On Thu, Mar 07, 2019 at 01:10:02PM -0500, Ryan Tate wrote: > Short version: Is it a security issue to set a networked disp vm as > the default disp vm for a vaulted vm? > > I have a vaulted vm (no network) and a printing dvm (limited local > network access via firewall). It would be convenient to set the > printing dvm as default disp vm for the vault so i can easily print to > network when I want to do so. > > But I notice that when I launch "view in disposable vm" from > right-click menu, there is no confirmation in the GUI as there is for > qvm-move and so forth. Which makes me wonder if malicious software in > the VM could use this as an escape vector. > > I read through the below document, and although some security issues > around dvms are addressed, I could not figure out the answer to my > question from it: > > https://www.qubes-os.org/doc/disposablevm/ > > Thanks for any advice....
Short answer: Yes, it is. I'm assuming that you have Qubes4.0. The fact that you don't see a prompt suggests that you have a policy set to "allow" - you can check this in /etc/qubes-rpc/policy/qubes.OpenInVM If you change that so that it reads: vault $dispvm ask then you should see a prompt. This would go some way to mitigating the risk. On a more general level, I don't know what is in your vault, and so don't know what it is you might want to print. I have a number of qubes that act as vaults, with different levels of content. The most secure has no default disposableVM and explicit "deny" rules in every relevant policy. Lower content levels have lesser restrictions. unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190308002408.wpwko7cxd3htgors%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
