On Wednesday, January 23, 2019 at 11:04:40 AM UTC-5, unman wrote: > On Wed, Jan 23, 2019 at 07:19:14AM -0800, john.e.ma...@gmail.com wrote: > > On Wednesday, January 23, 2019 at 9:54:50 AM UTC-5, unman wrote: > > > On Wed, Jan 23, 2019 at 05:38:42AM -0800, john.e.ma...@gmail.com wrote: > > > > On Tuesday, January 22, 2019 at 8:18:48 PM UTC-5, unman wrote: > > > > > On Tue, Jan 22, 2019 at 01:23:54PM -0800, wrote: > > > > > > Is it possible to compare (diff) files across appvms. Or (and), is > > > > > > it possible to pass arguments to an appvm through a dom0 terminal. > > > > > > > > > > > > Basically, I want to check if a Keepassxc file in my vault is > > > > > > different than a Keepassxc file in my appvm. > > > > > > > > > > > > Thanks for any ideas. > > > > > > > > > > > > John > > > > > > > > > > > > > > > > You can do this using qvm-run-vm or by using qvm-run in dom0. > > > > > Look at the policy file in /etc/qubes-rpc/policy/qubes.VMShell and the > > > > > warning. > > > > > > > > > > If all you want to do is see if the files differ, then you can just > > > > > generate hashes: from vault - > > > > > qvm-run-vm appvm 'md5sum db.kdbx' > > > > > Compare that with local hash. > > > > > > > > > > I dont think you can diff the files themselves. > > > > > > > > unman, I don't have qvm-run (perhaps that's for 3.2?), and running hash > > > > command example you gave (modified to point to a file that exists in > > > > the appvm) produced no output. Specifically: > > > > > > > > $ qvm-run vault 'md5sum file.kdbx' > > > > Running 'md5sum file.kdbx' on vault > > > > > > > > But no output. Any ideas? > > > > > > > > Thanks. > > > > John > > > > > > > > > > In qubes, you should have qvm-run-vm tool. In dom0, qvm-run. The > > > capabilities (and controls) are different. > > > > > > You are trying to run in dom0 - to get output there you need to use;: > > > qvm-run -p vault 'md5sum file.kdbx' > > > The '-p' allows for stdio from the running program to be passed to dom0 > > > - be aware of the potential risks. Otherwise the command is run (and > > > stdio kept) in the target qube. > > > > > > In qubes, you use qvm-run-vm - you must have considered > > > /etc/qubes-rpc/policy/qubes.VMShell > > > So, from vault run "qvm-run-vm appvm 'md5sum file.kdbx'", and the output > > > of that command run on appvm will appear in vault, and you will be able > > > to make the comparison. > > > > unman, thank you for this. I understand the difference now, and using > > qvm-run -p in dom0 works fine. I cannot get qvm-run-vm to work, because I'm > > presented with "Request refused". I don't understand the significance of > > /etc/qubes-rpc/policy/qubes.VMShell, but I don't actually have a directory > > called policy, so that file path is /etc/qubes-rpc/qubes.VMShell. > > > > I can make this work using dom0, but I suspect (but don't know for sure) > > that that is unwise. > > > > John > > It's not ideal because you are parsing the output of an (unknown) command > run in a qube in dom0. > > You are getting the "request refused" because you have not set a policy > rule allowing vault to run commands in appvm. > I dont have /etc/qubes-rpc/qubes.VMShell, and I do have > /etc/qubes-rpc/policy. > I've just checked this on a number of boxes, including a clean 4.0 image > and they all have the same. > It occurs to me that you are looking in the qube, and not in dom0 - can > you check this? You need to set the policy in dom0, and it will be > applied in individual qubes.
unman, thank you for being so generous with your time. I appreciate the education. Yes, I was looking in appvms. I'm starting to understand better what needs to be done. I'll see how far I get. John -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/692340e7-1194-4788-9db2-71bf5de11551%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
