[qubes-users] Qubes 4: Unable to get any DVM app to ever launch
Qubes 4.0 Whenever attempting to launch an app in a DVM, the result is always the same. The popup message comes up saying "Disp1234 has started", and then nothing happens. Then about two minutes later, another popup says "Disp1234 has halted". No app ever launches. It doesn't matter what app I try.. xterm, konsole, firefox, dolphin, thunar, tor browser, gedit, kwrite etc. Always the same behavior. Also doesn't matter if I try from Q Menu shortcuts, command line in dom0, command line in another AppVM.. no difference. Just the same type of message in the terminal, says it's launching, then shuts down two minutes later with no output. Doesn't make a difference either if I try to open a file in a DVM or just straight launching an app. Nothing ever opens. Launching apps regularly from normal AppVM's works perfectly all the time, just not DVM's. Slight correction: About 1 in 10 times, launching Firefox from a Fedora-template-based DVM succeeds. The other 9 times it fails. All other apps fail 10 out of 10 times. And launching any app (including Firefox) from a Whonix-ws-14-template-based DVM also fails 100% of the time as described above. How is this issue best investigated and resolved? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c5005b71-ad67-4d4c-9378-3ab0fc085895%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Updates broke an HVM qube
On Tuesday, October 30, 2018 at 10:13:40 PM UTC-4, drogo wrote: > On Friday, October 26, 2018 at 5:10:07 PM UTC-4, Mike Keehan wrote: > > On Fri, 26 Oct 2018 16:58:09 -0400 > > Kyaphas Hill wrote: > > > > > Sheesh, I should've thought of that. No luck though. Same result in > > > another terminal window. > > > > > > I tried updating by typing "sudo yum update -y && shutdown -h now" in > > > the blind. And while that command worked (it ran for a while, then > > > shut down), the problem still persists. > > > > > > > Hmm. Did you try resizing the terminal window by dragging a corner? > > I've a vague memory of seeing something like this in the past, but > > not on Qubes. > > > > Mike. > > > > > > > On Fri, Oct 26, 2018 at 6:39 AM Mike Keehan wrote: > > > > > > > On Thu, 25 Oct 2018 10:47:33 -0700 (PDT) > > > > drogo wrote: > > > > > > > > > I recently updated a fedora 28-based qube that I have running in > > > > > HVM mode. I also updated dom0 at about the same time. So I'm not > > > > > sure which update caused the issue. > > > > > > > > > > Now when I attempt to start the qube, the terminal for the > > > > > template (and its dependent appVM) will only display what looks > > > > > like static. Or if you're old enough, what the TV looked like > > > > > when you messed with the horizontal hold too far. :) > > > > > > > > > > The VM seems to be running, as if I type "shutdown -h now" in the > > > > > unintelligible terminal, the VM shuts down. > > > > > > > > > > Any tips? I'm hoping to avoid having to re-build this qube from > > > > > scratch. > > > > > > > > > > Thanks. > > > > > > > > > > > > > Try a different terminal emulator - xterm, xfce4-terminal. > > > > > > > > -- > > > > You received this message because you are subscribed to a topic in > > > > the Google Groups "qubes-users" group. > > > > To unsubscribe from this topic, visit > > > > https://groups.google.com/d/topic/qubes-users/nP_6mgtX0eY/unsubscribe. > > > > To unsubscribe from this group and all its topics, send an email to > > > > qubes-users+unsubscr...