Re: [qubes-users] Wine/PlayOnLinux Best Practices
On 31/01/17 22:24, mojosam wrote:
>> it does protect you from user errors. e.g.:
>> you have some malicious pdf in a vm.
>> if you have nothing to open the pdf, you can't accidentally open it and
>> corrupt your vm.
>
> Isn't that the concept behind "attack surface"? If the code is there, something malicious might have the ability to call it. I think there was malware that was recently discovered that could exploit the floppy disk controller in either VMware or VirtualBox.

but if there is something malicious able to call it, the malicious piece of code could download play on linux and then exploit the error.

the case is:
- there is something malicious
- it can execute code
hence it can install everything it wants to and exploit it
(but that is not even necessary, since it only needs remote code execution to do anything it wants to do)
in this case we already executed something and caused the malicious code to become active (e.g. opened it with a program)

the case i mentioned was:
- there is something containing malicious code (e.g. a pdf)
- the code can't activate, since no piece of software parses this code

the attack surface is created by the code you execute rather than the code that is on the system.
this is the case, because you only need remote code execution to own a qubes vm. (instead of remote code execution + privacy escalation)

the only advantage of not installing software is: you can't accidentally execute it and activate some malicious code (but here your action would extend the attack surface)

at least this is my understanding of the situation.

> The bigger practical concern is that PlayOnLinux expanded my template by 800 MB. Is all of that cruft duplicated on the hard drive for every VM, or is it just accessed from the template as needed when the VM is activated?

this depends on the location that stuff is stored at.
if it is somewhere on /rw (e.g. /home/user) each cloned vm will have a duplicate.
if play on linux downloads the stuff after its first execution, you can simply only execute it in vms using play on linux.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/98fffab0-8e22-061c-ddb5-e10afa59de4c%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
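
The storage point in the reply above (template root versus /rw), as an added example that is not part of the original thread: a small shell script that splits a "BYTES PATH" listing into bytes living in the shared template root and bytes living on the per-VM private volume. It assumes the usual Qubes layout where /rw backs /home and /usr/local; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: in a template-based Qubes VM the private volume
# is mounted at /rw and backs /home and /usr/local; every other path is
# served from the template's root image and is not copied per VM.

# classify PATH -> "private" (stored once per VM) or "template" (shared)
classify() {
    case "$1" in
        /rw|/rw/*|/home|/home/*|/usr/local|/usr/local/*) echo private ;;
        *) echo template ;;
    esac
}

# summarize: reads "BYTES PATH" lines on stdin and prints byte totals per class.
# Real input could come from, for example:
#   rpm -ql playonlinux | xargs stat -c '%s %n'
#   du -sb "$HOME/.PlayOnLinux"
summarize() {
    priv=0
    tmpl=0
    while read -r bytes path; do
        [ -n "$path" ] || continue          # skip blank or malformed lines
        if [ "$(classify "$path")" = private ]; then
            priv=$((priv + bytes))
        else
            tmpl=$((tmpl + bytes))
        fi
    done
    echo "template=$tmpl private=$priv"
}

# Constructed sample listing: sizes and paths are illustrative, not measured.
sample_listing() {
    cat <<'EOF'
52000 /usr/share/playonlinux/python/mainwindow.py
1200 /usr/bin/playonlinux
300000000 /home/user/.PlayOnLinux/wine/linux-x86/2.0/bin/wine
4096 /rw/config/rc.local
EOF
}

sample_listing | summarize
```

Bytes counted as "template" exist once in the template image; bytes counted as "private" are what each VM that runs the application stores for itself.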
Re: [qubes-users] Wine/PlayOnLinux Best Practices
> it does protect you from user errors. e.g.:
> you have some malicious pdf in a vm.
> if you have nothing to open the pdf, you can't accidentally open it and
> corrupt your vm.

Isn't that the concept behind "attack surface"? If the code is there, something malicious might have the ability to call it. I think there was malware that was recently discovered that could exploit the floppy disk controller in either VMware or VirtualBox.

The bigger practical concern is that PlayOnLinux expanded my template by 800 MB. Is all of that cruft duplicated on the hard drive for every VM, or is it just accessed from the template as needed when the VM is activated?
Re: [qubes-users] Wine/PlayOnLinux Best Practices
> Since this is in my regular Fedora 24 template, won't this codebase be included in every app VM I run, whether I'm running PlayOnLinux in that app VM or not?

yes

> Presumably none of that code would be running,

so there should be no problem (at least i can't see any problems)

> but it would still be accessible to malware that wanted to call it.

for this the malware does need remote code execution.
if it has remote code execution it simply can call

    sudo dnf install -y playonlinux

it also could download anything and simply execute it as root. (root has no password)

so not having something installed does not protect you if you would not call it anyways.

it does protect you from user errors. e.g.:
you have some malicious pdf in a vm.
if you have nothing to open the pdf, you can't accidentally open it and corrupt your vm.
[qubes-users] Wine/PlayOnLinux Best Practices
I am in the process of installing PlayOnLinux into my Fedora 24 template. Currently, my only use for it is the Kindle app. I suspect I'll find further need for it in the future.

My original plan was to just use the Kindle app in one of my existing app VMs. In the future, I might want some other application available in a different app VM.

I was rather shocked to see that PlayOnLinux hogs 800 MB on my hard drive. I guess there's support in there for just about every freaking service that any Windows application might want. I had just assumed that that stuff would be installed on an as-needed basis (Maybe standalone Wine does this?).

This got me thinking about attack surface. Since this is in my regular Fedora 24 template, won't this codebase be included in every app VM I run, whether I'm running PlayOnLinux in that app VM or not? Presumably none of that code would be running, but it would still be accessible to malware that wanted to call it.

Related to that, if I am using a PlayOnLinux application, then whole hunks of that codebase would now be running in that app VM, so any preexisting malware/bugs would now be alive and fermenting within the app VM.

To minimize these effects, I'm now thinking that the best thing to do is to install PlayOnLinux in a standalone VM and run all of its applications in that VM only. I'd kind of like to minimize the rampant spread of standalone VMs in my system, but it seems like this one might be justified.