Re: [qubes-users] Re: Thoughts about installed software

2016-10-11 Thread Drew White
On Wednesday, 12 October 2016 11:30:27 UTC+11, Manuel Amador (Rudd-O)  wrote:
> On 10/12/2016 12:26 AM, Drew White wrote:
> > Hi Robert,
> > Do you think you could build a template that would be that which you would 
> > consider secure?
> >
> > Personally, I've been asking what packages are REQUIRED for full 
> > integration, and never gotten an answer that provides the information I 
> > request from anyone, not even the qubes devs.
> 
> All the packages in the template that are named qubes-* are required for
> full integration.  Additionally, NetworkManager, NetworkManager-wifi and
> NetworkManager*fedora are also required for NetVMs to operate correctly.
 
So what do those packages require as dependencies though?
The dependencies are also required for full integration.
Just saying, there is more than just "qubes-*" to be thinking about.


> The Fedora minimal template works fine as a very minimal base system. 
> Those NetworkManager packages are needed to use it as a sys-net template.

The Fedora minimal template is FAR from minimal. It still contains a lot of 
things it shouldn't, and is missing vital things too.


> >
> > I'm not sure if they don't know, or just think that the information is 
> > there when it isn't,
> 
> Of course they know.  They build the templates.  It's just that this
> question is a low-priority question because this is something you could
> have found out yourself.

No, it's not a low-priority question, I was told that they didn't know. I can 
find the thread where they told me, if you want, or else you can search 
qubes-users for it.



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bba6c05c-7b20-4af1-a6ef-6f61a6278d38%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Why it's so big secret?

2016-10-11 Thread Drew White
On Wednesday, 12 October 2016 12:50:23 UTC+11, nezn...@xy9ce.tk  wrote:
> I read that the proprietary driver is better than the free driver, because with
> the free driver you'll get a hot laptop and because the free driver can't adjust
> the rotation of the fan, etc.
> How can I add the repo? Can you write it for me? Because I'm not sure. And about
> gpg-keys... Did you do something with it? Maybe you use --nogpgcheck or something?

It's not ALWAYS the case.
Sometimes the free drivers don't have bugs and the proprietary do.
You can not be sure unless you go through the source code and check it yourself 
and then compile it from that source code yourself for installation.



All I did was follow the instructions on the page(s).
Read the instructions on those pages carefully.



[qubes-users] "VM didnt give back all requested memory"

2016-10-11 Thread pixel fairy
I keep getting this while running appvms based on fedora-24. The template was 
updated from fedora-23. Just got it on one of the two new appvms I just made. 
Haven't used either one yet. Everything seems to work ok.



[qubes-users] Re: Why it's so big secret?

2016-10-11 Thread neznaika
I read that the proprietary driver is better than the free driver, because with
the free driver you'll get a hot laptop and because the free driver can't adjust
the rotation of the fan, etc.
How can I add the repo? Can you write it for me? Because I'm not sure. And about
gpg-keys... Did you do something with it? Maybe you use --nogpgcheck or something?



[qubes-users] Re: Why it's so big secret?

2016-10-11 Thread neznaika
I read that the proprietary driver is better than the free driver, because with
the free driver you'll get a hot laptop and because the free driver can't adjust
the rotation of the fan, etc.
How can I add the repo? Can you write it for me? Because I'm not sure. And about
gpg-keys... Did you do something with it? Maybe you use --nogpgcheck or something?



Re: [qubes-users] Re: Thoughts about installed software

2016-10-11 Thread Manuel Amador (Rudd-O)
On 10/12/2016 12:26 AM, Drew White wrote:
> Hi Robert,
> Do you think you could build a template that would be that which you would 
> consider secure?
>
> Personally, I've been asking what packages are REQUIRED for full integration, 
> and never gotten an answer that provides the information I request from 
> anyone, not even the qubes devs.

All the packages in the template that are named qubes-* are required for
full integration.  Additionally, NetworkManager, NetworkManager-wifi and
NetworkManager*fedora are also required for NetVMs to operate correctly.

The Fedora minimal template works fine as a very minimal base system. 
Those NetworkManager packages are needed to use it as a sys-net template.

>
> I'm not sure if they don't know, or just think that the information is there 
> when it isn't,

Of course they know.  They build the templates.  It's just that this
question is a low-priority question because this is something you could
have found out yourself.


-- 
Rudd-O
http://rudd-o.com/



[qubes-users] Re: Thoughts about installed software

2016-10-11 Thread Drew White
On Tuesday, 11 October 2016 20:30:54 UTC+11, Robert Mittendorf  wrote:
> Software that you don't need is a security risk as it imposes additional 
> attack surface - we all know that.
> Besides exploits those tools might cause additional threat (e.g. RDP-, 
> VNC-, SSH-Clients)
> So you better do not install non-universal software* in a template VM.
> *software that is not needed in every VM which is based on that template
> 
> So where to put non-universal software?
> 
> - user-space: allows malware to persist easily, because of persistent 
> write rights. And does not allow usage of standard repositories
> - other (cloned) TemplateVM: You need to make sure that you keep all 
> templates up-to-date for security reasons, you need much more storage 
> space and cause more ssd aging
> 
> So what about a multi-level template system. That way you can keep at 
> least most software up-to-date with a single update process. This would 
> need a delta-filesystem instead of the current image=directory approach 
> i think. I don't know whether Xen has such capabilities?!
> 
> Robert

Hi Robert,

Do you think you could build a template that would be that which you would 
consider secure?

Personally, I've been asking what packages are REQUIRED for full integration, 
and never gotten an answer that provides the information I request from anyone, 
not even the qubes devs.

I'm not sure if they don't know, or just think that the information is there 
when it isn't, but if you are able to build a secure template, one that is 
based for Qubes and works properly and fully, then you should do it and give it 
to them to put into the template repo.

I think it would be interesting if you could actually do it, rather than these 
insecure systemd templates.



[qubes-users] Re: Why it's so big secret?

2016-10-11 Thread Drew White
On Wednesday, 12 October 2016 07:28:28 UTC+11, nezn...@xy9ce.tk  wrote:
> I see very detailed instructions in the Docs about HVM, Templates and others. 
> But the instructions about the proprietary Nvidia driver and bumblebee look 
> like some secret. This problem has had status "open" since the R2 version. And 
> I killed many weeks trying to solve this. Still I have just Qubes with nouveau 
> in the blacklist. I need to work, but I'm reading many forums and manuals about 
> bumblebee, Nvidia drivers, fedora, gpg checking, adding repos, x.11, x.conf 
> and other and other and other. Things in which I'm not a professional. I'm a 
> professional in my job, not in Qubes. Everywhere these manuals differ for 
> different versions of Linux. On Qubes doing all this is even harder. Many 
> people have optimus and still I don't see a simple detailed "How to". I wanna 
> work, and can't!
> Can somebody tell me what I need to do? I installed Qubes, and added nouveau 
> to the blacklist, what next? What first, what second? And HOW?
> 1. Add repos of rpmfusion and repos of bumblebee? How can I do this?
> 2. Install the proprietary Nvidia driver? How?
> 3. Install bumblebee without gpg-checking? How? With gpg-checking? How do I do this?
> 
> If these instructions are simple, then what is the problem with writing them? 
> If it is hard, then why can't the community write it and help all the "lucky" 
> users of optimus? Why is it such a big secret?

https://www.qubes-os.org/doc/install-nvidia-driver/
These instructions work. I used the Manual Installation back in the day. These 
days I just use Nouveau because there is no need to install proprietary drivers 
since version 3.1. Since in 3.2 they fixed the display issue that was happening 
when they upgraded the GUI. (even though upgrading the gui in a bad way in my 
opinion).
There is no big secret, it's on their website.
Installing bumblebee, well, just add the repo and do the install, simple.
http://bumblebee-project.org/install.html



Re: [qubes-users] rc.local iptables persistence on reboot

2016-10-11 Thread Manuel Amador (Rudd-O)
On 09/18/2016 12:14 AM, nishiwak...@gmail.com wrote:
> iptables -F
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>

Looks to me like you would be a happy user of

https://github.com/Rudd-O/qubes-network-server

With it, set a static IP on your VM as per the instructions, and that's
it.  Your VM should be accessible at that IP by other VMs on your
system.  No need to futz with config files or scripts.

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Why it so big secret?

2016-10-11 Thread Desobediente
Additionally, the Bumblebee howto is here:
https://fedoraproject.org/wiki/Bumblebee



Re: [qubes-users] Why it so big secret?

2016-10-11 Thread Desobediente
This should be here: https://www.qubes-os.org/doc/install-nvidia-driver/

Have you tried that?



[qubes-users] Re: rc.local iptables persistence on reboot

2016-10-11 Thread pleomati
https://www.qubes-os.org/doc/qubes-firewall/

Everything is in this chapter "Enabling networking between two VMs".
You don't need to run custom scripts for enabling networking between two VMs.

In case you need your system safe from apps connecting to each other, you can 
allow traffic on a single port and connect them via an SSH tunnel. Let's say 
allow traffic A<>B on port 22, then connect them via ssh:
ssh -L port:ip:port user@ip
and then point the browser in the client VM to localhost. The SSH tunnel 
redirects you to your webserver on the B VM.



[qubes-users] Re: rc.local iptables persistence on reboot

2016-10-11 Thread pleomati
https://www.qubes-os.org/doc/qubes-firewall/

Everything is in this chapter "Enabling networking between two VMs".
You don't need to run custom scripts for enabling networking between two VMs.



[qubes-users] Why it's so big secret?

2016-10-11 Thread neznaika
I see very detailed instructions in the Docs about HVM, Templates and others. 
But the instructions about the proprietary Nvidia driver and bumblebee look 
like some secret. This problem has had status "open" since the R2 version. And 
I killed many weeks trying to solve this. Still I have just Qubes with nouveau 
in the blacklist. I need to work, but I'm reading many forums and manuals about 
bumblebee, Nvidia drivers, fedora, gpg checking, adding repos, x.11, x.conf 
and other and other and other. Things in which I'm not a professional. I'm a 
professional in my job, not in Qubes. Everywhere these manuals differ for 
different versions of Linux. On Qubes doing all this is even harder. Many 
people have optimus and still I don't see a simple detailed "How to". I wanna 
work, and can't!
Can somebody tell me what I need to do? I installed Qubes, and added nouveau 
to the blacklist, what next? What first, what second? And HOW?
1. Add repos of rpmfusion and repos of bumblebee? How can I do this?
2. Install the proprietary Nvidia driver? How?
3. Install bumblebee without gpg-checking? How? With gpg-checking? How do I do this?

If these instructions are simple, then what is the problem with writing them? 
If it is hard, then why can't the community write it and help all the "lucky" 
users of optimus? Why is it such a big secret?



[qubes-users] Why it's so big secret?

2016-10-11 Thread neznaika
I see very detailed instructions in the Docs about HVM, Templates and others. 
But the instructions about the proprietary Nvidia driver and bumblebee look 
like some secret. This problem has had status "open" since the R2 version. And 
I killed many weeks trying to solve this. Still I have just Qubes with nouveau 
in the blacklist. I need to work, but I'm reading many forums and manuals about 
bumblebee, Nvidia drivers, fedora, gpg checking, adding repos, x.conf and 
other and other and other. Things in which I'm not a professional. I'm a 
professional in my job, not in Qubes. Everywhere these manuals differ for 
different versions of Linux. On Qubes doing all this is even harder. Many 
people have optimus and still I don't see a simple detailed "How to". Is it a 
secret or is it just impossible? I wanna work, and can't!
Can somebody tell me what I need to do? I installed Qubes, and added nouveau 
to the blacklist (), what next? What first, what second? And HOW?
1. Add repos of rpmfusion and repos of bumblebee? How can I do it?
2. Install the proprietary Nvidia driver? How?
3. Install bumblebee without gpg-checking? How? With gpg-checking? How do I do this?

If these instructions are simple, then what is the problem with writing them? 
If it is hard, then why can't the community write it? Why is it such a big secret?



[qubes-users] Why it so big secret?

2016-10-11 Thread neznaika
I see very detailed instructions in the Docs about HVM, Templates and others. 
But the instructions about the proprietary Nvidia driver and bumblebee look 
like some secret. This problem has had status "open" since the R2 version. And 
I killed many weeks trying to solve this. Still I have just Qubes with nouveau 
in the blacklist. I need to work, but I'm reading many forums and manuals about 
bumblebee, Nvidia drivers, fedora, gpg checking, adding repos, x.conf and 
other and other and other. Things in which I'm not a professional. I'm a 
professional in my job, not in Qubes. Everywhere these manuals differ for 
different versions of Linux. On Qubes doing all this is even harder. Many 
people have optimus and still I don't see a simple detailed "How to". Is it a 
secret or is it just impossible? I wanna work, and can't!
Can somebody tell me what I need to do? I installed Qubes, and added nouveau 
to the blacklist (), what next? What first, what second? And HOW?
1. Add repos of rpmfusion and repos of bumblebee? How can I do it?
2. Install the proprietary Nvidia driver? How?
3. Install bumblebee without gpg-checking? How? With gpg-checking? How do I do this?



[qubes-users] Re: Problems with USB Pass through / iGPU drivers

2016-10-11 Thread raahelps
On Tuesday, October 11, 2016 at 3:19:15 PM UTC-4, jidar wrote:
> On 10/11/2016 08:31 AM, Marek Marczykowski-Górecki wrote:
> >
> > If you want custom USB VM, you can simply remove the default one.
> > As for qubes.InputKeyboard, take a look here:
> > https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard
> >
> > - --
> > Best Regards,
> > Marek Marczykowski-Górecki
> > Invisible Things Lab
> >
> So while this is helpful to understand the function of how qubes sets 
> the InputKeyboard, what it does not do is tell me how to specify the 
> device used as the keyboard. When I follow the instructions for 
> "Creating and Using a USB qube", I'm prompted to allow devices for Mouse 
> and Keyboard. I select "Yes to all" and normally my keyboard should work 
> here (my mouse does). However, my keyboard is never again functional. 
> I'm forced to remove the kernel lines `rd.qubes.hide_all_usb` and force 
> sys-usb to not start at boot, then reboot.
> 
> In essence, what I'm really trying to understand (outside several other 
> questions in the OP of this thread) is how a keyboard device is decided 
> on, or how to manually force what device is going to be used for a 
> keyboard.
> 
> The following is the device I'm attempting to use, but failing:
> 
>   Bus 001 Device 006: ID 04d9:0141 Holtek Semiconductor, Inc.
> 
> For whatever reason, the device is never picked up (unless I don't use a 
> sys-usb qube at all) for use as a keyboard.
> 
> Any information you could provide on the decision process, or debugging 
> tools I could use to determine why this doesn't work and what a 
> potential solution could look like would be awesome.
> 
> Thanks!
> --jidar

see here https://github.com/qubesos/qubes-app-linux-input-proxy

Also I would recommend not using a USB keyboard. Get a little PS/2 adapter for 
it, which is more secure than having the keyboard in a usbvm.



[qubes-users] ANN: Qubes network server

2016-10-11 Thread Manuel Amador (Rudd-O)
Folks, it gives me great pleasure to announce the product of over two
years of work (primarily because I never paid enough attention to this
project to bring it to completion): Qubes network server.

The traditional Qubes OS networking model contemplates a client-only use
case. User VMs (AppVMs or StandaloneVMs) are attached to ProxyVMs, which
give the user control over outbound connections taking place from user
VMs. ProxyVMs in turn attach to NetVMs, which provide outbound
connectivity for ProxyVMs and other user VMs alike.

Qubes network server changes all that.  With the Qubes network server
software, it becomes possible to make network servers in user VMs
available to other machines, be they peer VMs in the same Qubes OS
system or machines connected to a physical link shared by a NetVM. You
get actual, full, GUI control over network traffic, both exiting the VM
and entering the VM, with exactly the same Qubes OS user experience you
are used to.

This is all, of course, opt-in, so the standard Qubes OS network
security model remains in effect until you decide to share network servers.

Anyway, without further ado:

https://github.com/Rudd-O/qubes-network-server

Real easy: clone, build, install, test.  I tested it with Qubes 3.1, but
it's very likely that it'll work fine in Qubes 3.2.  I recommend you
test this on a Qubes machine that is not your main Qubes machine, but
the code does not do anything funky, and uninstalling the program should
be enough to revert your system back to its original state.

I hope we can turn this add-on into a core Qubes feature.  As always,
contributions to the project — reports, code enhancements, pull
requests, other items — are very much welcome!

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Re: rc.local iptables persistence on reboot

2016-10-11 Thread raahelps
On Tuesday, October 11, 2016 at 6:16:31 AM UTC-4, Unman wrote:
> On Mon, Oct 10, 2016 at 10:19:16PM -0700, raahe...@gmail.com wrote:
> > On Thursday, September 22, 2016 at 7:46:45 AM UTC-4, Connor Page wrote:
> > > world writable script executed as root is the worst advice I've ever seen 
> > > on this mailing list.
> > > please don't do that!
> > 
> > I don't even think that'd make it executable, but writeable lol.  just do 
> > chmod a+x
> > 
> > why not filter outbound instead of inbound?
> > 
> chmod 766 does make it executable, obviously - it also makes it world
> writable.
> 
> I've seen plenty of worse advice on the lists.
> The fact that it's now world writable is a red herring. Every file in a
> qube is writeable by the user in default setup, regardless of
> permissions. It doesn't matter.
> Look at /etc/sudoers.d/qubes 
> 
> Setting custom iptables rules from rc.local is possible - whether it
> adds anything more than a minimal layer of safety is questionable. I
> choose to set inbound and outbound restrictions on all net and proxy
> qubes, and custom restrictions on FORWARD rules too.
> 
> unman

oh ok I thought it would make it readable and writable,  but not executable.  
But I didn't test it. 

Ya well I mean unless he is a webserver I would be filtering outgoing for ports 
80,443, not incoming. Figured it was just good practice.  
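
Added example, not part of the thread and not any poster's code: the mode question argued above, in POSIX shell. It decodes what `chmod 766` grants and audits a root-run script for group or world write access; the function names and the temporary file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: decode an octal mode and audit a script that root executes
# (such as an rc.local) for write access by group or other.
# The file used in demo() is a temporary file constructed for the example.

# mode_string 766 -> rwxrw-rw-   (a leading special-bits digit is dropped)
mode_string() {
    m=$1
    out=""
    while [ "${#m}" -gt 3 ]; do m=${m#?}; done
    while [ -n "$m" ]; do
        d=${m%"${m#?}"}          # first remaining octal digit
        m=${m#?}
        if [ $(($d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(($d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(($d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# has_bits FILE MASK -> success if every permission bit in MASK is set on FILE
has_bits() {
    [ -n "$(find "$1" -prune -perm "-$2")" ]
}

# audit_script FILE -> prints findings; returns 1 if group or other can write
audit_script() {
    f=$1
    rc=0
    if has_bits "$f" 0002; then echo "world-writable: $f"; rc=1; fi
    if has_bits "$f" 0020; then echo "group-writable: $f"; rc=1; fi
    if ! has_bits "$f" 0100; then echo "not executable by owner: $f"; fi
    return "$rc"
}

demo() {
    tmp=$(mktemp) || return 1
    printf '#!/bin/sh\n# constructed stand-in for rc.local\n' > "$tmp"

    chmod 766 "$tmp"
    echo "766 = $(mode_string 766)"
    audit_script "$tmp" || echo "-> 766 fails the audit"

    chmod 755 "$tmp"
    echo "755 = $(mode_string 755)"
    audit_script "$tmp" && echo "-> 755 passes the audit"

    rm -f "$tmp"
}

demo
```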



[qubes-users] Re: Problems with USB Pass through / iGPU drivers

2016-10-11 Thread jidar

On 10/11/2016 08:31 AM, Marek Marczykowski-Górecki wrote:
> If you want custom USB VM, you can simply remove the default one.
> As for qubes.InputKeyboard, take a look here:
> https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard
>
> - --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab

So while this is helpful to understand the function of how qubes sets 
the InputKeyboard, what it does not do is tell me how to specify the 
device used as the keyboard. When I follow the instructions for 
"Creating and Using a USB qube", I'm prompted to allow devices for Mouse 
and Keyboard. I select "Yes to all" and normally my keyboard should work 
here (my mouse does). However, my keyboard is never again functional. 
I'm forced to remove the kernel lines `rd.qubes.hide_all_usb` and force 
sys-usb to not start at boot, then reboot.


In essence, what I'm really trying to understand (outside several other 
questions in the OP of this thread) is how a keyboard device is decided 
on, or how to manually force what device is going to be used for a 
keyboard.


The following is the device I'm attempting to use, but failing:

Bus 001 Device 006: ID 04d9:0141 Holtek Semiconductor, Inc.

For whatever reason, the device is never picked up (unless I don't use a 
sys-usb qube at all) for use as a keyboard.


Any information you could provide on the decision process, or debugging 
tools I could use to determine why this doesn't work and what a 
potential solution could look like would be awesome.


Thanks!
--jidar



Re: [qubes-users] Group/Hide VMs (e.g. mark arbitrary VM as "internal")

2016-10-11 Thread Unman
On Tue, Oct 11, 2016 at 03:23:00PM +0200, Robert Mittendorf wrote:
> Hey again,
> 
> I have quite some VMs that I don't use very often (e.g. for backup reasons).
> I'd like to hide those without hiding all inactive VMs.
> Is it possible to mark an own VM as "internal" like the fedora-23-dvm
> template?
> 
> For future versions it might be nice to be able to group VMs or set as
> "hidden".
> If this is a security concern one could define that running VMs are always
> shown, no matter whether they are hidden or not.
> 
> Robert
> 

Absolutely you can.
qvm-prefs  -s internal True

This has the added benefit of keeping those qubes off the menu.




[qubes-users] HCL - Lenovo ideapad 700

2016-10-11 Thread Jan Fabo
Hi,

seems good on this machine.



Qubes-HCL-LENOVO-80RU-20161011-191252.cpio.gz
Description: GNU Zip compressed data


Qubes-HCL-LENOVO-80RU-20161011-191252.yml
Description: application/yaml


Re: [qubes-users] Random MAC addresses working in Network Manager 1.4.2

2016-10-11 Thread Chris Laprise

On 10/03/2016 03:05 PM, Chris Laprise wrote:
> Network Manager 1.4.2 has been testing very well for me the last few 
> days...
>
> This new version appears to randomize MAC addresses properly, and the 
> feature set has evolved to the point where the randomization process 
> is managed in a more holistic way. For example, you can specify a 
> cloned-mac-address type of 'stable', and this will generate a random 
> MAC (for a given access point) and store it for use with the same AP 
> in the future. Setting it to 'random' will generate a random MAC each 
> time it connects, instead of remembering the address. You can also 
> specify bitmasks for randomization.
>
> When disconnected, the MAC is changed regularly at a set interval. 
> Randomizing also works for ethernet, and is handled entirely by NM 
> just like it is now for wifi.
>
> The network-manager 1.4.2 package is in Debian unstable repo and it's 
> not hard to install in Debian stretch/9. I do recommend removing your 
> old NM connection profiles after upgrading, as randomization (while 
> connected) didn't work for me until I started with fresh connection 
> settings (created a new netvm). After installing, edit 
> /etc/NetworkManager/NetworkManager.conf in the template and add lines 
> like:
>
>    [device-scan]
>    wifi.scan-rand-mac-address=yes
>
>    [connection]
>    wifi.cloned-mac-address=random
>
> Then stop the template and restart the netvm.
>
> More details here:
> https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/
>
> https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html
>
> man nm-settings
> https://github.com/QubesOS/qubes-issues/issues/938
>
> Chris



FYI, Network Manager 1.4.2 has migrated to the Debian stretch repo. 
Simply upgrading the template to debian 9 should provide all the 
randomizing features that NM offers.


https://www.qubes-os.org/doc/debian-template-upgrade-8/

Chris

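The NetworkManager.conf settings from the message above can be checked in a template before the netvm is restarted. The following is an added example, not code from the post or from the Qubes or NetworkManager projects; the function name `audit_nm_conf` and the `WEAK_CONF` sample are constructed for illustration, and per-connection profiles (which can override these defaults, as the post notes for old profiles) are not inspected.

```python
import configparser

# cloned-mac-address values that hide the hardware MAC while connected;
# 'random' and 'stable' are the two modes described in the post.
RANDOMIZING = {"random", "stable"}
FALSE_VALUES = {"no", "false", "off", "0"}

def audit_nm_conf(text, types=("wifi",)):
    """Return a list of findings for NetworkManager.conf content (a string)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key names exactly as written
    # Strip indentation so indented lines are not read as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))

    scan_rand, cloned = None, {}
    for section in cp.sections():
        # NM reads every section whose name starts with "device" or
        # "connection", e.g. [device-scan]. Simplification: last one wins.
        for key, value in cp.items(section):
            value = value.strip().lower()
            if section.startswith("device") and key == "wifi.scan-rand-mac-address":
                scan_rand = value
            elif section.startswith("connection") and key.endswith(".cloned-mac-address"):
                cloned[key.split(".", 1)[0]] = value

    findings = []
    if scan_rand in FALSE_VALUES:  # only an explicit disable is flagged
        findings.append("wifi: scanning exposes the hardware MAC")
    for dev in types:
        mode = cloned.get(dev)
        if mode is None:
            findings.append(f"{dev}: cloned-mac-address not set, NM default applies")
        elif mode not in RANDOMIZING:
            findings.append(f"{dev}: cloned-mac-address={mode} is not randomized")
    return findings

# Constructed samples: the first is the snippet quoted in the post.
POST_CONF = """
   [device-scan]
   wifi.scan-rand-mac-address=yes

   [connection]
   wifi.cloned-mac-address=random
"""
WEAK_CONF = """
[device]
wifi.scan-rand-mac-address=no
[connection-mac]
wifi.cloned-mac-address=permanent
"""

if __name__ == "__main__":
    for name, conf in (("post", POST_CONF), ("weak", WEAK_CONF)):
        print(name, audit_nm_conf(conf, types=("wifi", "ethernet")))
```

Passing `types=("wifi", "ethernet")` also requires an `ethernet.cloned-mac-address` entry, which the snippet in the post does not set.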


Re: [qubes-users] Re: Problems with USB Pass through / iGPU drivers

2016-10-11 Thread Marek Marczykowski-Górecki

On Mon, Oct 10, 2016 at 08:28:04PM -0500, jidar wrote:
> On 10/05/2016 10:10 PM, Jeremy Rand wrote:
> > You can setup a USB VM that's not a NetVM.  Create a new AppVM and
> > assign the USB controller to it in the Devices tab.  You might also have
> > to do the pci_strictreset thingy that the documentation mentions.
> > 
> > Cheers,
> > -Jeremy
> > 
> I've been trying to do this but for some reason it seems my USB keyboard
> gets attached to sys-usb and never gets passed through to
> "qubes.InputKeyboard" which means I get locked out as soon as sys-usb powers
> up. I'm currently trying to read the instructions and github page to
> determine how / why this happens.

If you want custom USB VM, you can simply remove the default one.
As for qubes.InputKeyboard, take a look here:
https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] Re: rc.local iptables persistence on reboot

2016-10-11 Thread Unman
On Mon, Oct 10, 2016 at 10:19:16PM -0700, raahe...@gmail.com wrote:
> On Thursday, September 22, 2016 at 7:46:45 AM UTC-4, Connor Page wrote:
> > world writable script executed as root is the worst advice I've ever seen 
> > on this mailing list.
> > please don't do that!
> 
> I don't even think that'd make it executable, but writeable lol.  just do 
> chmod a+x
> 
> why not filter outbound instead of inbound?
> 
chmod 766 does make it executable, obviously - it also makes it world
writable.

I've seen plenty of worse advice on the lists.
The fact that it's now world writable is a red herring. Every file in a
qube is writeable by the user in default setup, regardless of
permissions. It doesn't matter.
Look at /etc/sudoers.d/qubes 

Setting custom iptables rules from rc.local is possible - whether it
adds anything more than a minimal layer of safety is questionable. I
choose to set inbound and outbound restrictions on all net and proxy
qubes, and custom restrictions on FORWARD rules too.

unman



[qubes-users] How to solve ProxyVM (sys-firewall) becoming non-functional at runtime

2016-10-11 Thread Robert Mittendorf

Hey folks,

sometimes the sys-firewall (more likely a service within it) crashes and 
no longer allows connected VMs to resolve DNS.
The ProxyVM must be the responsible entity, because the connection will 
be fine again if I restart the sys-firewall.
Restarting the ProxyVM is tedious, as you cannot simply restart it when 
running (App)VMs are attached. You have to change the NetVM setting of 
every running connected AppVM (or shut them down) in order to restart 
the sys-firewall.


This does not happen very often, just once, twice a month - but is there 
a less tedious way to fix this?
like a shell command to restart the corresponding service in the 
sys-firewall?


One could use an intermediate proxy, so you have to change only the 
NetVM of a single connected "App"VM - but what if the same problem 
occurs with that additional ProxyVM?


What is the problem with restarting a connected ProxyVM anyway? Yes, 
there should be a warning - but it should be possible to bypass this 
warning I think.


thanks for reading,
Robert



[qubes-users] Thoughts about installed software

2016-10-11 Thread Robert Mittendorf
Software that you don't need is a security risk as it imposes additional 
attack surface - we all know that.
Besides exploits those tools might cause additional threat (e.g. RDP-, 
VNC-, SSH-Clients)

So you better do not install non-universal software* in a template VM.
*software that is not needed in every VM which is based on that template

So where to put non-universal software?

- user-space: allows malware to persist easily, because of persistent 
write rights. And does not allow usage of standard repositories
- other (cloned) TemplateVM: You need to make sure that you keep all 
templates up-to-date for security reasons, you need much more storage 
space and cause more ssd aging


So what about a multi-level template system. That way you can keep at 
least most software up-to-date with a single update process. This would 
need a delta-filesystem instead of the current image=directory approach 
I think. I don't know whether Xen has such capabilities?!


Robert



Re: [qubes-users] Re: HVM Windows

2016-10-11 Thread Robert Mittendorf

pen usb - is it a thumb drive or a tool for drawing?
if thumb drive how do you attach? (block device or usb device?)
are you using the usb-vm? afaik Windows Qubes tools do not yet support 
USB-passthrough.


The file will usually be in documents folder.
You did install the Windows Qubes Tools, didn't you?

Robert

On 10/06/2016 at 08:38 PM, asdfg...@sigaint.org wrote:

On Thursday, 6 October 2016 10:30:19 UTC+1, asdf...@sigaint.org  wrote:

Hello
When I send a file from a appVM to windows HVM, where does it go?
I'm searching but I don't find it

Thank you

Check your user folder, should be in there or in documents. will be in a
folder call QubesIncoming.

Unfortunately there isn't no folder with this name
Another issue is when I attach a pen usb, there isn't no folder where I
can see the file inside

Regards





Re: [qubes-users] Re: 3.2 installation crash on a ThinkPad

2016-10-11 Thread Andrew David Wong

On 2016-10-10 03:21, pixel fairy wrote:
> On Monday, October 10, 2016 at 3:07:06 AM UTC-7, yaqu wrote:
>> On Mon, 10 Oct 2016 01:49:07 -0700 (PDT), pixel fairy
>>  wrote:
>>
>>> On Thursday, October 6, 2016 at 1:47:02 AM UTC-7, jkitt wrote:
>>>> I'm trying to install 3.2 on a ThinkPad T420S but the installation
>>>> seems to crash while booting. The kernel boot log display is
>>>> distorted (see pic) and the system seems to hang.
>>>>
>>>> Does 3.2 work on the T420? Is it a graphical thing - can I disable
>>>> it with a kernel parameter?
>>>
>>> this seems to work on a lot of thinkpads.
>>>
>>> https://www.qubes-os.org/doc/thinkpad_x201/
>>
>> It looks like T420s has the same graphics as T520 (Intel HD 3000). I had
>> a problem with this GPU and R3.2 (random reboots) and I have solved it
>> by adding i915.enable_rc6=0 to kernel parameters:
>> https://groups.google.com/forum/#!msg/qubes-users/DSFcUer3C7M/Rbno0VdfBQAJ
>>
>> BTW with iommu=no-igfx my T520 didn't boot at all.
>>
>> -- 
>> yaqu
> 
> Andrew David Wong, can you add this to the thinkpad notes?
> 

Added: 
https://github.com/QubesOS/qubes-doc/commit/dd99a8527511fca75205ddb72a857d57ce44e5e0

Thanks!

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] [Q3.2] Fn keys stopped working.

2016-10-11 Thread Mathew Evans
I've used qubes for quite a while now and had no issues with my Fn (function) 
keys working as should do until the Qubes 3.2 release, all the release 
candidates they worked perfectly fine. I've checked with xev in dom0 and they 
are not even detected as XF86 keys so I can't even manually map them in i3 
config.

Any ideas at all would be helpful.

Laptop: Clevo P650



Re: [qubes-users] Re: Qubes Windows 10?

2016-10-11 Thread Ph.T
On Mon, Oct 10, 2016 at 10:39 PM,  wrote:

>
> how did you remove cortana?
>

https://www.youtube.com/watch?v=Q990oW7JgvA