@googlegroups.com. > > > > To post to this group, send email to qubes-users@googlegroups.com. > > > > To view this discussion on the web visit > > > > https://groups.google.com/d/msgid/qubes-users/20181026113932.3ba50a6e.mike%40keehan.net > > > > . > > > > For more options, visit https://groups.google.com/d/optout. > > > > > > > > > Moving the terminal windows around doesn't help. I decided to build another > HVM template from scratch, but got the same result when I set the kernel to > "none" and the virt_mode to "HVM". > > Then I tried setting the appVM back to PVH and a qubes kernel. It booted > fine. But of course my ZFS modules are compiled for the latest 4.18 distro > kernels, so they don't load. > > So, something about the distro kernel doesn't like the new updates for dom0? I meant resizing the terminal windows. Not just moving. Tried that on both. Fullscreen, minimize, etc. Thanks. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3feb8e78-4295-443d-8e90-fa0c92a2a798%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Updates broke an HVM qube
On Friday, October 26, 2018 at 5:10:07 PM UTC-4, Mike Keehan wrote: > On Fri, 26 Oct 2018 16:58:09 -0400 > Kyaphas Hill wrote: > > > Sheesh, I should've thought of that. No luck though. Same result in > > another terminal window. > > > > I tried updating by typing "sudo yum update -y && shutdown -h now" in > > the blind. And while that command worked (it ran for a while, then > > shut down), the problem still persists. > > > > Hmm. Did you try resizing the terminal window by dragging a corner? > I've a vague memory of seeing something like this in the past, but > not on Qubes. > > Mike. > > > > On Fri, Oct 26, 2018 at 6:39 AM Mike Keehan wrote: > > > > > On Thu, 25 Oct 2018 10:47:33 -0700 (PDT) > > > drogo wrote: > > > > > > > I recently updated a fedora 28-based qube that I have running in > > > > HVM mode. I also updated dom0 at about the same time. So I'm not > > > > sure which update caused the issue. > > > > > > > > Now when I attempt to start the qube, the terminal for the > > > > template (and its dependent appVM) will only display what looks > > > > like static. Or if you're old enough, what the TV looked like > > > > when you messed with the horizontal hold too far. :) > > > > > > > > The VM seems to be running, as if I type "shutdown -h now" in the > > > > unintelligible terminal, the VM shuts down. > > > > > > > > Any tips? I'm hoping to avoid having to re-build this qube from > > > > scratch. > > > > > > > > Thanks. > > > > > > > > > > Try a different terminal emulator - xterm, xfce4-terminal. > > > > > > -- > > > You received this message because you are subscribed to a topic in > > > the Google Groups "qubes-users" group. > > > To unsubscribe from this topic, visit > > > https://groups.google.com/d/topic/qubes-users/nP_6mgtX0eY/unsubscribe. > > > To unsubscribe from this group and all its topics, send an email to > > > qubes-users+unsubscr...@googlegroups.com. > > > To post to this group, send email to qubes-users@googlegroups.com. > > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/qubes-users/20181026113932.3ba50a6e.mike%40keehan.net > > > . > > > For more options, visit https://groups.google.com/d/optout. > > > > > Moving the terminal windows around doesn't help. I decided to build another HVM template from scratch, but got the same result when I set the kernel to "none" and the virt_mode to "HVM". Then I tried setting the appVM back to PVH and a qubes kernel. It booted fine. But of course my ZFS modules are compiled for the latest 4.18 distro kernels, so they don't load. So, something about the distro kernel doesn't like the new updates for dom0? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dc645b01-31b7-419b-80a8-9de1e46a3cdd%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] USB webcam forwarding
