On 7/19/19 10:13 AM, Daniel Moerner wrote:
> Thank you, this is a great tool. Everything is working perfectly as far
> as I can tell. It also works with fish shell by adding .config/fish to
> $chdirs.
>
> I was thinking about what kinds of files, not present in the default
> installation but possibly added to a user's system, might need to be
> added to $chdirs and $chfiles manually. Perhaps such a list could go in
> the documentation. Some examples:
>
> 1. Any files sourced by your shell startup scripts that are in the
> persistent private volume, e.g., files that provide completion
> information for your shell but that aren't in the template.
If you could provide a specific example, that would be great. The usual
shell sources are already included, at least the ones that get executed.
> 2. Executables installed by other package managers that don't use the
> normal paths. For example, go uses $HOME/go/bin by default; cabal uses
> $HOME/.cabal/bin. Probably not worth trying to list all of these, but
> rather just noting the risk. Of course, users that make regular use of
> these package managers might not want to enable this kind of hardening
> for convenience reasons.
That is interesting about language-specific environments; these appear
to be examples that don't play nicely with the host OS or shell. My
initial advice here would be to add protection for $PATH (such as
Qubes-VM-hardening) to your template early, then add these other
components afterward. In future, it may be possible to parse the $PATH
for anything that references the private volume, then automatically
lock those paths down.
BTW, thank you for the bug fix! I've already posted it with a note in
the Readme. The current version is now 0.8.5.
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
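Added example (not code from vm-boot-protect or the Qubes-VM-hardening project): a POSIX sh sketch of the $PATH parsing idea raised above. It walks a PATH string, separates the entries that live on the private volume from those on the root volume, and turns the ones under the user's home into the home-relative form used for $chdirs. Assumptions not stated in the thread: an AppVM's private volume is mounted at /rw, with /home and /usr/local bind-mounted from it; $chdirs entries are relative to the home directory, as the ".config/fish" example suggests; the function names, the `SAMPLE_PATH` value and the "go/bin", ".cabal/bin" entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of vm-boot-protect. Classify the entries of a PATH
# string so that the ones living on the Qubes private volume can be fed into
# $chdirs. Assumed layout (not from the page): /rw is the private volume,
# /home and /usr/local are bind-mounted from it, $chdirs is HOME-relative.

# classify_path PATH_STRING HOME_DIR
# Prints one line per PATH entry, in PATH order:
#   chdirs <dir>    under HOME; <dir> is the HOME-relative form for $chdirs
#   private <dir>   on the private volume but outside HOME (e.g. /usr/local/bin)
#   unsafe <entry>  empty or relative entry: it resolves to the current
#                   directory, which may well be on the private volume
#   root <dir>      on the root volume (comes from the template, reset on boot)
# Note: /rw/home/<user>/... is the same directory as /home/<user>/... but is
# reported as "private" here because only the HOME prefix is canonicalised.
classify_path() {
    _path=$1
    _home=${2%/}           # drop a trailing slash so prefix matching is exact
    # Chop the list manually rather than relying on IFS splitting, so that
    # empty fields ("a::b", leading or trailing ':') are preserved.
    _rest="$_path:"
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case $_entry in
            '' | [!/]*)
                printf 'unsafe %s\n' "$_entry" ;;
            "$_home" | "$_home"/*)
                _rel=${_entry#"$_home"}
                _rel=${_rel#/}
                printf 'chdirs %s\n' "${_rel:-.}" ;;
            /rw | /rw/* | /home | /home/* | /usr/local | /usr/local/*)
                printf 'private %s\n' "$_entry" ;;
            *)
                printf 'root %s\n' "$_entry" ;;
        esac
    done
}

# suggest_chdirs PATH_STRING HOME_DIR
# Prints, space separated on one line, the HOME-relative directories that
# would need to be appended to $chdirs for this PATH.
suggest_chdirs() {
    _list=
    while IFS=' ' read -r _kind _dir; do
        [ "$_kind" = chdirs ] || continue
        _list="${_list:+$_list }$_dir"
    done <<EOF
$(classify_path "$1" "$2")
EOF
    printf '%s\n' "$_list"
}

# Constructed sample: a PATH with a go and a cabal bin directory, a
# /usr/local entry, two template-provided entries and a relative ".".
SAMPLE_PATH='/home/user/go/bin:/home/user/.cabal/bin:/usr/local/bin:/usr/bin:/bin:.'

classify_path "$SAMPLE_PATH" /home/user
suggest_chdirs "$SAMPLE_PATH" /home/user
```

Run it inside the AppVM as `classify_path "$PATH" "$HOME"` to see which entries would survive a reboot unprotected; the "private" lines outside HOME (such as /usr/local/bin) are the ones $chdirs cannot express in its home-relative form and would need handling separately.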
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/2851f8c1-9755-4160-af8c-70c3505aab8c%40posteo.net.