[qubes-users] installing nvidia

2016-11-15 Thread neznaika
https://www.qubes-os.org/doc/install-nvidia-driver/
here we have: 
"Build kernel package

You will need at least kernel-devel (matching your Qubes dom0 kernel), rpmbuild 
tool and kmodtool, and then you can use it to build package:"

What does it mean? Should I, on Fedora 18 with the rpmfusion repo, download the 
kernel-devel which matches my Qubes dom0 kernel? How is that? Should I 
find "4.1.13-9.pvops.qubes.x86_64" in rpmfusion? How is that?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a2220e26-2c6f-46fd-a709-cc3ab5a12b4a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-15 Thread raahelps
On Tuesday, November 15, 2016 at 10:45:06 PM UTC-5, raah...@gmail.com wrote:
> On Tuesday, November 15, 2016 at 7:44:53 PM UTC-5, pixel fairy wrote:
> > On Tuesday, November 15, 2016 at 8:46:51 AM UTC-5, Andrew David Wong wrote:
> > > 
> > > As far as I'm aware, any laptop with VT-x should be able to handle a 
> > > Windows VMs, and in general, most laptops comes with Windows. So, you're 
> > > basically just looking for a laptop that has good Qubes compatibility. 
> > > Take a look at the following:
> > 
> > a sad trend now is laptops that are bios locked to only run windows. 
> > 
> > id also like to find a vendor that will still give us support and coverage 
> > on hardware issues, like ibm did before lenovo took over.
> 
> what I always suggest is to buy one that has a manual to view all the 
> specifications.  Preferably where you can see bios pictures in the manual.  
> And for Qubes I always suggest one where you can see VT-d is enabled in the 
> picture.  or if it says it's enabled by default then you are good to go for 
> sure. To get the full security benefits.

To see how it performs,  you can search the model on linux forums, see if linux 
users use it, then you are good to go.



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-15 Thread raahelps
On Tuesday, November 15, 2016 at 7:44:53 PM UTC-5, pixel fairy wrote:
> On Tuesday, November 15, 2016 at 8:46:51 AM UTC-5, Andrew David Wong wrote:
> > 
> > As far as I'm aware, any laptop with VT-x should be able to handle a 
> > Windows VMs, and in general, most laptops comes with Windows. So, you're 
> > basically just looking for a laptop that has good Qubes compatibility. Take 
> > a look at the following:
> 
> a sad trend now is laptops that are bios locked to only run windows. 
> 
> id also like to find a vendor that will still give us support and coverage on 
> hardware issues, like ibm did before lenovo took over.

what I always suggest is to buy one that has a manual to view all the 
specifications.  Preferably where you can see bios pictures in the manual.  And 
for Qubes I always suggest one where you can see VT-d is enabled in the 
picture.  or if it says it's enabled by default then you are good to go for 
sure. To get the full security benefits.



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-15 Thread pixel fairy
On Tuesday, November 15, 2016 at 8:46:51 AM UTC-5, Andrew David Wong wrote:
> 
> As far as I'm aware, any laptop with VT-x should be able to handle a Windows 
> VMs, and in general, most laptops comes with Windows. So, you're basically 
> just looking for a laptop that has good Qubes compatibility. Take a look at 
> the following:

a sad trend now is laptops that are bios locked to only run windows. 

id also like to find a vendor that will still give us support and coverage on 
hardware issues, like ibm did before lenovo took over.



Re: [qubes-users] Re: One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-15 Thread dumbcyber
On Tuesday, 15 November 2016 18:14:00 UTC+11, Jean-Philippe Ouellet  wrote:
> On Tue, Nov 15, 2016 at 12:17 AM, dumbcyber <> wrote:
> > On Tuesday, 15 November 2016 10:28:52 UTC+11, Marek Marczykowski-Górecki  
> > wrote:
> >> you need to remove 'rd.qubes.hide_all_usb' from kernel parameters.
> >
> > Thanks for the info. For me a noob, how do I remove that parameter from 
> > kernel?  Thank you.
> 
> From the installer, use your favorite editor on
> /boot/efi/EFI/qubes/xen.cfg to remove just the rd.qubes.hide_all_usb
> parameter from the kernel= line. It will probably be at the end of the
> line.
> 
> Note that your EFI partition might be mounted somewhere other than
> /boot/efi (I don't remember). The `mount` command should tell you
> where. Look for something like:
> /dev/nvme0n1p1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=...

Thanks for the guide.  My boot64x.cfg does not contain this parameter. Here is 
the full CFG file

[global]
default=4.4.14-11.pvops.qubes.x86_64

[4.4.14-11.pvops.qubes.x86_64]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M
kernel=vmlinuz-4.4.14-11.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.luks.uuid=luks-9b163fd2-93d9-4498-a83d-712baae8432e rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rhgb quiet
ramdisk=initramfs-4.4.14-11.pvops.qubes.x86_64.img

[4.4.14-11.pvops.qubes.x86_64]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M
kernel=vmlinuz-4.4.14-11.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.luks.uuid=luks-9b163fd2-93d9-4498-a83d-712baae8432e rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rhgb quiet
ramdisk=initramfs-4.4.14-11.pvops.qubes.x86_64.img


Thanks for your help.
PS I'm building another Qubes install where I'll uncheck "use sys-usb" later 
today
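
Added example (not part of the original posts, and not Qubes project code): shell functions for the edit described in the quoted advice above. They report which sections of a xen.cfg-style file carry a given kernel parameter and remove it from the kernel= lines, keeping a .bak copy. The file path is an argument because the EFI partition may be mounted elsewhere; the function names and the sample file (modelled on the config posted above, with a placeholder LUKS UUID) are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect and edit kernel= lines in a xen.cfg-style file.
# rd.qubes.hide_all_usb is the parameter named in the thread; the function
# names and the sample file are constructed for this demonstration.

# Print the header of every section whose kernel= line carries PARAM,
# matched as a whole word ("name" or "name=value"), never as a substring.
sections_with_param() {
    awk -v p="$2" '
        /^\[/ { section = $0 }
        /^kernel=/ {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == p) { print section; break }
            }
        }' "$1"
}

# Remove PARAM from every kernel= line and leave all other lines untouched.
# The original is kept as FILE.bak so the edit can be reverted.
remove_kernel_param() {
    cp "$1" "$1.bak" || return 1
    awk -v p="$2" '
        /^kernel=/ {
            line = $1
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] != p) line = line " " $i
            }
            print line
            next
        }
        { print }' "$1.bak" > "$1"
}

# Constructed sample: one section whose kernel= line ends with the parameter.
write_sample_cfg() {
    cat > "$1" <<'EOF'
[global]
default=4.4.14-11.pvops.qubes.x86_64

[4.4.14-11.pvops.qubes.x86_64]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M
kernel=vmlinuz-4.4.14-11.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.luks.uuid=luks-EXAMPLE-UUID rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap rhgb quiet rd.qubes.hide_all_usb
ramdisk=initramfs-4.4.14-11.pvops.qubes.x86_64.img
EOF
}

# Demonstration on a temporary copy; on a real system pass the path that
# `mount` reports for the EFI partition instead.
cfg=$(mktemp)
write_sample_cfg "$cfg"
echo "sections with the parameter before: $(sections_with_param "$cfg" rd.qubes.hide_all_usb)"
remove_kernel_param "$cfg" rd.qubes.hide_all_usb
echo "sections with the parameter after:  $(sections_with_param "$cfg" rd.qubes.hide_all_usb)"
diff "$cfg.bak" "$cfg" || true   # show exactly what changed
rm -f "$cfg" "$cfg.bak"
```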



Re: [qubes-users] Using distribution kernel in Template VM

2016-11-15 Thread Marek Marczykowski-Górecki

On Mon, Nov 07, 2016 at 08:46:24PM +, Fred wrote:
> 
> I followed the instructions here
> https://www.qubes-os.org/doc/managing-vm-kernel/ for using the VM kernel.
> 
> So in short:
> 
> in dom0: sudo qubes-dom0-update grub2-xen
> in fedora-23 template vm: sudo yum install qubes-kernel-vm-support
> grub2-tools
> in fedora-23 template vm: installed a distro kernel and matching
> kernel-devel from fedora repo.
> in fedora-23 template vm: sudo grub2-mkconfig -o /boot/grub2/grub.cfg to
> create grub config.
> 
> I can then set pvgrub2 as kernel for fedora-23 template and start it.
> 
> fedora-23 boots without error, booting the VM kernel. Troubleshooting with
> sudo xl console fedora-23 shows no obvious problems and it finishes the boot
> sequence with a login prompt. The virt manager in dom0 shows for its status
> an amber dot. It momentarily goes green, but then changes back to amber.
> 
> Is there any way to debug this further? Have any steps been missed?

Check if u2mfn module was built automatically. Simply login on the
template console and check `modinfo u2mfn`. If it's not there, build it
using `dkms autoinstall` command (see its manual page for exact
parameters).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-15 Thread Marek Marczykowski-Górecki

On Wed, Nov 16, 2016 at 12:28:17AM +0100, yaqu wrote:
> On Tue, 15 Nov 2016 23:06:48 +0100, yaqu 
> wrote:
> 
> > You have tried to remove fedora-23 using dnf, while some appVMs still
> > were using it as a template. Dnf has displayed an error, but also it
> > has removed package, leaving it in qubes config (and not cleaning
> > template's directory).
> 
> Anyway, I think it should be considered as a bug.
> 
> Steps to reproduce (assuming fedora-23-minimal is not installed):
> 
> $ sudo qubes-dom0-update qubes-template-fedora-23-minimal
> $ qvm-create -t fedora-23-minimal -l red test-vm
> $ sudo dnf remove qubes-template-fedora-23-minimal

Yes, you're right. Previously (before Fedora introduced DNF), failure in
%preun script aborted the operation, now it results just in a message.
Not sure if this is a bug or a feature of DNF...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-15 Thread yaqu
On Tue, 15 Nov 2016 23:06:48 +0100, yaqu 
wrote:

> You have tried to remove fedora-23 using dnf, while some appVMs still
> were using it as a template. Dnf has displayed an error, but also it
> has removed package, leaving it in qubes config (and not cleaning
> template's directory).

Anyway, I think it should be considered as a bug.

Steps to reproduce (assuming fedora-23-minimal is not installed):

$ sudo qubes-dom0-update qubes-template-fedora-23-minimal
$ qvm-create -t fedora-23-minimal -l red test-vm
$ sudo dnf remove qubes-template-fedora-23-minimal

-- 
yaqu



Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-11-15 Thread Marek Marczykowski-Górecki

On Tue, Nov 15, 2016 at 02:47:29AM -0500, Jean-Philippe Ouellet wrote:
> On Mon, Nov 14, 2016 at 4:16 PM, Marek Marczykowski-Górecki
>  wrote:
> > You can temporarily set sys-firewall netvm to none. This will allow you
> > to shutdown/restart sys-net without consequences. Remember to change
> > sys-firewall netvm back to sys-net afterwards.
> 
> Good to know! I wish I'd thought of that earlier :)
> 
> >> Curiously, the wireless didn't hang while i had the 4.4 kernel in
> >> dom0, and now it hangs with 4.8 in dom0 and either 4.4 OR 4.8 in
> >> sys-net. This does not make sense to me, but it is indeed what I have
> >> observed. Perhaps it was also failing before and I just never noticed
> >> because the whole machine would hang so often.
> >
> > I'd guess the later... When it hangs, does the suspend before takes
> > usual not-so-long time, or is significantly longer?
> 
> Assuming you mean "when the wireless card attached to sys-net appears
> to hang, does immediately prior overall system resume appear to take
> longer?" then I have not noticed that to be the case. I will try to be
> more aware of that in the future.
> 
> What do you suspect that makes you ask this?

When suspending the system, dom0 asks each VM having any PCI device to
suspend itself (properly suspending the device etc). But there is a
timeout (AFAIR 30s) after which the VM is simply paused. In that case, the
device/driver after resume most likely will be confused... In some cases
it resets the device and works just fine, in other cases a driver reload is
needed, or even a VM restart.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Disposable VMs are not disposed of

2016-11-15 Thread Marek Marczykowski-Górecki

On Tue, Nov 15, 2016 at 02:37:14PM +, IX4 Svs wrote:
> On Tue, Nov 15, 2016 at 1:14 AM, Marek Marczykowski-Górecki <
> marma...@invisiblethingslab.com> wrote:
> 
> > On Tue, Nov 15, 2016 at 12:34:19AM +, Alex wrote:
> > > This is the second time I encounter this freaky issue on R3.1:
> > >
> > > Start a DispVM Firefox, login to a website, close Firefox, observe the
> > disposable VM is gone from the VM manager. Fine so far.
> > >
> > > Launch a new disposable Firefox which creates a new VM with a different
> > name (dispN) - notice with horror that you are already logged on to the
> > website you had logged on to from the terminated VM.
> > >
> > > Surely this is not supposed to happen. How to troubleshoot?
> >
> > I believe you've hit this issue:
> > https://github.com/QubesOS/qubes-issues/issues/2200
> >
> > The issue is fixed in R3.2, but it hasn't been yet backported to R3.1...
> > For now, make sure that files in /var/lib/qubes/appvms/fedora-23-dvm (or
> > other - depending on what template you use for DispVM) are owned by your
> > user. Then recreate DispVM savefile with qvm-create-default-dvm.
> >
> >
> All files in /var/lib/qubes/appvms/fedora-23-dvm are owned by my user,
> group qubes - but volatile.img is -rw-r--r-- while all other files are
> -rw-rw-r-- (so, group can't write to it). I changed this with chmod 664
> volatile.img but on running qvm-create-default-vm the permissions are reset
> to their earlier state - and volatile.img is not group-writeable.
> 
> Should people on R3.1 just chmod 664 volatile.img right after recreating
> the DVM?

Above permissions looks ok - if the file is owned by your user, being
group writable does not matter. Maybe it was owned by root during
previous qvm-create-default-dvm call, but now is ok?

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Does Qubes log login attempts?

2016-11-15 Thread Unman
On Tue, Nov 15, 2016 at 12:16:10PM -0800, RJ P wrote:
> Also just learned the 'last' command - https://linux.die.net/man/1/last
> Yeah I'm still sort of a nubie you can say. :-/
> 

try journalctl - you want the xscreensaver and audit units.
e.g journalctl -t xscreensaver



Re: [qubes-users] Re: Intel TXT advice

2016-11-15 Thread taii...@gmx.com
So you know AFAIK OPOWER8+ systems have an emulation layer for x86 that 
works quite well, on the TALOS page you can see them playing a modern 3d 
game with it via pass thru video although obviously you wouldn't want to 
emulate a VMM.


Xen isn't the be all-end all of virtualization, there are many other 
solutions and some of them work better. (I could never get pass thru 
video to work with xen, only qemu-kvm and I used libvirt for the 
management layer)


There are plenty of non ME systems out there that are new enough to be 
useful for gaming, only AM4/FM2 have PSP but all the other AMD procs 
don't have PSP. The KGPE-d16 for instance is an opteron blob free 
coreboot/libreboot board that is quite nice for a performance 
workstation. For a laptop there is always the novena and a few other 
blob free ones, and if you don't want ME you can buy a non PSP AMD laptop.




Re: [qubes-users] Fresh R3.2 install, no /etc/default/grub

2016-11-15 Thread Daniel Moerner
On Tue, Nov 15, 2016 at 3:48 PM, Marek Marczykowski-Górecki <
marma...@invisiblethingslab.com> wrote:
> I guess you have installed the system in UEFI mode. In that case, kernel
> parameters are in /boot/efi/EFI/qubes/xen.cfg.

Hi Marek,

Thank you for the quick response. That hint and a bit more searching helped
me find this earlier discussion on the mailing list:
https://groups.google.com/forum/#!msg/qubes-users/KTRlrc9vC1U/ajxXQtBPBAAJ

Editing xen.cfg and then relocating the initramfs produced by dracut solved
the problem. Perhaps someone with permission could add a link to that
discussion to the wiki page.

Thanks!
Daniel



Re: [qubes-users] PAM errors after disabling password-less root

2016-11-15 Thread Unman
On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
> On 11/15/2016 07:20 AM, Unman wrote:
> >On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
> >>On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
> >>>Following the instructions for the 'vm-sudo' doc, I get the following error
> >>>in Debian 9:
> >>>
> >>>/usr/lib/qubes/qrexec-client-vm failed: exit code 1
> >>>sudo: PAM authentication error: System error
> >>>
> >>>
> >>>Also, in the Debian 8 template the instructions don't match, as there
> >>>appears to be no file '/etc/pam.d/common-auth'.
> >>>
> >>>Chris
> >>>
> >>Where did you get that template? The file is present in the default 3.2,
> >>and even in a minimal-no-recommends template for Debian-8.
> >>
> >>I'll look at the Debian-9 issue now.
> >>
> >I'm afraid I don't see this issue in a Debian-9 template.
> >Can you check your editing?
> >
> >Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth
> >command, and making sure you get the expected output.
> >You should see the prompt(from the policy) and then  output from dom0.
> >
> >unman
> >
> 
> Thanks for checking. However, I triple-checked my editing in Debian 9 and
> Debian 8 template is 'stock' basically nothing added to it.
> 
> The qubes.VMAuth request said 'Request refused'. The doc appears to have a
> typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that
> causes '$anyvm' to disappear from the output. This line should use single
> quotes instead.
> 
> Chris

You're right about that typo. Once you fixed it what happened?
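
Added example (not part of the original posts or of the vm-sudo doc): the quoting problem discussed above, reproduced in shell. It shows what double and single quotes each write, a check that flags the truncated rule, and `set -u` stopping the double-quoted command. The rule text "$anyvm dom0 ask" (in the "source target action" policy form) and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The rule text and function names are assumptions; the
# rule is not copied from the doc's Step 1.

# Double quotes: the shell expands $anyvm, which is not a shell variable,
# so the source field vanishes from what is written.
write_rule_double_quoted() {
    ( set +u; unset anyvm; echo "$anyvm dom0 ask" ) > "$1"
}

# Single quotes: the literal token $anyvm reaches the file.
write_rule_single_quoted() {
    echo '$anyvm dom0 ask' > "$1"
}

# The same double-quoted command under `set -u`: the subshell aborts on the
# unset variable instead of silently writing a truncated rule.
write_rule_nounset() {
    ( set -u; unset anyvm; echo "$anyvm dom0 ask" > "$1" ) 2>/dev/null
}

# Flag any rule that lacks the three fields or a known action keyword.
# Returns non-zero if at least one rule is malformed.
check_policy() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF < 3 || $3 !~ /^(allow|deny|ask)(,|$)/ {
            printf "line %d malformed: [%s]\n", NR, $0
            bad = 1
        }
        END { exit bad + 0 }' "$1"
}

# Demonstration in a scratch directory (nothing under /etc is touched).
d=$(mktemp -d)
write_rule_double_quoted "$d/double"
write_rule_single_quoted "$d/single"
for f in double single; do
    if check_policy "$d/$f"; then
        echo "$f quotes: rule accepted"
    else
        echo "$f quotes: rule rejected"
    fi
done
if write_rule_nounset "$d/nounset"; then
    echo "set -u: rule written"
else
    echo "set -u: command aborted before writing a truncated rule"
fi
rm -rf "$d"
```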



Re: [qubes-users] Fresh R3.2 install, no /etc/default/grub

2016-11-15 Thread Marek Marczykowski-Górecki

On Tue, Nov 15, 2016 at 12:30:44PM -0800, dmoer...@gmail.com wrote:
> Hi,
> 
> I just completed a fresh R3.2 install on a Lenovo X1 Carbon 3rd generation 
> (20BSCT01WW). Thanks to all the devs for their amazing work on this release. 
> So far as I can tell, everything works out of the box. (One of my favorite 
> features is the ease of implementing VM-by-VM VPNs.)
> 
> I want to enable TRIM for the SSD, following 
> https://www.qubes-os.org/doc/disk-trim/. However, there is no 
> /etc/default/grub in dom0. I realized that grub2-tools is supposed to provide 
> /etc/default/grub and grub2-mkconfig. So I installed that in dom0. But there 
> is still nothing in /etc/default/grub. Where can I find the default 
> /etc/default/grub file?
> 
> Thanks for any help you might be able to provide, I hope to pass it on in the 
> future to other users.

I guess you have installed the system in UEFI mode. In that case, kernel
parameters are in /boot/efi/EFI/qubes/xen.cfg.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[qubes-users] Fresh R3.2 install, no /etc/default/grub

2016-11-15 Thread dmoerner
Hi,

I just completed a fresh R3.2 install on a Lenovo X1 Carbon 3rd generation 
(20BSCT01WW). Thanks to all the devs for their amazing work on this release. So 
far as I can tell, everything works out of the box. (One of my favorite 
features is the ease of implementing VM-by-VM VPNs.)

I want to enable TRIM for the SSD, following 
https://www.qubes-os.org/doc/disk-trim/. However, there is no /etc/default/grub 
in dom0. I realized that grub2-tools is supposed to provide /etc/default/grub 
and grub2-mkconfig. So I installed that in dom0. But there is still nothing in 
/etc/default/grub. Where can I find the default /etc/default/grub file?

Thanks for any help you might be able to provide, I hope to pass it on in the 
future to other users.

Best,
Daniel



[qubes-users] Re: Does Qubes log login attempts?

2016-11-15 Thread RJ P
OK, never mind about the login attempts I found them. They are in 
/var/log/lightdm/lightdm.log

But I still need the xscreensaver login attempts log. Also the lightdm.log only 
displays [+69.22s] and not the time and date. Is there a way to change that? 



Re: [qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-15 Thread Grzesiek Chodzicki
On Sunday, 13 November 2016 23:26:10 UTC+1, yaqu wrote:
> On Sun, 13 Nov 2016 12:30:25 -0800 (PST), Grzesiek Chodzicki
>  wrote:
> 
> > On Sunday, 13 November 2016 20:54:06 UTC+1, yaqu wrote:
> > > 
> > > It looks like you do not have this package installed (or you have
> > > executed this command in VM instead of dom0).
> > > 
> > > To get a list of templates installed from rpm in dom0, you can use
> > > this command:
> > > [user@dom0 ~]$ rpm -qa | grep template
> > 
> > I did execute it in dom0, fedora-23 was installed by default when I
> > installed Qubes on my PC.
> 
> Please, check if your fedora-23 template was really installed from rpm
> (and it wasn't cloned from previous version and upgraded to f23):
> 
> [user@dom0 ~]$ qvm-prefs fedora-23 | grep rpm
> installed_by_rpm   : True
> 
> You can also check this using Qubes VM Manager (in VM settings, tab
> Basic, under "General").
> 
> If your fedora-23 template was not installed from rpm, you can remove
> it using Qubes VM Manager or using command:
> 
> [user@dom0 ~]$ qvm-remove fedora-23
> 
> -- 
> yaqu

qvm-prefs does return true for installed_by_rpm, moreover using qvm-remove 
causes the "this package was installed by rpm" message to appear.



Re: [qubes-users] isolated workflows - image converter - trusted jpg

2016-11-15 Thread '019438'1094328'0914328'09143
Hello,

thanks for the feedback, now I can understand the behavior.  

I would appreciate very much the same isolated work flow for pictures / graphics 
like the PDF and the overwriting helps to keep the disk size tiny and the 
appendix secured really help to organize the files from the first step.

Now I deleted manually the unsecured files and proceed with my work-flow and so I 
don't know, which files are now processed and which one are still waiting...

Very nice is, that I can select more than one file and run this task in the 
background: Select & forget

Many times photos get compressed better via JPG and graphics via PNG, I have 
seen also in other tasks very oversize huge files, if the format is not fitting 
to the content - I think this would be good to keep it in mind, so the quality 
should be ok and the size tiny - if possible.

Thanks and Kind Regards



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-15 Thread Unman
On Tue, Nov 15, 2016 at 03:39:15PM +0100, Zrubi wrote:
> On 11/15/2016 02:46 PM, Andrew David Wong wrote:
> 
> > Licensing is a tricky issue. I'm not sure whether the Windows license 
> > allows you to clone Windows VMs or to run multiple Windows AppVMs from a 
> > single Windows TemplateHVM. That's a question for the lawyers. Maybe others 
> > around here have information about it.
> 
> If we are talking about a normal (OEM) desktop license you are allowed
> to RUN a SINGLE instance of windows VM.
> 
> This means you are fine with running a single HVM instance.
> 
> 
> Because of windows OS licencing is bound to the hardware. In case of
> qubes, the hardware is a virtual one. Moreover if you try to run a
> template based windows you will face a technical issue: You can't
> activate your windows permanently, because:
> 
> - activate the template itself
> One may think that this should be ok. and it is. Your template will be
> activated - but You only use the template for OS updates. Once you start
> an AppVM based on this template, that's gonna be a NEW virtual hardware
> which will break the activation.
> 
> - activate the AppVM
> You can do it for sure. However you have to do it on EVERY startup. Not
> sure how many activation will be tolerated by Microsoft.
> 
> 
> Conclusion:
> Windows is not designed to be run as a template based VM.
> 
> 
> 
> -- 
> Zrubi

This is true for OEM licenses. It would be possible to acquire an add-on
under Software Assurance and run up to 4 VMs, and that is probably the best
route to follow for template based Windows qubes.

In a business environment this might already be available. N.B., if you
want to connect to MS server products from multiple VMs that could open
a separate can of worms.



Re: [qubes-users] isolated workflows - image converter - trusted jpg

2016-11-15 Thread Unman
On Tue, Nov 15, 2016 at 06:00:21AM -0800, '091823'04918'032948'1093248018243 
wrote:
> Hello,
> 
> wow cool, I found out that now QR32 also can convert pictures into a trusted 
> image.
> 
> Only I got confused, because after the conversion, I got two files:
> 
> i) xy.jpg
> ii) xy_untrusted.jpg
> 
> In the PDF work flow it was the opposite:
> 
> i) xy.pdf
> ii) xy_trusted.pdf
> 
> I liked the last work flow much better, because after the conversion, I can 
> see it, that this conversion took really place!
> (especially after the copying around from files, so it will be easy to lost 
> the overview...)
> 
> I don't found some docu for the untrusted.jpg, this means I must wipe the 
> xy_untrusted.jpg and keep the xy.jpg, which is now the 100% dead jpg picture, 
> right?
> 
> Merci for this very nice new feature and Kind Regards
> 
> 
> 
> 
> P.S. Do I need also some Safety Linux Converter for MP3 and MP4, or are these 
> files always 100% dead, without any kind of embedded objects by default?
> 

Yes, you're right - they are handled and named inconsistently.
Perhaps this should be changed.
Also, if I remember correctly, the pdf converter will arbitrarily
overwrite another PDF with the same name. 

It's up to you if you keep the original "untrusted" image. There might
be value in that.

As to mp3/mp4, absolutely NOT dead, and can easily carry embedded
objects. Definitely not to be trusted. If you are concerned always open
them in a dispVM.

unman
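
Added example, not part of the original messages: a shell helper that sorts the files in a directory by the two naming schemes described in this thread, so it is visible which files are converted, which are kept originals, and which are still waiting. It assumes the names exactly as the poster gives them (xy_untrusted.jpg, xy_trusted.pdf); the function names and status labels are made up for this illustration.

```shell
#!/bin/sh
# Added example: inventory of converted / original / pending files.
# Assumed naming, as described in the thread:
#   images: xy.jpg is the converted file, xy_untrusted.jpg the kept original
#   PDFs:   xy.pdf is the original,       xy_trusted.pdf the converted file
# Limitation: a converted image copied away from its _untrusted sibling looks
# exactly like an unconverted one and is reported as "pending".

# classify_file PATH
# Prints one of: converted | original | pending | no-converter
classify_file() (
    dir=$(dirname -- "$1")
    base=$(basename -- "$1")
    case $base in
        *.*) ext=${base##*.}; stem=${base%.*} ;;
        *)   echo no-converter; exit 0 ;;
    esac
    case $ext in
        jpg|JPG|jpeg|JPEG|png|PNG)
            case $stem in
                *_untrusted) echo original ;;
                *)  if [ -e "$dir/${stem}_untrusted.$ext" ]; then
                        echo converted
                    else
                        echo pending
                    fi ;;
            esac ;;
        pdf|PDF)
            case $stem in
                *_trusted) echo converted ;;
                *)  if [ -e "$dir/${stem}_trusted.$ext" ]; then
                        echo original
                    else
                        echo pending
                    fi ;;
            esac ;;
        # Everything else, including mp3/mp4: no conversion is described in
        # the thread, so treat the file as untrusted input.
        *)  echo no-converter ;;
    esac
)

# inventory [DIR]
# Prints "status<TAB>filename" for every regular file in DIR (default: .).
inventory() (
    dir=${1:-.}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(classify_file "$f")" "$(basename -- "$f")"
    done
)

# Stand-alone use: sh inventory.sh ~/Pictures
if [ "$#" -gt 0 ]; then
    inventory "$1"
fi
```

Files reported as no-converter or pending are the ones to keep opening in a DispVM.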



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-15 Thread Zrubi
On 11/15/2016 02:46 PM, Andrew David Wong wrote:

> Licensing is a tricky issue. I'm not sure whether the Windows license allows 
> you to clone Windows VMs or to run multiple Windows AppVMs from a single 
> Windows TemplateHVM. That's a question for the lawyers. Maybe others around 
> here have information about it.

If we are talking about a normal (OEM) desktop license you are allowed
to RUN a SINGLE instance of windows VM.

This means you are fine with running a single HVM instance.


Because of windows OS licencing is bound to the hardware. In case of
qubes, the hardware is a virtual one. Moreover if you try to run a
template based windows you will face a technical issue: You can't
activate your windows permanently, because:

- activate the template itself
One may think that this should be ok. and it is. Your template will be
activated - but You only use the template for OS updates. Once you start
an AppVM based on this template, that's gonna be a NEW virtual hardware
which will break the activation.

- activate the AppVM
You can do it for sure. However you have to do it on EVERY startup. Not
sure how many activation will be tolerated by Microsoft.


Conclusion:
Windows is not designed to be run as a template based VM.



-- 
Zrubi



Re: [qubes-users] Disposable VMs are not disposed of

2016-11-15 Thread IX4 Svs
On Tue, Nov 15, 2016 at 1:14 AM, Marek Marczykowski-Górecki <
marma...@invisiblethingslab.com> wrote:

> On Tue, Nov 15, 2016 at 12:34:19AM +, Alex wrote:
> > This is the second time I encounter this freaky issue on R3.1:
> >
> > Start a DispVM Firefox, login to a website, close Firefox, observe the
> > disposable VM is gone from the VM manager. Fine so far.
> >
> > Launch a new disposable Firefox which creates a new VM with a different
> > name (dispN) - notice with horror that you are already logged on to the
> > website you had logged on to from the terminated VM.
> >
> > Surely this is not supposed to happen. How to troubleshoot?
>
> I believe you've hit this issue:
> https://github.com/QubesOS/qubes-issues/issues/2200
>
> The issue is fixed in R3.2, but it hasn't been yet backported to R3.1...
> For now, make sure that files in /var/lib/qubes/appvms/fedora-23-dvm (or
> other - depending on what template you use for DispVM) are owned by your
> user. Then recreate DispVM savefile with qvm-create-default-dvm.
>
>
All files in /var/lib/qubes/appvms/fedora-23-dvm are owned by my user,
group qubes - but volatile.img is -rw-r--r-- while all other files are
-rw-rw-r-- (so, group can't write to it). I changed this with chmod 664
volatile.img but on running qvm-create-default-dvm the permissions are reset
to their earlier state - and volatile.img is not group-writeable.

Should people on R3.1 just chmod 664 volatile.img right after recreating
the DVM?

Thanks

Alex
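
Added example, not part of the original messages: a dom0 shell helper that reports the two conditions discussed in this thread, files in the DispVM template directory not owned by the expected user and files without the group write bit (as with volatile.img above). The function and label names are made up for this illustration; the directory is passed as an argument.

```shell
#!/bin/sh
# Added example: audit a DispVM template directory in dom0.
# Findings are printed as "label<TAB>path":
#   owner-mismatch      file is not owned by the expected user
#   not-group-writable  file lacks the group write bit (the volatile.img case)

# Prefix every path read on stdin with the label in $1 and a tab.
label_paths() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_dvm_dir DIR [USER]
# USER may be a user name or a numeric uid; defaults to the caller's uid.
# Exit status: 0 = no findings, 1 = findings printed, 2 = DIR is not a directory.
audit_dvm_dir() (
    dir=$1
    owner=${2:-$(id -u)}
    if [ ! -d "$dir" ]; then
        echo "audit_dvm_dir: not a directory: $dir" >&2
        exit 2
    fi
    findings=$(
        find "$dir" -type f ! -user "$owner" | label_paths owner-mismatch
        find "$dir" -type f ! -perm -020 | label_paths not-group-writable
    )
    [ -z "$findings" ] && exit 0
    printf '%s\n' "$findings"
    exit 1
)

# Stand-alone use in dom0, with the path named in the thread:
#   sh audit-dvm.sh /var/lib/qubes/appvms/fedora-23-dvm
if [ "$#" -gt 0 ]; then
    audit_dvm_dir "$@"
fi
```

Run it again after qvm-create-default-dvm, since the message above reports that the command resets the mode of volatile.img.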



Re: [qubes-users] isolated workflows - image converter - trusted jpg

2016-11-15 Thread Andrew David Wong

On 2016-11-15 06:00, '091823'04918'032948'1093248018243 wrote:
> Hello,
> 
> wow cool, I found out that now QR32 also can convert pictures into a trusted 
> image.
> 
> Only I got confused, because after the conversion, I got two files:
> 
> i) xy.jpg
> ii) xy_untrusted.jpg
> 
> In the PDF work flow it was the opposite:
> 
> i) xy.pdf
> ii) xy_trusted.pdf
> 
> I liked the last work flow much better, because after the conversion, I can 
> see it, that this conversion took really place!
> (especially after the copying around from files, so it will be easy to lost 
> the overview...)
> 
> I don't found some docu for the untrusted.jpg, this means I must wipe the 
> xy_untrusted.jpg and keep the xy.jpg, which is now the 100% dead jpg picture, 
> right?
> 
> Merci for this very nice new feature and Kind Regards
> 

That does indeed appear to be an oversight. Tracking here:

https://github.com/QubesOS/qubes-issues/issues/2437

> P.S. Do I need also some Safety Linux Converter for MP3 and MP4, or are these 
> files always 100% dead, without any kind of embedded objects by default?
> 

I think it's fair to say that *any* time complex input is being parsed, there's 
the potential for malicious input to be crafted to exploit a bug in whatever 
program is doing the parsing.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


[qubes-users] isolated workflows - image converter - trusted jpg

2016-11-15 Thread '091823'04918'032948'1093248018243
Hello,

wow cool, I found out that now QR32 also can convert pictures into a trusted 
image.

Only I got confused, because after the conversion, I got two files:

i) xy.jpg
ii) xy_untrusted.jpg

In the PDF work flow it was the opposite:

i) xy.pdf
ii) xy_trusted.pdf

I liked the last work flow much better, because after the conversion, I can see 
it, that this conversion took really place!
(especially after the copying around from files, so it will be easy to lost the 
overview...)

I don't found some docu for the untrusted.jpg, this means I must wipe the 
xy_untrusted.jpg and keep the xy.jpg, which is now the 100% dead jpg picture, 
right?

Merci for this very nice new feature and Kind Regards




P.S. Do I need also some Safety Linux Converter for MP3 and MP4, or are these 
files always 100% dead, without any kind of embedded objects by default?


 



[qubes-users] Re: Installing VPN in Qubes Versus VPN on a Router

2016-11-15 Thread amadaus
amad...@riseup.net:
> We see much correspondence in these forums about installing a VPN within
> Qubes. Surely, the most secure place for VPN is to install on a Router?
> I say these things after reading the following paper [
> https://cryptome.org/2013/12/Full-Disclosure.pdf ] in which a group of
> hackers demonstrate that the majority of routers (in particular those
> provided by ISPs) have backdoors to government agencies. These
> adversaries are able to attack our LAN and its devices; including the
> ability to intercept VPN and Tor traffic.
> The solution they say is to isolate these rogue routers in the
> Militarized Zone by creating a DMZ [demilitarized zone]. Achieved by
> installing a 2nd router [flashed with open source firmware such as
> OpenWRT]. It is here, on the router, that we should enable and run OpenVPN.
> Thoughts on this paper and its conclusions are welcomed
> 
Thanks everyone for your contributions.
Implicit in most of your replies is a distinct distrust of the
modems/routers provided to us.
If anyone is interested, the solution we adopted to securing our LAN is
copied from this blog;
https://tokyobreeze.wordpress.com/2015/02/01/create-a-nsa-and-hacker-proof-home-network-that-you-control/
This guy uses a couple of cheap routers loaded with OpenWRT which sit
behind his infected Modem. His 2nd router utilises OpenVPN Client and is
configured to protect "high value" devices.
We've successfully copied this configuration and it seems!! to work. -
unless you know better??



[qubes-users] CVE-2016-4484: Cryptsetup Initrd root Shell

2016-11-15 Thread Valko
Is it a possible attack scenario with Qubes OS?
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html#impact



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-15 Thread Andrew David Wong

On 2016-11-15 03:52, pixel fairy wrote:
> management is interested in qubes, but still need windows for some tasks. 
> this means buying a laptop that comes with windows, but still can run qubes 
> well. any recommendations? any license issues to be aware of?
> 

As far as I'm aware, any laptop with VT-x should be able to handle Windows 
VMs, and in general, most laptops come with Windows. So, you're basically just 
looking for a laptop that has good Qubes compatibility. Take a look at the 
following:

System Requirements: https://www.qubes-os.org/doc/system-requirements/
Hardware Compatibility List (HCL): https://www.qubes-os.org/hcl/

If you plan to be using the same machines for Qubes 4.x, you should also take 
into consideration the updated requirements for Qubes-certified hardware, which 
will go into effect for 4.x:

https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/

Licensing is a tricky issue. I'm not sure whether the Windows license allows 
you to clone Windows VMs or to run multiple Windows AppVMs from a single 
Windows TemplateHVM. That's a question for the lawyers. Maybe others around 
here have information about it.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] PAM errors after disabling password-less root

2016-11-15 Thread Unman
On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
> > Following the instructions for the 'vm-sudo' doc, I get the following error
> > in Debian 9:
> > 
> > /usr/lib/qubes/qrexec-client-vm failed: exit code 1
> > sudo: PAM authentication error: System error
> > 
> > 
> > Also, in the Debian 8 template the instructions don't match, as there
> > appears to be no file '/etc/pam.d/common-auth'.
> > 
> > Chris
> > 
> 
> Where did you get that template? The file is present in the default 3.2,
> and even in a minimal-no-recommends template for Debian-8.
> 
> I'll look at the Debian-9 issue now.
> 

I'm afraid I don't see this issue in a Debian-9 template.
Can you check your editing?

Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth
command, and making sure you get the expected output.
You should see the prompt (from the policy) and then output from dom0.

unman



Re: [qubes-users] PAM errors after disabling password-less root

2016-11-15 Thread Unman
On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
> Following the instructions for the 'vm-sudo' doc, I get the following error
> in Debian 9:
> 
> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
> sudo: PAM authentication error: System error
> 
> 
> Also, in the Debian 8 template the instructions don't match, as there
> appears to be no file '/etc/pam.d/common-auth'.
> 
> Chris
> 

Where did you get that template? The file is present in the default 3.2,
and even in a minimal-no-recommends template for Debian-8.

I'll look at the Debian-9 issue now.



[qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-15 Thread pixel fairy
management is interested in qubes, but still need windows for some tasks. this 
means buying a laptop that comes with windows, but still can run qubes well. 
any recommendations? any license issues to be aware of?



[qubes-users] PAM errors after disabling password-less root

2016-11-15 Thread Chris Laprise
Following the instructions for the 'vm-sudo' doc, I get the following 
error in Debian 9:


/usr/lib/qubes/qrexec-client-vm failed: exit code 1
sudo: PAM authentication error: System error


Also, in the Debian 8 template the instructions don't match, as there 
appears to be no file '/etc/pam.d/common-auth'.


Chris



Re: [qubes-users] EFI / UEFI guest

2016-11-15 Thread Marek Marczykowski-Górecki

On Mon, Nov 14, 2016 at 07:22:15PM -0800, TheGrandQubes wrote:
> Hi, 
> 
> I was wondering what the status is for allowing for EFI / UEFI guest VM (ie 
> an appvm or HVM being able to use EFI rather than bios). 
> This feature seems to have been implemented in Xen 4.4, "but not build in by 
> default" whatever that means. Here is the reference: 
> https://wiki.xen.org/wiki/OVMF
> 
> Is there currently a way to make OVMF work in Qubes? Or another way to use 
> EFI for an HVM instead of Bios? 

Currently it isn't possible, because the only qemu version supported in
stubdomain is the old qemu-traditional. We're working on getting new
version there in Qubes 4.0. If we manage to do that, it will be simpler
to have OVMF working, but will still require some work - currently not
on the roadmap for Qubes 4.0...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Attaching a block to a DVM in dom0 script

2016-11-15 Thread Vít Šesták
Thank you, it seems to do exactly what I was looking for. (I will probably use 
trap in order to ensure the DVM is destroyed.)

Regards,
Vít Šesták 'v6ak'



Re: [qubes-users] Disguising Qubes VMs

2016-11-15 Thread Andrew David Wong

On 2016-11-14 17:02, Sec Tester wrote:
> A thought on security through obfuscation.
> 
> Right now in terminal if you type: "uname -r" we get the kernel version, 
> which has "qubes" in the name.
> 
> Straight away the attacker, knows he's dealing with a qubes VM. Could we not 
> name the kernels to match their original OS?
> 
> And following that same concept, disguise any other tell tale signs this is a 
> VM on Qubes. QubesIncoming, could just be called received.  Use non qubes 
> unique process or packet names. This would also include renaming Xen stuff. 
> Hiding any obvious qubes unique directories deeper into the file system.
> 
> Of course if an attacker specifically tries to tell if they are in a VM its 
> impossible to 100% hide it, but if an attacker does a quick check and thinks 
> they're on a standard debian desktop, memory attacks & dom0 are never a 
> target.
> 
> Just an idea.
> 

In addition to what Marek and Unman have said, I'd just like to point out that, 
currently, there's no guarantee of privacy (in the sense of a concerted effort 
to achieve non-fingerprintability) in any VM that is not a Whonix VM. When you 
require privacy, use a Whonix VM.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] macbookpro 11,3 installer keeps returning to grub menu

2016-11-15 Thread Andrew David Wong

On 2016-11-14 11:25, pixel fairy wrote:
> just what the subject line says. there is an error message, but it flashes by 
> too fast to read. all four choices have the same result.
> 
> hardware is late 2013 15" retina, 11,3
> 

Does this thread help at all?

https://groups.google.com/forum/#!topic/qubes-devel/uLDYGdKk_Dk/discussion

(Also worth noting: https://www.qubes-os.org/doc/macbook-troubleshooting/)

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org