I'm trying to use a C920 USB camera on a Thinkpad X1 Carbon 6gen, latest Qubes4. The VM is running debian-9, but i also tried fedora-26. I tried both connecting the camera directly to a USB port of the Thinkpad and via a powered USB hub. I attach it to my VM: user@browser $ lsusb Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 012: ID 046d:082d Logitech, Inc. HD Pro Webcam C920 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub user@browser $ ll /dev/video0 crw-rw+ 1 root video 81, 0 Oct 30 13:30 /dev/video0 user@browser $ cheese (cheese:3812): Gtk-WARNING **: Theme parsing error: cheese.css:7:35: The style property GtkScrollbar:min-slider-length is deprecated and shouldn't be used anymore. It will be removed in a future version (cheese:3812): GStreamer-CRITICAL **: gst_element_message_full_with_details: assertion 'GST_IS_ELEMENT (element)' failed ** Message: cheese-application.vala:211: Error during camera setup: No device found (cheese:3812): cheese-CRITICAL **: cheese_camera_device_get_name: assertion 'CHEESE_IS_CAMERA_DEVICE (device)' failed (cheese:3812): GLib-CRITICAL **: g_variant_new_string: assertion 'string != NULL' failed (cheese:3812): GLib-GIO-CRITICAL **: g_settings_schema_key_type_check: assertion 'value != NULL' failed (cheese:3812): GLib-CRITICAL **: g_variant_get_type_string: assertion 'value != NULL' failed (cheese:3812): GLib-GIO-CRITICAL **: g_settings_set_value: key 'camera' in 'org.gnome.Cheese' expects type 's', but a GVariant of type '(null)' was given ** (cheese:3812): CRITICAL **: cheese_preferences_dialog_setup_resolutions_for_device: assertion 'device != NULL' failed ^C user@browser $ lsusb Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub user@browser $ ll /dev/video0 ls: cannot access '/dev/video0': No such file or directory user@browser $ sudo dmesg [...] [ 1067.111409] usb usb1-port1: Cannot enable. Maybe the USB cable is bad? [ 1067.999310] usb usb1-port1: Cannot enable. Maybe the USB cable is bad? [ 1068.887291] usb usb1-port1: Cannot enable. Maybe the USB cable is bad? [ 1069.775325] usb usb1-port1: Cannot enable. Maybe the USB cable is bad? [ 1069.776403] usb 1-1: USB disconnect, device number 12 [ 1070.671126] usb usb1-port1: Cannot enable. Maybe the USB cable is bad? [ 1071.559252] usb usb1-port1: Cannot enable. Maybe the USB cable is bad? [ 1071.559340] usb usb1-port1: attempt power cycle [ 1072.759348] usb usb1-port1: Cannot enable. Maybe the USB cable is bad? [ 1073.647189] usb usb1-port1: Cannot enable. Maybe the USB cable is bad? [ 1073.647296] usb usb1-port1: unable to enumerate USB device Qubes shows the device as still being attached to the VM. I can detach and reattach without problems. Forwarding the Thinkpad's internal camera works fine. Are failures with particular USB devices to be expected? Does anyone know a good external webcam that works? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6bfdfc43-c636-4547-8ecb-b5438e835158%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Qubes 4.0 / Instalation Issue (Need Experts Help )
Dear All,
I was trying to install Qubes 4.0 on my HP Elitebook 2760p (Inter(R)i7-2640M
CPU) for a week and encounter the following error message:
dracut_pre_udev[469]: rpc.imapd: conf_reinit: open ("(null)",0_RDonly) failed
Would you kindly help me out..
Notes:
I have tried the following troubleshooting:
- Checked the Downloaded ISO CheckSum
- Tried UEFI mode and Legacy mode
- Tried Several USB Drives Pens from different Manufactures and Size
- Burned the ISO So Many times Using Rufus, Lili
- Burned the ISO using MBR (BIOS or UEFI)
- Burned the ISO using GPT (UEFI non CSM)
- BIOS Updated ( tried the installation before and after the update)
- Tried both HDD and SDD as a target installation medium to be.
- VT-x is enabled as well as TPM, Multi Core CPU, HT Technology and VTd.
- I then burned Ubuntu ISO using the same equipment just to be sure and it
works fine and installed on my machine.
Nothing solved the problem
Thanks in Advance..
