On Wed, Jan 23, 2019 at 07:19:14AM -0800, john.e.ma...@gmail.com wrote:
> On Wednesday, January 23, 2019 at 9:54:50 AM UTC-5, unman wrote:
> > On Wed, Jan 23, 2019 at 05:38:42AM -0800, john.e.ma...@gmail.com wrote:
> > > On Tuesday, January 22, 2019 at 8:18:48 PM UTC-5, unman wrote:
> > > > On Tue, Jan 22, 2019 at 01:23:54PM -0800,  wrote:
> > > > > Is it possible to compare (diff) files across appvms. Or (and), is it 
> > > > > possible to pass arguments to an appvm through a dom0 terminal. 
> > > > > 
> > > > > Basically, I want to check if a Keepassxc file in my vault is 
> > > > > different than a Keepassxc file in my appvm. 
> > > > > 
> > > > > Thanks for any ideas.
> > > > > 
> > > > > John
> > > > > 
> > > > 
> > > > You can do this using qvm-run-vm or by using qvm-run in dom0.
> > > > Look at the policy file in /etc/qubes-rpc/policy/qubes.VMShell and the
> > > > warning.
> > > > 
> > > > If all you want to do is see if the files differ, then you can just
> > > > generate hashes: from vault -
> > > > qvm-run-vm appvm 'md5sum db.kdbx'
> > > > Compare that with local hash.
> > > > 
> > > > I don't think you can diff the files themselves.
> > > 
> > > unman, I don't have qvm-run (perhaps that's for 3.2?), and running hash 
> > > command example you gave (modified to point to a file that exists in the 
> > > appvm) produced no output. Specifically:
> > > 
> > > $ qvm-run vault 'md5sum file.kdbx'
> > > Running 'md5sum file.kdbx' on vault
> > > 
> > > But no output. Any ideas?
> > > 
> > > Thanks.
> > > John
> > > 
> > 
> > In qubes, you should have qvm-run-vm tool. In dom0, qvm-run. The
> > capabilities (and controls) are different.
> > 
> > You are trying to run in dom0 - to get output there you need to use:
> > qvm-run -p vault 'md5sum file.kdbx'
> > The '-p' allows for stdio from the running program to be passed to dom0
> > - be aware of the potential risks. Otherwise the command is run (and
> > stdio kept) in the target qube.
> > 
> > In qubes, you use qvm-run-vm - you must have considered
> > /etc/qubes-rpc/policy/qubes.VMShell
> > So, from vault run "qvm-run-vm appvm 'md5sum file.kdbx'", and the output
> > of that command run on appvm will appear in vault, and you will be able
> > to make the comparison.
> 
> unman, thank you for this. I understand the difference now, and using qvm-run 
> -p in dom0 works fine. I cannot get qvm-run-vm to work, because I'm presented 
> with "Request refused". I don't understand the significance of 
> /etc/qubes-rpc/policy/qubes.VMShell, but I don't actually have a directory 
> called policy, so that file path is /etc/qubes-rpc/qubes.VMShell.
> 
> I can make this work using dom0, but I suspect (but don't know for sure) that 
> that is unwise.
> 
> John

It's not ideal because you are parsing the output of an (unknown) command
run in a qube in dom0.

You are getting the "request refused" because you have not set a policy
rule allowing vault to run commands in appvm.
I don't have /etc/qubes-rpc/qubes.VMShell, and I do have
/etc/qubes-rpc/policy.
I've just checked this on a number of boxes, including a clean 4.0 image
and they all have the same.
It occurs to me that you are looking in the qube, and not in dom0 - can
you check this? You need to set the policy in dom0, and it will be
applied in individual qubes.
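
An added example, not part of the original message or of Qubes itself: a script for the vault side of the comparison discussed in this thread. It treats the text returned by qvm-run-vm as untrusted and accepts only a single md5sum-style digest line before comparing. The function names, the script name and its three arguments are assumptions, and it presumes the dom0 policy for qubes.VMShell already permits the call.

```shell
#!/bin/sh
# Added example. Run in the vault qube (script name is hypothetical):
#   sh cmp-kdbx.sh <qube> <remote-file> <local-file>
LC_ALL=C; export LC_ALL

# Print the digest from one md5sum-style line ("<32 hex>  <name>").
# The text may come from another qube, so anything else is rejected.
extract_digest() {
    case $1 in
        *[[:cntrl:]]*) return 1 ;;   # extra lines, terminal escape sequences
    esac
    ed_digest=${1%% *}
    case $ed_digest in
        ''|*[!0-9a-f]*) return 1 ;;  # not lowercase hex
    esac
    [ "${#ed_digest}" -eq 32 ] || return 1
    printf '%s\n' "$ed_digest"
}

# Compare two md5sum output lines: 0 = same, 1 = differ, 2 = malformed input.
same_digest() {
    sd_a=$(extract_digest "$1") || return 2
    sd_b=$(extract_digest "$2") || return 2
    [ "$sd_a" = "$sd_b" ]
}

# Hash the remote file through qvm-run-vm and the local file directly.
# $2 is typed by the operator in vault and is passed to the remote shell as is.
compare_with_qube() {
    cq_remote=$(qvm-run-vm "$1" "md5sum $2") || return 2
    cq_local=$(md5sum "$3") || return 2
    same_digest "$cq_remote" "$cq_local"
}

# Only act when called with the three arguments; otherwise just define functions.
if [ "$#" -eq 3 ]; then
    rc=0
    compare_with_qube "$@" || rc=$?
    case $rc in
        0) echo "files match" ;;
        1) echo "files differ" ;;
        *) echo "could not compare (refused or unexpected output)" >&2 ;;
    esac
    exit "$rc"
fi
```

A refused request or any reply that is not a plain digest line ends with exit status 2 rather than being compared or echoed to the terminal.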