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/4528e998-4123-46ec-95f3-d489c731fca2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Boot failure after update / boot loop
On Tuesday, October 30, 2018 at 5:39:21 AM UTC, Alchemist wrote: > Do you dual boot with Windows? > > If you do, the reason is that by default the Windows 10 installer will set > the /boot/efi partition to 100mb which... is really not enough space. > > > So keep that in mind. I made the changes and now it's happy. So, after changing the kernel to boot in /boot/efi/EFI/qubes/xen.cfg, what exactly did you do to solve the problem? Did you change the size of /boot/efi without reformatting your HD and re-installing qubes? If so, how? Please tell me. :) By the way, I remember that when I installed Qubes 4 (after having used an older one) I also increased the size of the separate EFI boot partition. I'll have to check that out. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/722a7851-62de-486e-bf12-4d434d65b945%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] About X.Org vulnerability and Qubes
On Mon, 29 Oct 2018, Sphere wrote: > https://threatpost.com/x-org-flaw-allows-privilege-escalation-in-linux-systems/138624/ > > > It is said that leveraging the vulnerability is possible from a remote > SSH session. Say an attacker was able to successfully gain a remote SSH > session in an untrusted VM, do you think it would be possible to gain > full control through qubes' implementation of X.org? This is a built-in assumption in Qubes OS design. That is, that VMs may/will get compromized due to bugs like this... > I checked around and if I understand it right, qubes utilizes X.org in > order to integrate the display of PVH VM applications to what the user > can/must see. > > Because of this, what's in my mind right now is that it's possible to > leverage this vulnerability to gain full control but since I don't have > an idea of the codes or how exactly qubes' implementation of X.org > works, I would like to kindly ask for your thoughts about this matter. ...but it does not lead to dom0 or cross-VM compromize because of how the GUI isolation works (the GUI isolation does not run over X.org but is implemented using a very simple protocol based on memcpy from X.org buffers). > Earlier I was about to remove setuid of Xorg but I thought it has a good > chance of breaking my desktop environment altogether and that would be > alot of trouble for me. If you're worried about the VMs themselves having being compromised, you can backup everything and use the "paranoid restore" mode after a clean reinstall of Qubes. -- i. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/alpine.DEB.2.20.1810300735590.21103%40whs-18.cs.helsinki.fi. For more options, visit https://groups.google.com/d/optout.
[qubes-users] How can I install Anti Evil Maid in Qubes?
Hi Could anyone help me to guide through this whole process step by step, please? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c20c6bbe-4eef-4adb-b16c-60877e3270eb%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: off topic - invite codes to 'riseup'
Looking for one invite as well. Thank you in advance, -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7e162475-4616-499e-8093-2857fa5bcfc1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Re: Re: Qubes User Forum
On 10/30/18 2:59 PM, Zrubi wrote: > I would say it is not a problen until the mail gets > delivered :) > > But, this is one of the reasons that this is a PoC project: > we well only see - if start testing it. > Also there is redundant "RE:" prefix on the subject. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/62e3ed47-e59d-88c7-7794-e90373981ce8%40riseup.net. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Re: Re: Qubes User Forum
I would say it is not a problen until the mail gets delivered :) But, this is one of the reasons that this is a PoC project: we well only see - if start testing it. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e1.5bd863c5%40qubes-os.info. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Re: Qubes User Forum
On 10/30/18 2:42 PM, donoban wrote: > Just testing it. It seems nice and probably a better way for > search old threads. > > Thanks :) > Looking at mail headers: ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=fail (google.com: domain of dono...@riseup.net does not designate 74.208.4.196 as permitted sender) smtp.mailfrom=dono...@riseup.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=riseup.net Received: from mout.perfora.net (mout.perfora.net. [74.208.4.196]) by gmr-mx.google.com with ESMTPS id p24si196393otk.4.2018.10.30.06.42.28 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Oct 2018 06:42:28 -0700 (PDT) Received-SPF: fail (google.com: domain of dono...@riseup.net does not designate 74.208.4.196 as permitted sender) client-ip=74.208.4.196; Received: from infong-us27.perfora.net ([74.208.57.168]) by mrelay.perfora.net Is this not problematic? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/58f05639-c4ac-b7d9-9305-c45b362439a2%40riseup.net. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Re: Qubes User Forum
Just testing it. It seems nice and probably a better way for search old threads. Thanks :) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/df.5bd85fc4%40qubes-os.info. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Qubes User Forum
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 10/30/18 1:54 PM, 'awokd' via qubes-users wrote: > Zrubi wrote on 10/30/18 12:02 PM: >> I just wondering If my instructions was not clear about how to >> get access to the forum interface? Or just nobody cares? >> >> >> I would accept if nobody is interested, but I see a lot of >> registration "attempt" in the logs... >> > I am pretty set in my ways, so hadn't tried it before. :) Anyways, > when I attempted just now, I went to password reset and put in my > email address but it says "e-mail address not found in database". > I've posted several emails to qubes-users since 10/23 so am not > sure why it's not finding me. > Yeah, you are one of the many users affected by this issue: https://www.spamresource.com/2014/04/google-groups-rewriting-from-addres ses.html So your email address have been replaced to the mailing list's own address by google. The result is: From: "'awokd' via qubes-users" nice, isn't it? :D I will gonna create a user for the affected users manually... (till it's gonna be resolved somehow) - -- Zrubi -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEmAe1Y2qfQjTIsHwdVjGlenYHFQ0FAlvYVcAACgkQVjGlenYH FQ18Sw//XPub2+pdlBBJ78Np2IoUdyOiWGlE4yWGO3PlHOaPEHbuVAbXriwH0HUC D1SDOxEYyjgkxZSEl3nczgT9cElZeAYsso8/z8pohpmtVCsYN39JeYaPw3M3faDs SM52J8zVCG30ua8cNXvkfSDSiCoGf0swReTJ9Upi5t9+KCVnpMGenoyxyfr+A5OS vLtq8a9I6UFDM1Z2eMM8/20gmIz5ka2/z53k7LDlY/zn7A84M2rn/Es2ZyN1HflG Liq/aHz4d5VSWwHw8SpJSTC1nmKLIvjJ6k/b0Fr6vBTnGtvUJLNCmF976GV53JeG 3GjSahGuUDEvr7le81Etg4CvWXZXz1fPqZjdTQBZtKg8ym9+z0HIVEu93cbeLgHQ tvZ/wYpxF4NwboMpjR8HFgnjPIVGyVitHvT9jJfaxKBeU+evq0IUh2sQ6qtrQOYE lBWRBu14x8QZJz5XWLpndJXirz/M5YQT3BH165vvI/cYaC/IoW/4WZ/aOCB5XEj5 E1kVtODA9pmhzfStiMUy1RHxrQtPF+BkbpjqvMswpPCr3i8upYrAE6VVSj8n4ul2 +23pNcrNcU7IGtZYCf+7anNjajUxJnMRTz9xKiCJPhDf4BMWGnWSKk7AlJyPrdq2 6rwm2bzjiZ346Tb4GDKY9UhufY8Pmd0zCQo8ZUvNopcNXU+ufrQ= =jbMY -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/36fe7035-df22-3bfe-38a2-9f00a5c3e709%40zrubi.hu. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Qubes User Forum
Zrubi wrote on 10/30/18 12:02 PM: I just wondering If my instructions was not clear about how to get access to the forum interface? Or just nobody cares? I would accept if nobody is interested, but I see a lot of registration "attempt" in the logs... I am pretty set in my ways, so hadn't tried it before. :) Anyways, when I attempted just now, I went to password reset and put in my email address but it says "e-mail address not found in database". I've posted several emails to qubes-users since 10/23 so am not sure why it's not finding me. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6deac8d9-f392-d254-fce4-970bcc481546%40danwin1210.me. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Unman please help with internet connection
On Fri, Oct 26, 2018 at 12:30:00PM +0100, unman wrote: > On Thu, Oct 25, 2018 at 08:01:23PM +0300, Squares wrote: > > > > > > > > Hi. I want to get this VM configuration: Internet <-- OpenBSD(VM1) <-- > > Firewall(VM2) <-- AppVM(VM3) I use OpenBSD as a NetVM. I call it VM1. I > > assigned the PCI network card to this VM, and it has an em0 interface > > to connect to the internet. I'd like this OpenBSD VM to be the NetVM > > for other Qubes, so I created a new debian AppVM (VM2), which has no > > NetVM of its own, and I made it the NetVM of Openbsd(VM1): OpenBSD(VM1) > > --> VM2 This made it possible to get an xnf0 interface in OpenBSD(VM1). > > I have enabled IP forwarding and enabled Nat for xnf0, and I can ping > > google from the xnf0 interface, meaning that it has internet access: > > ping -I xnf0 8.8.8.8 I made VM2 the NetVM for VM3. VM1 --> VM2 <-- VM3 > > I enabled IP forwarding in VM2 and I tested some IPtables > > configurations for allowing forwarding between the 2 interfaces in VM2. > > I made it possible to ping the xnf0 interface in VM1 from VM3. But when > > I can't ping an internet address. Could you please tell me what I need > > to do in VM2 so that I can make VM2 act like a regular firewall VM, > > even theough it is a default Qubes NetVM? Thanks. > > > > > > SO you have the basic structure in place. > Little more is needed. As I recall, setting DNS on the qubes downstream > of fw, and routing correctly between the qubes and openBSD. > Also there is an unholy mix of iptables and nftables, although I *may* > have tidies that up. > I'm away from home at the moment. When I get back I'll check the > openBSD setup, and post back, probably tomorrow evening. > > cheers > > unman Sorry it took so long to get back to you. Here's what I do: On VM2: ip route add default via iptables -I FORWARD -i vif+ -o vif+ -j ACCEPT - Note that this allows *all* traffic to pass between qubes connected to VM2 - adjust as you wish. iptables -t raw -I PREROUTING -i -j ACCEPT iptables -t nat -I PR-QBS -p udp --dport 53 -j DNAT --to 9.9.9.9 That's it. You'll find that qubes attached to VM2 will use DNS server 9.9.9.9, and traffic will exit via VM1 You can (and should) have a firewall running on VM1. Obviously, you can harden this a good deal. With this set-up you can use standard qubes networking and the rules will be enforced on VM2. I always prefer it when there's no need to reconfigure qubes or the Qubes networking infrastructure, so you can switch a qube between this and standard arrangement or vpn as you wish. unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181030122905.c7tmcv3ngaex7k4n%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Qubes User Forum
I just wondering If my instructions was not clear about how to get access to the forum interface? Or just nobody cares? I would accept if nobody is interested, but I see a lot of registration "attempt" in the logs... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/db.5bd8483a%40qubes-os.info. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Installation Problem
On Mon, 29 Oct 2018 15:32:41 -0400 Andy Powell wrote: >Well that clears it up! Thanks!!! > >Very surprising...guess I’ll go to another distro. Bye Qubes! > >> On Oct 29, 2018, at 2:51 PM, Fidel Ramos wrote: >> >> ‐‐‐ Original Message ‐‐‐ >>> On Monday, October 29, 2018 6:20 PM, Andy Powell wrote: >>> >>> Hello Qubes group! >>> >>> I’m trying to install Qubes but it fails after “Test this media & install >>> Qubes R4.0” at “Loading initrd.img” >>> >>> I’m on a 2012 MacBook Pro, running Parallels (which I guess may be the >>> issue, as 100% of your documentation refers to VirtualBox...do you support >>> other hypervisors?) >>> >>> I’ve followed everything as best I can and am stuck in an infinite loop. No >>> issues running other major OS VMs (Ubuntu, Mint, Fedora, various Win, etc) >>> >>> Please help! Thank you! >>> >>> —Andy >> >> Running QubesOS inside a virtual machine is not supported, and as you found >> out it won't work in most configurations. >> >> If you want to try out Qubes in your machine you could install it into a USB >> drive or USB HDD (i.e. put the installer into a USB drive, boot the >> installer, then install into a *different* USB drive). It will be slower, >> but you can see if it works with your hardware. > Qubes is, essentially, a Xen hypervisor (bare metal virtual machine host). It has added complexity to provide a more complete separation of programs and data, and further compartmentalize different areas of sensitivity such as general web browsing, password safe keeping, etc. You can configure different application VMS for different purposes and keep your information more secure than even a general virtual machine host such as Unix/VirtualBox or Windows/VMWare. Attempting to run a Xen hypervisor inside of a VirtualBox or VMWare VM is illogical. Qubes is not just another flavor of Linux. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181030065821.4e07e89f%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] About X.Org vulnerability and Qubes
On Mon, Oct 29, 2018 at 10:33:18PM -0700, Sphere wrote: > https://threatpost.com/x-org-flaw-allows-privilege-escalation-in-linux-systems/138624/ > > It is said that leveraging the vulnerability is possible from a remote SSH > session. Say an attacker was able to successfully gain a remote SSH session > in an untrusted VM, do you think it would be possible to gain full control > through qubes' implementation of X.org? > > I checked around and if I understand it right, qubes utilizes X.org in order > to integrate the display of PVH VM applications to what the user can/must see. > > Because of this, what's in my mind right now is that it's possible to > leverage this vulnerability to gain full control but since I don't have an > idea of the codes or how exactly qubes' implementation of X.org works, I > would like to kindly ask for your thoughts about this matter. > > Earlier I was about to remove setuid of Xorg but I thought it has a good > chance of breaking my desktop environment altogether and that would be alot > of trouble for me. > This is just another vulnerability - if you give someone else access to your Qubes machine, local or remote, you've diminished your security. In this particular case, each qube runs its own Xserver, which may be vulnerable, but you've already given someone else access to that qube. Would it be possible to leverage that for an attack on dom0? That would require an exploit on qubes_gui and vchan, and *that* would be available to the external user whether this exploit existed or not. Of course, the long awaited GUI domain would help to mitigate attacks against X, but it isn't here yet. unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181030115511.khb74fojvvwlu74o%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Ubuntu templates
On Mon, Oct 29, 2018 at 09:07:40PM -0700, Patrick wrote: > On Saturday, October 27, 2018 at 9:51:56 PM UTC-5, unman wrote: > > On Fri, Oct 26, 2018 at 03:23:34PM -0700, Patrick wrote: > > > On Monday, October 8, 2018 at 9:28:26 AM UTC-5, unman wrote: > > > > It's now straight forward to build templates for bionic as well as > > > > xenial, > > > > using qubes-builder. > > > > > > > > If you want to try them out before building, I've uploaded freshly built > > > > templates for 4.0, including a fairly hefty xenial-desktop template. > > > > You can find details at https://qubes.3isec.org > > > > > > > > Updated packages are available from the repositories there, if you > > > > already have a working template. > > > > > > > > unman > > > > > > Hi, I came to find this answer too, what is the best way to install an > > > ubuntu vm? > > > > > > Also, just fyi, I want to run the VMware-Horizon-Client in order to run > > > VDI. Documentation says it's tested on ubuntu and Red Hat. > > > > > > Thanks, > > > Patrick > > > > > You can build your own template using qubes-builder. > > Instructions for that are in the docs: > > https://www.qubes-os.org/doc/qubes-builder > > > > Use ./setup to select the ubuntu version you want, then make qubes-vm and > > make template will produce a new template. > > Actually, the build is broken at the moment while I figure out how best > > to deal with incorporating apt-transport-https in to the build, and mix > > in security updates. > > > > In the meantime you can download some prebuilt Ubuntu templates from > > https://qubes.3isec.org/ > > > > Whatever route you take, transfer the template to dom0 and install it > > using dnf install > > > > unman > > Thanks Unman, > > Only, what's the difference between bionic and xenial? Sorry. Anyway I'm > using 64 bit, qubes 4.0 on an Acer Aspire 5 - AS15 > > Thanks. > They are different code names for Ubuntu releases. https://www.wikipedia.org/wiki/Ubuntu_version_history may help unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181030112740.k4tairop63oxfbux%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: About X.Org vulnerability and Qubes
you can always clone a template and try such changes. Each vm runs its own X server, which is already distrusted by dom0, so the chain would have to include an attack that works over vchan. Future versions of qubes might default to wayland instead of X11, only because fedora probably will, and there wont be any reason to change that. appvms will probably continue to use X for a long time. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/72fa4988-0b44-4913-9df7-4ffcb5192711%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
