{{Header}}
{{title|title= ToDo for Developers (archived) }}
{{#seo: |description=Archived TODOs }}
{{devwiki}}
{{intro| Archived TODOs }}
= ARCHIVED 3 =
== bug: default_dispvm of Whonix-Workstation AppVMs not always being set properly ==
* https://forum.qubes-os.org/t/can-we-automatically-set-default-disposable-template-at-the-time-of-app-qube-creation/38336/9
** Fix: https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/29, waiting for merge.
*** Merged.
== Whonix login issue ==
* https://forums.whonix.org/t/whonix-asks-for-login/22678
** Aaron: Could not reproduce, asked for more information.
*** No reply received for nearly a month. Archiving.
== USB insert versus black screen issue ==
* https://forums.kicksecure.com/t/black-login-screen-crash-after-inserting-external-hard-drive/1556
* please investigate and if possible please fix or document
* Aaron: Unable to reproduce, waiting for more info from Nurmagoz.
** Turns out to be an NVIDIA driver issue. Continuing discussion on how to best handle NVIDIA systems going forward. Archiving this ticket since the root cause has been identified, will make a new one if an action plan for NVIDIA systems is reached.
== Qubes Tor Browser Permission Issues ==
* any idea?
** https://forums.whonix.org/t/tor-browser-error-in-whonix-18-appvm-user-home-folder-permission-issue/22800
* Patrick: Fixed. Please review.
** Aaron: Reviewed, looks good.
== Qubes Tor Browser - previously downloaded version bug ==
* as discussed
** Aaron: Fixed, commit pushed to tb-updater. This has been merged and released already.
== dbus method handling investigation ==
* as discussed
== packaging bug - main package depends on non-free package ==
* https://forums.kicksecure.com/t/guide-for-morphing-debian-13-xfce/1525
* bug: a main package having a dependency on a non-free package
* Aaron: Fixed, commits pushed to developer-meta-files, kicksecure-meta-packages, and qubes-template-kicksecure.
* Patrick: Merged.
== systemcheck - apparmor warnings from autologinchange ==
* Aaron:
** The same fix that caused the autologin issue also resulted in some "Permission denied" messages in systemcheck due to missing apparmor rules.
** Fixed, commit pushed to systemcheck.
* Patrick: Merged.
== use lockfile.sh in update-torbrowser ==
* Aaron:
** current architecture does not allow multiple concurrent instances
** add lockfile.sh to prevent issues if the user tries to do this
** Implemented, along with fixes for several other issues discovered along the way. Commits pushed to tb-updater and helper-scripts.
* Patrick: Merged.
== user-sysmaint-split gui session starting - fix ==
* happening after upgrading using developers repository
* non-Qubes, user session, starting LXQt broken
* maybe the recent changes in autologin change cause this?
* /etc/greetd/config.toml (auto generated)
<pre>
[terminal]
vt = 7

[default_session]
command = "systemd-cat labwc -s /usr/libexec/desktop-config-dist/start-wlgreet-with-labwc -C /etc/greetd/labwc-config"
user = "_greetd"

[initial_session]
user = "user"
</pre>
* /etc/greetd/config.toml.d/40_autologin.conf (auto generated)
<pre>
[initial_session]
user = "user"
</pre>
* config.toml lacks
<pre>
command =
</pre>
* Aaron: Found and fixed issue, commits pushed to helper-scripts and user-sysmaint-split.
* Patrick: Merged.
== immutability wiki review ==
* please review, improve
* https://www.kicksecure.com/wiki/Dev/immutable
* https://www.kicksecure.com/wiki/immutable
* Aaron: Read through, made changes to both pages, using 3mdeb's documentation as a reference.
* Patrick: Please either reply inline here or by editing the wiki pages.
----
* Patrick: Can we call it stateless? Because stateless might mean something else:
** https://www.kicksecure.com/wiki/Dev/Stateless
** https://blog.verbum.org/2020/08/22/immutable-%E2%86%92-reprovisionable-anti-hysteresis/
** Aaron: This is effectively stateless; changes to /etc and /var will be thrown away. It's technically a special case of statelessness in which /home is thrown away too, but given that some distributions put /home in /var (Silverblue, for instance), this isn't really that big of a difference. Changes made in persistent mode obviously won't be thrown away, but live mode is effectively stateless per-boot.
*** Patrick: I think stateless means something else according to above links? A user downloading a new image getting a cleaner image with less history. Users who upgrade will have a slightly different image. For example, we might have forgotten an "rm_configfile".
**** Aaron: The form of "statelessness" supplied by live mode is very similar to that supplied by a live ISO, and both https://fedoraproject.org/wiki/StatelessLinux and https://people.redhat.com/dmalcolm/stateless/stateless-linux-HOWTO-en/ mention that live CDs are considered stateless. However, the form of statelessness provided by live mode is stronger than the general "everything but the home directory goes away on reboot" that it seems stateless systems are generally intended to have, and has different end goals than this form of statelessness generally pursues.
----
* Aaron: "No, prohibited by file permissions"
** Patrick: If file permissions were messed up, then writes would be possible. So it's not as good as if mounted as read-only. Perhaps we should mount root folders as read-only as an additional protection? (Plus use ephemeral overlay.)
*** Aaron: Yes, eventually. This will be necessary for Verified Boot to function properly.
**** Patrick: Ticket created: "immutable - mount as read-only when possible"
----
* Patrick: "An immutable system's filesystem is fundamentally unable to be modified by traditional means (creation, deletion, and modification of files, symlinks, etc.), even by the root account."
** Why would root be unable to modify the filesystem? Root can always re-mount as read-write and modify?
*** Aaron: Yes, but that would not be modification by traditional means. Root can directly modify filesystems at the block device level, remount things as read-write, rebuild images from scratch and provision them, etc., but it can't just do touch /a and have /a created because the filesystem is read-only. This was meant to differentiate permissions-based restrictions from mount-option- and filesystem-based restrictions.
**** Patrick: Clarified in wiki.
----
* Patrick: What is the difference between "immutable" and "image based"? It's currently not clear to me if these are used as synonyms.
** Aaron: They aren't synonyms. An immutable system is one where the core of the OS can't be modified, but this can be done without an image-based approach.
*** Patrick: Clarified in wiki.
----
* Patrick: Which modifications are required for Kicksecure user session, live mode to be considered immutable?
** Aaron: Kicksecure user session, live mode is stateless as opposed to immutable by design. "Immutable" is for when you *want* some state to persist, but don't want the OS to be changed. "Stateless" is for when you don't want state to persist at all, which is live mode's goal.
*** Patrick: Pending definition of stateless (mentioned above).
----
* Patrick: Which modifications are required for Kicksecure user session, persistent mode to be considered immutable?
** Aaron: We'd need to make /usr at the very least read-only (optionally with a writable overlay). Ideally we'd make a lot more than that read-only, since /usr/local, /etc, /var, etc. could be theoretically used to host malware. How this is implemented is up to us, we have plans in this regard for Verified Boot already.
*** Patrick: Ticket created. Same as above.
----
* Patrick: Which modifications are required for Kicksecure to be considered an immutable Linux distribution?
** Aaron: Depends on one's exact definition of immutable. Technically we could claim to be immutable so long as persistent mode, user session was immutable, and the live modes were stateless. Persistent mode, sysmaint session being fully mutable would be strange though as it undoes many of the traditional reasons to have an immutable system (each OS installation is the same everywhere, impossible or at least more difficult to make damaging changes or difficult-to-track changes, etc), but our goals in being immutable are not the same as others (we only want to prevent malicious modifications).
----
* Aaron: "Live mode should not be trusted to prevent privileged malware from making persistent modifications to the system. The root filesystem, mounted read-only at /live/image, can be trivially remounted read-write by software that runs as root."
** Patrick: Correct. This is applicable to all immutable Linux distributions? If yes, needs to be pointed out to avoid the impression of an operating system specific issue.
*** Aaron: Technically no, this is not applicable to stateless distributions that use a fundamentally read-only filesystem such as SquashFS as the underlying image. Live ISOs are the most common example of this.
**** Patrick: "fundamentally read-only" is the critical term. I would argue both ISO and SquashFS can be "mounted" as read-write. It's not trivial for sure. Quote chapter [[Verified_Boot#ISO_Considerations|ISO Considerations]]:
**** It's hard to modify an ISO read/write. There is no public software available to really mount an ISO read/write. But it's possible in theory. The ISO should be considered read-write for attackers but read-only for the public. There is the Open Source growisofs tool. Also, other attacks are conceivable. Since [https://wiki.debian.org/RepackBootableISO Repacking an ISO] is documented in the Debian wiki, this can be used for both legitimate and malicious purposes and is much easier than mounting an ISO read/write.
**** Patrick: As for [https://unix.stackexchange.com/questions/80305/mounting-a-squashfs-filesystem-in-read-write SquashFS, it can be extracted, modified and repacked]. So in conclusion the risk of "privileged malware from making persistent modifications to the system" is still applicable independently of the underlying filesystem?
***** Aaron: This depends on a couple of factors, namely "practical vs. theoretical security" and presence of cryptographic verification. While in theory an attacker who gains root access might be able to modify a read-only filesystem to infect it in all manner of different ways (in-place modifications, repacking, etc.), it still requires a much higher amount of effort to modify anything, decreasing the number of interested attackers and increasing the possibility of attack failure. Furthermore, if Verified Boot is used, modifying the filesystem will simply break it rather than allowing persistent modification. Without using a fundamentally read-only filesystem, the effort of changing an "immutable" filesystem is dramatically lowered and Verified Boot is rendered
----
* Patrick: Could there be an image based operating system that is not considered immutable?
** Aaron: Yes, if the image used a read/write filesystem such as ext4 rather than a read-only filesystem.
** Patrick: Added to the wiki.
----
* Patrick: Could there be an immutable operating system that is not image based?
** Aaron: Yes, these already exist. blendOS, NixOS, and I believe Ubuntu Core all are examples.
** Aaron: Universal Blue is image-based, Fedora Silverblue seems to be. However, these images are used for ''deployment'', they aren't actually what the OS runs from. The files are still placed on a traditional filesystem that is simply mounted read-only (and can be mounted read-write and modified!). On Silverblue, I was able to remount /sysroot as read-write, then modify and save a file in the ostree repo, and the change persisted after a reboot. I was able to do the same on Universal Blue (specifically the Aurora image).
----
* Aaron: Anything further to research/discuss here?
== server distro morphing issues ==
* 1) can break networking. caused by:
** ./debian/kicksecure-network-conf.links
** /dev/null /etc/systemd/network/99-default.link
** should probably not be done when using distro morphing
*** Aaron: Maybe we split just the link out into a separate package, kicksecure-network-conf-ifnames or similar?
**** Even if we did this, we'd still need to have something depend on kicksecure-network-conf-ifnames to prevent the config file from being removed during system upgrades (which could cause interfaces to change names and lock users out of remote systems). Therefore probably best to just omit from metapackages, install during image builds, and document installation for distro morphing.
**** Removed from metapackages, added to build system. Still need to add to documentation, holding off on this until I know whether we want to split NetworkManager and kicksecure-network-conf or not.
* 2) forced kicksecure-network-conf installation (can break networking because it pulls network-manager)
** Aaron: Maybe we should make kicksecure-network-conf not depend on network-manager anymore, and add that dependency to metapackages where we actually want to require (or at least strongly recommend) NetworkManager? Then the config can be shipped and will work in the event the user installs NetworkManager later.
*** Skipping for now, since kicksecure-network-conf is no longer mandatory. Can implement this if desirable.
* 3) forced dracut installation can break booting
** Aaron: Dracut is the only initramfs generator we support, we removed initramfs-tools support a while back. Thus figuring out how to get Dracut to work transparently here would be a better solution.
*** Patrick was able to get things working by adding rd.auto=1 rd.md=1 rd.md.conf=1 to the kernel command line.
**** rd.auto=1 looks dangerous - it will "enable autoassembly of special devices like cryptoLUKS, dmraid, mdraid or lvm." I believe this means that the user will be prompted to decrypt *all* LUKS volumes during bootup, rather than just those that are necessary to boot. Seems like it will also assemble everything related to LVM and mdraid. Need to test.
**** rd.md=1 is probably necessary.
**** rd.md.conf=1 will enable the use of the mdadm.conf file in the initramfs. Sounds useful, need to research what this file does.
*** Cannot reproduce boot failure with a simple RAID1 setup, need more information.
* 4) forced linux-image installation (due to tirdad dependencies) can break OpenVZ (and maybe other similar virtualizers / containers) due to
** Aaron: I wouldn't expect kernel installation to break a containerization platform. OpenVZ may be weird, but it seems to be effectively dead, no code changes in https://github.com/openvz since mid-2024, likely not worth supporting. That being said, a kernel may be "wasted space" in a container, though it might not be if a container may be converted to a VM later.
*** If we remove tirdad from dependencies, I guess we'll just document in the distribution morphing instructions that users who aren't working with containers should install it? And systemcheck will warn about its absence.
*** Removed tirdad from dependencies and documented.
* 5) documentation: needs both packages, apt-transport-tor tor because apt-transport-tor does not depend on tor
** Aaron: Documented.
* 6) extrepo command not functional. Needs upstream pull request.
** Aaron: PR submitted: https://salsa.debian.org/extrepo-team/extrepo-data/-/merge_requests/483
* 7) setup-dist on CLI show a login permission issue attempting to write the setup-dist state file
** Aaron: Caused by the user account (most likely not named user) not being present in the privleap group. Documentation update created.
== extrepo - separate ticket ==
* was already part of ticket "server distro morphing issues". split into separate ticket for brevity.
* https://salsa.debian.org/extrepo-team/extrepo-data/-/merge_requests/483
* extrepo has the Kicksecure and Whonix key duplicated, therefore both need to be updated
** Aaron: Updated key and removed a deprecated repo.
* Patrick:
** 1) Add onions to extrepo upstream yml files.
<pre>
sudo extrepo enable kicksecure --tor onion
.onion URL requested, but the repository kicksecure does not have a .onion URL configured.
sudo extrepo enable whonix --tor onion
.onion URL requested, but the repository whonix does not have a .onion URL configured.
</pre>
** 2) Update signing key yet again. (Now set to indefinite.)
** 3) Post a feature request to configure enabled_policies (reference: see /etc/extrepo/config.yaml) by command line.
* Aaron: Done.
** Key and URI updates: https://salsa.debian.org/extrepo-team/extrepo-data/-/merge_requests/484
** Feature request for command line configuration of repositories: https://salsa.debian.org/extrepo-team/extrepo/-/issues/10
== Rotate MOK keys for existing users ==
* Aaron:
** DKMS was, without our knowledge, generating MOK keys during the build process when tirdad is installed. This means that a large number of existing systems have MOK private keys that were generated during the build process and are therefore public.
** For users who are not using Secure Boot, or who are using Secure Boot but do not have a MOK key enrolled, delete the keys without confirmation so that DKMS will regenerate them the next time it needs keys.
** For users who are using Secure Boot and have MOK keys enrolled, use systemcheck to alert them that they need to delete, regenerate, and re-enroll the keys.
** Implemented code to fix, commits pushed to helper-scripts, sysmaint-panel, and systemcheck.
* Patrick:
** 1) dev_mode_function comments outdated?
*** Aaron: Yes, slightly. Updated.
** 2) systemcheck shouldn't take action. It's not guaranteed to be installed (mostly theoretical) but as per its name it should be safe to use and not take any actions by itself. Could you move the following elsewhere please?
<pre>
safe-rm --force -- "${dkms_mok_public_file}"
safe-rm --force -- "${dkms_mok_private_file}"
</pre>
* Aaron: Moved to legacy-dist.
** 3) ./* would be safer?
<pre>
for mok_file in *; do
for mok_file in ./*.der; do
</pre>
*** Aaron: Agreed, that would be safer. Changed.
** 4) dotglob, nullglob useful?
*** Aaron: Probably not, we check to make sure the string we're looking at is actually a file. mokutil doesn't output files that start with a . when running mokutil --export.
* 5) duplicate check?
<pre>
if ! [ -d /sys/firmware/efi ]; then
  if test -e /usr/share/qubes/marker-vm; then
    reason="Not booted in EFI (UEFI) mode. Secure Boot is only available in EFI (UEFI) mode.
Qubes detected: yes
Qubes issue:
https://github.com/QubesOS/qubes-issues/issues/5241"
  else
    reason="Not booted in EFI (UEFI) mode. Secure Boot is only available in EFI (UEFI) mode."
  fi
  log error "$reason
Therefore Secure Boot is unavailable and there is no need to set up or enroll a MOK. Exiting."
  dev_mode_function_ignore_error || return 1
fi

if ! [ -d /sys/firmware/efi ]; then
  log error "UEFI is not in use, therefore no need to manage MOKs. Exiting."
  dev_mode_function_ignore_error || return 1
fi
</pre>
* Aaron: Yes. Removed duplicate.
* 6) DKMS upstream bug report
** Aaron: Filed: https://github.com/dkms-project/dkms/issues/574
* Patrick:
** 1) mok-rebuild-dkms needs to show a different message if no DKMS modules were installed, hence none required rebuild. Otherwise the current output is confusing.
*** Aaron: Good point, fixed.
* Aaron: Need to implement the above DKMS feature request.
** Implemented, submitted upstream at https://github.com/dkms-project/dkms/pull/575, upstream merged it.
== systemcheck - unclean login support ==
* how to reproduce: adduser user2 && sudo -u user2 zsh. Then run systemcheck.
* only better error reporting. Not necessarily full support.
* systemcheck should check if $(whoami) is a member of group privleap
* Aaron: Implemented, commits pushed to systemcheck.
* Patrick: Merged.
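The membership check described in this ticket, as an added example in POSIX sh; this is not systemcheck's code. The group name privleap and the <code>adduser</code> hint come from the ticket; the function names, the message wording and the <code>$USER</code> mismatch heuristic (flagged as an assumption in the code) are this example's own.

```shell
#!/bin/sh
# Added example, not systemcheck's code: check that the effective account is a
# member of the group privleap needs, and give a useful message for "unclean"
# sessions such as "adduser user2 && sudo -u user2 zsh".

# user_in_group USER GROUP: 0 if USER is in GROUP (primary or supplementary),
# 1 if not, 2 if USER does not exist.
user_in_group() {
  groups_of_user=$(id -nG "$1" 2>/dev/null) || return 2
  for g in $groups_of_user; do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# login_check [GROUP]: report whether the effective account can use
# privleap-based actions and what to do if it cannot. 0 on OK, 1 otherwise.
login_check() {
  required_group="${1:-privleap}"
  effective_user=$(id -un)
  # Assumption of this example: a clean desktop login sets $USER to the
  # logged-in account. A mismatch is a hint (not proof) that the session was
  # entered via su/sudo rather than a real login.
  if [ -n "${USER:-}" ] && [ "$USER" != "$effective_user" ]; then
    echo "WARNING: USER=$USER but the effective account is $effective_user (unclean login?)."
  fi
  if user_in_group "$effective_user" "$required_group"; then
    echo "OK: account $effective_user is a member of group $required_group."
    return 0
  fi
  echo "ERROR: account $effective_user is not a member of group $required_group."
  echo "privleap actions will be denied. Fix (as an administrator):"
  echo "  adduser $effective_user $required_group"
  echo "then log out and back in so the new group membership takes effect."
  return 1
}

# Run against the current session; the exit status is carried in the message.
login_check "${1:-privleap}" || :
```

Run as the account that systemcheck would run as; the "ERROR" branch reproduces the situation from the reproduction steps above, where a freshly added account has no privleap membership.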
== dummy-dependency-mta bug ==
* dummy-dependency-mta makes it impossible to "sudo apt install postfix"
* required on servers
* currently only workaround dummy-dependency dummy-dependency-mta
* if unfixable, please document on [[Debian Packages]]
** Aaron: This is unfixable, Kicksecure 17 includes gpg-wks-server, which gained a dependency on default-mta | mail-transport-agent in Trixie, which was pulling in exim4-daemon-light. Therefore this is likely not able to be fixed. Documented.
== wlr-resize-watcher documentation review ==
* please review, improve https://www.whonix.org/wiki/Resize
** Aaron: Reviewed, made minor changes (mostly clarifying the steps to take after launching configure-dynamic-resolution).
== kvm ISO installation - /dev/disk/by-diskseq/2 is shown as "activating - tentative" ==
* Occurs with 18.0.8.7 ISO as well as newly built ISOs
* Causes an error message in systemcheck
* Possibly udev related?
* Aaron: Fixed for new images, commit pushed to derivative-maker.
** The underlying issue was that Dracut was not building a hostonly initramfs like we expected. Further discussion is needed to know how to best fix this on existing systems, several ideas shared in chat.
*** Renamed config file in dist-base-files to override dracut-config-generic's file. Commit pushed to dist-base-files.
* Patrick:
** needed? rm_conffile /etc/dracut.conf.d/30-dist-base-files.conf
*** Aaron: Yes. Added, commit pushed to dist-base-files.
* Patrick: Merged.
== user-sysmaint-split gui session starting - use symlinks ==
* 1) Perhaps mv isn't robust enough? Would it be possible, better to use symlinks instead? Maybe required anyhow one day for verified boot?
<pre>
usr/libexec/user-sysmaint-split/sysmaint-boot: mv --verbose -- "${lightdm_state_backup_file}" "${lightdm_state_file}"
usr/libexec/user-sysmaint-split/sysmaint-boot: mv --verbose -- "${sddm_state_backup_file}" "${sddm_state_file}"
usr/libexec/user-sysmaint-split/sysmaint-boot: mv --verbose -- "${lightdm_state_file}" "${lightdm_state_backup_file}"
usr/libexec/user-sysmaint-split/sysmaint-boot: mv --verbose -- "${sddm_state_file}" "${sddm_state_backup_file}"
usr/libexec/user-sysmaint-split/sysmaint-boot-cleanup: mv --verbose -- "${lightdm_state_backup_file}" "${lightdm_state_file}" || {
usr/libexec/user-sysmaint-split/sysmaint-boot-cleanup: mv --verbose -- "${sddm_state_backup_file}" "${sddm_state_file}" || {
</pre>
* 2) Better to auto generate these files on each boot?
* Aaron: Sent notes in chat. IMO, switching to symlinks is unlikely to provide substantially better robustness, and isn't necessary for Verified Boot.
== extrepo failing in Qubes templates ==
* https://forums.kicksecure.com/t/brave-isn-t-installing/1515
** Aaron: Turned out to be because our proxy handling was wrongly designed (pkexec doesn't pass the proxy environment variables to the commands it calls). Fixed, commit pushed to browser-choice.
* Patrick: Merged.
== autologinchange CLI version bug - /etc/lightdm ==
* if folder /etc/lightdm does not exist, grep shows an error.
* happens on distro morphed CLI systems without GUI / lightdm
** Aaron: Fixed, commit pushed to helper-scripts.
* Patrick: Merged.
== livecheck improvements ==
* https://forums.kicksecure.com/t/vm-and-grub-live/1504
* some sort of command line version so users can easily check this
** running /usr/libexec/helper-scripts/get_writable_fs_lists.sh directly is cumbersome and its output confusing (starts with empty line)
* implement livecheck-systray --gui versus livecheck-systray --cli?
* add some debug output
** log output of livecheck-systray to journalctl --user log so we can find out why it glitches?
** why stdout/stderr generated by livecheck-systray doesn't automatically end up in journalctl --user?
* Aaron: Implemented, commits pushed to helper-scripts and desktop-config-dist.
* Patrick: Will we be able to reasonably easily debug https://forums.kicksecure.com/t/vm-and-grub-live/1504 on user systems? I.e. have a log that we can ask users to share to see what is going on?
** Aaron: Yes. The logs can be retrieved using journalctl --boot --user -u livecheck.service. They will include the directories considered "safe" and "unsafe" by get_writable_fs_lists.sh.
*** It might be possible to add more detailed logging by making get_writable_fs_lists.sh output details about why it believes each individual device is safe or not. This might be invasive though, and simply seeing the folder paths in the log output is probably enough to give the user a hint about what happened and why without needing that info. (I'm suspecting the issue this user is encountering is user error or perhaps hardware-related, not a bug in the code.)
* Patrick: Merged.
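An added example in POSIX sh of the kind of classification a livecheck-style tool has to do, and of the point made in the immutability thread above that a read-only mount flag is not a security boundary. This is not code from helper-scripts, livecheck or get_writable_fs_lists.sh. It reads a /proc/self/mounts-style listing and answers three questions: which mount holds a given path and whether it is mounted <code>ro</code>, whether / is an overlay (what a live boot looks like), and which <code>rw</code> mounts are backed by a block device, i.e. where writes would persist. The SAMPLE_MOUNTS listing is constructed, and the function names and "unsafe" wording are this example's own.

```shell
#!/bin/sh
# Added example, not the project's code. Input format is that of
# /proc/self/mounts: device mountpoint fstype options dump pass
# (spaces inside paths appear escaped as \040).
# SAMPLE_MOUNTS is constructed for this example, not captured from a real system.
SAMPLE_MOUNTS='/dev/vda1 /live/image ext4 ro,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/live/image,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/vda1 /boot ext4 rw,relatime 0 0
/dev/vdb1 /mnt/data ext4 rw,relatime 0 0'

# mount_entry PATH [MOUNTS]: print the entry whose mount point is the longest
# prefix of PATH. Without MOUNTS, the live /proc/self/mounts is read.
mount_entry() {
  mounts="${2:-$(cat /proc/self/mounts)}"
  printf '%s\n' "$mounts" | awk -v p="$1" '
    {
      mp = $2
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > best_len) { best_len = length(mp); best = $0 }
      }
    }
    END { if (best != "") print best }'
}

# fs_is_readonly PATH [MOUNTS]: 0 if the filesystem holding PATH is mounted
# with "ro", 1 if writable, 2 if no mount matches. This reports the mount flag
# only: root can clear it with "mount -o remount,rw", so it is informational,
# not a protection.
fs_is_readonly() {
  entry=$(mount_entry "$1" "${2:-}")
  [ -n "$entry" ] || return 2
  opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
  case ",$opts," in
    *,ro,*) return 0 ;;
  esac
  return 1
}

# writable_block_mounts [MOUNTS]: mount points that are rw AND backed by a
# /dev block device, i.e. places where writes survive a reboot even in live mode.
writable_block_mounts() {
  mounts="${1:-$(cat /proc/self/mounts)}"
  printf '%s\n' "$mounts" | awk '$1 ~ /^\/dev\// && ("," $4 ",") ~ /,rw,/ { print $2 }'
}

# root_is_overlay [MOUNTS]: 0 if / is an overlay filesystem.
root_is_overlay() {
  entry=$(mount_entry / "${1:-}")
  [ "$(printf '%s\n' "$entry" | awk '{ print $3 }')" = overlay ]
}

# live_report [MOUNTS]: short human-readable summary, one "unsafe:" line per
# persistent writable target.
live_report() {
  mounts="${1:-$(cat /proc/self/mounts)}"
  if root_is_overlay "$mounts"; then echo "root: overlay (live mode)"; else echo "root: not an overlay"; fi
  writable_block_mounts "$mounts" | while read -r mp; do
    echo "unsafe: $mp is writable and backed by a block device"
  done
}

live_report "$SAMPLE_MOUNTS"
```

On the sample, / is an overlay over the read-only /live/image, but the same device is also mounted read-write at /boot, so a live-mode check must still report /boot (and /mnt/data) as persistent writable targets. Omit the second argument to run the functions against the real /proc/self/mounts.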
== bug: sdwdate-gui flooding logs when server is disabled ==
* User bug report on Matrix:
I think I tracked down the issue. Since I added disable=true (as per the docs), sdwdate_gui_server.py will exit and never create a socket (https://github.com/Kicksecure/sdwdate-gui/blob/43016ec5f960375fb986340b33dedee8de1b07cb/usr/lib/python3/dist-packages/sdwdate_gui/sdwdate_gui_server.py#L1165-L1169) This code on the server will then timeout after 20 attempts since the socket is never created (https://github.com/Kicksecure/sdwdate-gui/blob/master/usr/libexec/sdwdate-gui/sdwdate-gui-qubes-proxy-helper) However this code is running in every client and keeps calling a service that reports whether the socket exists or not forever (https://github.com/Kicksecure/sdwdate-gui/blob/43016ec5f960375fb986340b33dedee8de1b07cb/usr/libexec/sdwdate-gui/sdwdate-gui-qubes-proxy#L30-L42) Which causes a huge amount of log spam since it's accepted once per second for every client.* Aaron: ** Ideally, just setting disable=true should really disable things, so maybe it would be better to make sdwdate-gui.ConnectCheck return a "not ready, and won't ever be ready, stop trying" code of some sort, rather than just returning "yes, ready" or "no, not ready yet". ** Fix created, commit pushed to sdwdate-gui. * Patrick: Merged. == browser-choice - allow use on live ISO == * There is no web browser in Kicksecure ISO's user mode, by design. * Installing a browser in this mode is currently impossible because browser-choice cannot install web browsers without
pkexec.
* Add privleap actions to the live ISO only that allows installation of browsers without needing pkexec
* Add support for using these actions to browser-choice
* Aaron: Implemented, commits pushed to browser-choice, live-config-dist, and privleap.
* Patrick: Merged.
* Patrick: Possible to simplify live-config-dist privleap configuration? One to rule them all?
** Aaron: Moved privleap config to a non-active location in the browser-choice package, and added a systemd unit to live-config-dist that copies it into privleap's config directory at startup. Commits pushed to live-config-dist and browser-choice.
* Patrick: Merged.
== tb-updater potential permission issue ==
* review, fix what update-torbrowser should do if run inside Qubes Template under account user versus sysmaint versus root
* https://forums.whonix.org/t/rm-errors-when-running-update-torbrowser-on-a-fresh-whonix-workstation-18-template/22659
* https://forums.whonix.org/t/whonix-workstation-18-update-torbrowser-and-salt-template-management-beware-of-default-user-switch-to-sysmaint/22664
* add (privleap based) fix permissions fix
* existing function: tb_fix_permissions
* potential fix: adduser sysmaint user (requires syntax check)
** add account user to group sysmaint
** use add_groups_to_linux_user_account
* Aaron: Cannot reproduce, asked for additional information.
* Consider which permissions we want on /var/cache/tb-binary folder. User or sysmaint? Versus unrestricted admin mode. Maybe we should always drop privileges to account user.
* Aaron: Discussed, implemented additional sandboxing controls. Commits pushed to tb-updater, tb-starter, and helper-scripts.
* Patrick: Merged.
== second keyboard layout issue ==
* https://forums.kicksecure.com/t/add-second-language-to-layout/1474
* Marek has pointed out that what the user is trying to do in this scenario is unsupported, thus no fix for this is necessary.
* However, KDE keyboard layout settings are broken under Qubes, which is an actual issue. Reported a bug: https://github.com/QubesOS/qubes-issues/issues/10571
== usbguard.service unable to be disabled easily ==
* Aaron:
** https://forums.kicksecure.com/t/problems-with-kicksecure-18-in-qubes-os-usbguard-in-sys-qubes/1489
** Document the right way to disable USBGuard on the wiki if it isn't already documented
** usbguard-dbus.service also needs to be disabled. Documented on the wiki.
*** Follow-up note, usbguard-dbus.service is not running by default in a sysmaint session. Perhaps it should be?
**** Patrick: Probably yes. Please implement and notify forums.
***** Aaron: Done, commit pushed to user-sysmaint-split.
* Patrick: Merged.
== default speaker volume setting ==
* https://forums.kicksecure.com/t/system-sound-volume-at-100-post-install-18-0-8-7-feedback/1468
** Aaron: Implemented, commit pushed to desktop-config-dist.
*** I should add a config file to this before this is merged.
* Patrick: Merged. Blocked.
** Aaron: Unblocked, we've decided against adding a configuration file as discussed. However, crashes in sysmaint session with Failed to get sink information: No such entity.
** Aaron: Reverted for now, awaiting feedback from exfil on the forums. We might not want to implement this at all.
*** Turns out this is occurring on physical hardware, thus this is still worth fixing.
*** Implemented, commits pushed to desktop-config-dist and user-sysmaint-split.
* Patrick:
** 1) do_once file is created prior to setting the volume. Is this by design? It might make sense if we see a remote chance that this might fail but we want the boot to only be blocked once, not twice at least. If so, please comment.
*** Aaron: Added comments.
** 2) use light_sleep? ("read -t 0.1" seems functional, so light sleep should be compatible with fractions indeed)
*** Aaron: Added floating-point compat to light_sleep (needed to fix a validation regex).
** 3) should discard stderr of "pactl get-default-sink" to avoid log spam?
*** Aaron: Yes, added.
** 4) seems hard to debug since it only runs once and we cannot instruct the user to manually run it. The systemd-detect-virt, wait, pactl get-default-sink, pactl set-sink-volume is therefore perhaps best if moved to usability-misc? Also useful to reduce code duplication.
*** Aaron: Split out the "wait for audio to become available" code into a new mini library.
** 5) user-sysmaint-split:
first it checks:
<pre>
if command -v pactl &>/dev/null; then
  pactl set-sink-mute @DEFAULT_SINK@ false || true
fi
</pre>
but then it is attempting to run pactl anyhow
*** Aaron: Fixed.
** 6) What is the chance that pactl might hang forever? Should we use `timeout` or a (yet to be invented) timeout_wrapper?
*** Aaron: It's unknown whether pactl may hang, thus added a timeout.
* Aaron: Made revisions, commits pushed to desktop-config-dist, user-sysmaint-split, and helper-scripts.
* Patrick: Merged.
== battery icon not showing up on physical hardware systems ==
* https://forums.kicksecure.com/t/no-battery-status-indicator-18-0-8-7-feedback/1491
** Aaron: Bugfix created, commit pushed to vm-config-dist.
* Patrick: Merged.
== research sandboxing technique pros and cons ==
* option 1: vm-app-manager
** Implies nested virtualization
* option 2: sandbox-app-launcher (Bubblewrap)
* option 3: unsandboxed with AppArmor confinement
* determine how the options can work (in isolation or combined), and what we do and don't want to support
* necessary to determine how we want to solve the Tor Browser "Open in Folder" button breakage
* resources:
** https://forums.kicksecure.com/t/separate-some-user-applications-from-the-operating-system/1120
** https://forums.kicksecure.com/t/for-apps-persmission-default-block-all/1165
* [[Install_Software#Flatpak_Breaking_the_Native_Sandbox_of_Applications|Flatpak Breaking the Native Sandbox of Applications]]
** [[vm-app-manager]]
** [[sandbox-app-launcher]]
** related tickets...
** [[#per-app UID sandboxing]]
** [[#stackable wrappers]]
** [[#check out bubblejail]]
** [[#sandbox-app-launcher]]
** [[#automated test suite - cli version]]
** [[#apparmor.d review]]
* points to consider:
** if incompatible with Qubes, lowers the value a lot
** if breaks native application (browser) sandboxing, lowers the value a lot
** todo research: is it worse to use nested virtualization (adds attack surface) versus not using nested virtualization (less containment)?
* Aaron: This is complete for now, we have a semi-clear idea of how sandboxing would work that we can experiment with and potentially start implementing in the future.
== qvm-tags migration issue ==
* https://forums.whonix.org/t/qubes-4-2-4-3-whonix-17-18-denied-sdwdate-gui-connectcheck-from-anon-whonix-to-sys-whonix/22656
* Aaron: Waiting for info, this seems to be already handled, but requires a reboot or qubesd restart to trigger the tagging. This probably can be "fixed" by documenting the behavior, assuming there isn't any deeper issue involved.
** Confirmed, this does just need the docs to be checked.
** Patrick updated the docs.
== VirtualBox non-functional on Kicksecure 18 on Secure Boot systems ==
* https://forums.kicksecure.com/t/virtualbox-error-kernel-driver-not-installed-rc-1908/1453
* User followed the steps from https://www.kicksecure.com/wiki/Secure_Boot without success.
* Aaron: Workaround found: https://forums.kicksecure.com/t/virtualbox-error-kernel-driver-not-installed-rc-1908/1453/8
** Document and add to Wiki? Integrate into virtualbox-installer-cli somehow?
* Patrick: Please implement as discussed.
** [[Debian]] (briefly mention architecture specific installation of mokutil and link to [[Secure Boot]])
** systemcheck:
*** report missing mokutil.
*** report missing MOK key
*** report missing MOK key symlinks (maybe)
*** Maybe only in applicable situations? For example, in Qubes: verbose and info level only.
* Aaron: Implemented all task aspects listed here, plus adding the /var/lib/shim-signed/mok symlinks. Commits pushed to systemcheck and usability-misc.
** Aaron: Unsure what approach we want to use for automating MOK key setup. Concerns with a Calamares-based approach shared in chat. This should be moved back to TODO once we've decided what to do here.
*** Patrick: Good now since integrated into usability-misc?
* add sanity tests to Non-Qubes and Qubes build process to make sure we don't ship autogenerated keys created during the build process [DONE]
* should not run inside chroot because we do not want to ship autogenerated keys [DONE]
* [[Secure Boot]] wiki page still mentions dkms_test, which isn't installed by default and probably should not be. Any replacement? [TODO]
* please review
** Aaron: Reviewed, fixed indentation in one spot in systemcheck.
* Aaron: Implemented a button for setting up and enrolling the MOK easily. Commits pushed to sysmaint-panel, systemcheck, and helper-scripts.
** Possible todo item, do we want to add a test to systemcheck to see if the MOK is enrolled?
** Patrick: Please implement.
*** Aaron: Implemented, commits pushed to helper-scripts, sysmaint-panel, systemcheck, and privleap. Issues with some recent changes mentioned in chat.
== install button in sysmaint-panel too small ==
* Aaron:
** The "Install System" button at the top of sysmaint-panel is small and stuck to the left side of the display.
** Make it span the width of the display like it used to.
** (This was a consequence of making sysmaint-panel generate its main window dynamically, which avoided some UX issues but created an issue here.)
*** Fixed, commit pushed to sysmaint-panel.
* Patrick: Merged.
== windows installer - improvements ==
* make Hyper-V less easy to miss
** currently it is easy to click "continue" while the setting is still at "do nothing". Options might not be shown on the screen and may be hidden below the taskbar (invisible).
** solution: no option selected by default?
** and/or require the user to choose an option
** if not doable: have an option that shows a popup that tells the user to choose an option
* allow window maximizing / do not block window maximizing
* reason: users tend to not read these messages at all.
* rewording suggestions: old:
Do Nothing
Do not modify Hyper-V configuration. This is the safest option
Disable Hyper-V
Disable Hyper-V and all Windows features that rely on it. May reduce host security
Re-enable Hyper-V security features
Re-enable Hyper-V and several Windows security features that rely on it. May improve host security
new:
Select an option.
Keep Current Setting
Make no changes to Hyper-V. No security change. This is the safest option.
Improve VirtualBox Stability (Reduces System Security)
Disable Hyper-V and Windows features that rely on it. Reduces overall system security. Improves VirtualBox stability and performance.
Increase System Security (Reduces VirtualBox Stability)
Re-enable Hyper-V and related Windows security features. Increases system security. May reduce VirtualBox stability and performance. This is useful if Hyper-V has been previously disabled.
* Aaron: Implemented, commit pushed to Whonix-Installer. However, two serious issues were found that may make continued work on this installer difficult or not worthwhile:
** It is possible to crash the installation by clicking the checkbox for viewing installation details while the OVA file is being unpacked. The reason why this occurs is unclear, it seems to be a memory management issue, but the place where it occurs doesn't make much sense. The "Application.ProcessMessages" mechanism being used to allow the UI to update might not be a safe way of doing things (re-entrancy problem?).
** Windows Smart App Control blocks the installation of Whonix-Starter because it is unsigned and Microsoft's heuristics didn't declare the application safe after looking at it.
* Patrick: Merged.
== review and improve pre and colors ==
* /usr/libexec/helper-scripts/pre.bsh
* /usr/libexec/helper-scripts/get_colors.sh
* please review
** ignore the awkward file extension which is for some other time to correct (sh vs bsh)
* please improve in case of any issues
** Aaron: Found one possible bug in pre.sh and fixed it, all other changes were for readability. Commit pushed to helper-scripts.
* Patrick: More changes. Please re-review.
** Aaron: Reviewed, tested pre.bsh using new test script, made minor changes and pushed to helper-scripts.
* Patrick: Merged.
== login wiki page - colors ==
* document [[Systemcheck#Physical_Security_Check_-_Meaning_of_Colors|Physical Security Check - Meaning of Colors]]
* Aaron: Documented.
== antivirus forum discussion ==
* please comment
* https://forums.whonix.org/t/installation-of-antivirus-scanners-by-default/9755
* Aaron: Researched, posted a comment.
== genmkfile debdistfile broken ==
* this went wrong: https://github.com/Kicksecure/security-misc/commit/5e45248eb63ecb4b7f924ff9fcba6b40f5bf1244
** should have been a simple single line append. instead 2 files got changed a lot.
* already fixed in git
* the question is, why results differ widely between us?
* Aaron: Found issue, use of find without sort in genmkfile led to different results on different machines. Fix pushed to genmkfile.
* Patrick: Merged.
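The root cause above, find without sort, is a classic reproducibility bug: find returns entries in whatever order the filesystem hands them back, so two machines produce different files from the same input. The following is an added example, not genmkfile's own code, showing a locale-independent sorted listing plus a manifest hash that two builders can compare; the directory trees it hashes are constructed inline.

```shell
#!/bin/bash
# Added example (not genmkfile's code): deterministic file listing and manifest hashing.
set -u

# Print every regular file below "$1" (relative to "$1"), one per line, in
# byte-wise sorted order. Plain find output depends on directory order, which
# differs between filesystems and machines, so the list is sorted with LC_ALL=C
# so that the collation does not depend on the builder's locale either.
# NUL separators keep unusual file names from breaking the pipeline.
list_files_deterministic() {
  local dir="$1"
  ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | tr '\0' '\n' )
}

# Hash the sorted list of per-file checksums, so the result depends only on
# file names and contents, never on creation order. Prints one sha256 hex digest.
manifest_hash() {
  local dir="$1"
  ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) \
    | sha256sum | cut -d' ' -f1
}

# Constructed demo helper: create the given relative paths under "$1" with
# content derived from the path name, in the order the names are given.
make_demo_tree() {
  local dir="$1"; shift
  local name
  for name in "$@"; do
    mkdir -p "$dir/$(dirname "$name")"
    printf 'content of %s\n' "$name" > "$dir/$name"
  done
}

# Same three files created in two different orders: the listing and the manifest
# hash come out identical, which is what the unsorted find could not guarantee.
demo() {
  local a b
  a="$(mktemp -d)"; b="$(mktemp -d)"
  make_demo_tree "$a" debian/control usr/bin/tool etc/app.conf
  make_demo_tree "$b" etc/app.conf usr/bin/tool debian/control
  list_files_deterministic "$a"
  if [ "$(manifest_hash "$a")" = "$(manifest_hash "$b")" ]; then
    echo "manifests match regardless of creation order"
  fi
  rm -rf "$a" "$b"
}

demo
```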
== misc AI review #3 ==
* most seems unnecessary
* https://github.com/assisted-by-ai/tb-updater/pull/1
* https://github.com/assisted-by-ai/tb-updater/pull/2
* https://github.com/assisted-by-ai/tb-updater/pull/3
* Aaron: Integrated the useful parts of these, commits pushed to tb-updater.
* Patrick: Merged.
== keyboard layout change and disk encryption ==
* We allow the user to change the keyboard layout. set-system-keymap is even able to change the keyboard layout in the initramfs, where the disk decryption prompt appears.
* We also allow the user to change the disk encryption passphrase.
* If a passphrase contains characters that cannot be typed with a particular keyboard layout, and the layout is set to the problematic layout, the user will be locked out of their system and will need to boot from an external drive to recover.
* Example: user installs with language set to German, includes ß character in the passphrase, then changes keyboard layout to US English
* Example 2: user usually has their keyboard set to US English, but temporarily changes keyboard layout to Spanish, then changes their encryption passphrase to include a ñ character
* Try to add safeguards to set-(console|system)-keymap and crypt-pwchange to avoid this scenario
** Aaron: Done, commits pushed to helper-scripts and live-config-dist. Also created documentation at https://www.kicksecure.com/wiki/Keyboard_Layout#Changing_the_system_or_console_keymap_when_using_Full_Disk_Encryption.
*** Did not make changes to crypt-pwchange, as I'm not sure what safeguards could be put in place there. There isn't a reliable way to read the current keymap from labwc that I can tell, heuristic methods based on config file parsing may be unreliable and give false alarms or fail to give alarms when needed. Warning the user if they are about to set a passphrase that can't be typed using the current console keymap might be useful, but would also require knowing the physical keyboard the user has (which may be difficult) and would likely require parsing XKB keymap files, which is non-trivial.
* Patrick: review...
* please close the if as early as possible:
if /usr/bin/luks-path-check /; then
if /usr/bin/luks-path-check /; then
## TODO: "true" or log output
return 0
fi
* please output what is happening:
if ! tty >/dev/null; then
## Can't prompt user for confirmation, bail out
return 1
fi
* use &>/dev/null?
if ! tty >/dev/null; then
* Aaron: Implemented all requested changes, also added some extra true debug messages in a couple other situations. Commit pushed to helper-scripts.
* Patrick: Merged.
== fil-c bug report ==
* explain Debian downstream packaging issues
* common conventions
* link to Debian RFP
* Aaron: Created: https://github.com/pizlonator/fil-c/issues/185
** Also sent a link to the Debian RFP.
== systemcheck broken by privleap /usr/local/etc support ==
* privleapd now outputs an expected "INFO:" message informing the user that "/usr/local/etc/privleap/conf.d" does not exist. This breaks a systemcheck test.
* Possible fix; ignore lines that start with "INFO:" in the appropriate systemcheck test?
** Fixed, but not in systemcheck. Instead, silenced the message about missing config dirs when running in privleapd in check-config mode. Commits pushed to privleap.
* Patrick: Merged.
== 351-socks-auth-extensions - review ==
* please search code base for: random_socks_user_name
* implement, if sensible:
** https://spec.torproject.org/proposals/351-socks-auth-extensions.html
** https://spec.torproject.org/socks-extensions.html
* note: curl socks user name in Qubes source code (was reverted)
* Tor began implementing format type [30] in 0.4.9.1-alpha.
* already implemented in dist-installer-cli
* Patrick: Assigned to myself.
* Patrick: Please review dist-installer-cli code related to random_socks_user_name. If looking okay, I'll port the rest of the code base.
** Aaron: Looks good to me, although I would suggest renaming random_socks_user_name to random_socks_password.
*** Patrick: Done.
* Patrick: Done. Please review.
** Aaron: Looks good.
== revert failsafe ==
* please revert dist-base-files and grub-live failsafe (as discussed a while ago)
** Aaron: I think this already was reverted? I don't see 'failsafe' in file names or file contents in either mentioned repo.
* Patrick: Resolved as discussed.
== bug: virtualbox-installer-cli enables non-torified VBox repo ==
* Aaron:
** dist-installer-cli is supposed to detect if the system has torified updates enabled, and torify repositories like VirtualBox's.
** This did not work on my development VM. Investigate further.
** Found the bug, fixed it, commit pushed to usability-misc.
* Patrick: Merged.
== dist-installer-cli function disable_kvm_virt_at_load improvements ==
* check if kernel modules are actually loaded before attempting to run "modprobe -r" to avoid spurious error messages
* assigned to Patrick
* done
* please review
** Aaron: Looks good for the most part, made one minor improvement to lsmod_deterministic. Commit pushed to helper-scripts.
* Patrick: Merged.
== Whonix-on-UTM - double .raw filename extension ==
* https://forums.whonix.org/t/whonix-on-mac-m1-arm-user-support-still-unsupported-at-time-of-writing/11310/441
** Aaron: Fixed, commits pushed to derivative-maker and libvirt-dist.
== pcmanfm-qt race condition with wlr_resize_watcher ==
* Under KVM, occasionally wlr_resize_watcher will resize the display at the exact wrong time, and cause pcmanfm-qt to end up stuck in the upper-right corner of the screen.
* Try to detect when pcmanfm-qt is supposed to be starting, and make wlr_resize_watcher wait to resize the display until it has started if possible.
* Aaron: Attempted fix created, seems to work at first glance. Commit pushed to vm-config-dist.
* Need to handle cases where pcmanfm-qt is missing. Function wait_for_required_processes needs a timeout.
** Aaron: Implemented additional timeout, commit pushed to vm-config-dist.
* Patrick: Merged.
== virtualbox - failure to load libwayland-client.so and libX11.so ==
* Follow-up to systemcheck journal warning documentation task
## TODO: Investigate further.
## Aug 03 23:48:39 localhost kernel: 23:48:39.520137 main rtldrNativeLoad: dlopen('libwayland-client.so', RTLD_NOW | RTLD_LOCAL) failed: libwayland-client.so:
## Aug 03 23:48:39 localhost kernel: 23:48:39.520555 main rtldrNativeLoad: dlopen('libX11.so', RTLD_NOW | RTLD_LOCAL) failed: libX11.so: cannot open shared obj
journal_ignore_fixed_list+=( "rtldrNativeLoad: dlopen('libwayland-client.so', RTLD_NOW | RTLD_LOCAL) failed: libwayland-client.so:" )
journal_ignore_fixed_list+=( "rtldrNativeLoad: dlopen('libX11.so', RTLD_NOW | RTLD_LOCAL) failed: libX11.so: cannot open shared obj" )
* Aaron: These warnings no longer seem to occur with VirtualBox 7.2.4 on the host, and the latest VirtualBox guest additions in Debian Trixie. Commented out the ignore lines. Commit pushed to systemcheck.
== virtualbox - ata1.00: Read log 0x00 page 0x00 failed, Emask 0x01 ==
* Follow-up to systemcheck journal warning documentation task
## TODO: Likely just lack of support for an ATA feature in some hypervisors, but needs further research.
## Apr 25 10:30:25 localhost kernel: ata1.00: Read log 0x00 page 0x00 failed, Emask 0x1
journal_ignore_fixed_list+=( "ata1.00: Read log 0x00 page 0x00 failed, Emask 0x1" )
* [[Dev/VirtualBox#ata1.00:_Read_log_0x00_page_0x00_failed,_Emask_0x1|ata1.00: Read log 0x00 page 0x00 failed, Emask 0x1]]
* Aaron: Added link to documentation. Commit pushed to systemcheck.
== qubes-whonix-workstation - XGetWindowAttributes warning ==
* Follow-up to systemcheck journal warning documentation task
## TODO: Only occurs in Qubes-Whonix-Workstation. Occurs even if input event buffering is turned off entirely via `qvm-features anon-whonix -D gui-events-max-delay`. Cause is unknown.
## Dec 11 05:57:15 host qubes-gui[1307]: XGetWindowAttributes for 0x200005 failed in handle_create, ret=0x0
journal_ignore_fixed_list+=( "XGetWindowAttributes" )
* Aaron: Added info from Marek about the likely source of this. Commit pushed to systemcheck.
== support disabling ipv6 on Whonix 18 ==
* https://forums.whonix.org/t/how-to-disable-ipv6-in-whonix-18/22584
* Aaron: Discovered it was already possible to disable IPv6, I was just doing it wrong. Shared a method of doing it on the forums, unsure if a more thorough solution should be pursued or if I should just document the existing method on the wiki.
** Patrick has confirmed we should investigate allowing disabling IPv6 at the kernel level.
** Implemented, commits pushed to helper-scripts, user-sysmaint-split, anon-gw-anonymizer-config, anon-ws-disable-stacked-tor, and whonix-firewall.
* Patrick: Please revert whonix-firewall changes as discussed.
** Aaron: Done, commit pushed to whonix-firewall.
* https://www.whonix.org/wiki/IPv6
== live-build - grub.cfg GRUB configuration - loopback.cfg ==
* add https://www.supergrubdisk.org/wiki/Loopback.cfg compatibility (as the Debian Live ISO has)
* Requires fixes in live-build and Dracut to make work:
** live-build is specifying the wrong kernel parameter for loopback booting when using dracut - it's using findiso when it should be using iso-scan/filename. A fix for this has been integrated into my fork of live-build. MR to upstream here: https://salsa.debian.org/live-team/live-build/-/merge_requests/376
** dracut is failing to run udevadm trigger during its device scanning, so even when it finds the ISO and attaches it as a loopback device, it never finds it. Only appears to be a problem on Debian Bookworm, Trixie works just fine.
*** Task is on hold until we migrate to Trixie.
** (Side note: At least on QEMU, loopback mounts in GRUB fail with out-of-memory errors if the system uses UEFI. With BIOS it works fine. Not quite sure why this happens, very well may be an issue with QEMU's implementation of UEFI hardware or my usage thereof.)
* Aaron: This is now working out-of-the-box with the Kicksecure 18 ISO on BIOS systems. On EFI systems, a bug in GRUB 2.06 prevents loopback ISO boot, but there is a workaround: https://github.com/supergrub/supergrub/issues/134
* https://forums.kicksecure.com/t/install-on-usb-dont-boot/574
== live-build - policy-rc.d handling ==
* https://salsa.debian.org/live-team/live-build/-/merge_requests/409
* Aaron: Got this to a mergeable state, waiting for feedback.
* Merged, archiving.
== Qubes R4.2 default_dispvm bypass ==
* https://github.com/QubesOS/qubes-issues/issues/10328
** Aaron: Waiting on https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/25 for this as I intend to backport this to R4.2 to solve this.
** Fix merged, unsure when this will be backported to R4.2 or if any additional effort is needed to do this. Asked Marek in the Qubes Matrix room about next steps for this.
** Archiving, as we do not intend on backporting this to R4.2 after all.
== kvm shared folders - switch to virtiofs ==
* virtio-9p is broken, it's not possible to write files to the shared folder with an Ubuntu host.
** This turns out to only be the case if the shared folder is not world-writable.
* virtiofs doesn't appear to have major security issues, it has some behavior that may lead to issues due to social engineering or similar, but these aren't huge problems if the user keeps the host secure and is aware of virtiofs's behavior
* Change documentation to instruct the user to use virtiofs
* Adjust vm-config-dist to try to mount virtiofs on KVM first
* Aaron: Done, kept virtio-9p support both in code and in documentation.
== wiki updates ==
* since version 18 got released as stable...
* 1) update wiki package names to new names
kicksecure-xfce # done on kicksecure and whonix wiki
kicksecure-cli # done on kicksecure and whonix wiki
kicksecure-nonvm-gui-lxqt-recommended # done on kicksecure and whonix wiki
kicksecure-nonvm-gui-lxqt # done on kicksecure and whonix wiki
kicksecure-host-lxqt # done on kicksecure and whonix wiki
kicksecure-lxqt-host # done on kicksecure and whonix wiki
kicksecure-lxqt-vm # done on kicksecure and whonix wiki
== ks/whonix 18 user bug reports #2 ==
* https://forums.whonix.org/t/whonix-18-cli-kvm-setup-dist-fails-due-to-missing-anon-connection-wizard/22607
** Aaron: Already handled by Patrick.
* https://forums.whonix.org/t/whonix-18-0-7-5-major-release-upgrade-testers-wanted/22469/22
** Aaron: Filed a bug report upstream: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44465
* https://forums.whonix.org/t/new-identity-in-gateway-not-working/22549
** Aaron: Probably something to ask troubadoour for help with. Unsure if this should be worked on while troubadoour is still refactoring anon-connection-wizard.
* Weird error observed in systemcheck's CLI output while testing on Qubes:
cat: /sys/class/block/xvdi/removable: Permission denied
This is on a Whonix-Workstation 18 template, with a USB drive's filesystem passed through to the qube and mounted at /mnt. The USB is formatted exFAT without a partition table.
** Aaron: Fixed, was an apparmor issue. Commit pushed to systemcheck.
* https://forums.kicksecure.com/t/sdwdate-broken-after-upgrade-to-kicksecure-18-missing-seccomp-syscalls-statx-fstatfs-epoll-pwait2/1412
** Broken into its own ticket.
** Aaron: Fixed, commit pushed to sdwdate.
* https://forums.kicksecure.com/t/solved-no-soundcards-on-intel-meteor-lake-p-hd-audio/1423
** Aaron: Fixed, commit pushed to kicksecure-meta-packages.
* Patrick: All merged.
== sudo: unable to resolve host host ==
* Kicksecure 18
* using remove-sysmaint and normal boot results in sudo: unable to resolve host host: No address associated with hostname
** problem 1: sudo trying to resolve a hostname, could this cause unintentional network access? Try to disable sudo hostname resolution, if possible, sane
*** Aaron: Was possible, commit pushed to security-misc. Only added to security-misc-desktop out of fear of breaking server installations.
** problem 2: hostname not able to be resolved, see if this can cause other problems and how to mitigate it
*** Aaron: Can leak the hostname in cleartext to the DNS server (which of course may proceed to leak it to upstream DNS servers). Can also result in FQDN-based rules in the sudoers file failing to function properly. See: https://superuser.com/a/429890/1734781
** problem 3: host hostname being used on Kicksecure, this was supposed to be Whonix-specific? Check Kicksecure hostname configuration
*** Aaron: Can't immediately see how this could normally happen. Maybe the end-user attempted to morph Whonix to Kicksecure?
* Patrick: Merged.
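Problem 1 and problem 2 above together: a sudo that resolves the local hostname on every invocation sends that name to whatever resolver the system has, and fails oddly when the name is not in /etc/hosts. The following is an added example, not the security-misc commit itself; it assumes the lookup is the one the sudoers `fqdn` option turns on, audits a sudoers.d directory for the effective setting, and installs a drop-in that turns it off. The drop-in file name `30_no_fqdn` is an assumption.

```shell
#!/bin/bash
# Added example (not security-misc's actual commit): audit and disable sudo's
# hostname lookup via the sudoers "fqdn" flag. With fqdn off, sudo does not try to
# resolve the host, so an unresolvable hostname can neither be leaked to a DNS
# resolver nor trigger "sudo: unable to resolve host".
set -u

# Report the effective fqdn state for the drop-ins in "$1" (normally
# /etc/sudoers.d): "on", "off" or "unset". Files are read in lexical order,
# which is the order sudo applies #includedir entries, so the last Defaults line
# wins. Names containing "." or ending in "~" are skipped because sudo ignores them.
fqdn_state() {
  local dir="$1" state="unset" f line
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "${f##*/}" in *.*|*~) continue ;; esac
    while IFS= read -r line; do
      case "$line" in
        Defaults*!fqdn*) state="off" ;;   # e.g. "Defaults !fqdn" or "Defaults env_reset,!fqdn"
        Defaults*fqdn*)  state="on"  ;;   # e.g. "Defaults fqdn" (the weak setting)
      esac
    done < "$f"
  done
  printf '%s\n' "$state"
}

# Write a drop-in into "$1" that disables the hostname lookup. The file is
# assembled in a temp file and only moved into place after it passes visudo -c,
# so a syntax error can never land in sudoers.d. visudo also checks ownership,
# which is only meaningful when installing for real as root, so the check is
# gated on that; an unprivileged test run simply skips it. Returns 1 on rejection.
install_no_fqdn_dropin() {
  local dir="$1"
  local file="$dir/30_no_fqdn"   # assumed file name
  local tmp
  tmp="$(mktemp)" || return 1
  printf '%s\n' \
    '## Do not resolve the local hostname via DNS on every sudo invocation.' \
    'Defaults !fqdn' > "$tmp"
  chmod 0440 "$tmp"
  if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
    if ! visudo -cf "$tmp" >/dev/null; then
      rm -f "$tmp"
      return 1
    fi
  fi
  mv "$tmp" "$file"
}

# Convenience check: succeed only when the drop-in is present and effective.
fqdn_disabled() {
  [ -f "$1/30_no_fqdn" ] && [ "$(fqdn_state "$1")" = "off" ]
}
```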
== sysmaint-panel - use package-installed-check ==
def is_package_installed(package_name):
return subprocess.run(
[
"bash",
"-c",
"source /usr/libexec/helper-scripts/package_installed_check.sh; "
+ f"pkg_installed '{package_name}'"
],
check=False
).returncode == 0
* please port to package-installed-check script (already existing) because it has a simpler API
* Aaron: Done, commit pushed to sysmaint-panel.
* Patrick: Merged.
== sdwdate seccomp issues ==
* https://forums.kicksecure.com/t/sdwdate-broken-after-upgrade-to-kicksecure-18-missing-seccomp-syscalls-statx-fstatfs-epoll-pwait2/1412
* Aaron: Done, commit pushed to sdwdate.
* Patrick: Merged.
== privleap - /usr/local/etc support ==
* change the hardcoded config directory to a config directory list, add /usr/local/etc/privleap/conf.d to the list
* Aaron: Done, commit pushed to privleap.
* Patrick: Merged.
== strict_config_parser AI review ==
* run helper-scripts strict_config_parser library through ChatGPT, see if it catches any issues
** Aaron: Done, enhanced tests in strict_config_parser.
* Patrick: Merged.
== Whonix VirtualBox/KVM dynamic resolution ==
* Introduce a config file for wlr_resize_watcher that specifies whether dynamic resolution changes are allowed or not
* If this is disabled, the resolution should never be changed from the default
* If the user changes the guest window size with dynamic resolution enabled by the virtualizer, while dynamic resolution is disabled in the guest, send a notification and refuse to update the guest resolution
* This should only apply to Whonix, not Kicksecure
* Aaron: Implemented, commits pushed to helper-scripts, sdwdate-gui, sysmaint-panel, vm-config-dist, and anon-apps-config.
** The new strict_config_parser library could potentially use some help from ChatGPT review, will make a follow-up task for that. (Regression tests seem to indicate it works OK but ChatGPT usually catches something.)
* Patrick: Merged.
== wiki updates #2 ==
* Fix .list → .sources in apt repository mentions: https://forums.whonix.org/t/onionize-repositories-instructions/22600
* Aaron: Done, updated the following pages:
https://www.kicksecure.com/w/index.php?title=APT_Repository&stable=0
https://www.kicksecure.com/w/index.php?title=About&stable=0
https://www.kicksecure.com/w/index.php?title=Chrome&stable=0
https://www.kicksecure.com/w/index.php?title=Chroot&stable=0
https://www.kicksecure.com/w/index.php?title=Debian&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/APT&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/Derivative-Maker&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/git&stable=0
https://www.kicksecure.com/w/index.php?title=Template:Install_Backport&stable=0
https://www.kicksecure.com/w/index.php?title=Template:Install_Unstable&stable=0
https://www.kicksecure.com/w/index.php?title=Install_Software&stable=0
https://www.kicksecure.com/w/index.php?title=Onionizing_Repositories&stable=0
https://www.kicksecure.com/w/index.php?title=Operating_System_Software_and_Updates&stable=0
https://www.kicksecure.com/w/index.php?title=Template:Non-functional_Onion_Services&stable=0
https://www.kicksecure.com/w/index.php?title=Project-APT-Repository&stable=0
https://www.kicksecure.com/w/index.php?title=Session&stable=0
https://www.kicksecure.com/w/index.php?title=Signal&stable=0
https://www.kicksecure.com/w/index.php?title=Tor&stable=0
https://www.kicksecure.com/w/index.php?title=Tor_Versioning&stable=0
https://www.kicksecure.com/w/index.php?title=VirtualBox/Other_Versions&stable=0
https://www.kicksecure.com/w/index.php?title=VirtualBox/Troubleshooting&stable=0
https://www.kicksecure.com/w/index.php?title=Waydroid&stable=0
https://www.kicksecure.com/w/index.php?title=Template:Project-APT-Repository-Add_Easy&stable=0
https://www.kicksecure.com/w/index.php?title=Template:Project-APT-Sources-Add&stable=0
https://www.kicksecure.com/w/index.php?title=Template:Torify_apt_traffic&stable=0
https://www.kicksecure.com/w/index.php?title=Template:VirtualBox_Host_Software_Installation_Debian&stable=0
https://www.whonix.org/w/index.php?title=Onionizing_Repositories&stable=0
https://www.whonix.org/w/index.php?title=Template:Project-APT-Sources-Add&stable=0
https://www.whonix.org/w/index.php?title=Template:VirtualBox_Host_Software_Installation_Debian&stable=0
https://www.whonix.org/w/index.php?title=Cwtch&stable=0
https://www.whonix.org/w/index.php?title=I2P&stable=0
https://www.whonix.org/w/index.php?title=Install_Software&stable=0
https://www.whonix.org/w/index.php?title=Install_Tor_Browser_Outside_of_Whonix&stable=0
https://www.whonix.org/w/index.php?title=Other_Operating_Systems&stable=0
https://www.whonix.org/w/index.php?title=Project-APT-Repository&stable=0
https://www.whonix.org/w/index.php?title=Qubes/UpdatesProxy&stable=0
https://www.whonix.org/wiki/RetroShare
https://www.whonix.org/w/index.php?title=UniStation&stable=0
https://www.whonix.org/w/index.php?title=Template:Install_Unstable&stable=0
https://www.whonix.org/w/index.php?title=Template:Non-functional_Onion_Services&stable=0
https://www.whonix.org/w/index.php?title=Template:Project-APT-Repository-Add_Easy&stable=0
https://www.whonix.org/w/index.php?title=Template:Tor_Browser_Remove_Proxy_Settings&stable=0
https://www.whonix.org/w/index.php?title=Template:Torify_APT_traffic&stable=0
== systemd bug report ==
* as discussed
* Aaron: Report made.
== auto mounting ==
* please update with current implementation: https://forums.whonix.org/t/disk-usb-automount-in-kicksecure/8728
* Aaron: Discovered that removable media automount was not being properly disabled. Fixed, commits pushed to kicksecure-base-files, anon-gw-base-files, anon-ws-base-files, and legacy-dist.
* Aaron: Update posted.
* Patrick: Merged.
* 2) update [[Debian Packages]] (remove Whonix 17, verify package names)
** Aaron: Do we really want to remove Kicksecure/Whonix 17 entirely? It's still supported, and will be until Qubes R4.2 EOL as I understand it.
*** As per discussion in chat, removing Kicksecure/Whonix 17 documentation where convenient.
* 3) search/replace gdm3
** Aaron: Done, but documentation mentioning LightDM will also need to be updated, and it is unclear to me whether we are keeping or removing Kicksecure 17 documentation. See above.
*** Aaron: LightDM now taken care of on Kicksecure and Whonix wikis.
* Aaron: Progress so far:
Pages done:
https://www.kicksecure.com/w/index.php?title=Chroot&stable=0
https://www.kicksecure.com/w/index.php?title=Debian&stable=0
https://www.kicksecure.com/w/index.php?title=Debian_Packages&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/Derivative-Maker&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/Linux_Installer&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/Metapackages&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/user-sysmaint-split&stable=0
https://www.kicksecure.com/w/index.php?title=Debian_Tips&stable=0
https://www.kicksecure.com/w/index.php?title=Desktop&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/Automatic_Updates&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/Build_Documentation/images&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/About_Debian_Packaging&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/audio&stable=0
https://www.kicksecure.com/w/index.php?title=ISO&stable=0
https://www.kicksecure.com/w/index.php?title=Keyboard_Layout&stable=0
https://www.kicksecure.com/w/index.php?title=Language&stable=0
https://www.kicksecure.com/w/index.php?title=Mental_Model&stable=0
https://www.kicksecure.com/w/index.php?title=Other_Desktop_Environments&stable=0
https://www.kicksecure.com/wiki/Recovery
https://www.kicksecure.com/w/index.php?title=Secure_Downloads&stable=0
https://www.kicksecure.com/wiki/Sysmaint
https://www.kicksecure.com/wiki/Timezone
https://www.kicksecure.com/wiki/Tuning
https://www.kicksecure.com/w/index.php?title=Unrestricted_admin_mode&stable=0
https://www.kicksecure.com/w/index.php?title=Verify_the_images_using_Linux&stable=0
https://www.kicksecure.com/wiki/VirtualBox
https://www.kicksecure.com/w/index.php?title=VirtualBox/Troubleshooting&stable=0
https://www.kicksecure.com/w/index.php?title=Virtualization_Platform_Security&stable=0
https://www.kicksecure.com/w/index.php?title=Template:RAM_Adjusted_Desktop_Starter&stable=0
https://www.kicksecure.com/wiki/VirtualBox/Manual_VM_Import
https://www.kicksecure.com/wiki/Linux#Option_A)_Install_the_installer_from_the_from_the_Kicksecure_APT_repository
https://www.kicksecure.com/w/index.php?title=Comparison_with_Others&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/VirtualBox&stable=0
https://www.kicksecure.com/w/index.php?title=Default_Passwords&stable=0
https://www.kicksecure.com/wiki/Login
https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks
https://www.kicksecure.com/w/index.php?title=Broken_Boot&stable=0
https://www.kicksecure.com/w/index.php?title=Dev/Strong_Linux_User_Account_Isolation&stable=0
https://www.kicksecure.com/wiki/System_Requirements
https://www.kicksecure.com/w/index.php?title=Installation_of_Debian_based_Linux_distributions_in_a_folder_chroot&stable=0
https://www.kicksecure.com/w/index.php?title=Root&stable=0
https://www.kicksecure.com/wiki/Software
https://www.kicksecure.com/w/index.php?title=Deep_scan_ready&stable=0
https://www.kicksecure.com/w/index.php?title=Contributors&stable=0
https://www.kicksecure.com/wiki/Dev/secureblue
https://www.kicksecure.com/w/index.php?title=Software&stable=0
https://www.kicksecure.com/w/index.php?title=Browser&stable=0
https://www.kicksecure.com/w/index.php?title=KVM&stable=0
https://www.whonix.org/w/index.php?title=Common_CLI_Commands&stable=0
https://www.whonix.org/w/index.php?title=Debian_Packages&stable=0
https://www.whonix.org/w/index.php?title=Desktop&stable=0
https://www.whonix.org/wiki/Dev/Build_Documentation/images
https://www.whonix.org/w/index.php?title=Dev/Gateway&stable=0
https://www.whonix.org/w/index.php?title=Dev/Windows_Installer&stable=0
https://www.whonix.org/w/index.php?title=Vanguards&stable=0#Update
https://www.whonix.org/w/index.php?title=Features&stable=0
https://www.whonix.org/w/index.php?title=Language&stable=0
https://www.whonix.org/w/index.php?title=Other_Desktop_Environments&stable=0
https://www.whonix.org/wiki/Dev/Project_Networking
https://www.whonix.org/w/index.php?title=KVM&stable=0
https://www.whonix.org/w/index.php?title=Protocol-Leak-Protection_and_Fingerprinting-Protection&stable=0
https://www.whonix.org/w/index.php?title=Qubes/Disposables&stable=0
https://www.whonix.org/w/index.php?title=RAM&stable=0
https://www.whonix.org/w/index.php?title=Remote_Administration&stable=0
https://www.whonix.org/w/index.php?title=Sysmaint&stable=0
https://www.whonix.org/wiki/VirtualBox/Manual_VM_Import
https://www.whonix.org/w/index.php?title=Whonix-Gateway&stable=0
https://www.whonix.org/w/index.php?title=Whonix-Workstation&stable=0
https://www.whonix.org/w/index.php?title=Template:Open_a_product_gw_terminal&stable=0
https://www.whonix.org/w/index.php?title=Template:RAM_Adjusted_Desktop_Starter&stable=0
https://www.whonix.org/w/index.php?title=Contributors&stable=0
https://www.whonix.org/w/index.php?title=Dev/Xfce&stable=0
https://www.whonix.org/w/index.php?title=Dev/Installation_from_Repository&stable=0
https://www.whonix.org/w/index.php?title=USB_Installation&stable=0
https://www.whonix.org/w/index.php?title=Keystroke_and_Mouse_Deanonymization&stable=0
https://www.whonix.org/w/index.php?title=Dev/anon-ws-disable-stacked-tor&stable=0
https://www.whonix.org/w/index.php?title=Other_Gateways&stable=0
https://www.whonix.org/w/index.php?title=Essential_Tests&stable=0
TODO: - Audit pretty much everything else on Whonix wiki
* 4) X11
** Aaron: Done on Kicksecure and Whonix wikis.
* 5) evdev
** Aaron: Does not occur on Kicksecure wiki, done on Whonix wiki.
* 6) [[Deep_scan_ready|Deep Scan Ready]]
** Aaron: Reviewed, made minor changes.
* Aaron: Further updates may be needed in a few spots, but the first pass of wiki updates is now done. mw-multi-wiki run complete.
* https://forums.whonix.org/t/whonix-18-0-7-5-major-release-upgrade-testers-wanted/22469/22
** Aaron: Filed a bug report upstream: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44465
* https://forums.whonix.org/t/new-identity-in-gateway-not-working/22549
** Aaron: Probably something to ask troubadoour for help with. Unsure if this should be worked on while troubadoour is still refactoring anon-connection-wizard.
* Weird error observed in systemcheck's CLI output while testing on Qubes:
cat: /sys/class/block/xvdi/removable: Permission denied
This is on a Whonix-Workstation 18 template, with a USB drive's filesystem passed through to the qube and mounted at /mnt. The USB is formatted exFAT without a partition table.
** Aaron: Fixed, was an apparmor issue. Commit pushed to systemcheck.
* https://forums.kicksecure.com/t/sdwdate-broken-after-upgrade-to-kicksecure-18-missing-seccomp-syscalls-statx-fstatfs-epoll-pwait2/1412
** Broken into its own ticket.
** Aaron: Fixed, commit pushed to sdwdate.
* https://forums.kicksecure.com/t/solved-no-soundcards-on-intel-meteor-lake-p-hd-audio/1423
** Aaron: Fixed, commit pushed to kicksecure-meta-packages.
* Patrick: All merged.
== sudo: unable to resolve host host ==
* Kicksecure 18
* using remove-sysmaint and normal boot results in sudo: unable to resolve host host: No address associated with hostname
** problem 1: sudo trying to resolve a hostname, could this cause unintentional network access? Try to disable sudo hostname resolution, if possible and sane
*** Aaron: Was possible, commit pushed to security-misc. Only added to security-misc-desktop out of fear of breaking server installations.
** problem 2: hostname not able to be resolved, see if this can cause other problems and how to mitigate it
*** Aaron: Can leak the hostname in cleartext to the DNS server (which of course may proceed to leak it to upstream DNS servers). Can also result in FQDN-based rules in the sudoers file failing to function properly. See: https://superuser.com/a/429890/1734781
** problem 3: host hostname being used on Kicksecure, this was supposed to be Whonix-specific? Check Kicksecure hostname configuration
*** Aaron: Can't immediately see how this could normally happen. Maybe the end-user attempted to morph Whonix to Kicksecure?
* Patrick: Merged.
== sysmaint-panel - use package-installed-check ==
 import subprocess
 
 def is_package_installed(package_name):
     # Source the helper-scripts shell library and ask it whether the package
     # is installed; pkg_installed exits 0 when it is, non-zero otherwise.
     return subprocess.run(
         [
             "bash",
             "-c",
             "source /usr/libexec/helper-scripts/package_installed_check.sh; "
             + f"pkg_installed '{package_name}'"
         ],
         check=False
     ).returncode == 0
* please port to package-installed-check script (already existing) because it has a simpler API
* Aaron: Done, commit pushed to sysmaint-panel.
* Patrick: Merged.
== sdwdate seccomp issues ==
* https://forums.kicksecure.com/t/sdwdate-broken-after-upgrade-to-kicksecure-18-missing-seccomp-syscalls-statx-fstatfs-epoll-pwait2/1412
* Aaron: Done, commit pushed to sdwdate.
* Patrick: Merged.
== privleap - /usr/local/etc support ==
* change the hardcoded config directory to a config directory list, add /usr/local/etc/privleap/conf.d to the list
* Aaron: Done, commit pushed to privleap.
* Patrick: Merged.
== strict_config_parser AI review ==
* run helper-scripts strict_config_parser library through ChatGPT, see if it catches any issues
** Aaron: Done, enhanced tests in strict_config_parser.
* Patrick: Merged.
== Whonix VirtualBox/KVM dynamic resolution ==
* Introduce a config file for wlr_resize_watcher that specifies whether dynamic resolution changes are allowed or not
* If this is disabled, the resolution should never be changed from the default
* If the user changes the guest window size with dynamic resolution enabled by the virtualizer, while dynamic resolution is disabled in the guest, send a notification and refuse to update the guest resolution
* This should only apply to Whonix, not Kicksecure
* Aaron: Implemented, commits pushed to helper-scripts, sdwdate-gui, sysmaint-panel, vm-config-dist, and anon-apps-config.
** The new strict_config_parser library could potentially use some help from ChatGPT review, will make a follow-up task for that. (Regression tests seem to indicate it works OK but ChatGPT usually catches something.)
* Patrick: Merged.
== wiki updates #2 ==
* Fix .list → .sources in apt repository mentions: https://forums.whonix.org/t/onionize-repositories-instructions/22600
* Aaron: Done, updated the following pages:
== systemd bug report ==
* as discussed
* Aaron: Report made.
== auto mounting ==
* please update with current implementation: https://forums.whonix.org/t/disk-usb-automount-in-kicksecure/8728
* Aaron: Discovered that removable media automount was not being properly disabled. Fixed, commits pushed to kicksecure-base-files, anon-gw-base-files, anon-ws-base-files, and legacy-dist.
* Aaron: Update posted.
* Patrick: Merged.
== misc lxqt work ==
* as discussed
** Aaron: Done.
* Patrick: Merged.
== lxqt localization packages ==
* install by default, to make non-English installations work better
* Aaron: Done, commits pushed to developer-meta-files and kicksecure-meta-packages.
* Patrick: Merged.
== gvfs-backends - install by default if safe ==
* enables PCManFM-Qt's "Admin mode" feature
* ensure this does not allow access to root files without root privileges before enabling
* Aaron: Confirmed that admin mode was non-functional in user sessions even with gvfs-backends installed. Added gvfs-backends to GUI images, commits pushed to developer-meta-files and kicksecure-meta-packages.
* Patrick: Merged.
== fix qterminal trying to save bookmarks into other user accounts ==
* Aaron: Discovered bug while working on software recommendations wiki page
* Aaron: Fixed, commits pushed to desktop-config-dist and legacy-dist. Looked for similar bugs in desktop-config-dist, kicksecure-base-files, anon-gw-base-files, and anon-ws-base-files, did not find any.
* Patrick: Merged.
== Qubes-Whonix - investigate hung shutdown debug logs ==
* new user slice checker caught something, investigate and see what's holding up shutdown
* https://openqa.qubes-os.org/tests/162679/file/system_tests-qubes.tests.integ.dispvm.TC_20_DispVM_whonix-workstation-18.test_010.guest-test-inst-dvm.log
* Aaron: May have identified the problem, attempted fix pushed to msgcollector.
* Patrick: Merged.
== enable qterminal multi-line paste warnings ==
* similar feature used to be enabled with Xfce-Terminal
* feature exists in qterminal but is not enabled yet
* enable system wide, use legacy-dist do_once to enable for each existing user account
** Aaron: Implemented, commits pushed to desktop-config-dist and legacy-dist.
* Patrick: Merged.
== wiki webp generation ==
* Aaron: Uploaded a new screenshot to https://www.kicksecure.com/wiki/File:Gui-preview.jpg, but for some reason only the thumbnail renders?
** Patrick: webp are stale on the server.
* Patrick: Fixed.
== security-misc failsafe ==
* 1) in case of known oops, a script security-misc-relax that requires root would make sense
** invent security-misc-relax: undo all effects of /usr/libexec/security-misc/panic-on-oops
*** easier to use
*** 2) add to sysmaint-panel
* 3) add a failsafe (or better name) boot option which skips panic-on-oops (and in the future other things, if needed)
** slightly harder to use, for more severe cases where kernel panics before having a chance to boot the system
* Aaron: All complete, commits pushed to security-misc, sysmaint-panel, user-sysmaint-split, dist-base-files, and grub-live. Notes about boot menu concerns shared in chat.
* Patrick: My mistake. Miscommunication. I should have said "boot parameter" instead of "boot mode".
* Patrick: Please revert trixie branch to Kicksecure upstream for dist-base-files, grub-live and user-sysmaint-split.
** Aaron: Reverted and force-pushed.
* Patrick: Done.
== Qubes /usr/libexec/security-misc/block-unsafe-logins failed ==
* https://forums.whonix.org/t/rejecting-passwordless-sensitive-account-user/22440/7
** Aaron: Unable to reproduce, waiting for user feedback.
** Aaron: Issue identified, Qubes OS limitation that is scheduled to be worked on in the future. Secondary issue, user-sysmaint-split getting uninstalled if the template is booted in "unrestricted mode".
*** Should we hide this option in the template boot menu? Should we rename it to discourage users from booting templates using it?
*** Current plan: make unrestricted admin mode do nothing in templates. Make systemcheck notify the user about this on bootup.
**** Aaron: Implemented, commits pushed to systemcheck and user-sysmaint-split.
* Patrick: Merged.
== log analysis ==
* log shared privately
** Aaron: Mentioned what looked wrong in the log, but am not able to reproduce the issue on my end.
* Patrick: Done.
== systemcheck - document ignored systemcheck warning messages ==
* /etc/systemcheck.d/30_default.conf contains a lot of ignored warnings/errors
* please add comments on top why that line is being ignored
* add links to upstream issues
* in unknown cases, please investigate, report upstream
* in case of unknowns, high effort, rabbit holes, please create follow-up issues
* Aaron: Documented most items, marked those that are not yet documented. Commit pushed to systemcheck.
* Patrick: Merged.
== user session shutdown issue ==
* https://openqa.qubes-os.org/tests/161078/file/system_tests-qubes.tests.integ.dispvm_perf.TC_00_DispVMPerf_whonix-workstation-18.test_001.guest-test-inst-dvm.log
* increase systemd verbosity, if possible, and/or
* add helper systemd unit (to usability-misc) that will show which units are failing to terminate once systemd sends sigterm
* Aaron: Implemented, commit pushed to usability-misc. Will require that it is explicitly enabled on testing systems.
* Patrick: Merged.
== Qubes Tor Browser automatic updates ticket comment ==
* please comment: https://github.com/QubesOS/qubes-issues/issues/9983#issuecomment-3619503494
** Aaron: Replied, also asked TPO about more frequent polling for new versions.
== unicode - carriage returns related improvements ==
* https://github.com/Kicksecure/helper-scripts/issues/28
* 1) stdisplay
* 2) grep-find-unicode-wrapper - Patrick already added \r. Please review.
* 3) Consider that file names themselves might also contain unicode. Therefore when outputting the names of files, unicode should be stripped.
* Aaron: Done, commits pushed to helper-scripts.
* Patrick: Merged.
== misc AI review #2 ==
* https://github.com/assisted-by-ai/qubes-whonix/pull/1
** Aaron: Integrated useful change from this, commit pushed to qubes-whonix.
* https://github.com/assisted-by-ai/helper-scripts/pull/2
** Aaron: Integrated useful changes from this, commit pushed to helper-scripts.
* https://github.com/assisted-by-ai/helper-scripts/pull/3
** Aaron: Implemented roughly the same idea differently than ChatGPT did, commit pushed to helper-scripts.
* https://github.com/assisted-by-ai/Whonix-Installer/pull/2 - refactoring might not be worthwhile
** Aaron: Should likely be rejected, see comments for rationale.
* https://github.com/assisted-by-ai/qubes-whonix/pull/2
** Aaron: Partially merged in, but part of it needs more discussion.
* Patrick: new ones since last commenting here...
* https://github.com/assisted-by-ai/helper-scripts/pull/4
** Aaron: Integrated useful changes from this, commit pushed to helper-scripts.
* https://github.com/assisted-by-ai/helper-scripts/pull/5 (probably not worthwhile)
** Aaron: Rejected, appears unnecessary after looking at Tor's source code.
* https://github.com/assisted-by-ai/helper-scripts/pull/6
** Aaron: Rejected, see comments for rationale.
* https://github.com/assisted-by-ai/helper-scripts/pull/7
** Aaron: Implemented one useful thing from this, commit pushed to helper-scripts.
* https://github.com/assisted-by-ai/helper-scripts/pull/8
** Aaron: Added all test cases. Commit pushed to helper-scripts.
* https://github.com/assisted-by-ai/helper-scripts/pull/9
** Aaron: Implemented useful changes from this, commit pushed to helper-scripts.
* https://github.com/assisted-by-ai/helper-scripts/pull/10
** Aaron: Rejected, see comments for rationale.
* https://github.com/assisted-by-ai/security-misc/pull/1
** Aaron: Integrated useful changes from this, commit pushed to security-misc.
* Patrick: All merged.
== trixie-port - Qubes - sys-net - sdwdate-gui-qubes@.service - systemd protocol error ==
sudo journalctl --boot -u sdwdate-gui-qubes@0-1443-1000.service | cat
Dec 04 08:59:46 sys-net systemd[1]: Starting sdwdate-gui-qubes@0-1443-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1443/UID 1000)...
Dec 04 08:59:57 sys-net systemd[1]: sdwdate-gui-qubes@0-1443-1000.service: Failed with result 'protocol'.
Dec 04 08:59:57 sys-net systemd[1]: Failed to start sdwdate-gui-qubes@0-1443-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1443/UID 1000).
* Patrick: Fixed. But still more issues.
[WARNING] [systemcheck] systemd units check result: 1 systemd units failed to load. These might be stuck in state failed, activating or deactivating. Output of leaprun read-systemctl-logs-failed-units-pretty:
########################################
UNIT LOAD ACTIVE SUB JOB DESCRIPTION
● sdwdate-gui-qubes@1-1483-1000.service loaded activating start start sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000)
Legend: LOAD → Reflects whether the unit definition was properly loaded.
ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
SUB → The low-level unit activation state, values depend on unit type.
JOB → Pending job for the unit.
1 loaded units listed.
########################################
[root ~]# systemctl status sdwdate-gui-qubes@1-1483-1000.service
○ sdwdate-gui-qubes@1-1483-1000.service - sdwdate graphical user interface - Qubes socket proxy
Loaded: loaded (/usr/lib/systemd/system/sdwdate-gui-qubes@.service; static)
Active: inactive (dead)
Dec 04 09:24:22 sys-net systemd[1]: Starting sdwdate-gui-qubes@1-1483-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000)...
Dec 04 09:24:32 sys-net systemd[1]: Started sdwdate-gui-qubes@1-1483-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000).
Dec 04 09:24:32 sys-net systemd[1]: sdwdate-gui-qubes@1-1483-1000.service: Deactivated successfully.
zsh: exit 3 systemctl status sdwdate-gui-qubes@1-1483-1000.service
[root ~]# journalctl --boot -u sdwdate-gui-qubes@1-1483-1000.service | cat
Dec 04 09:24:22 sys-net systemd[1]: Starting sdwdate-gui-qubes@1-1483-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000)...
Dec 04 09:24:32 sys-net systemd[1]: Started sdwdate-gui-qubes@1-1483-1000.service - sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000).
Dec 04 09:24:32 sys-net systemd[1]: sdwdate-gui-qubes@1-1483-1000.service: Deactivated successfully.
[root ~]#
* systemd probably does not like that a Type=notify unit can exit
systemctl --no-legend --no-pager --no-block --state=failed,activating,deactivating list-units
● sdwdate-gui-qubes@49-1483-1000.service loaded activating start start sdwdate graphical user interface - Qubes socket proxy (PID 1483/UID 1000)
* can we avoid getting stuck in that state?
* Aaron: Fixed as discussed, commit pushed to sdwdate-gui.
* Patrick: Merged.
== helper-scripts - sanitize-string and strip-html improvements ==
* sanitize-string
** please add pipe support
** currently: "sanitize-string: Usage: sanitize-string string [max_length]",
*** would be better to have string length as mandatory first argument? Perhaps nolimit as a keyword? Please update code base.
* strip-html
** please add pipe support
* integrate minimally into tests
* Aaron: Done, commits pushed to helper-scripts and all repositories that used sanitize-string or strip-html (in either library or executable form).
* Patrick: Merged.
* small lint issue: https://github.com/Kicksecure/helper-scripts/actions/runs/19847500678/job/56867679739
** Aaron: Fixed.
* Should sanitize-string act like stcatn, i.e. always ensure there is a trailing newline at the end?
** Aaron: Unsure. I would initially argue no, strings may legitimately not contain a trailing newline. If in the future we need to sanitize a string and ensure it is terminated with a newline, we should add a new option to sanitize-string to do this.
* AI:
Additional security concerns in strip-markup
Terminal/console escape injection remains possible. The sanitizer removes only markup tags and replaces <, >, and & with underscores when it detects suspicious transformations, but it leaves all other control characters untouched. Because StripMarkupEngine runs with convert_charrefs = True, an attacker can supply inputs containing HTML entities for escape characters (e.g., for ESC), which will be decoded and written back out unchanged via sys.stdout.write. This can produce ANSI escape sequences in logs or terminals, enabling log forgery or malicious terminal control even though HTML tags were stripped.
Not safe for contextual HTML output. The “sanitization” only removes tags and (in the fallback path) converts <, >, and & to underscores; it does not escape quotes, backticks, or other characters that are dangerous in attribute, JavaScript, or CSS contexts. If the supposedly “clean” output is later interpolated into HTML attributes or script blocks, an attacker can inject payloads such as javascript:... URLs or string-breaking quotes that lead to XSS despite markup stripping.
* Aaron:
** The terminal/console escape injection issue is possibly not a problem, because Python's HTML parser discards (some) entities that encode the ESC character rather than emitting the character they encode. Nonetheless, added defense-in-depth code to sanitize_string to ensure stray escapes are sanitized after HTML parsing is complete. Commits pushed to helper-scripts.
** The contextual HTML output concern is not a worry since sanitize_string is not designed to make strings that are safe to place into the attribute of an HTML element.
* Patrick: Merged.
* Patrick:
** ./usr/lib/python3/dist-packages/stdisplay/stsponge.py - temporary file should be deleted?
** temp_file.close() is redundant due to "with"?
*** Aaron: Outdated, stsponge.py no longer uses temp files.
* bug: running "strip-markup" as is without any input will hang forever
** Aaron: Discussed in chat, we've decided to consider this intended behavior.
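To illustrate the two points above (Python's HTML parser dropping character references that encode ESC, and a defense-in-depth pass that removes literal escape sequences and stray control characters after markup stripping), here is an added example written for this page. It is not the helper-scripts strip-markup or sanitize_string code; the class and function names are hypothetical.

```python
import re
from html.parser import HTMLParser


class MarkupStripper(HTMLParser):
    """Collect text nodes only; tags and comments are discarded.

    convert_charrefs=True means entities are decoded before handle_data()
    sees them, so "&lt;b&gt;" comes out as a literal "<b>". The same decoder
    drops numeric references to C0 controls such as &#27; (ESC), which is
    why an entity-encoded escape never reaches the output. A literal ESC
    byte in the input, however, is passed through untouched.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_markup(text):
    """Return the text content of `text` with all markup removed."""
    parser = MarkupStripper()
    parser.feed(text)
    parser.close()  # flush any buffered trailing data
    return "".join(parser.parts)


# ECMA-48 CSI sequences: ESC [ params intermediates final, plus the C1 0x9B form.
_CSI = re.compile(r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]")
# OSC sequences (ESC ] ... BEL or ESC ] ... ESC \), e.g. terminal title changes.
_OSC = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# Remaining C0/C1 control characters. Only newline and tab are kept; CR is
# removed because it can overwrite an already-printed line in a terminal log.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def sanitize_string(text):
    """Strip markup, then remove terminal escape sequences and control bytes.

    The result is safe to print to a terminal or write to a plain-text log.
    It is NOT safe to interpolate into HTML attributes or scripts: "&lt;"
    has been decoded back to "<" by the parser, as the review above notes.
    """
    cleaned = strip_markup(text)
    cleaned = _CSI.sub("", cleaned)
    cleaned = _OSC.sub("", cleaned)
    return _CONTROL.sub("", cleaned)


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real program.
    samples = [
        "<b>hi</b>&#27;[31mred",        # entity-encoded ESC: dropped by the parser
        "a\x1b[31mb\x1b[0m",           # literal CSI colour codes: removed by _CSI
        "title\x1b]0;new title\x07rest",  # OSC title change: removed by _OSC
        "line1\r\nline2\ttab",         # CR removed, LF and tab kept
    ]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize_string(sample)))
```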
== possibly outdated bridges in anon-connection-wizard ==
* Aaron: User reported the following warning in Tor's log when trying to connect to Tor via a bridge:
[WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 192.95.37.142:443 ID= RSA_ID=CDF2E852BF539B.................. ("general SOCKS server failure") [1 duplicate hidden]
* Aaron: Can reproduce. However, using bridges obtained from The Tor Project instead of hardcoded bridges works and does not display the warning. Bridges may be outdated?
** Apparently fixed by syncing list of bridges with Tor Browser. Commits pushed to anon-connection-wizard and tor-control-panel.
* Patrick: Merged.
== more keyboard layout adjustments ==
* Ensure non-English encrypted ISO installations can still be decrypted on boot using an ISO built from the latest packages
* Ensure that GRUB keyboard layouts appear in VM and ISO builds
** Aaron: Both are working. Reviewed, polished set-keyboard-layout.sh and related scripts. Commits pushed to helper-scripts, live-config-dist, usability-misc, and derivative-maker.
* Patrick: Merged.
== ks/whonix 18 user bug reports ==
* https://forums.kicksecure.com/t/systemcheck-incorrectly-warns-that-full-disk-encryption-fde-is-absent/1381
** Aaron: Fixed, commit pushed to systemcheck.
*** Patrick: Merged.
* https://forums.whonix.org/t/whonix-18-0-7-5-major-release-upgrade-testers-wanted/22469/7
** Aaron: Posted some suggestions for improving the UX of the "Manage Software" feature of sysmaint-panel. Good to implement?
*** Patrick: Sounds great! Please implement.
**** Aaron: Implemented, commit pushed to sysmaint-panel.
***** Patrick: Merged.
* Aaron: New since last update:
* https://forums.whonix.org/t/whonix-18-0-7-5-major-release-upgrade-testers-wanted/22469/11
** Fixed by Patrick.
* https://forums.whonix.org/t/whonix-18-0-7-5-major-release-upgrade-testers-wanted/22469/14
** Aaron: Can't reproduce issue with 7z archives. RAR support in lxqt-archiver seems to be broken upstream, filed a bug report.
== fix VirtualBox green turtle ==
* Test with Windows Home, if possible.
* Test with Windows Pro.
* Document how to use VirtualBox with Hyper-V.
** https://www.virtualbox.org/manual/topics/AdvancedTopics.html#hyperv-support
** This is important because it is the future.
** It is also important because it requires fewer changes to Windows. It does not require disabling Windows security features.
** Using VirtualBox with Hyper-V might not be possible on Windows Home.
*** There are mixed reports about whether Windows Home supports "full" Hyper-V. The Home edition might use Hyper-V internally, which causes issues for VirtualBox. ("green turtle")
* Document how to use VirtualBox with VirtualBox's native virtualization ("blue chip" symbol instead of "green turtle").
** This might be useful for users on Windows Home edition.
** Add the required commands to fix the VirtualBox "green turtle" in the wiki: [[VirtualBox/Green_Turtle_Issue]]
** Documentation on how to manually change the settings is useful for understanding but should not be the ultimate goal.
** All steps should be executable using command-line commands only, as there are too many steps to perform manually.
** Consider accomplishing this using Windows Intune.
** Write a batch script (if not using Windows Intune).
** Add an option to the Windows Installer to do this.
** If unsolvable, document everything learned or attempted. This might assist others in continuing the work. Collect any helpful links and add quotations from useful information.
* Essentially, explore and document both approaches: using VirtualBox with Hyper-V and using VirtualBox with its native virtualization while disabling Windows' Hyper-V.
* Aaron: Current research:
** Intune is not free and does not work on home editions of Windows, thus not usable.
** PowerShell scripting would likely make quick work of this, but unfortunately Microsoft prevents one from running PowerShell scripts without taking explicit (and IIRC convoluted) steps to enable them, as a security feature.
** Probably the easiest solution is to use a batch file and then execute it as administrator (which is tricky but not impossible; requires calling a ShellExecuteExW function in the Windows API with the "runas" verb, see https://learn.microsoft.com/en-us/windows/win32/shell/launch, this should trigger a UAC prompt, then the script should be able to run and do whatever it needs to).
** Batch files for disabling Hyper-V and re-enabling virtualization-based security under Windows 11 Home have been created. Still need to wire them into Whonix-Installer itself.
* todo: add debug output to script in case there are issues, users can post the debug output
** Aaron: Done.
* todo: run hypervisorlaunchtype auto and hypervisorlaunchtype Off to work around windows bug experienced by Patrick
** Aaron: Done.
* todo: run at the end for debugging Get-CimInstance Win32_ComputerSystem | Select-Object HypervisorPresent
** add link as comment: https://forums.ea.com/discussions/battlefield-6-technical-issues-en/unable-to-run-in-a-virtual-machine-please-exit-the-vm-and-try-again-121/12789008
* todo: add these commands?
** https://forums.ea.com/discussions/battlefield-6-technical-issues-en/unable-to-run-in-a-virtual-machine-please-exit-the-vm-and-try-again-121/12789008
*** Aaron: Likely unnecessary, but should be kept in the task list for reference.
* todo: disable firmware protection
** Aaron: Done.
* todo: explain commands and potential failures as echo comments
** Aaron: Done.
* todo: add separator output between lines
** Aaron: Done.
* todo: allow the script to be executed by the installer
** option: enable, disable
** default: none (require user choice)
** show link to the related wiki page
Fix VirtualBox green turtle issue which can cause grave VirtualBox stability and performance issues by fully disabling Windows Hyper-V?
Notes:
* Security impact: This unfortunately also necessarily disables various Windows security features.
* Root issue caused by: VirtualBox, Microsoft Windows
* Root issue not caused by: VM guest operating systems such as Whonix.
Alternatives:
* Linux based host operating systems are unaffected. See host operating system selection.
* Perhaps try out Kicksecure (on USB)?
* Or Whonix-Host in the future? (Not yet available at time of writing.)
https://www.kicksecure.com/wiki/VirtualBox/Green_Turtle_Issue
https://www.kicksecure.com/wiki/Host_Operating_System_Selection
https://www.kicksecure.com
https://www.kicksecure.com/wiki/USB_Installation
https://www.whonix.org/wiki/Whonix-Host
* Aaron: Implemented, commit pushed to Whonix-Installer.
* Patrick: Merged.
== trixie-port - systemcheck test for CPU stall ==
* assigned to Patrick
* Done. Implemented.
== sdwdate-gui - json decode bug ==
+ /usr/libexec/helper-scripts/terminal-wrapper 'leaprun sdwdate-log-viewer'
sdwdate_status_changed: WARNING: Could not parse JSON from sdwdate
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/sdwdate_gui/sdwdate_gui_client.py", line 393, in sdwdate_status_changed
status_dict: dict[str, str] = json.load(f)
~~~~~~~~~^^^
File "/usr/lib/python3.13/json/__init__.py", line 293, in load
return loads(fp.read(),
cls=cls, object_hook=object_hook,
parse_float=parse_float, parse_int=parse_int,
parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
File "/usr/lib/python3.13/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
~~~~~~~~~~~~~~~~~~~~~~~^^^
File "/usr/lib/python3.13/json/decoder.py", line 345, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/json/decoder.py", line 363, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
sdwdate_status_changed: WARNING: Could not parse JSON from sdwdate
* Patrick: Not seen in a while. Might already be fixed. If the code does not have any obvious issues, this is probably alright.
* Aaron: May have been fixed by accident when porting sdwdate_gui_client to asyncio/pyinotify. Code doesn't appear to have obvious issues in this area.
** Are there any "Unexpected error" messages in the journal from sdwdate-gui? If not, this is probably no longer an issue. I'm not finding errors like this in a Kicksecure 18 VM on my end.
== Qubes misc review ==
* https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/25
** The code on this one is mostly good but has one major flaw; any time a DispVM or NetVM somehow ends up set to None, the code is designed to always honor that and never change it away from None, as a security feature. This seems good on the surface, but there are way too many instances where the code winds up with a default DispVM of None, which ends up causing somewhat broken behavior:
*** Templates are created before whonix-workstation-18-dvm, and so both Whonix-Gateway and Whonix-Workstation templates end up with a default DispVM of None even though they're supposed to be able to have a default DispVM of whonix-workstation-18-dvm.
*** StandaloneVMs created by cloning a template end up with a default DispVM of None because their parent template had a default DispVM of None as well.
*** I'm pretty sure cloned templates will have the same problem.
** Two ideas come to mind:
*** Maybe we just live with this? It's better than the wrong default DispVM being set at least.
*** Maybe we don't honor the default DispVM being set to None, and force it back to an appropriate value if possible? If a user really wants to disallow the use of DispVMs in a particular qube, they can use qrexec policy.
** What would really be nice is if there was two different kinds of "None" in Qubes, one for "the user explicitly set this to None" and one for "the OS set this to None because there was no better option at the time". But unfortunately we don't have that.
** Tested, awaiting merge.
* Merged, archiving.
== Qubes - sdwdate-gui - needed tags for qrexec aren't set on Whonix standalone ==
* https://github.com/QubesOS/qubes-issues/issues/9508
** Will be fixed by https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/25.
*** Merged, archiving.
== trixie-port - ISO - static network configuration broken in user session ==
* in Qubes, but might be a general bug related to static network configuration
* no network card seen in user session
* Aaron: Cannot reproduce, details shared in chat.
* Patrick: See two videos provided by user.
* Aaron: Reproduced issue, discovered root cause ("All users may connect to this network" was disabled). Documented that one should not disable this setting with user-sysmaint-split installed, and documented how to fix the system after this happens.
== privleapd restart bug ==
* hit this in Kicksecure for Qubes by changing privleapd configuration and restarting it a lot
<pre>
sudo genmkfile install && sudo systemctl restart privleapd && systemcheck --verbose --function check_kernel_messages
/usr/share/genmkfile/make-helper-one.bsh: INFO: install
/usr/libexec/systemcheck/systemcheck: WARNING: Cannot communicate with privleapd. File '/run/privleapd/comm/user' does not exist. Cannot use privleap. You might be able to create a privleap socket by executing: sudo leapctl --create 'user'
</pre>
* privleapd and leaprun are still functional but show this error
* when running "leaprun log-checker-kernel" after this, no error shown
* therefore could be a race condition, i.e. using leaprun too early after restarting privleapd?
* when injecting a "sleep 1", i.e. "sudo genmkfile install && sudo systemctl restart privleapd && sleep 1 && systemcheck --verbose --function check_kernel_messages" there is no such issue
* Aaron: Fixed, commit pushed to privleap.
* Patrick: Merged.
== kloak - Tor Browser scrolling issue ==
* https://github.com/Whonix/kloak/issues/10
** Aaron: Fixed, commits pushed to kloak.
* Patrick: Merged.
== ai review misc ==
* https://github.com/assisted-by-ai/whonix-firewall/pull/1
** Aaron: Done, commit pushed to whonix-firewall.
* Patrick: Merged.
== simplify whonix-firewall restarter ==
* as discussed
** Aaron: Implemented, commit pushed to whonix-firewall.
* Patrick: Merged.
== trixie - screen unlock broken ==
* https://forums.kicksecure.com/t/unable-to-unlock-screen-locker-after-setting-a-user-password/1379/4
** Aaron: Fix: https://github.com/ArrayBolt3/security-misc/commit/0534a34ed7246793db384518cfbecb3adfcb7f3e
* Patrick: Merged.
== misc journal errors ==
<pre>
Speculative Return Stack Overflow: WARNING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options.
</pre>
* VirtualBox: probably unfixable? add to journal ignore on virtualbox?
** Aaron: Likely unfixable on most affected desktop hardware unless the BIOS is updated. Microcode can't be applied within virtual machines, thus this is likely not able to be fixed in VirtualBox.
** Hiding it only when running in a virtual machine seems like it would make sense. We should show this when running on bare metal though.
** Implemented, commit pushed to systemcheck.
* the following might be hardware issues and nothing can be fixed in the code unless you notice something
<pre>
Nov 24 10:13:50 host systemd[1641]: Starting updatecheck.service - System update checker (user service)...
Nov 24 10:13:50 host updatecheck-daemon[1910]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: start.
Nov 24 10:13:50 host systemd[1641]: Started updatecheck.service - System update checker (user service).
Nov 24 10:13:50 host updatecheck-daemon[1910]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: First start. Therefore waiting for 2 minutes for first updatecheck.
Nov 24 10:16:33 host updatecheck-daemon[1910]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: loop start.
Nov 24 10:16:39 host updatecheck-daemon[8321]: /usr/bin/updatecheck: INFO: No updates available.
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Watchdog timeout (limit 7h)!
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Killing process 1910 (updatecheck-dae) with signal SIGABRT.
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Main process exited, code=dumped, status=6/ABRT
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Failed with result 'watchdog'.
Nov 25 05:26:31 host systemd[1641]: updatecheck.service: Scheduled restart job, restart counter is at 1.
Nov 25 05:26:31 host systemd[1641]: Starting updatecheck.service - System update checker (user service)...
Nov 25 05:26:31 host updatecheck-daemon[17124]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: start.
Nov 25 05:26:31 host systemd[1641]: Started updatecheck.service - System update checker (user service).
Nov 25 05:26:31 host updatecheck-daemon[17124]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: First start. Therefore waiting for 2 minutes for first updatecheck.
Nov 25 07:59:13 host updatecheck-daemon[17124]: /usr/libexec/systemcheck/updatecheck-daemon: INFO: loop start.
Nov 25 07:59:13 host updatecheck-daemon[17163]: /usr/bin/updatecheck: updatecheck: Software updates check failure: 'leaprun system-ready-check' failed.
Nov 25 07:59:13 host updatecheck-daemon[17163]: Debugging information:
Nov 25 07:59:13 host updatecheck-daemon[17163]: - system_ready_check_output: 'ERROR: Could not connect to privleapd!'
Nov 25 07:59:13 host updatecheck-daemon[17163]: To view log, run:
Nov 25 07:59:13 host updatecheck-daemon[17163]: journalctl --boot --user -u updatecheck.service
Nov 25 07:59:13 host updatecheck-daemon[17163]: Please run systemcheck.
</pre>
* Whonix-Workstation VirtualBox Windows host no green turtle
<pre>
Nov 24 10:14:51 host sdwdate[1567]: 2025-11-24 10:14:51 - sdwdate - INFO - Sleeping for 131 minutes, ok.
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Watchdog timeout (limit 3h 20min)!
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Killing process 1567 (sdwdate) with signal SIGABRT.
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Main process exited, code=dumped, status=6/ABRT
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Failed with result 'watchdog'.
Nov 24 13:34:51 host systemd[1]: sdwdate.service: Consumed 2.063s CPU time, 102.3M memory peak.
Nov 24 13:35:01 host systemd[1]: sdwdate.service: Scheduled restart job, restart counter is at 1.
Nov 24 13:35:01 host systemd[1]: Starting sdwdate.service - Secure Distributed Web Date...
Nov 24 13:35:02 host systemd[1]: Started sdwdate.service - Secure Distributed Web Date.
Nov 24 13:35:02 host sdwdate[15405]: 2025-11-24 13:35:02 - sdwdate - INFO - sdwdate (Secure Distributed Web Date) started. PID: 15405
</pre>
<pre>
sudo journalctl | grep stuck
Nov 19 11:07:44 host kernel: watchdog: BUG: soft lockup - CPU#2 stuck for 2381s! [swapper/2:0]
Nov 19 22:28:10 host kernel: watchdog: BUG: soft lockup - CPU#2 stuck for 38019s! [swapper/2:0]
Nov 22 11:35:36 host kernel: watchdog: BUG: soft lockup - CPU#1 stuck for 47763s! [swapper/1:0]
Nov 22 11:46:12 host kernel: watchdog: BUG: soft lockup - CPU#1 stuck for 449s! [swapper/1:0]
Nov 24 07:50:14 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 59412s! [swapper/0:0]
Nov 24 08:51:46 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 3437s! [swapper/0:0]
Nov 24 10:01:18 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 3496s! [swapper/0:0]
Nov 24 10:12:05 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 526s! [swapper/0:0]
Nov 25 05:26:29 host kernel: watchdog: BUG: soft lockup - CPU#0 stuck for 46634s! [swapper/0:0]
</pre>
<pre>
Nov 24 13:55:19 host privleapd[1293]: send_action_results: INFO: Action 'sdwdate-sync-hwclock' requested by account 'sdwdate' completed
Nov 25 07:59:13 host systemd[1]: privleapd.service: Watchdog timeout (limit 10s)!
Nov 25 07:59:13 host systemd[1]: privleapd.service: Killing process 1293 (privleapd) with signal SIGABRT.
Nov 25 07:59:13 host systemd[1]: Starting privleapd.service - privleap - Limited Privilege Escalation Framework...
Nov 25 07:59:13 host systemd[1]: Started privleapd.service - privleap - Limited Privilege Escalation Framework.
Nov 25 07:59:14 host privleapd[17276]: handle_control_create_msg: INFO: Handled CREATE message for account 'user', socket created
</pre>
* Aaron: The above looks like either a slow RTC, or memory thrashing left for a very long time that eventually (partially?) resolved itself, or both. (Some of those soft lockups in a swapper kernel thread last for over half a day.)
** My main Kicksecure development virtual machine has one watchdog timeout for sdwdate, but with no time jump immediately before it. Likely hardware-related or specific to this setup. All of the timeouts above have a time jump before them.
** Likely hardware-related, the result of too little or improperly set up swap space, and/or sdwdate may be occasionally having very bad luck when syncing time from Tor. (The last possibility would not explain the swapper lockups, but might explain the time jumps. In combination with the lockups though, and given the pool mechanism we use, I don't expect this to be the case.)
* Patrick: Merged.
== set-system-keymap should run set-grub-keymap ==
* please implement, if sane
* Aaron: Implemented, commit pushed to helper-scripts.
* Patrick: Merged.
== tor-ctrl - minor bugs ==
* end-of-options broken. not functional as documented in its man page.
<pre>
tor-ctrl -- GETINFO version
</pre>
* please install tor-ctrl in Kicksecure by default
* Aaron: Fixed bug, moved tor-ctrl's to a different metapackage. Commits pushed to tor-ctrl, developer-meta-files, kicksecure-meta-packages, and anon-meta-packages.
* Patrick: Merged.
== Qubes - sys-whonix - broken dom0 qvm-template ==
* https://github.com/QubesOS/qubes-issues/issues/8303#issuecomment-3591073202
* sys-whonix booted into sysmaint session
* qubes.TemplateSearch qrexec action is prohibited in PERSISTENT Mode - SYSMAINT Session.
* todo: convert the following to a (partial) standalone script and show an error popup and enter into journal?
<pre>
rpc_block_template="#!/bin/bash
printf '%s\n' '${rpc_config_file} qrexec action is prohibited in PERSISTENT Mode - SYSMAINT Session.'"
</pre>
* Aaron: Implemented, commit pushed to user-sysmaint-split.
* Patrick: Merged.
== tb-updater - auto detect version always ==
* issue currently: lots of build issues, especially on Qubes infrastructure
* treat the hardcoded tbb version number as a minimum version number, i.e. as a minimum version number sanity check.
* even in --postinst mode, try to auto detect the version from remote. As long as it is higher than the hardcoded version, that shall be acceptable.
* The already implemented last seen version numbers shall also be kept in use as a sanity test.
* Aaron: Implemented, commit pushed to tb-updater. Tested by installing Tor Browser on an existing VM both with up-to-date and outdated hardcoded version numbers, works. Also tested by rebuilding Whonix VMs for VirtualBox with an unchanged hardcoded version, works correctly there also.
* Patrick: Merged.
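A worked illustration of the version-selection policy described in this task, added here as an example and not tb-updater's own code: the hardcoded version is a floor, a remotely detected version is used only when it is at or above that floor, and the last-seen version rejects downgrades. The function names, the parsing rules for alpha versions and the sample version strings are assumptions.

```python
import re
from typing import Optional, Tuple

# Parse a Tor Browser style version ("14.0.3", "14.5a2") into a comparable
# tuple. Alpha releases sort below the corresponding stable release:
# 14.5a2 -> (14, 5, 0, 0, 2); 14.5 -> (14, 5, 0, 1, 0). Anything else is
# rejected, which is the safe default for a string that came over the network.
# (Assumed format; illustration only.)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:a(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    major, minor, patch, alpha = m.groups()
    patch_n = int(patch) if patch else 0
    if alpha is None:
        return (int(major), int(minor), patch_n, 1, 0)
    return (int(major), int(minor), patch_n, 0, int(alpha))


def select_version(hardcoded_min: str, remote: Optional[str],
                   last_seen: Optional[str]) -> Tuple[str, str]:
    """Return (chosen_version, reason).

    Policy (assumed, modelled on the task description above):
      1. the hardcoded version is a floor: a remote version below it, or one
         that does not parse, is ignored and the hardcoded one is used;
      2. a remote version at or above the floor is used;
      3. if a last-seen version is known, the chosen version must not be
         lower than it (downgrade protection); otherwise raise.
    """
    floor = parse_version(hardcoded_min)
    chosen, reason = hardcoded_min, "hardcoded (no usable remote version)"
    if remote is not None:
        try:
            rv = parse_version(remote)
        except ValueError:
            rv = None
        if rv is not None and rv >= floor:
            chosen, reason = remote, "remote (>= hardcoded minimum)"
        elif rv is not None:
            reason = "hardcoded (remote below hardcoded minimum)"
    if last_seen is not None and parse_version(chosen) < parse_version(last_seen):
        raise ValueError(f"refusing downgrade from last seen {last_seen} to {chosen}")
    return chosen, reason
```

Parsing the remote string strictly matters: a version number fetched from a remote source is untrusted input, and falling back to the hardcoded floor on a parse failure is safer than guessing. The last-seen check is what turns a stale or tampered remote answer into a hard error rather than a silent downgrade.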
== trixie-port - black desktop background and sometimes missing task bar ==
* VirtualBox
* 18.0.7.0
* after a few reboots into user session/sysmaint session, Whonix-Gateway desktop background turns black - task bar still functional
* after a few reboots into user session/sysmaint session, Whonix-Workstation desktop background turns black - task bar broken
* non-issue: virtualbox screen resize, still working great
* lxqt-panel can be manually started: yes, all good.
** after reboot: lxqt-panel works normally again
* Aaron: Cannot reproduce problem with lxqt-panel. Issue with pcmanfm-qt desktop turning black is known and happens when the first shutdown in user mode is done from the CLI with reboot or shutdown now, will debug and create a solution now.
** Black screen issue fixed, commit pushed to desktop-config-dist.
* Patrick: Merged.
* bug: Black desktop background remains. Worth fixing? (The lock file nowadays removed does not exist on my system (anymore?).)
** Aaron: Added a followup fix to desktop-config-dist.
* Patrick: Merged.
* Patrick: 18.0.7.0, VirtualBox, LXQt bug: black screen is back.
* (The task bar is apparently being restored, because the task bar is overlapping the "Computer" desktop icon.)
* Aaron: Cannot reproduce even after several reboots using the reboot command in a terminal in user mode. The taskbar overlapping the "Computer" desktop icon is expected when PCManFM-Qt settings are damaged though, so it does sound like this is the same bug as previously.
** Was the system fully up-to-date when it broke? Was it already previously broken and just isn't managing to automatically fix itself after updates despite the heuristics we added?
* Patrick: Correction. Version was 18.0.7.6. Wasn't previously broken since 18.0.7.6. Fails to automatically fix itself.
* Patrick: Made some changes to start-lxqt-session.
* Patrick: Provided debug information in chat.
* Aaron: Reproduced issue with further information. Fix pushed to desktop-config-dist.
* Patrick: Merged.
== Qubes - user-sysmaint-split - kernel modes - Standalone VM bug ==
* QVMM shows user session boot option only for Standalone VM
* bug: Standalone doesn't inherit boot options from Template
* user might report bug at Qubes
* Aaron: Could not reproduce bug by making a new standalone from a Whonix-Workstation 18 template.
** Found Qubes bug report, asked for clarification on the issue.
** [https://github.com/QubesOS/qubes-issues/issues/10438 Upgrading Kicksecure StandaloneVM will result in sysmaint-persistent (root) boot is missing #10438]
** Reply received, do further investigation.
* Closed, and follow-up bug closed as user error. Archiving.
== trixie port - sdwdate permission issues ==
* qubes-public, Marek:
ok, I have real systemcheck results now, there are a couple issues found in sys-whonix, but overall nothing major IMO: https://openqa.qubes-os.org/tests/156993/file/whonixcheck-whonixcheck-sys-whonix.log
<pre>
sdwdate[2269]: PermissionError: [Errno 13] Permission denied: '/var/lib/sdwdate/time-replay-protection-utc-unixtime'
</pre>
* Aaron: Unable to reproduce. The file shown above is owned by sdwdate:sdwdate on my release-upgraded sys-whonix qube, AppArmor permits sdwdate to access it, and the error above does not show in the output of systemcheck --verbose --leak-tests.
* Aaron: Reproduced in Whonix-Gateway 18 template downloaded from Qubes community template repo. Somehow the entire /var/lib/sdwdate directory is owned by debian-tor:UNKNOWN (uid 108, gid 120).
** Fix created, pending review and merge: https://github.com/QubesOS/qubes-core-agent-linux/pull/615
*** Merged.
== user-sysmaint-split versus Qubes Video Companion is broken on Whonix-Workstation ==
* please comment how this could be resolved
* https://github.com/QubesOS/qubes-issues/issues/10163
* https://forums.whonix.org/t/qubes-sudo-su-root-hardening-development-discussion/8561/73
* Aaron: Fix: https://github.com/QubesOS/qubes-video-companion/pull/33
** Merged.
== kloak - update wiki and forums ==
* please post an update in the forums what was done and what might be missing (useful for release announcement)
** https://forums.whonix.org/t/better-mouse-obfuscation/21445
*** Aaron: Update posted.
* please also update the wiki in case anything is no longer up-to-date
** https://www.whonix.org/wiki/Keystroke_and_Mouse_Deanonymization
*** Aaron: Documentation updated.
== 18.0.7.5-developers-only - ISO boot broken ==
* todo
* Fixed.
== permission-hardener bug - pkexec restore issue ==
* anon-whonix in unrestricted admin mode
<pre>
[ERROR] [systemcheck] Check 'pkexec /usr/libexec/systemcheck/pkexec-test' result: System misconfiguration detected. No need to panic. This is not a severe issue. However, other tests may be affected due to this. The following command: pkexec /usr/libexec/systemcheck/pkexec-test ; echo $? did not produce an empty output with an exit code of zero, indicating an unexpected result. exit_code: 127 privilege_escalation_tool_output: pkexec must be setuid root
</pre>
<pre>
chmod-calc /usr/bin/pkexec
Permissions for: '/usr/bin/pkexec'
Type: Regular File
Owner: root
Group: root
Octal Permissions: 755
File Size: 30952 bytes
Link Count: 1
Hidden File: No
ACLs: none
Extended Attributes: none
Capabilities: None
Immutable (chattr +i): No
Symlink: No
Parent Folder Symlink: No

Category  Read  Write  Execute
Owner     Yes   Yes    Yes
Group     Yes   No     Yes
Public    Yes   No     Yes

Special Attributes:
SUID: Not Set
SGID: Not Set
Sticky Bit: Not Set
</pre>
* Aaron: pkexec doesn't actually have its SUID bit set until its postinst script runs. If security-misc, pkexec, and user-sysmaint-split are all installed in the same apt invocation, and security-misc gets configured first, it will see pkexec as having permissions 755 and will save that in the existing_mode database before changing its permissions to match user-sysmaint-split's policy. Then when permission-hardener protections are removed, permission-hardener applies those incorrect permissions to the file.
** No good way to solve this using Debian packaging known, there isn't a way to enforce postinst script order of execution without using Pre-Depends, and a package does not seem to be able to trigger itself.
** Resolved for new builds by saving a pre-populated existing_mode database when security-misc is installed. This handles many common executables, we can expand the database if needed later.
** Commits pushed to security-misc.
* Patrick: Merged.
== Qubes performance - qubes-whonix systemd units ==
* maybe /usr/lib/systemd/system/qubes-whonix-sysinit.service can be abolished, if sensible. This might speed up the boot process a bit.
* scan code base for:
** /run/qubes-service/whonix-gateway
** /run/qubes-service/whonix-workstation
* for example
** /usr/lib/systemd/system/qubes-whonix-remote-support.service
<pre>
## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC
## See the file COPYING for copying conditions.

[Unit]
Description=Qubes-Whonix Remote Support
Documentation=https://github.com/Whonix/qubes-whonix

## Not inside TemplateVM.
ConditionPathExists=!/run/qubes/this-is-templatevm

## Whonix-Gateway
ConditionPathExists=/usr/share/anon-gw-base-files/gateway

## And ( NetVM OR ProxyVM )
ConditionPathExists=|/run/qubes/this-is-netvm
ConditionPathExists=|/run/qubes/this-is-proxyvm

[Service]
Type=forking
ExecStart=/usr/bin/qvm-connect-tcp 22:dom0:22
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target
</pre>
Could maybe be replaced by:
<pre>
## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC
## See the file COPYING for copying conditions.

[Unit]
Description=Qubes-Whonix Remote Support
Documentation=https://github.com/Whonix/qubes-whonix
ConditionPathExists=|/run/qubes-service/whonix-gateway

[Service]
Type=forking
ExecStart=/usr/bin/qvm-connect-tcp 22:dom0:22
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target
</pre>
* Aaron: This did indeed look possible. Implemented throughout the codebase.
== sdwdate-gui-qubes systemd unit stuck in state starting ==
* see chat
* Aaron: Switched to using a notify service here, also fixed up the systemd-notify wrapper. Commits pushed to helper-scripts, msgcollector, systemcheck, and sdwdate-gui.
== trixie-port - address systemcheck log warnings ==
* there are a number of journal messages in systemcheck output in Non-Qubes-Whonix
* there might be others for Qubes-Whonix
* Whonix-Gateway, non-Qubes:
<pre>
Nov 21 15:34:16 host pipewire[1803]: mod.rt: RTKit error: org.freedesktop.DBus.Error.ServiceUnknown
</pre>
* Aaron: Added more lines to /etc/systemcheck.d/30_default.conf, commit pushed to systemcheck.
* Patrick: Merged.
== trixie-port - disable lxqt power manager systray icon by default for VM images ==
* todo
* Aaron: Automatically done as part of disabling LXQt power management. See completed task below.
== trixie-port - lxqt-powermanagement - power management still enabled in VBox ==
* Battery watcher and idleness watcher are still active
* lxqt-powermanagement appears to forcibly write configuration in ~/.config/lxqt/lxqt-powermanagement.conf that enables power management regardless of the contents of $XDG_CONFIG_DIRS
* Aaron asked in #lxqt:matrix.org if there's some way to work around this behavior (other than writing to the user's configuration under /home)
* Aaron: Culprit found, runCheckLevel=1 needed to be set in desktop-config-dist's lxqt-powermanagement.conf. Added the setting, new installations should now obey system-wide power management settings. Existing installations that already have an autogenerated user-specific lxqt-powermanagement.conf will not have this, fixing things for those users may be hard since there is no way to distinguish intentional configuration from auto configuration for existing Kicksecure/Whonix 18 users.
** Maybe we can detect if runCheckLevel is explicitly set in a user-specific lxqt-powermanagement.conf file and wipe the file if so? That would override settings for existing users, but wouldn't cause further problems after that.
* Patrick: Merged.
== trixie-port - sdwdate-gui - broken inside sys-net ==
* only during boot
<pre>
systemctl list-units --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
> ● sdwdate-gui-qubes@0-1531-1000.service loaded failed failed sdwdate graphical user interface - Qubes socket proxy (PID 1531/>
</pre>
* this is probably because sys-net starts before sys-whonix
* Aaron: Fixed (and fixed a bug I noticed while working on this), commits pushed to sdwdate-gui.
== trixie-port - GRUB - boot menu style lost after installation of serial-console-enable result ==
* Kicksecure
* VirtualBox
* after installing serial-console-enable, system has been reset to standard GRUB boot menu
* Patrick: This is to be expected. Nothing very bad happening. Caused by:
<pre>
GRUB_TERMINAL="console serial gfxterm"
</pre>
* Patrick: Probably no action required except documentation.
** Aaron: Documented at https://www.kicksecure.com/wiki/Recovery#Serial_Console
== usbguard - test in Qubes ==
* Does usbguard and usbguard-notifier work for you in Qubes?
* Aaron: Mostly; notifications were not working because qubes-notification-agent and listing USB devices using the usbguard CLI was not working because list permissions were not present. Fixed both with pushes to developer-meta-files, kicksecure-meta-packages, and security-misc.
* Aaron: usbguard-notifier allows users to ad-hoc allow and deny USB devices when they are attached. Should we allow the qubes and sudo groups to have modify permissions in usbguard as well to allow this to work?
** https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248/49
** Patrick: Added modify permissions.
* TODO: Please test.
** Aaron: Tested, works.
== trixie-port - Qubes - ISO - fails to boot - black screen ==
* 18.0.7.0
* Qubes
* 4 GB = initial RAM = total RAM
* dynamic memory balloon: disabled
* sysmaint related messages in console visible, after that
* fails to boot: black screen
* as per: https://www.kicksecure.com/wiki/Qubes#HVM
* Aaron: Issue appeared to be related to the display resolution - 1920x1080 seems to be too high for labwc to handle. Resolutions other than 1024x768 may work, but may also behave strangely.
** Pushed a commit to vm-config-dist to make wlr_resize_watcher set a default resolution of 1024x768 under Xen.
* Patrick: Merged.
* Patrick: Please report issues to Qubes, and wherever else useful.
* Aaron: Filed reports:
** https://github.com/QubesOS/qubes-issues/issues/10425
** https://github.com/QubesOS/qubes-issues/issues/10424
* https://github.com/QubesOS/qubes-issues/issues/10426
== sys-whonix - replace-ips - where to bind - Tor restarts at boot versus IPv6 ==
* todo
* sys-whonix: for eth1, use static IPv4 and IPv6 address, if sensible
* make sure replace-ips is correct and makes Tor bind on eth1 (not on eth0)
* implement Qubes static networking, if still in time for Qubes R4.3 and if sensible
** https://github.com/QubesOS/qubes-issues/issues/1477
** https://forums.whonix.org/t/qubes-whonix-eth1-static-networking/18493
* Aaron: Discussed possible solutions in chat. Pushed commits to qubes-whonix and anon-gw-anonymizer-config that should implement this sufficiently well for Whonix 18.
* Patrick: Merged.
* Patrick: Made huge changes to replace-ips. Please review and test.
** Aaron: Reviewed, made mostly minor changes (some more involved ones to the var_name function). Tested, seems to work right.
== trixie-port - red XDG_RUNTIME_DIR unset warning during shutdown ==
* Non-Qubes-Whonix Whonix-Workstation
* no adverse effects, but looks scary for users
* Aaron: I've seen this before, but could not reproduce it on-demand for testing.
** Pushed commits to desktop-config-dist and user-sysmaint-split in an attempt to resolve the issue and a related problem with scary logs being shown during shutdown. Unfortunately I ended up reproducing the issue by accident even after these changes were installed.
* Patrick:
** What place is supposed to set XDG_RUNTIME_DIR? Can we set it?
** Could you ask labwc please?
** libpam-systemd missing? as per
*** https://github.com/BlitterStudio/amiberry/issues/453#issuecomment-549150776
** Aaron: Possibly a minor greetd bug: https://lists.sr.ht/~kennylevinsen/greetd-devel/%3C20251113233255.64d6bc0f@kf-m2g5%3E
*** Seems benign and most likely race-induced (labwc is failing to start somewhere, but it seems to get retried and successfully starts thereafter?). Silencing for now. Commits pushed to desktop-config-dist and systemcheck.
* Patrick: Merged.
== trixie-port - sdwdate-gui - flashing menu during time sync ==
* While a time sync is in progress, right-click on the sdwdate-gui icon. The menu will flash rapidly in bursts.
* This is most likely caused by the sdwdate-gui-client rewrite, which is probably reacting overzealously to status file changes from sdwdate. Adjust the inotify mechanism to not notify quite so frequently.
** Fixed, commit pushed to sdwdate-gui.
* Patrick: Merged.
== trixie-port sdwdate-gui - client busy-waits if sdwdate-gui.ConnectCheck fails ==
* expected behavior: endless repeated notifications about failed qrexec calls
* actual behavior: failed qrexec call warnings stop after a bit, sdwdate-gui-client consumes 100% CPU
** Fixed, commit pushed to sdwdate-gui.
* Patrick: Merged.
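The two sdwdate-gui client problems above (the menu flashing because every status-file change triggered a redraw, and the client spinning at 100% CPU once ConnectCheck kept failing) are both fixed by the same two loop-shaping patterns: coalescing bursts of notifications into one refresh, and sleeping with growing delays between failed remote calls. The following is an added example and not sdwdate-gui's code; StatusWatcher, notify(), rpc() and the injectable sleep are assumptions standing in for the inotify callback and the qrexec call.

```python
import asyncio
from typing import Awaitable, Callable, List, Optional


class StatusWatcher:
    """Debounce change notifications and back off on failing remote calls.

    Hypothetical names: notify() stands in for the inotify callback that fires
    when the status file changes, rpc() for a qrexec call such as ConnectCheck.
    sleep is injectable so the backoff can be tested without real delays.
    """

    def __init__(self, rpc: Callable[[], Awaitable[bool]], *,
                 debounce_s: float = 0.2, min_backoff_s: float = 0.5,
                 max_backoff_s: float = 30.0,
                 sleep: Callable[[float], Awaitable[None]] = asyncio.sleep):
        self._rpc = rpc
        self._debounce_s = debounce_s
        self._min_backoff_s = min_backoff_s
        self._max_backoff_s = max_backoff_s
        self._sleep = sleep
        self._pending: Optional[asyncio.TimerHandle] = None
        self._task: Optional[asyncio.Future] = None
        self.refreshes = 0                     # how often the menu was rebuilt
        self.backoff_waits: List[float] = []   # delays taken after failures

    def notify(self) -> None:
        """Called on every status-file change. Each call restarts the timer,
        so only the last change in a burst within debounce_s causes a refresh."""
        loop = asyncio.get_running_loop()
        if self._pending is not None:
            self._pending.cancel()
        self._pending = loop.call_later(self._debounce_s, self._fire)

    def _fire(self) -> None:
        self._pending = None
        self._task = asyncio.ensure_future(self._refresh())

    async def _refresh(self) -> None:
        # Where the real client would re-read the status file and redraw.
        self.refreshes += 1

    async def poll_until_ok(self, max_attempts: int = 8) -> bool:
        """Retry rpc() with exponential backoff capped at max_backoff_s.
        A failing call never leads to a tight loop: every failure sleeps."""
        wait = self._min_backoff_s
        for _ in range(max_attempts):
            if await self._rpc():
                return True
            self.backoff_waits.append(wait)
            await self._sleep(wait)
            wait = min(wait * 2, self._max_backoff_s)
        return False


async def _demo(burst: int, failures_before_ok: int):
    calls = {"n": 0}

    async def rpc() -> bool:            # constructed: fails N times, then succeeds
        calls["n"] += 1
        return calls["n"] > failures_before_ok

    async def fake_sleep(s: float) -> None:   # record instead of really waiting
        pass

    w = StatusWatcher(rpc, debounce_s=0.01, sleep=fake_sleep)
    for _ in range(burst):
        w.notify()                # rapid-fire changes, like a status file rewritten many times
    await asyncio.sleep(0.05)     # let the debounce timer fire once
    ok = await w.poll_until_ok()
    return w.refreshes, ok, w.backoff_waits


def run_demo(burst: int = 20, failures_before_ok: int = 3):
    """Returns (refresh count, whether rpc eventually succeeded, backoff delays)."""
    return asyncio.run(_demo(burst, failures_before_ok))
```

With twenty notifications in a burst the refresh runs once, and three failed calls cost waits of 0.5, 1 and 2 seconds instead of a spinning loop. The cap keeps a permanently failing call from sleeping for hours, while the bounded attempt count stops the "endless repeated notifications" the task listed as the expected (but still undesirable) behavior.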
== trixie-port - Kicksecure ISO Installation - using btrfs - broken live mode ==
* VirtualBox
* 18.0.7.0
* ISO
* btrfs
* at boot time, an error related to subvolumes is shown
* bug: read-only volume without read-write overlay
* Aaron: Dracut bug, already fixed upstream but not fixed in Trixie. Bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121043
** Pushed a commit to grub-live to revert back to the Debian-specific overlay-root module and rootovl kernel parameter.
* Patrick: Merged.
== trixie-port - privleap - ai review ==
* todo
* https://github.com/assisted-by-ai/privleap/pull/1
* Aaron: Reviewed, implemented various fixes and added hardening measures. Commits pushed to privleap.
* Patrick: Merged.
* https://github.com/assisted-by-ai/privleap/pull/1 - PR updated
** Aaron: Reviewed, added a bugfix.
* new PR: https://github.com/assisted-by-ai/privleap/pull/2
** Aaron: Reviewed, manually tested the scenario the bulk of the PR was intended to test, added an extra feature suggested by the AI.
* new minor: bug: after running "leaprun sudo" (non-existing, user error, but causes scary error message)
<pre>
Nov 18 10:03:03 host privleapd[1648]: auth_signal_request: WARNING: Action run request: Could not find action 'sudo' requested by account 'user'
Nov 18 10:03:06 host privleapd[1648]: send_msg_safe: ERROR: Could not send 'UNAUTHORIZED'
Nov 18 10:03:06 host privleapd[1648]: BrokenPipeError: [Errno 32] Broken pipe
</pre>
* Aaron: Most likely caused by pressing Ctrl+C during the delay caused by attempting to run an action without authorization. Fixed by the new signal handling mechanism in leaprun used to fix "check_action_terminate: ERROR: Could not get message from client run by account 'user'!".
* Patrick: Merged.
== trixie-port - broken passwordless sudo in unrestricted admin mode ==
* https://forums.whonix.org/t/rejecting-passwordless-sensitive-account-user/22440/2
** Fixed, commit pushed to security-misc.
* Patrick: Merged.
== trixie-port - privleap - check_action_terminate: ERROR: Could not get message from client run by account user ==
* VirtualBox
* 18.0.8.0
* not upgraded
<pre>
Nov 18 09:01:02 localhost privleapd[1143]: check_action_terminate: ERROR: Could not get message from client run by account 'user'!
Nov 18 09:01:02 localhost privleapd[1143]: Traceback (most recent call last):
Nov 18 09:01:02 localhost privleapd[1143]: File "/usr/lib/python3/dist-packages/privleap/privleapd.py", line 517, in check_action_terminate
Nov 18 09:01:02 localhost privleapd[1143]: comm_msg: PrivleapMsg = comm_session.get_msg()
Nov 18 09:01:02 localhost privleapd[1143]: ~~~~~~~~~~~~~~~~~~~~^^
Nov 18 09:01:02 localhost privleapd[1143]: File "/usr/lib/python3/dist-packages/privleap/privleap.py", line 691, in get_msg
Nov 18 09:01:02 localhost privleapd[1143]: recv_buf: bytes = self.__recv_msg_cautious()
Nov 18 09:01:02 localhost privleapd[1143]: ~~~~~~~~~~~~~~~~~~~~~~~~^^
Nov 18 09:01:02 localhost privleapd[1143]: File "/usr/lib/python3/dist-packages/privleap/privleap.py", line 549, in __recv_msg_cautious
Nov 18 09:01:02 localhost privleapd[1143]: raise ConnectionAbortedError("Connection unexpectedly closed")
Nov 18 09:01:02 localhost privleapd[1143]: ConnectionAbortedError: Connection unexpectedly closed
Nov 18 09:01:02 localhost privleapd[1143]: send_action_results: INFO: Action 'sdwdate-log-viewer' requested by account 'user' completed
</pre>
* not reproducible after upgrade
** Aaron: Mitigated somewhat with a commit to leaprun, however this was most likely caused by the leaprun process receiving a signal mid-execution. There isn't much that can be reasonably done to prevent a session terminated prematurely at an arbitrary point from resulting in the server griping about it, other than hiding possibly useful debugging output. The commit fixes a likely common case though.
* Patrick: Merged.
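The privleapd excerpts in this task and in the ai review task above share one cause: the leaprun client left mid-session (a signal such as Ctrl+C), so the server saw EOF on receive (ConnectionAbortedError) or EPIPE on send (BrokenPipeError). As an added example, not privleap's own code and not its wire format, this sketch shows a framed socket session that treats an abrupt peer close as a normal, logged-at-info session end on both paths, while any real protocol error still propagates. LengthPrefixedSession, ClientGone and the sample message are assumptions.

```python
import logging
import socket
import struct

log = logging.getLogger("privleapd-example")


class ClientGone(Exception):
    """The peer closed its end of the socket (for example the client process
    was killed by a signal mid-session). Deliberately distinct from protocol
    errors so callers can log it quietly instead of dumping a traceback."""


class LengthPrefixedSession:
    """Minimal framed session over a connected socket: 4-byte big-endian
    length followed by the payload. Hypothetical format, not privleap's."""

    MAX_MSG = 64 * 1024   # refuse absurd frame sizes from an untrusted peer

    def __init__(self, sock: socket.socket):
        self._sock = sock

    def _recv_exact(self, n: int) -> bytes:
        buf = bytearray()
        while len(buf) < n:
            chunk = self._sock.recv(n - len(buf))
            if not chunk:
                # EOF before the frame is complete: the client went away.
                raise ClientGone("connection closed mid-frame")
            buf += chunk
        return bytes(buf)

    def get_msg(self) -> bytes:
        try:
            (length,) = struct.unpack("!I", self._recv_exact(4))
            if length > self.MAX_MSG:
                raise ValueError(f"oversized frame: {length}")
            return self._recv_exact(length)
        except (ConnectionResetError, ConnectionAbortedError, BrokenPipeError) as e:
            raise ClientGone(str(e)) from e

    def send_msg_safe(self, payload: bytes) -> bool:
        """Return False instead of raising when the peer is gone, so a server
        can try to answer UNAUTHORIZED to a client that already left without
        producing an ERROR-level traceback."""
        try:
            self._sock.sendall(struct.pack("!I", len(payload)) + payload)
            return True
        except (BrokenPipeError, ConnectionResetError, ConnectionAbortedError) as e:
            log.info("client left before reply %r could be sent: %s", payload, e)
            return False


def handle_session(sess: LengthPrefixedSession) -> str:
    """One server-side step: wait for the client's next message. An abrupt
    close is reported as 'client-gone'; a malformed frame still raises."""
    try:
        msg = sess.get_msg()
    except ClientGone as e:
        log.info("session ended by client: %s", e)
        return "client-gone"
    return msg.decode("utf-8", "replace")


def demo_client_disconnect() -> tuple:
    """Constructed scenario: one normal message, then the client vanishes."""
    server_sock, client_sock = socket.socketpair()
    server = LengthPrefixedSession(server_sock)
    client = LengthPrefixedSession(client_sock)
    client.send_msg_safe(b"RUN sdwdate-log-viewer")   # sample request (assumed text)
    first = handle_session(server)                     # delivered normally
    client_sock.close()                                # client killed by a signal
    second = handle_session(server)                    # EOF -> "client-gone", no traceback
    sent = server.send_msg_safe(b"UNAUTHORIZED")       # False, no BrokenPipeError escapes
    server_sock.close()
    return first, second, sent
```

The point of keeping ClientGone separate from other exceptions is that a privilege-escalation daemon still wants loud errors for malformed or oversized frames, which may indicate a misbehaving or hostile client, while a peer simply disappearing is routine and should not look like a server fault in the journal.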
== trixie-port - leapctl - could not connect to privleapd ==
* Tor could not bind. At second boot.
* VirtualBox
* 18.0.6.8
* upgraded
* see log provided
* the output by leapctl does not make it easy to nail this down at this point. If this is difficult to debug, perhaps add additional debug output to leapctl so we can point out which exact leapctl call is causing this?
* please add more debug output to leapctl calls in any case for the future.
** Aaron: Sufficient information to debug the leapctl failure is present in the logs. The issue seems to have been triggered by privleapd dying due to a watchdog timeout. The exact reason is unclear, the VM seems to have locked up for 10 seconds or otherwise experienced a time jump possibly. Details shared in chat.
== trixie-port - set-system-keymap improvements #2 ==
* 1) sudo set-system-keymap de fails to reload labwc. reboot required to change keyboard layout.
* set-system-keymap / set-console-keymap is broken in some situations: single)
* set-system-keymap should configure the system keymap in case of single) - possible by re-generating initrd running "sudo dracut -f" - tested - functional
* sudo dracut -f &>/dev/null to hide verbose dracut output and report only success or failure.
* nativedisk and insmod usb_keyboard:
*** GRUB randomly can't find hard drives sometimes
*** Stack overflows occur
*** Sometimes "alloc magic" errors appear
*** Fonts can become very messed up
*** Boot usually becomes impossible
** Aaron: Implemented, commits pushed to helper-scripts, kicksecure-base-files, usability-misc, anon-gw-base-files, anon-ws-base-files, and derivative-maker.
* 5) set-labwc-keymap: --persist should be the default?
* systemctl --no-block --no-pager restart keyboard setup
* set-console-keymap: allow running as non-root / support file ~/.keyboard
<pre>
Nov 11 03:56:11 host systemd[1]: Starting livecheck-lsblk.service - Obtains lsblk output for use by livecheck...
Nov 11 03:56:12 host livecheck-lsblk[654]: overwrite: ERROR: Error while writing file '/run/desktop-config-dist/livecheck-lsblk', and >
Nov 11 03:56:12 host systemd[1]: livecheck-lsblk.service: Main process exited, code=exited, status=1/FAILURE
Nov 11 03:56:12 host systemd[1]: livecheck-lsblk.service: Failed with result 'exit-code'.
Nov 11 03:56:12 host systemd[1]: Failed to start livecheck-lsblk.service - Obtains lsblk output for use by livecheck.
</pre>
* https://github.com/Kicksecure/desktop-config-dist/blob/master/usr/lib/systemd/system/livecheck-lsblk.service probably needs to wait for systemd-tmpfiles
** Aaron: Implemented in desktop-config-dist.
* Patrick: Merged.
== trixie-port - reconsider non-Qubes RAM settings ==
* rads RAM threshold?
* non-Qubes minimum RAM for CLI? 512 insufficient nowadays?
** Aaron: Should be sufficient now that we have swapfile issues solved.
== trixie-port - login broken in cli ==
* sysmaint session
* 512 MB RAM
* login as sysmaint success
* message "You are using the sysmaint account. This account has sudoers capabilities." visible but then system frozen
* only reproducible at first login, maybe not reproducible
* Aaron: RAM issue, encrypted swapfiles as made by swap-file-creator work on Bookworm but are broken on Trixie.
** unencrypted: works
** encrypted by virtue of being on a LUKS-encrypted partition: works
** file on an unencrypted filesystem which is then itself encrypted and device-mapper mounted, then used as a swapfile: broken, machine hangs as if memory is exhausted while gigabytes of swap remain
** Reported bug to LKML: https://lore.kernel.org/lkml/20251111231835.1232ad8f@kf-m2g5/T/#u
** Adjusted swap-file-creator to use unencrypted swapfiles, but only allow creating swapfiles on systems with LUKS FDE. Commits pushed to swap-file-creator.
* Patrick: Merged.
== qubes memory issues ==
* https://forums.whonix.org/t/increased-memory-usage/22092/12
* sdwdate_gui_client.py: please port to asyncio - not trixie branch
** Aaron: Initial porting attempt, needs more testing but seems to work initially: https://github.com/ArrayBolt3/sdwdate-gui/tree/arraybolt3/sdwdate-gui-client-asyncio
** Patrick: Merged.
* Several more possibly memory-related issues reported:
** https://github.com/qubesos/qubes-issues/issues/10349
** https://github.com/QubesOS/qubes-core-admin/pull/748#issuecomment-3489978459
** alimj reported OOM crashes in the qubes-public Matrix room
* Commits pushed to security-misc, developer-meta-files, and kicksecure-meta-packages to disable USBGuard on Whonix always, and on Kicksecure when there is no USB controller.
* Patrick: Merged.
* -----
* Patrick: asyncio also merged.
* Patrick: Please review, merge (only the bug fix - not the test script) - https://github.com/assisted-by-ai/sdwdate-gui/pull/1
** Aaron: Merged, did substantial refactoring and fixed an uncaught bug in the process (inconsistent handling of config file parsing)
* Patrick: Please increase Qubes default memory, if applicable.
** Aaron: Per Qubes OS's current wishes, attempting to avoid this if possible. If memory is still an issue after merging the new sdwdate-gui code, will request a memory limit bump.
* Patrick: bug: chokes on
<pre>
gateway=sys-whonix
</pre>
* without quotes. Some users will use it that way because that is how it was documented in the past. I added code to legacy-dist. Please review.
** Aaron: Left comments in chat.
*** Will move migration code to sdwdate-gui postinst script.
**** This is now done, commits pushed to legacy-dist and sdwdate-gui.
* Patrick: please review https://github.com/assisted-by-ai/sdwdate-gui/pull/2
** Aaron: Merged.
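Added example, not code from sdwdate-gui or legacy-dist: a tolerant parser for the <code>gateway=...</code> setting discussed above. It accepts the value bare, double-quoted or single-quoted (so the historically documented unquoted form keeps working), skips malformed lines instead of aborting, and refuses to pass a value containing shell metacharacters on to anything that would later run a Qubes command with it. The sample file contents, the <code>autostart</code> key, the default gateway name and the VM name pattern are assumptions of this example.

```python
import re
import shlex

# Constructed sample config (not a real sdwdate-gui file). The first gateway
# line is the unquoted form older documentation showed, the second the quoted
# form; as with shell assignments, the last assignment wins.
SAMPLE_CONFIG = """\
## sdwdate-gui settings (constructed sample)
gateway=sys-whonix
gateway="sys-whonix"
autostart='true'
this line has no equals sign and is skipped
"""

# Assumed plausible Qubes VM name: letter first, then letters, digits, '-', '_'
# or '.', at most 31 characters. An assumption of the example, not a rule
# stated on this page.
VM_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,30}$")
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_config(text):
    """Parse KEY=VALUE lines; VALUE may be bare, "double" or 'single' quoted.

    Comments, blank lines, lines without '=' and lines with unbalanced quotes
    are skipped rather than fatal, so one odd line cannot take the GUI down.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not KEY_RE.fullmatch(key):
            continue
        try:
            # shlex strips a matching pair of quotes and leaves bare text alone
            parts = shlex.split(value.strip())
        except ValueError:
            continue  # unbalanced quote: ignore this line
        result[key] = " ".join(parts)
    return result


def gateway_from_config(text, default="sys-whonix"):
    """Return the configured gateway, or the default when the key is missing
    or the value is not a plausible VM name (spaces, ';', '$' and similar must
    never reach a qvm-run/qrexec invocation built from this string)."""
    name = parse_config(text).get("gateway", default)
    return name if VM_NAME_RE.match(name) else default
```

Both <code>gateway=sys-whonix</code> and <code>gateway="sys-whonix"</code> parse to the same value; a value such as <code>"sys-whonix; rm -rf /"</code> parses fine but fails the name check and falls back to the default instead of being handed to a command builder.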
== trixie-port - default desktop icons ==
* Network: Seems useless. Please remove.
** Aaron: Removed, commits pushed to kicksecure-base-files, anon-gw-base-files, and anon-ws-base-files.
* Patrick: Merged.
== trixie-port - environment variable VISUAL missing ==
* usability-misc
<pre>
/etc/profile.d/50_default_editor.sh
/etc/zprofile.d/50_default_editor.zsh
/etc/profile.d/50_default_editor.sh
/etc/X11/Xsession.d/50_default_editor
</pre>
* in non-Qubes, Wayland:
<pre>
env | grep VISUAL
</pre>
* also other environment variables set through profile.d/ zprofile.d, Xsession.d mechanism might be missing
* Aaron: Issue was caused by a check for "$XDG_SESSION_TYPE" = "tty". Removed that conditional, now it works. (greetd appears to run the session start script in a TTY.)
** Did not find any other missing variables in /etc/profile.d that were being missed except for safe-rm's addition of its own path to $PATH (this file is not symlinked to /etc/zprofile.d so this is likely expected).
** Fixed 50_default_editor.sh, commit pushed to usability-misc.
* Patrick: Merged.
== trixie-port - vm-config-dist - install on ISO by default ==
* vm-config-dist has vbox-guest-installer and wlr-resize-watcher, which both can be/are highly useful inside virtualbox
* Do you see anything that makes vm-config-dist incompatible with installed on the host operating system or inside Qubes?
* investigate /etc/dracut.conf.d/30-vm-config-dist.conf and if it seems safe for rm_conffile removal
* Please modify, if sane, to make it compatible with the host / Qubes. I.e. implement no-ops, if needed.
* Install by default everywhere non-Qubes, Qubes and host, if sane.
* Aaron: Next steps:
** Need to change the `shared` bookmark so it is saved in a system-wide location and only created on VMs.
** Keep wlr-resize-watcher from running on physical hardware
** OK to comment out power management disabling and VBox guest additions installation in the postinst?
* Aaron: Done, commits pushed to vm-config-dist.
* Patrick: Ready to be installed by default on the ISO? If yes, please add.
** Aaron: Done, commits pushed to developer-meta-files and kicksecure-meta-packages.
* Patrick: Merged.
== trixie-port - failed to mount /tmp ==
* seen in persistent mode user, briefly, during shutdown
* cosmetic issue only
* avoidable?
* Aaron: VBoxDRMClient bug. Report filed: https://github.com/VirtualBox/virtualbox/issues/375
** Possible security risks in /tmp remaining mounted during shutdown? Perhaps if shutdown hangs while /tmp is mounted, valuable data might be left in-memory that an attacker could access, but we have emerg-shutdown to deal with most situations where this would be a concern.
** As a stop-gap, we could use a service in usability-misc to kill VBoxDRMClient during shutdown if we want to ensure /tmp is properly unmounted.
*** Patrick: Please implement in security-misc? Seems security related. As a stop-gap until ensure-shutdown gets default and (more) reliable.
**** Aaron: Done, commits pushed to security-misc and user-sysmaint-split.
* Patrick: Merged.
== comment on pdf reader and other packages suggestions ==
* https://forums.whonix.org/t/choosing-qt-wayland-compatible-software-for-lxqt/22332/9
* Read through, commented.
== trixie-port - sgdisk ==
* VirtualBox 7.24
* Kicksecure LXQt 18.0.5.8
* Can these warnings be fixed?
<pre>
sudo sgdisk -v /dev/sda
</pre>
<pre>
Caution: Partition 3 doesn't end on a 2048-sector boundary. This may result in problems with some disk encryption tools.
No problems found. 2021 free sectors (1010.5 KiB) available in 2 segments, the largest of which is 2014 (1007.0 KiB) in size.
</pre>
* Aaron: May be difficult to fix. grml-debootstrap uses parted for partition creation, and according to parted, partition 3 is optimally aligned. I find it somewhat unlikely grml-debootstrap would want to port to sgdisk.
** Sent an email to the GPT fdisk mailing list to see if there's a good way to fix the discrepancy between the behavior of GPT fdisk and Parted. https://sourceforge.net/p/gptfdisk/mailman/message/59257231/
* https://forums.kicksecure.com/t/sudo-sgdisk-v-dev-sda-caution-partition-3-doesnt-end-on-a-2048-sector-boundary-this-may-result-in-problems-with-some-disk-encryption-tools/1363
== trixie port - hibernation ==
* something has to be done about hibernation. even if deciding we're against it. then updating the wiki and removing the hibernation button (or breaking it).
* Create forum thread to determine demand before investing effort.
** Forum post: https://forums.kicksecure.com/t/support-for-hibernation/1349
== login security check bug ==
* sys-whonix
<pre>
INFO: user-sysmaint-split session detection result: SYSMAINT Session.
INFO: Whonix Login Security Check:
+----------+--------------------------------------+
| Users    | Password             GUI Autologin   |
+----------+--------------------------------------+
| root     | Locked (Present)     Disabled        |
| user     | Absent               Disabled        |
| sysmaint | Absent               Enabled         |
+----------+--------------------------------------+
</pre>
* anon-whonix
<pre>
[INFO] [systemcheck] user-sysmaint-split session detection result: USER Session.
INFO: Whonix Login Security Check:
+----------+--------------------------------------+
| Users    | Password             GUI Autologin   |
+----------+--------------------------------------+
| root     | Restricted (Absent)  Disabled        |
| user     | Locked (Absent)      Enabled         | [Locked (Absent) - green color]
| sysmaint | Locked (Absent)      Enabled         | [Locked (Absent) - orange color]
+----------+--------------------------------------+
</pre>
* Kicksecure Qubes
<pre>
[INFO] [systemcheck] user-sysmaint-split session detection result: USER Session.
[INFO] [systemcheck] Kicksecure Login Security Check:
+----------+--------------------------------------+
| Users    | Password             GUI Autologin   |
+----------+--------------------------------------+
| root     | Restricted (Absent)  Disabled        |
| user     | Absent               Enabled         |
| sysmaint | Locked (Absent)      Enabled         |
+----------+--------------------------------------+
</pre>
* bug: user | Locked (Absent) versus user | Absent?
* bug: why do some Locked (Absent) entries get green color and others orange?
* bug: why are some accounts locked while others are not?
* new design
* refuse screen lock because the password is locked
* refuse logout because the password is locked
* when booted in user mode:
** prevent logging into accounts that are passwordless and members of group sudo, root, or sysmaint
** prevent logging into account sysmaint
* when booted in sysmaint session:
** prevent logging into any accounts other than sysmaint
* stop locking account sysmaint in user sessions since we now rely on a PAM module
* remove special handling of account sysmaint in login security table of systemcheck
* Aaron: Implemented, commits pushed to security-misc, user-sysmaint-split, and systemcheck.
* Patrick: bug:
** Kicksecure, 512 MB RAM, user session:
*** can no longer login. Account false-positive detected as sensitive passwordless account.
*** Perhaps because account user is a member of group sudo?
**** Aaron: Fixed, commit pushed to security-misc.
* Patrick: Merged.
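Added example, not the code in security-misc, user-sysmaint-split or systemcheck: the rules from the "new design" list above applied literally to constructed /etc/passwd, /etc/shadow and /etc/group contents. With the listed groups (sudo, root, sysmaint) the check flags account user as a sensitive passwordless account because it is a member of group sudo, which is the false positive reported above. The fix Aaron pushed to security-misc is not shown on this page, so the group list is left as a parameter and no particular fix is implied. The sample file contents and the password-state labels are assumptions of the example (the "Restricted" state from the tables above is not modelled).

```python
# Constructed sample files, not copied from any real Kicksecure system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000:user:/home/user:/bin/bash
sysmaint:x:1001:1001:sysmaint:/home/sysmaint:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:!$y$j9T$abc:19000:0:99999:7:::
user::19000:0:99999:7:::
sysmaint:!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:user
sysmaint:x:1001:
user:x:1000:
"""

# Groups the page lists as sensitive; kept as a parameter so the effect of
# narrowing the list can be seen. Not a statement of what the fix did.
SENSITIVE_GROUPS = ("sudo", "root", "sysmaint")


def parse_colon_file(text):
    """Split /etc/passwd, /etc/shadow or /etc/group text into field lists."""
    return [line.split(":") for line in text.splitlines()
            if line and not line.startswith("#")]


def password_state(field):
    """Classify the second /etc/shadow field with labels modelled on the
    systemcheck table above (label assignment is this example's assumption):
    ''          -> 'Absent'            usable without a password
    '!' / '*'   -> 'Locked (Absent)'   locked, nothing behind the lock
    '!<hash>'   -> 'Locked (Present)'  locked, hash kept, can be unlocked
    otherwise   -> 'Present'"""
    if field == "":
        return "Absent"
    if field.startswith("!"):
        rest = field.lstrip("!")
        return "Locked (Absent)" if rest in ("", "*") else "Locked (Present)"
    if field == "*":
        return "Locked (Absent)"
    return "Present"


def group_memberships(passwd_rows, group_rows):
    """{account: set(groups)} covering primary gid and supplementary members."""
    gid_to_name = {row[2]: row[0] for row in group_rows}
    members = {row[0]: set() for row in passwd_rows}
    for row in passwd_rows:
        if row[3] in gid_to_name:
            members[row[0]].add(gid_to_name[row[3]])
    for row in group_rows:
        for name in row[3].split(","):
            if name in members:
                members[name].add(row[0])
    return members


def sensitive_passwordless(passwd, shadow, group, sensitive_groups=SENSITIVE_GROUPS):
    """Accounts that are passwordless AND (uid 0, named sysmaint, or in a
    sensitive group), i.e. the literal rule from the 'new design' list."""
    passwd_rows = parse_colon_file(passwd)
    states = {row[0]: password_state(row[1]) for row in parse_colon_file(shadow)}
    memberships = group_memberships(passwd_rows, parse_colon_file(group))
    flagged = set()
    for row in passwd_rows:
        name, uid = row[0], row[2]
        if states.get(name) != "Absent":
            continue
        if uid == "0" or name == "sysmaint" or memberships[name] & set(sensitive_groups):
            flagged.add(name)
    return flagged


def login_allowed(account, session, flagged):
    """Login policy per session type from the list above."""
    if session == "sysmaint":
        return account == "sysmaint"
    if session == "user":
        return account != "sysmaint" and account not in flagged
    raise ValueError("unknown session type: %r" % session)
```

With the sample data and the page's group list, <code>sensitive_passwordless()</code> returns <code>{'user'}</code>, so <code>login_allowed('user', 'user', ...)</code> is false: exactly the "can no longer login" symptom described above for a passwordless user account that is a member of group sudo.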
== trixie-port - fix shutdown slowdown bug ==
* todo
* slower since fixing unmount of /tmp?
* Aaron: Unable to reproduce. Timing measurements from screen recordings (all times and timestamps are measured in 1/30 of a second):
<pre>
                                       start    end     end minus start
before upgrade - bootup              :  335 ->  736  |  401
before upgrade - shutdown            :  914 -> 1156  |  242
after upgrade - bootup               :  323 ->  728  |  405
after upgrade - shutdown             :  869 -> 1058  |  189
before upgrade - sysmaint bootup     :  247 ->  746  |  499
before upgrade - sysmaint shutdown   : 1377 -> 1621  |  244
after upgrade - sysmaint bootup      :  215 ->  616  |  401
after upgrade - sysmaint shutdown    : 1195 -> 1410  |  215
</pre>
* If slow shutdown is noticed again, will re-measure and compare to these values.
== stardict - investigate ==
* debian policy applicable?
* https://www.kicksecure.com/wiki/Dev/Debian#startdict
* Sent email to Debian.
* https://lists.debian.org/debian-devel/2025/10/msg00175.html
** Aaron: Conversation seems to have run its course, package is likely no longer unsafe and can be left. However, if a similar issue reoccurs, this can be referenced.
== trixie-port - user-sysmaint-split - improve error handling ==
* now: when booting into sysmaint session and user-sysmaint-split fails, one actually boots into a user session
* expected: better error handling
* todo: when user-sysmaint-split fails (such as read-only file system, either due to a live-hardener bug or filesystem corruption, disk hardware issues):
** show an error, wait, reboot or poweroff?
** offer to open a recovery console? conflicts with no recovery console by default goal. so settings should be honored. a recovery console however or even booting into "user session" may be helpful for debugging.
** need to have some way to debug the system
* Aaron: Suggested action: Make sysmaint-boot.service print stdout and stderr to journal+console (so messages are seen by the user). If an error is encountered and trapped, pause for five seconds so they can see or screenshot the error. Ensure that the user does not get dropped to a sysmaint session with a full LXQt desktop, or a user session, prefer dropping them to a login screen as worst-case scenario.
** This should allow easy-ish debugging (switch to a TTY and log in as account sysmaint) assuming the sysmaint account was unlocked before sysmaint-boot.service crashed. It also avoids the possible security risks of logging in as a standard user while the sysmaint account is unlocked.
** Maybe also block logging into a full graphical user session when booted in sysmaint session, to encourage the use of a TTY instead?
** Suggestions implemented, commits pushed to user-sysmaint-split and desktop-config-dist.
* Patrick: Merged.
== trixie-port - kloak - disable red crosshair by default ==
* todo discuss
* Aaron: Done, commits pushed to kloak and lxqt-wayland-session.
* Patrick: Merged.
== live-hardener - skip overlay of non-overlayable filesystems ==
* todo
* Aaron: Added requested feature, also greatly improved regression test coverage, added better comments, and fixed some bugs with finding submounts.
* Patrick: Merged.
* Patrick: please review https://github.com/assisted-by-ai/grub-live/pull/1
** Aaron: Merged.
== security-misc /etc/systemd/system/ review ==
* Do /etc/systemd/system folder contents still make sense nowadays?
* https://github.com/Kicksecure/security-misc/tree/master/etc/systemd/system
** Aaron: In my opinion, yes. The contents of these files prevent a locked root account from denying access to emergency mode, which IMO is very useful so that someone with physical access to the machine and the disk passphrase (and bootloader password) can fix a broken system even if the root account is locked for security. I also think that these should remain in /etc as they are now, because that allows users who want to disable this behavior to do so easily.
== LXQt - ISO - move task bar to the top ==
* https://forums.kicksecure.com/t/make-the-taskbar-on-the-bottom-not-at-the-top/1338
* if sensible
* new images:
** VM images: Taskbar at the top by default. - keep as is
** ISO / hardware: Taskbar at the bottom by default. - new default
* existing images: No need to change the setting for existing users.
* Patrick: Not doing this for now. Could run a poll if this comes up again.
== Whonix-Starter - please fork on github and nothing ==
* https://github.com/Whonix/Whonix-Starter
* 1. please fork
* 2. done
* (this is just to be able to git fetch from github using dm-packaging-helper-script without errors, exceptions, the only not yet forked repository)
* 3. please move to archived when done
** Aaron: Repo was already forked. Made sure the master and work branches of all my repos were updated just in case that would help the issue.
== bookworm - disk lost after initial upgrade-nonroot ==
* occurs for users running Whonix KVM under Fedora, Manjaro
** Debugged, was only able to reproduce the issue once (using Manjaro KDE). Partition table was corrupted after first boot, the partition table field indicating the end of the partition had been changed to a larger value, but integrity checking info was not updated, thus Linux wasn't detecting any partitions on the device. Interestingly, in a later working VM, the same larger value was seen in the partition table, but there were no boot issues.
** The most likely culprit is systemd-repart.
** Unable to reproduce with Whonix 18 on Manjaro KDE. Documented possible workaround here: https://www.whonix.org/wiki/KVM#VM_disk_corruption_after_first_boot
== trixie-port - power saving ==
* todo: discuss
* Aaron: Discussion thread created: https://forums.kicksecure.com/t/power-management-for-physical-hardware-in-kicksecure-18/1344
* Patrick: Please report LXQt issue upstream
** Aaron: Done.
* Aaron: Implemented new power savings settings, commits pushed to desktop-config-dist and vm-config-dist.
* Patrick: Merged.
== trixie-port - livecheck - avoid multiple popups ==
* if pressing the livecheck button multiple times, and an active popup window is already open, don't open additional popups
** Aaron: Implemented in desktop-config-dist.
* Patrick: Merged.
== trixie-port - set-system-keymap ==
* bug: Whonix-Gateway - no user-sysmaint-split - sudo set-system-keymap de
* expected: runs labwc --reconfigure
* actual: does not run labwc --reconfigure
* sudo --non-interactive -u $SUDO_USER labwc --reconfigure
* sudo --non-interactive -u $user_name_item labwc --reconfigure for all users?
* loadkeys to apply changes without reboot?
* "leaprun sudo" (as documented on https://www.kicksecure.com/wiki/Sysmaint#enable_sudo_access_in_USER_session)
* bug: boots into user session, presumably due to read-only file system
* bug: sudo touch /etc/testfile show "read-only file system"
* bug: live-hardener: INFO: Non-zero exit code. - Should be ERROR or at least WARNING?
** Patrick: Fixed.
* bug: live-hardener detect grub-live-semi-persistent-unsafe but livecheck does not point that out
* bug: live hardener attempts to remount /boot/efi but fails
* bug: live-hardener runs a mount code that has a non-zero exit code but yet live-hardener exits zero rather than non-zero
* Aaron: Could not reproduce, tried multiple scenarios after discussion in chat.
* Patrick: live-hardener log: removed since not caused by live-hardener.
* Patrick: Probably not caused by live-hardener. sudo systemctl mask live-hardener.service - did not solve the issue
* Patrick: Also not a VirtualBox green turtle issue as this was also resolved on my system.
* lots of overlayfs related issues: https://github.com/dracut-ng/dracut-ng/issues?q=overlayfs
* user session mode - persistent mode - no issue - for comparison only
<pre>
mount
</pre>
<pre>
/dev/sda3 on / type ext4 (rw,relatime,errors=remount-ro)
devtmpfs on /dev type devtmpfs (rw,nosuid,size=4096k,nr_inodes=246855,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=600,ptmxmode=000)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
proc on /proc type proc (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=403684k,nr_inodes=819200,mode=755,inode64)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=4308)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,nr_inodes=1048576,inode64)
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=201840k,nr_inodes=50460,mode=700,uid=1000,gid=1000,inode64)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
shared on /mnt/shared type vboxsf (rw,nodev,relatime)
</pre>
* user session - live mode - broken read-only filesystem
<pre>
/dev/sda3 on / type ext4 (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,size=4096k,nr_inodes=246855,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=600,ptmxmode=000)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=403684k,nr_inodes=819200,mode=755,inode64)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=4451)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,nr_inodes=1048576,inode64)
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=201840k,nr_inodes=50460,mode=700,uid=1000,gid=1000,inode64)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
</pre>
* user session: same output for both, persistent mode and live mode
<pre>
sudo sgdisk -v /dev/sda
</pre>
<pre>
Caution: Partition 3 doesn't end on a 2048-sector boundary. This may result in problems with some disk encryption tools.
No problems found. 2021 free sectors (1010.5 KiB) available in 2 segments, the largest of which is 2014 (1007.0 KiB) in size.
</pre>
* Patrick: For debugging, removed error=remount-ro from /etc/fstab. No effect.
* Aaron: Issue spotted, your system is still using the Debian-specific module for mounting an overlayfs, and thus is looking for rootovl rather than rd.live.overlay.overlayfs=1.
* Patrick: Merged.
== trixie-port - sysmaint - lock screen - black screen ==
* probably minor bug: boot into sysmaint session -> lock screen -> black screen
** note: this bug was only observed prior to reboot. after reboot, screen locking was refused with popup. as expected. (because no password set)
*** after setting a password and locking the screen, everything worked as expected.
* we might be able to ignore this bug since unreleased
* xtrace of /usr/libexec/user-sysmaint-split/sysmaint-session-wayland
** (ticket below for unrelated error messages found)
* Aaron: Cannot reproduce. Asked for more info in chat.
* Aaron: Possibly transient, symptoms did not match any screen locking utility in Kicksecure. Archiving for now.
== trixie port - possibly broken systemcheck disallowed-test ==
* Aaron saw the AppArmor "disallowed-test" fail in KVM. Investigate.
** Issue does not occur in a freshly built KVM VM. Archiving.
== trixie-port - user-sysmaint-split versus flatpak ==
* flatpak install flathub org.mozilla.firefox
* functional in user session
* also functional
** flatpak --user remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
** flatpak --user install flathub org.mozilla.firefox
* please investigate security impact
* Aaron: Users were indeed able to install applications system-wide, so that account user could install an app in a location where account sysmaint could run it later.
** Added a commit to security-misc to lock down Flatpak's polkit controls, requiring authorization for most things. Installing software with flatpak install --user is still functional as account user even with user-sysmaint-split installed.
* Patrick: Does it belong into security-misc or user-sysmaint-split?
** Aaron: security-misc seems preferable. Might prevent deployment of a system-wide malicious flatpak.
* Patrick: Please update debian/control and readme.
** Aaron: Updated README.md. debian/control didn't look like it had anything that needed updating.
* Patrick: Merged.
== trixie-port - kloak - compilation warning ==
<pre>
In file included from src/kloak.c:47:
src/xdg-output-protocol.h: In function 'zxdg_output_v1_add_listener':
src/xdg-output-protocol.h:347:38: warning: cast discards 'const' qualifier from pointer target type [-Wcast-qual]
  347 |                                      (void (**)(void)) listener, data);
      |                                      ^
In file included from src/kloak.c:48:
src/wlr-layer-shell.h: In function 'zwlr_layer_surface_v1_add_listener':
src/wlr-layer-shell.h:434:38: warning: cast discards 'const' qualifier from pointer target type [-Wcast-qual]
  434 |                                      (void (**)(void)) listener, data);
      |                                      ^
make[1]
</pre>
* Aaron: Warnings are in headers autogenerated by wayland-scanner. The way in which the code is used that leads to these warnings appears to be correct use of the Wayland protocols and libraries, thus this should be safe to ignore.
* Patrick: Merged.
== trixie-port - qubes update ==
* privleap systemctl workaround
* no stream isolation warnings injected by uwt
** Aaron: Both done, new commits in uwt.
* Patrick: Merged.
== mediawiki-shell review and merge ==
* https://github.com/Kicksecure/mediawiki-shell/pull/1
* please review, merge and commit any fixes on top if any new bugs were introduced or obvious bugs spotted
* branch: trixie (primarily used internally)
** Aaron: Reviewed, fixed many small issues, pushed to my fork of mediawiki-shell. Code is untested as of yet, can come back to test this if/when desirable.
* Patrick: Merged.
== trixie-port - /etc/profile.d environment variables missing ==
* Kicksecure 18, ISO with vm-config-dist installed
* /etc/profile.d/20_software_rendering_in_vms.sh - script executes correctly if executed using sh -x /etc/profile.d/20_software_rendering_in_vms.sh
* when typing env | grep -i QML the environment variable is missing under Wayland
* Aaron: Found bug, glxinfo is not directly compatible with Wayland and can be misleading when using Xwayland.
** Fix, switch to eglinfo: https://github.com/ArrayBolt3/vm-config-dist/commit/36aa33c0e64a9a73a83db4753ee4005af5007ceb
* Patrick: Merged.
== tor-control-panel - anon-connection-wizard - review contributions ==
* please discuss, review
* https://forums.whonix.org/t/tor-controller-gui-tor-control-panel/5444/99
** Aaron: Briefly reviewed, commented. This looks like it increases code duplication, which is undesirable.
== trixie port - dom0 updates over Whonix-Gateway ==
* downloads failing because curl proxy is not set
* Fix in progress: https://github.com/QubesOS/qubes-core-agent-linux/pull/614
** Merged, test locally.
** Seems to work in testing. Will keep sys-whonix as the dom0 update proxy for a few more days to see what happens.
* Patrick: Please document. https://www.whonix.org/wiki/Qubes/UpdatesProxy
** Aaron: Added documentation, did some more testing of the dom0 update system to ensure it actually was working.
* Patrick: If possible, please revert upstream in Qubes and implement a uwt wrapper for dnf that injects the required option.
** https://github.com/QubesOS/qubes-core-agent-linux/pull/614#issuecomment-3449884150
*** Aaron: Done, pushed commits to uwt, helper-scripts, and qubes-whonix. The new code works both with and without the Qubes-side proxy argument injection in place, so migration should be smooth.
* Patrick: Merged.
== trixie port - sysmaint - sys-whonix - missing systemd units ==
* Please check if any systemd units are missing in sysmaint.target.
<pre>
sudo systemctl list-units --all | grep "loaded inactive dead"
</pre>
* Aaron: Compared the units running in a user session with the units running in a sysmaint session, rather than using --all; this approach should be more accurate.
** Added some missing units to user-sysmaint-split (sysmaint-boot.service).
** Also sent an email to Qubes to see if we should just blanket whitelist all qubes units going forward (this should be done with automation of some sort most likely to avoid units introduced in the future ending up missed). https://www.mail-archive.com/qubes-devel@googlegroups.com/msg05673.html
== trixie-port - qubes-bind-dirs bug ==
* a user has privately shared a log where /var/lib/sdwdate/time-replay-protection-utc-unixtime was not writeable by sdwdate
* /usr/lib/tmpfiles.d/sdwdate.conf looks fine
* therefore this is a qubes-bind-dirs issue?
* https://github.com/QubesOS/qubes-issues/issues/8466
** if possible during R4.3 RC. otherwise priority can be lowered.
** otherwise, non-ideal workaround for all bind-dirs:
<pre>
## https://github.com/QubesOS/qubes-issues/issues/8466
ExecStartPre=chown --recursive canary:canary /var/lib/canary
</pre>
* Aaron: Issue already known, fix is at https://github.com/QubesOS/qubes-core-agent-linux/pull/615 but is pending merge by Qubes. Link to PR already in WAITING ON.
== trixie-port - lock-screen improvements ==
* move from /usr/libexec/helper-scripts/lock-screen to /usr/bin/lock-screen since it might be useful to lock the screen using the command line
* bug: unhandled swaylock issues. If swaylock exits non-zero, there would currently be no error popup. (Theoretical issue only at this time.)
* disable screen lock by default inside VMs, if sane?
** Versus security on servers with wayland installed?
** Versus vm-config-dist? (Which says it disables screen locks for VMs but does not yet for Wayland.)
* use a different background image that simply states "screen lock" all over the place?
* use a swaylock theme?
** https://github.com/dracula/swaylock/blob/main/swaylock/config
** looks better: https://github.com/dracula/swaylock/blob/main/screenshot.png
** no need for a different background image, but the style, the clock might help the user to identify that this is a screen locker
* there is not really a swaylock alternative where the password prompt is more obvious? (was discussed before, i think)
* automatically lock screen in sysmaint session. Currently does not seem to happen.
* Aaron: All implemented in appropriate packages (anon-gw-base-files, anon-ws-base-files, desktop-config-dist, helper-scripts, kicksecure-base-files, sysmaint-panel, user-sysmaint-split, vm-config-dist)
* Patrick: Merged.
== trixie port - multiple wayland sessions or wayland session restarts ==
* excerpt from above log file from task trixie-port - sysmaint - lock screen - black screen
* steps to reproduce:
** 1) from a virtual console.
** 2) while a wayland session is already running
** 3) sudo systemctl restart greetd
* Multiple sessions? Not important. Most important is to handle or fail better:
** The usual thing would be to kill the old session and start a new one?
** If not, can we fail with a better error message?
* Aaron: Implemented the "kill the old session and start a new one" solution. Commits pushed to user-sysmaint-split, helper-scripts, and kloak (since code from kloak ended up being reused in user-sysmaint-split and was split into a new library in helper-scripts).
* Patrick: Merged.
== trixie port - backlight-tool ==
* excerpt from above log file from task trixie-port - sysmaint - lock screen - black screen
** i did not use backlight-tool because testing inside a VM
** yet, journal will probably pick up an issue such as the following
<pre>
/usr/bin/backlight-tool-dist-agent: ERROR: Cannot read target file!
</pre>
* bug: backlight-tool shows errors inside VMs where it is expected that there is no backlight kernel driver
* question:
** related to
<pre>
calc_bl_brightness=$(( (bl_max_brightness * bl_pct) / 100 )) || true
</pre>
** (split by Patrick into two lines)
** action: bash -x usr/bin/backlight-tool-dist-agent set 100
*** result: overwrite /home/user/.config/backlight-tool-dist-last-bright-pct 50
*** always "50" is written to that file
* some changes by Patrick. Please review.
** Aaron: Reviewed, made some string changes and added a better info message when no saved brightness value is present for restoring.
* Patrick: Merged.
== trixie-port - vm-config-dist - disable power savings by default in wayland ==
* needed?
* Aaron: Done as part of disabling screen locking in VMs on Wayland.
== trixie-port - don't offer on-screen keyboard in sysmaint-panel on Qubes ==
* The on-screen keyboard button does nothing under Qubes because Wayland is not in use. Even if Wayland was in use, this would be confusing.
** Hid this and the system keymap button under Qubes OS at the same time.
* Patrick: Merged.
== trixie-port - apparmor-info - fix ==
* bug: apparmor-info is no longer functional on trixie. It fails to show denied (or any) apparmor messages.
* Aaron: Fixed, commits pushed to security-misc and helper-scripts.
** '''WARNING:''' apparmor-info and apparmor-watch moved from helper-scripts to security-misc, thus please add to security-misc Breaks/Replaces against helper-scripts versions older than the next uploaded version.
*** Patrick: Merged, reverted to avoid breaks, replaced. Instead added the journal auditd socket activation to usability-misc.
== trixie-port - system keymap script improvements #2 ==
* separate set-console-keymap
** Aaron: Implemented in helper-scripts.
* sysmaint-panel: do not show keymap change in Qubes
** Aaron: Implemented. Notes about UI design left in chat.
* Patrick: Merged.
== automate detection of new tor and tor-browser versions ==
* We currently ship Tor in the Kicksecure repository, taking packages from deb.torproject.org for this.
* We also hardcode a Tor Browser version number in tb-updater.
* Create scripts for finding the latest versions of Tor and Tor Browser, and taking the necessary actions to update them
## developer-meta-files /usr/bin/dm-virtualbox-update-local-and-wiki-links
make_cross_build_platform_list="i386 amd64 arm64" ./build-steps.d/*_create-debian-packages --flavor internal --target root --function download_tpo_packages
./build-steps.d/*_create-debian-packages --flavor internal --target virtualbox --function download_packages_from_debian_sid
* Aaron: Implemented Tor package update script as dm-tor-update-repository, added wrapper in dm-packaging-helper-script.
* Aaron: Tor Browser version updater is already implemented as pkg_tor_browser_version_update in dm-packaging-helper-script.
* Aaron: Unsure where to add master wrapper to update Tor, Tor Browser, and VirtualBox all at once. Perhaps create a new shell script, dm-update-third-party-software-references or similar?
* Patrick: Merged.
* Patrick: dm-maintenance created
== trixie-port - default screen resolution ==
* vm-config-dist: debian/control
Set screen resolution 1920x1080 by default for VM in VirtualBox and KVM. Workaround for low screen resolution 1024x768 at first boot. When using lower screen resolutions, Xfce will automatically scale down. `/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml` TODO: This may no longer be the case with Wayland.
* please re-implement for Wayland, if sane.
* Aaron: Doing this exactly as described may be hard on Wayland, because there is no location where the display configuration is saved any longer, it is always generated dynamically and must be fixed manually by the user if desired. However, what we can do is set the resolution of all displays to 1920x1080 if the appropriate hypervisor helpers (VBoxDRMClient, spice-vdagentd) are not active when wlr_resize_helper launches.
** Implemented this in vm-config-dist.
* Patrick: Merged.
== trixie port - forcing reinstallation of alternative /usr/libexec/user-sysmaint-split/policy-rc.d because link group policy-rc.d is broken ==
* bug?
Setting up systemcheck (3:43.6-1) ...
warn: The user `canary' is already a member of `debian-tor'.
warn: The user `systemcheck' is already a member of `debian-tor'.
warn: The user `systemcheck' is already a member of `systemd-journal'.
Processing triggers for qubes-core-agent (4.3.34-1+deb13u1) ...
Setting up user-sysmaint-split (3:9.1-1) ...
update-alternatives: warning: forcing reinstallation of alternative /usr/libexec/user-sysmaint-split/policy-rc.d because link group policy-rc.d is broken
Synchronizing state of openvpn.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable openvpn
Generating grub configuration file ...
Found theme: /boot/grub/themes/kicksecure/theme.txt
Adding boot menu entry for UEFI Firmware Settings ...
done
Setting up security-misc-desktop (3:48.8-1) ...
* Aaron: Qubes OS bug, fix submitted: https://github.com/QubesOS/qubes-builder-debian/pull/95
== trixie port - remove volume widget from Whonix-Gateway sysmaint panel ==
* Waybar is showing an empty volume widget on Whonix-Gateway
* Move config files to remove this.
** Likely need to handle migration of the files from desktop-config-dist to the appropriate base-files packages to prevent breaking Qubes OS R4.3 rc3. See qubes-public Matrix room for context.
** Done, commits pushed to kicksecure-base-files, anon-ws-base-files, anon-gw-base-files, and desktop-config-dist for this.
*** '''WARNING:''' After desktop-config-dist's version is bumped, all three *-base-files packages MUST have a Breaks/Replaces against desktop-config-dist (<< LATEST_VERSION) added.
* Patrick: Note to self:
myfind . | grep base-files | grep --invert-match dist-base-files | grep --invert-match whonix-base-files | grep control
./whonix/anon-gw-base-files/debian/control
./whonix/anon-ws-base-files/debian/control
./kicksecure/kicksecure-base-files/debian/control
* Patrick: Done.
* Patrick: Please check if functional on your side. If so, please move to archived.
** Aaron: Upgrades worked, however due to an oversight the volume widget in Whonix-Gateway wasn't fully removed. Pushed a commit to anon-gw-base-files to fix.
** Also noticed a preinst script header was missing in usability-misc, and pushed a commit to fix that too.
* Patrick: Merged.
== trixie port - virtualbox / kvm - dynamic resolution resizing with labwc ==
* Automatic display resizing is no longer working under VirtualBox with Wayland. It actually does work, but it requires the user to manually set the resolution to the "native" resolution after every window resize.
* Possible solutions listed for discussion at https://github.com/labwc/labwc/discussions/3109
* Discussion ongoing, currently waiting on upstream to reply. I might attempt to do further development work on this if we consider it a priority.
* Discussed with Patrick, we should probably solve this ourselves via a daemon that watches udev messages, as not having this feature may result in serious usability issues with VirtualBox.
* Discovered that a missing binary, VBoxDRMClient, was needed to even try to implement resize support. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968390#15
** Found and tested a fix, sent it to the VirtualBox Debian maintainers. Awaiting a response from them. I can still work on implementing the resizing code in the meantime.
*** This was accepted in Debian.
* Implemented the helper tools for actually changing the display resolution.
** vm-config-dist: https://github.com/ArrayBolt3/vm-config-dist/commit/bbc2633fe329229465ac7ab87bc08eef0e01e6a3
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/abc9f58a0d8e800a3a2b3754b3243ce94dad9c0d
* Patrick: Merged.
* Patrick: Tested in VirtualBox. Working great!
* Patrick: TODO: Please error out if vbox drm client is missing or fails.
** Aaron: Implemented, along with similar code for KVM: https://github.com/ArrayBolt3/vm-config-dist/commit/166a3e13a2ad1369265aed7f23e3a7ae21cdea89
*** Patrick: Merged.
*** Patrick: Maybe better don't exit non-zero in case and keep running? Because there is no (systemd) supervisor to restart the script.
*** Patrick: Before: Forgiving in case dependencies are missing but installed later.
*** Patrick: Now: Non-forgiving, more brittle?
**** Aaron: Fixed, pushed a new commit to vm-config-dist for this.
*** TODO: Start wlr-resize-watcher as a systemd user unit, if sensible. Would be useful if the process gets randomly killed (some sort of user space OOM management).
**** Aaron: Undesirable, as this would prevent wlr-randr from finding the appropriate Wayland compositor. Having the session start the process makes sure the right WAYLAND_DISPLAY variable is set, which means wlr-randr should always access the correct compositor.
== Qubes Kicksecure - sdwdate-gui qrexec denied messages ==
* Qubes R4.3
* 1) Kicksecure 17 Template installed
* 2) qubes-core-admin-addon-kicksecure installed
* 3) release-upgraded to Kicksecure 18
* 4) created App Qube based on Kicksecure Template
* bug: sdwdate-gui qrexec denied messages
* debugging information:
** running "sudo qvm-features-request kicksecure=1" shows nothing in dom0 journal (I would expect that to show something)
** running in dom0 "qvm-features kicksecure-17 | grep kicksecure" shows that qvm-feature "kicksecure" is missing
* Aaron: Reproduced, but the issue can be fixed by doing the following:
** Ensure qubes-core-admin-addon-kicksecure is installed in dom0, if it isn't, install it (sudo qubes-dom0-update --action=install qubes-core-admin-addon-kicksecure) and then restart qubesd (sudo systemctl restart qubesd)
*** Patrick: Qubes bug? sudo systemctl restart qubesd should be automated? Perhaps the postinst script can do that?
** Boot the upgraded Kicksecure 18 qube
** Run cd /etc/qubes/post-install.d; for i in *.sh; do source $i; done
** Reboot dom0 or restart qubesd again
* Aaron: Why are the post-install.d scripts not being properly called after a release upgrade? Shouldn't apt do this for us? We could probably work around this issue by making release-upgrade source all scripts in post-install.d after the upgrade.
*** Patrick: Please report at Qubes to find a solution for this, if still an issue.
*** Patrick: Possible to add some echo informational debug output so we can see what is run?
** Aaron: After another test, I believe these scripts are being run. Most likely the reason I ran into this issue was because I failed to restart qubesd or dom0 before running the release upgrade. After reinstalling Kicksecure 17 again and upgrading it to Kicksecure 18 again, the feature is properly set and a new AppVM based on the template is able to connect to sys-whonix's sdwdate_gui_server.
**** Patrick: Probably same solution as above: Automate restart of qubesdb?
* Aaron: What's a good way to inform users that they need to install qubes-core-admin-addon-kicksecure and reboot before installing Kicksecure templates?
** Patrick: No idea. Could you discuss at Qubes please? I guess also applies to qubes-core-admin-addon-whonix to a lesser degree. Meanwhile, please document.
* Patrick: Can qubes-core-admin-addon-kicksecure be made functional if installed too late (after Kicksecure Template installation)?
** Aaron: Qubes OS R4.3 will have qubes-core-admin-addon-kicksecure preinstalled, so this likely won't happen to anyone using the final release. Sourcing all scripts in /etc/qubes/post-install.d will resolve the issue if it somehow shows up in the wild.
* Aaron: Anything left to do here? Our last conversation on Matrix ended with the conclusion that we could not re-evaluate the in-vm post-install.d scripts when dom0's qubes-core-admin-addon-kicksecure was installed or updated, but I'm not sure if we came to a conclusion about what to do with this, if anything. Maybe just document that users can do something like export LC_ALL=C; cd /etc/qubes/post-install.d; for i in *.sh; do source "$i"; done if necessary?
** Patrick: Please document.
*** Aaron: Documented at https://www.kicksecure.com/wiki/Qubes#Known_Issues.
** Patrick: Please discuss upstream if restarting qubesdb is a possibility.
*** Aaron: Created thread on qubes-devel: https://www.mail-archive.com/qubes-devel@googlegroups.com/msg05669.html
== trixie-port - system keymap script improvements ==
* more changes were added by Patrick
* 1) always show a success message such as the following even if run manually (currently only in interactive mode)
** Aaron: Implemented in helper-scripts.
printf '%s\n' "$0: INFO: Keyboard layout change successful." >&2
* 2) port live-config-dist to set-all-keymap, if sensible
** Aaron: Implemented in helper-scripts and live-config-dist.
* 3) sysmaint-panel: add an option to start set-all-keymap
** Aaron: Implemented in sysmaint-panel.
* Patrick: Merged.
== systemcheck - garbage configuration should result in non-zero exit code ==
* bug: systemcheck with garbage configuration file does not error out
* reported by Marek in qubes-public
* Aaron: Fixed: https://github.com/ArrayBolt3/systemcheck/commit/91f272912d5e35939298c0d075dd711b9597fd03
* Patrick: Merged.
== trixie port - Kicksecure template build failure due to firmware-nonfreedom ==
* https://github.com/QubesOS/updates-status/issues/6127
* Aaron: Fix: https://github.com/ArrayBolt3/qubes-template-kicksecure/commit/1008e40ce5f82cab25703ea942603e70e4054bdf
* Patrick: Merged.
== trixie-port - Warning: ignoring exit-on-service-eof=true for executable service /etc/qubes-rpc/qubes.UpdatesProxy ==
Warning: ignoring exit-on-service-eof=true for executable service /etc/qubes-rpc/qubes.UpdatesProxy
* Patrick: Is this a known Qubes bug?
* Marek in qubes-public: This is related to whonix replacing qubes.UpdatesProxy service. Those options are valid only for socket based service, but whonix replaces it with a script. I'd recommend replacing service config too to avoid the warnings
* Aaron: Should be fixed by https://github.com/ArrayBolt3/qubes-whonix/commit/a8dfbfb3acd5ef5c506ea3b52132fac2be3239ed
* Patrick: Merged.
== install fewer firmware-nonfreedom packages by default in Qubes ==
* install firmware-nonfreedom by default in Qubes. Done by Patrick.
* purpose: useful for sys-net (non-free wifi controller)
* we might want a smaller collection of packages to save disk space since for example microcode is irrelevant? can we rely on a Qubes package for the non-free firmware package selection?
* Aaron: Qubes does not appear to have a package we can use for this.
* Aaron: Split packages containing networking firmware (wireless or wired) from firmware-nonfreedom into firmware-nonfreedom-network, and switched kicksecure-qubes-cli to use firmware-nonfreedom-network. Commits in developer-meta-files, kicksecure-meta-packages.
* Patrick: Merged.
== rename sdwdate.ConnectCheck to sdwdate-gui.ConnectCheck etc ==
* we might have sdwdate.ConnectCheck issues from time to time. This implies broken sdwdate while actually only sdwdate-gui is broken.
* if still possible and sane, please rename.
** Aaron: Asked for permission to do the rename: https://github.com/QubesOS/qubes-issues/issues/10346#issue-3547291374 Permission was granted.
*** Qubes-side PR: https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/26
*** sdwdate-gui commit: https://github.com/ArrayBolt3/sdwdate-gui/commit/2dc019a1e6967d55ca8a8cfd8e24a35e269bab10
* Patrick: Merged.
== trixie port - Whonix Qubes template issues ==
* reported by Marek on Matrix:
** "in Whonix 18 workstation, opening "file manager" via domains widget opens "Catfish", not "pcmanfm-qt". Looks like some default apps are not set correctly (qubes calls xdg-open $HOME, which should open default app for inode/directory type)."
** "something doesn't work with pcmanfm-qt actions - I see only "QubesOS Edit in DisposableVM" action, not any of copy/move, or view in disposable; on top of that, looks like file names are swapped (action for viewing in dispvm is in file named edit, and action for editing is in file named open); and I have no idea from "QubesOS" prefix comes"
*** Aaron: Fixed, required changes both on our side and on the Qubes side:
**** usability-misc: https://github.com/ArrayBolt3/usability-misc/commit/0a8c2d7d97345d78aa7cd58199b5b67925ab93cf
**** qubes-gui-agent-linux: https://github.com/QubesOS/qubes-gui-agent-linux/pull/246
*** Aaron: Fixed:
**** kicksecure-meta-packages: https://github.com/ArrayBolt3/kicksecure-meta-packages/commit/ab29e2a064404b7462dca7e3956712e86799e30f
**** developer-meta-files: https://github.com/ArrayBolt3/developer-meta-files/commit/36056e1856cd37b2f57b573a029dfa427f23f41c
* Patrick: Merged.
* Aaron: Still working on the Qubes PR.
** Merged.
== kloak - Qubes OS input anonymization flicker bug ==
* https://github.com/QubesOS/qubes-issues/issues/10286
* Fix submitted: https://github.com/QubesOS/qubes-gui-daemon/pull/172
** Merged.
== trixie-port - browser-choice - do not Depends on tb-updater ==
* should be installed only on demand
* this is to avoid Kicksecure Qubes Templates downloading Tor Browser
* Patrick: Implemented. Needs to be tested.
** Aaron: Notes shared in chat.
* Patrick: Simple solution. Install tb-updater and tb-starter only. Instruct user to run Tor Browser Downloader in user session.
** Aaron: Implemented, commits pushed to browser-choice.
* Patrick: Merged.
== ipv6 sleep 10 improvements ==
* as discussed
* skip sleep when IPv6 is disabled in kernel
* event-based if possible
* re-check every 0.1 - 1 second
* commentary why this is necessary
* Aaron: Pushed commits to anon-gw-anonymizer-config, reimplementing tor-wait-for-network in Python for speed and ease of working with files, and adding the requested functionality.
* Patrick: Merged.
== trixie-port - port Whonix-Gateway to privleap ==
* currently broken: anon connection wizard, tor control panel
* Aaron: Pushed new commits to anon-connection-wizard and tor-control-panel to fix issues in both. Untested (yet).
* Patrick: Merged.
== trixie port - sysmaint session occasional black screen ==
* Environment: Kicksecure 17 upgraded to Kicksecure 18
* After some period of inactivity in the sysmaint session, the screen goes black
* A mouse click or keypress is enough to make it come back
* XScreenSaver is the likely culprit, find a way to disable on Wayland sessions
** Aaron: Added code to legacy-dist to remove xscreensaver on upgrades. https://github.com/ArrayBolt3/legacy-dist/commit/7f91838b8878ded1f45479d4d9ecc7b01414c454
* Patrick: Merged.
== trixie-port - keyboard layout change usability improvements ==
* user story: I am a VM user and in user session, CLI. How do I change my keymap? "sudo loadkeys de"? Doesn't work. No sudo.
* todo:
** refuse running set-labwc-keymap as root
** set-console-keymap: CLI tool that can be used to configure the virtual terminal
** set-multi-keymap: CLI tool that can set the keymap for currently logged-in account (most likely user), sysmaint and root. It should run, is a wrapper around set-console-keymap and set-labwc-keymap. A tool that sets the keymap for all places relevant to the user.
*** sysmaint GUI: set-labwc-keymap --persist keymap
*** user GUI: sudo --non-interactive -u user set-labwc-keymap --no-reload --persist keymap
*** sysmaint CLI: set-console-keymap de
*** user CLI: sudo --non-interactive -u user set-console-keymap de
** not sure about --non-interactive
* Aaron: Implementation ended up being via two wrapper scripts, set-labwc-keymap and set-system-keymap, the former of which configures labwc for the current user, the latter of which configures labwc and the console for all users (with labwc settings being overridable by user-specific settings). The main reason for this is that there is no user-specific console keyboard layout, only a system-wide one. Both scripts wrap a library, set-keyboard-layout.sh. Changes pushed to helper-scripts.
** Test plan completed, some fixes made during testing.
* Patrick: Merged.
== trixie port - greetd only provides one chance to log in ==
* Aaron: if wrong username or password is provided, wlgreet exits and does not restart, user is left at a black screen
** Fixed: https://github.com/ArrayBolt3/desktop-config-dist/commit/490b6833915f95ae66ce72c02aca6df23e9d13f2
* Patrick: Merged.
== trixie-port - desktop environment broken after release upgrade ==
* Kicksecure Xfce 17.4.4.6 (for VirtualBox)
* sudo apt update && sudo apt dist-upgrade
* sudo release upgrade
* reboot
* bug: desktop environment no longer starting
* debugging:
** in sysmaint session, CLI:
systemctl is-enabled greetd
disabled
sudo journalctl --boot -u sysmaint-boot
... INFO: Wayland session: 'no' ...
* in sysmaint-boot we can probably safely change the default from sysmaint_session_wayland='no' to sysmaint_session_wayland='yes'. Done.
** Aaron: Reviewed, looks good.
* file /etc/greetd/config.toml.d/30_desktop-config-dist.conf looks messed up. Something has apparently removed all newlines. sudo debsums -ce shows that the file has been modified. This is unexpected.
** Aaron: autologinchange bug, fixed by https://github.com/ArrayBolt3/helper-scripts/commit/1e7fc0e26cb761189f744cd1ca3b2491d46d6135
* Aaron: greetd being disabled is likely the result of lightdm being enabled at installation time. Should be fixed by https://github.com/ArrayBolt3/legacy-dist/commit/2ced60ca2f41f310a70e0af5b88202c432b78cb3
* Patrick: Merged.
== trixie port - display brightness ==
* https://forums.kicksecure.com/t/display-brightness/1271/2
* Aaron: See notes in chat.
* Previous plan: wrap pkexec and the backlight helper in lxqt to insert a validating shim, allowing safe(r) access to the backlight subsystem
** Problem: this will probably interact poorly with user-sysmaint-split unless we place the pkexec wrapper in helper-scripts, and the pkexec wrapper may be too invasive to put in helper-scripts.
* Current plan: create a dedicated backlight management utility in Python, integrate with LXQt's config system, hide the existing (broken) backlight config, integrate with brightness keyboard shortcuts in labwc
* Aaron: Implemented:
** desktop-config-dist: https://github.com/ArrayBolt3/desktop-config-dist/commit/673dd505ddfc2683c56fabcc9b35801f3a5926c6
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/36aa0d32b93f3332d232fbe898ef11073dd32669
* Patrick: Merged.
== curl dns ticket reply ==
* https://github.com/QubesOS/qubes-core-agent-linux/pull/614
** I thought my reply was productive. But apparently not. Please discuss, comment.
*** Aaron: Can't comment, discussion has been locked to limited collaborators there. However I don't see anything non-productive about the comment at https://github.com/curl/curl/discussions/11125#discussioncomment-7498491. If a Tor developer went out of their way to say the library shouldn't block onion resolution, and they do anyway because a Tor spec supposedly says they should, that's a strange decision and one they arguably shouldn't have made. Not sure much else can be done there other than work around the issue as we do now.
== misc review ==
* https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3345059129 - opinion?
** Aaron: Reviewed, did some testing and commented.
* https://github.com/Kicksecure/security-misc/pull/323
** Aaron: Reviewed, looks good, merged and fixed.
* https://github.com/Kicksecure/security-misc/pull/322
** Aaron: Reviewed, looks good, merged and fixed.
* https://github.com/KSPP/kspp.github.io/issues/9
** Aaron: Replied.
* https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/25
** Aaron: Reviewed and left change suggestions.
* https://github.com/QubesOS/qubes-core-agent-linux/pull/613
** Aaron: Left some notes.
*** Patrick: Please re-review as changes have been applied.
* Aaron: Also reviewed, left notes on https://github.com/Kicksecure/security-misc/issues/328
== qubes - kernel boot mode for Template shows user session instead of sysmaint session ==
* todo
* Aaron: Cannot reproduce.
** Freshly installed Kicksecure 17 template:
*** Boot mode: PERSISTENT Mode - SYSMAINT Session
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** After upgrading from Kicksecure 17 to Kicksecure 18:
*** Boot mode: PERSISTENT Mode - SYSMAINT Session
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** Freshly installed Whonix-Workstation 17 template:
*** Boot mode: PERSISTENT Mode - SYSMAINT Session
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** After upgrading from Whonix-Workstation 17 to Whonix-Workstation 18:
*** Boot mode: PERSISTENT Mode - SYSMAINT Session
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** Freshly installed Whonix-Gateway 17 template:
*** Boot mode: PERSISTENT Mode - USER Session
**** Expected, since Whonix-Gateway does not have user-sysmaint-split installed on it.
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** After upgrading from Whonix-Gateway 17 to Whonix-Gateway 18:
*** Boot mode: PERSISTENT Mode - USER Session
*** AppVM default boot mode: PERSISTENT Mode - USER Session
** AppVMs for both Kicksecure 18 and Whonix-(Workstation/Gateway) 18 have the correct "PERSISTENT Mode - USER Session" boot mode
* Patrick: Whonix-Gateway - without user-sysmaint-split - shouldn't show PERSISTENT Mode - USER Session since not applicable?
* Aaron: After threat model discussion, choosing to install user-sysmaint-split in Whonix-Gateway.
** See chat notes, fixing a UX issue requires some files to move in a way that will either require a painful migration process or require Whonix 18 and Kicksecure 18 systems to be rebuilt/reinstalled/repaired by the end user. Would suggest the latter, as Kicksecure/Whonix 18 doesn't have even testing releases out yet.
*** Patrick: Confusion fixed by installing user-sysmaint-split by default.
== systemcheck - dependencies version check broken ==
[INFO] [systemcheck] kicksecure-dependencies-cli: Could not detect derivative kicksecure-dependencies-cli version. (Code: 2) Please report this bug!
* Fix should be added to usr/libexec/systemcheck/preparation.bsh:
if [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
derivative_deb_package_name="whonix-gateway-packages-dependencies-cli"
elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
derivative_deb_package_name="whonix-workstation-packages-dependencies-cli"
elif [ -f "/usr/share/kicksecure/marker" ]; then
derivative_deb_package_name="kicksecure-dependencies-cli"
fi
* Patrick: Fixed.
== Qubes Kicksecure Template - unrestricted session - requires sudo password bug ==
* Qubes Kicksecure 18 Template
* unrestricted session
* bug: asks for sudo password
* perhaps run: passwordless-root
* Aaron: Reproduced issue. Fix: https://github.com/ArrayBolt3/user-sysmaint-split/commit/acdf596affe8c40232863a83f19f4101607600c9
** This fix is insufficient on its own because passwordless-root is persistent even in AppVMs. Need to make it ephemeral in AppVMs by default, persistent only if explicitly requested.
*** Done, commits pushed to helper-scripts and usability-misc. '''NOTE:''' This includes moving passwordless-root from usability-misc to helper-scripts (done to avoid needing to add usability-misc as a dependency of user-sysmaint-split), so this will require the Breaks/Replaces in helper-scripts to be bumped.
*** Patrick: Merged.
== install extrepo-offline-data by default ==
* todo
* Patrick: Done.
== repository-dist-wizard gui broken in Qubes R4.3 ==
* input by keyboard functional
* input by mouse clicks broken
* if not easily reproducible then please ignore
* Aaron: Reproduced, I can select the "No..." radio button with the mouse, but not the "Yes..." radio button.
** Moving the radio button group box down so that it isn't partially overlapped by the text above resolves the problem.
** Short-term solution, move the box down.
** Long-term solution, this should be using layouts so that the window can be resized freely and overlap bugs of this sort don't occur. This will also make the wizard compatible with non-default Qt themes which may have differently sized elements.
** Implemented long-term solution: https://github.com/ArrayBolt3/repository-dist/commit/9c9feff070470b4494520c8a5d16699f6185a04c Tested on Whonix-Gateway, works.
*** Patrick: Merged.
== trixie port - Qubes R4.3 Templates ==
* Kicksecure, Whonix: Please bump Qubes R4.3 upstream to Kicksecure, Whonix 18
* Aaron: Waiting on input on upgrade plan.
* https://github.com/QubesOS/qubes-issues/issues/10253
* Aaron: Marek seems to be doing this so far. Will watch and assist where possible.
** This appears to have been completed.
== /etc/apt/sources.list.d/debian.sources not readable by user only readable by root ==
* is this intended?
* Aaron: Not intended. I'm unable to reproduce this issue though - neither a fresh ISO installation of Kicksecure nor Whonix-Gateway or Whonix-Workstation VirtualBox VMs have this issue. Also not seeing this issue in a Whonix-Gateway 18 sys-whonix on Qubes R4.3.
** I believe I've seen this issue occur in the past, but haven't seen it in a while. I'm happy to build new VM images and check them for this issue if desirable.
** Patrick: No longer reproducible.
== sysmaint-panel - sysmaint session - add display settings shortcut ==
* add open display settings
* rationale: When booting for the first time and into sysmaint session inside a VM, the display is too big.
* Aaron: Implemented in sysmaint-panel. Also pushed commits to developer-meta-files and kicksecure-meta-packages for adding kanshi.
** Patrick: Merged.
== ISO - virtualbox guest additions missing ==
* virtualbox guest additions missing on the Kicksecure ISO
** Aaron: Fixed: https://github.com/ArrayBolt3/derivative-maker/commit/c0d7bf7a24483d5984142b8c274f1b66597935c1
*** Patrick: Merged.
== browser-choice - better notification when action such as installation is complete ==
* todo
* once there is an exit code of zero or non-zero, show a passive popup? change window color? animation?
* Aaron: Implemented in browser-choice. Also found and fixed an unrelated bug with dist-virtual-keyboard in helper-scripts.
** Decided to use a notify-send popup because that will work in both sysmaint and user sessions and has a good chance of getting the user's attention even if the browser-choice window is hiding behind another window or is minimized. Considered using QWindow::alert but this would probably have not worked in a sysmaint session.
*** Patrick: Merged.
== volume setting in sysmaint systray ==
* usability bug: when hovering over volume changes in sysmaint session, the color gets darker, which implies it being clickable, but actually is not clickable
* Aaron: Fixed with a commit to desktop-config-dist.
** Patrick: Merged.
== sysmaint - restart of greetd allows login into regular desktop session ==
* sudo systemctl restart greetd
* login as sysmaint
* bug: expected: sysmaint session. actual: normal desktop session
* Aaron: Fixed this and a bunch of related issues that popped up when the sysmaint session had autologin disabled. Changes pushed to helper-scripts, user-sysmaint-split, and desktop-config-dist.
** Patrick: Merged.
== browser-choice - brave installation broken ==
* Kicksecure 17 release upgraded to Kicksecure 18
+ pkexec bash -c -- 'extrepo enable brave_release && apt-get update && apt-get-noninteractive --no-install-recommends --yes install brave-browser'
500 Can't connect to extrepo-team.pages.debian.net:443 (Temporary failure in name resolution) at /usr/share/perl5/Debian/ExtRepo/Data.pm line 34.
Could not download index YAML file: Done, but operation failed!
* to fix, add env var:
https_proxy=http://127.0.0.1:8082/
* Aaron: Should be fixed by https://github.com/ArrayBolt3/browser-choice/commit/83e33a2f604ffc8e670914dd8b09e74c55fdff9f
** Patrick: Merged.
== Qubes Kicksecure Template Upgrade in R4.3 ==
* todo
* Aaron: Cannot reproduce issues mentioned in chat. Successfully updated Kicksecure, Whonix-Gateway, and Whonix-Workstation 17 to 18 on Qubes R4.3 with no special configuration changes required.
== systemcheck - split log parsing code ==
* https://github.com/Kicksecure/security-misc/issues/253#issuecomment-3379301931
* Aaron: Implemented: https://github.com/ArrayBolt3/systemcheck/commit/b1ed7254e51423466efcdee07c8fad9839818e73
** Patrick: Merged.
== setxkbmap replacement too for wayland ==
* "setxkbmap de" used to be handy.
* implement
* add to helper-scripts
* Aaron: Implemented: https://github.com/ArrayBolt3/helper-scripts/commit/41ae1e120672b94351a4c3889181bb9be2991eb0
** Patrick: Merged.
== calamares - language setup ==
* please set up for
** CLI user
** CLI sysmaint
** GUI user
** GUI sysmaint
* Aaron: Setting a non-English language in Calamares already sets the language for all of these scenarios in the installed system. Tested by doing an ISO installation of Kicksecure 18 with the language set to Spanish (Mexico). Spanish-translated strings were visible in all four session types. Admittedly, many strings were not translated, but that is likely simply a case of missing translations.
== trixie port - qubes-core-agent-pcmanfm-qt ==
* Aaron: Qubes templates are still referencing Xfce components, Xfce won't be installed anymore
* PRs:
** https://github.com/QubesOS/qubes-core-agent-linux/pull/608
** https://github.com/QubesOS/qubes-app-linux-img-converter/pull/24
** https://github.com/QubesOS/qubes-app-linux-pdf-converter/pull/36
* Filed, passes CI, works on my Qubes machine. Awaiting review from upstream.
** Reviewed, merged upstream.
== kloak - systemd ordering cycle ==
* host: trixie (non-Kicksecure)
<pre>
[SKIP} kloak.service to stop ordering cycle loop
graphical.target: Found ordering cycle on multi-user.target/start
graphical.target: Found dependency on kloak.service/start
graphical.target: Found dependency on graphical.target/start
graphical.target: Job kloak.service/start deleted to break ordering cycle starting with graphical.target/start
</pre>
* wild guess: related to removal of symlinks?
* no more information available. Will hopefully be posted in the forums.
* Aaron: Cannot reproduce on Debian 13 with GNOME Desktop, using the pre-v2 version of kloak. User may have added a configuration rule that attempted to require kloak to start before multi-user.service. Waiting on more info.
* https://forums.whonix.org/t/kloak-latest-update-is-broken/22244
== ESP - EFI system partition versus dracut generic ==
* we're now using
<pre>
/etc/dracut.conf.d/30-dist-base-files.conf
</pre>
<pre>
compress="xz"
hostonly="yes"
hostonly_mode="sloppy"
</pre>
* Should we therefore increase the size of the ESP?
* grml
** https://github.com/grml/grml-debootstrap/issues/221
* calamares
* Aaron: No changes needed to EFI partition size, dracut initramfs files are stored in /boot, not /boot/efi.
** As discussed, boot partition doesn't need to be larger, it's 4 GB with Calamares and is integrated into the root partition on VM images.
** grml-debootstrap is not interested in increasing the EFI partition size at this time, so I don't believe there's any reason to do this.
* Patrick: Should have said /boot partition.
** VMs: We are not using a separate /boot partition.
** Host: [https://www.phoronix.com/news/Fedora-43-Bigger-Boot-Firmware Fedora increased /boot to 2 GB] We're already using 4 GB for /boot when installing using calamares.
** This issue does not exist.
== bindp - compilation warning - _GNU_SOURCE redefined ==
<pre>
Setting up bindp (3:4.2-1) ...
/usr/lib/bindp.c:48:9: warning: "_GNU_SOURCE" redefined
   48 | #define _GNU_SOURCE
      |         ^~~~~~~~~~~
</pre>
* labwc --reconfigure (which is automatically done by the newly created set-labwc-keymap script). If kloak is running, they take effect after kloak is restarted (which can be done even from a user session with Right Shift + Escape).
** In the event a full compositor restart was needed to make a settings change take effect, logging out and logging back in would be sufficient to restart the compositor, even on the ISO.
* https://github.com/labwc/labwc/issues/1407
** Aaron: This bug appears fixed in Trixie.
== sysmaint-panel - new shortcuts ==
* add onscreen keyboard shortcut
* add open display settings or open lxqt settings shortcut
* Aaron: Implemented, pushed commits to usability-misc, helper-scripts, sysmaint-panel.
** LXQt settings button will only appear in non-sysmaint sessions, as it is not useful and possibly misleading in sysmaint sessions.
* Patrick: Merged.
== sdwdate-gui - add left click menu ==
* usability bug: currently left click on sdwdate-gui does nothing
** Aaron: Unfixable or at least extremely difficult to fix due to a combination of Wayland and Qt limitations.
** Qt does not expose any API for popping up the menu the way a right-click pops it up. The only way to pop up a menu on a left-click is by using one of the exec() or popup() functions on the menu itself, which causes them to appear as a window in the middle of the screen under Wayland rather than them appearing as a popup menu.
** Both Qt5 and Qt6 behave in the same way.
** ChatGPT recommended using Gtk to create the context menu instead. A quick test revealed that Gtk has similar issues as Qt in this regard. I did not discover how to get a left-click to be registered by Gtk, documentation appears to be sparse and ChatGPT was not able to offer a functional suggestion.
** I tried to see if it would be possible to use D-Bus to trigger the StatusNotifierItem associated with the QSystemTrayIcon to pop up a menu. The closest I was able to get to making this work simply popped up a window containing the menu in the middle of the screen.
** The removable media and sound application icons seem to be left-clickable, but these are LXQt Panel plugins, not system tray icons. I suspect that's why they work, in which case that isn't a suitable solution for us.
** It might be possible in the future to create an LXQt panel plugin for sdwdate_gui_server, but this would most likely require rewriting sdwdate_gui_server in C++, which I do not believe is practical at the moment.
** For now, probably best to live with the issue, and make the time synchronization monitor popup specify "Right-click for menu" rather than "Click for menu".
** Commit pushed to sdwdate-gui to change wording as described above.
== labwc environment default configuration file ==
* if file ~/.config/labwc/environment does not exist, pre populate it with XKB_DEFAULT_LAYOUT= (and other useful settings?)
* might not be needed if the tool below gets implemented
* Aaron: Ignoring in favor of setxkbmap replacement tool, as suggested.
== compiled code - remove unsafe sanitizers ==
* All sanitizers except minimal UBSan are unsafe to use in production, they may result in security vulnerabilities.
* LSan is causing sclockadj to go into an infinite loop on exit for Marek.
* Leave minimal UBSan runtime enabled, remove full UBSan and ASan from all code.
** As it turns out, only Clang supports the minimal UBSan runtime, but we use GCC, so this is not possible. Just disable all sanitizers.
* Adjust sanitizer flags in compiler flags wiki page.
* Done, changed sdwdate, bindp, kloak, and security-misc to remove all sanitizers.
== trixie port - misc remaining issues ==
* Aaron:
** swaylock is configured to show a solid black screen. We may want to show something else so that the user knows the system isn't broken and is awaiting a password.
*** Turns out telling the user that the system is awaiting a password is impossible with Swaylock's current feature set. See https://github.com/swaywm/swaylock/issues/100.
*** Asked Debian if they would be interested in us providing a patch to them, will likely contact the swaylock maintainer if that is confirmed as the correct next step.
*** Added background color / image configuration for now.
*** Swaylock has rejected further requests to allow displaying user-defined text on the lock screen, because they consider it an aesthetic feature and do not target a userbase that needs to be told that the lockscreen is waiting for them to type their password.
*** Debian has rejected an offer of a patch because the maintainer wants to stick with Swaylock upstream.
*** For now, we will likely just document how to unlock the screen and hope users don't get confused.
*** Documented: https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#Screen_Lock
** some systemcheck gripes need to be silenced, mostly just journal check stuff, but also the virtualizer check is "failing" on physical hardware because systemd-detect-virt returns non-zero if running on physical hardware. We probably shouldn't interpret that as failure.
*** Silenced a lot of these, but still have to build new VBox and KVM VMs to ensure all of them are silenced if possible.
*** Also fixed the virtualizer check.
** Need to build the Qubes templates and make sure they actually work. I haven't tried to build a Qubes template even once so far. That's probably what I'm going to do now.
*** Kicksecure template built after some effort.
**** Need to submit changes to qubes-builderv2 so this works out of the box.
***** Somewhat done; Marek has changes in-flight that will do this for us.
**** Need to modify qubes-template-kicksecure to point to kicksecure-qubes-gui-lxqt package.
***** Done.
**** Need to modify qubes-template-kicksecure to point to trixie-developers repository.
***** Done.
**** Need to update template build documentation.
***** Done.
*** Whonix templates still need built.
**** Whonix-Workstation cannot be built due to curl being unable to resolve www.torproject.org. Most likely an issue with our uwt curl wrapper. Created a commit that should fix this: https://github.com/ArrayBolt3/uwt/commit/13984371a370ec330c25b721a48c24f25034ddc2
**** Got Whonix-Workstation to build. Both it and the Whonix-Gateway template seem to work well so far.
** Might be good to launch Flameshot on login, make it not show a "welcome" message when launched, and bind the Print Screen key so that it triggers the screenshot UI when pressed.
*** We've decided to simply document this for now, since Flameshot consumes 80+ MB memory at idle. TODO: Where should we document this?
**** Patrick: [[Software]]?
**** Aaron: Good, let's just stick with the existing documentation there.
** We should be configuring PCManFM-Qt to not show graphical thumbnails. (PCManFM-Qt is also missing some of our distribution-specific configuration because of some odd behavior with configuration profiles, a symlink should be enough to solve that.)
*** Done, tested, works on physical hardware and Qubes OS.
** In the sysmaint session, the battery status notification takes a long time to notice if AC power is plugged in or unplugged. Should be pretty easy to solve by just shortening the check interval to 5 seconds rather than the default of 60.
*** Done, tested, works on physical hardware.
** We need to document how to configure the keyboard layout using labwc. At some point we may want to write a tool for this, it's just a matter of modifying a configuration file written in XML, and Python has built-in XML manipulation capabilities. They can't be used on untrusted XML, but the labwc configuration won't be untrusted.
*** Done.
** CLI builds don't have enhanced zsh configuration yet. Not sure if we figured out what to do with that, I think we wanted to create a new package for this but haven't actually done so yet.
*** Fixed by Patrick.
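On the systemd-detect-virt point in the list above: the tool exits 1 and prints none on physical hardware, so a non-zero status is an answer rather than a probe failure, and only other outcomes (missing binary, unexpected exit code) deserve a warning. The script below is an added example, not systemcheck's code; the SYSTEMD_DETECT_VIRT override variable is an assumption of the example so that the function can be exercised offline.

```shell
#!/bin/sh
# Added example, not systemcheck's code: classify systemd-detect-virt results.
#   exit 0 + name   -> running under a virtualizer
#   exit 1 + "none" -> bare metal (a valid answer, not a failure)
#   anything else   -> the probe itself failed (missing binary, odd status)
set -u

# Prints exactly one of: virtualized:<name>, bare-metal, error:<status>.
# Always returns 0; callers branch on the printed word.
# SYSTEMD_DETECT_VIRT may name a substitute command (assumption for testing).
virt_status() {
    cmd="${SYSTEMD_DETECT_VIRT:-systemd-detect-virt}"
    out="$("$cmd" 2>/dev/null)" && rc=0 || rc=$?
    case "$rc:$out" in
        0:?*)   printf 'virtualized:%s\n' "$out" ;;
        1:none) printf 'bare-metal\n' ;;
        *)      printf 'error:%s\n' "$rc" ;;
    esac
}

# systemcheck-style verdict: only a failed probe is reported as a problem.
virt_check_message() {
    status="$(virt_status)"
    case "$status" in
        virtualized:*) printf 'INFO: Virtualizer: %s\n' "${status#virtualized:}" ;;
        bare-metal)    printf 'INFO: Virtualizer: none (physical hardware)\n' ;;
        *)             printf 'WARNING: systemd-detect-virt failed (%s)\n' "${status#error:}" ;;
    esac
}

if [ "${1:-}" = "--check" ]; then
    virt_check_message
fi
```

Run with <code>--check</code> to print the verdict for the current machine; a bare-metal host yields the INFO line, not a warning.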
== browser-choice - consider using --no-install-recommends ==
* bug: Installing chromium from Debian package sources results in installing avahi and cups. Better sudo apt install --no-install-recommends chromium chromium-sandbox?
* use --no-install-recommends whenever applicable
* Patrick: Done.
== kloak - core versus adapter split ==
* https://forums.whonix.org/t/better-mouse-obfuscation/21445/18
* Aaron: Abandoned for the time being, rationale documented at https://forums.whonix.org/t/better-mouse-obfuscation/21445/19
== screenlocker backdoors ==
* https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128
* please check, confirm, reply if this issue is now resolved thanks to Wayland (and our disabling of SysRq by default)
* Aaron: Replied, there is a hardening option we might consider enabling (panic_on_oom).
== trixie port - anon-ws-disable-stacked-tor apparmor issues ==
* apparmor fails to start if /etc/apparmor.d/abstractions/tor does not exist, but shipping this file in anon-ws-disable-stacked-tor results in upgrade problems because Tor is being installed by default on Whonix-Workstation 17
** Fix: https://github.com/ArrayBolt3/anon-ws-disable-stacked-tor/commit/a9a0ac9db25fa1f00985a585193e109dc51fb5b4
* Patrick: Merged.
* Aaron: Ended up removing this fix and replacing it with an if exists fix instead as discussed. Commits pushed to helper-scripts, systemcheck, and anon-ws-disable-stacked-tor for this.
* Patrick: Merged.
== privleap comment ==
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/35
* Aaron: Replied while waiting for Whonix templates to build.
== kloak - natural scrolling ==
* https://github.com/Whonix/kloak/issues/8
* Aaron: To enable natural scrolling: https://wayland.freedesktop.org/libinput/doc/latest/api/group__config.html#ga958b67193c3948b59add719a68f1b948 This will need to be a configurable option within kloak itself.
* Aaron: Implemented: https://github.com/ArrayBolt3/kloak/commit/c881c666ac8af47fbc334dd41acec12323c1bcfe
* Patrick: Merged.
== trixie port - browser-choice versus user-sysmaint-split ==
* user-sysmaint-split installed
* Qubes Template
* Kicksecure trixie based
* Qubes R4.2
** This may not be applicable to Qubes R4.3.
* Also reproducible in Qubes R4.2 + bookworm based Kicksecure.
* The following error message is not applicable:
<pre>
You are currently running Browser Choice inside a user session. You will be unable to install most browsers from here; only browsers that install into the current user account will be installable. To install a browser, reboot, select PERSISTENT Mode | SYSMAINT Session | system maintenance tasks from the boot menu, and click Install a Browser in the System Maintenance Panel. See Sysmaint for more information.
</pre>
* What should the user do?
** Aaron: Open a Qubes Root Console, then run browser-choice as root. Ugly, but should work. Will work on messaging for Qubes.
** Aaron: Fix created, untested: https://github.com/ArrayBolt3/browser-choice/commit/41ced11b9a77abfb58d2d7f616563625d70d9363
* Patrick:
** Qubes R4.2 + trixie: Opened a root terminal. Bug: No installation (such as chromium from Debian) possible.
<pre>
You are currently running Browser Choice as a normal user. You will be unable to install most browsers from here; only browsers that install into the current user account will be installable. To install a browser, open a terminal in dom0, run qvm-run -u root VMNAME qterminal, then run browser-choice from that terminal. See Sysmaint for more information.
</pre>
* Aaron: Second attempted fix, untested: https://github.com/ArrayBolt3/browser-choice/commit/f1331432b649fb636f7516617fc3df98692e90af
* Patrick: Merged.
== trixie port - adjust Qubes templates for LXQt ==
* Aaron: Attempted to fix https://github.com/QubesOS/qubes-issues/issues/10253#issuecomment-3333503493
** qubes-template-kicksecure: https://github.com/ArrayBolt3/qubes-template-kicksecure/commit/36a2bd4ad9d0648650fdc50df71fc30384dc350e
*** Patrick: Merged.
** qubes-template-whonix: https://github.com/ArrayBolt3/qubes-template-whonix/commit/db004332a67a82e2b956174fbc76678c9f1ddc98
*** Patrick: Merged.
* Aaron: Also made a fix for a Qt theming issue: https://github.com/ArrayBolt3/desktop-config-dist/commit/e37430be671458e7fb6f61eb306e3d5e032eb3aa
** Patrick: Merged. As a side effect, the default font in KDE konsole now looks weird. There is too much space between letters. But probably not important as there are other terminal emulators to choose from.
*** Aaron: The default terminal in LXQt is QTerminal, so this should be fine. Might be worth adding support for components of other desktops as a future task?
* Aaron: Please move to "WAITING ON" if this looks good. Feedback on qubes-core-agent-pcmanfm-qt would also be appreciated.
** Patrick: Looks good.
* Patrick: Best to split this ticket into general Qubes build issues for trixie and qubes-core-agent-pcmanfm-qt?
** Aaron: Sure.
== unshare vs. ptrace ==
* https://github.com/Kicksecure/security-misc/issues/321
* Can unshare be used to bypass ptrace restrictions? Create sample code and test.
** Aaron: Tested, could not circumvent ptrace restrictions by leveraging unshare. Unshare actually made the restrictions tighter.
== trixie port - FDE systemcheck test passing incorrectly ==
* freshly installed Kicksecure 18 system on physical hardware:
** INFO: Full Disk Encryption (FDE): Enabled.
** This is incorrect, the system has other operating systems on it that do use FDE, but the Kicksecure installation is not one of them.
** Only report FDE enabled if root (/) and home (/home) are both located on encrypted volumes
** Done: https://github.com/ArrayBolt3/systemcheck/commit/488aabfd69e039eb89a3a7d66e89f5400d2992d2
*** Patrick: Merged.
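An added example (not systemcheck's code) of the stricter rule described in this ticket: resolve the device behind / and /home with findmnt, list its ancestors with lsblk -s, and require a dm-crypt layer under both. Unlike "is there any crypt device on this machine", this stays negative when another, encrypted operating system merely shares the disk. The FINDMNT and LSBLK override variables are assumptions of the example for offline testing, and the btrfs subvolume suffix handling is a practitioner's caveat rather than something the ticket mentions.

```shell
#!/bin/sh
# Added example, not systemcheck's code: only call a system fully disk
# encrypted when the device stack under / and under /home both contain a
# dm-crypt layer. Checking "does any crypt device exist" yields a false
# positive when a second, encrypted OS shares the disk.
# FINDMNT and LSBLK may name substitute commands (assumption for offline tests).
set -u

# Source device of a mountpoint; prints nothing if "$1" is not itself a mount.
# btrfs reports sources like /dev/sda2[/@]; the subvolume suffix is dropped.
mount_source() {
    src="$("${FINDMNT:-findmnt}" -no SOURCE "$1" 2>/dev/null)"
    printf '%s\n' "${src%%\[*}"
}

# Types of device "$1" and of everything beneath it, e.g. lvm crypt part disk.
device_stack_types() {
    "${LSBLK:-lsblk}" -sno TYPE "$1" 2>/dev/null
}

# 0 if the filesystem mounted at "$1" sits on top of a dm-crypt device.
mountpoint_encrypted() {
    src="$(mount_source "$1")"
    [ -n "$src" ] || return 1
    device_stack_types "$src" | grep -qx crypt
}

# The naive check the fix moves away from: true whenever any crypt device
# exists, regardless of what the running system actually lives on.
any_crypt_device() {
    "${LSBLK:-lsblk}" -no TYPE 2>/dev/null | grep -qx crypt
}

# Strict verdict: / must be encrypted; /home must be too if it is a separate
# mount (a /home on the root filesystem inherits the root's status).
fde_enabled() {
    mountpoint_encrypted / || return 1
    [ -z "$(mount_source /home)" ] || mountpoint_encrypted /home
}

fde_report() {
    if fde_enabled; then
        echo "INFO: Full Disk Encryption (FDE): Enabled."
    else
        echo "INFO: Full Disk Encryption (FDE): Disabled."
    fi
}

if [ "${1:-}" = "--report" ]; then
    fde_report
fi
```

Run with <code>--report</code> on the installed system; on the laptop from this ticket (root on a plain partition, LUKS volumes belonging to another OS on the same disk) any_crypt_device succeeds while fde_enabled does not.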
== trixie port - wl-clipboard ==
* install by default, if sensible
** Aaron: Would recommend against it for now, it's not critical and most users should likely not be using clipboard sharing anyway.
* document usage
* {{whonix_wiki
|wikipage=KVM#Clipboard_Sharing
|text=KVM, Clipboard Sharing
}}
* [[VirtualBox/Guest_Additions#Clipboard_Sharing|Clipboard Sharing]] (Mention it does not work.)
** Aaron: Documented in both places.
* https://forums.whonix.org/t/whonix-18-wayland-based-virtualbox-clipboard-sharing-broken/22213
* https://forums.whonix.org/t/whonix-18-wayland-based-kvm-clipboard-sharing-broken/22212
== browser-choice - inside Qubes Template - prohibit starting browsers ==
* if file /var/run/qubes/this-is-templatevm exists, do not allow to start browsers
** Aaron: Done: https://github.com/ArrayBolt3/browser-choice/commit/845946c344c4917afbb765a7c322e6ac3e955e28
*** Patrick: Merged. Tested.
== tirdad - improvements ==
* review, discuss upstream: https://github.com/assisted-by-ai/tirdad/pulls
* https://github.com/0xsirus/tirdad/issues/29
* Aaron: Done, see Github comments on PRs and the compiler hardening flags issue.
== trixie port - usbguard - IPC connection failure ==
* Happening inside Qubes (R4.2) Template
<pre>
IPC connection failure!
IPC connect: service=usbguard: Operation not permitted
</pre>
* Aaron: Reproduced on R4.3. Added additional USBGuard configuration to allow members of the qubes group access to USBGuard IPC.
** security-misc: https://github.com/ArrayBolt3/security-misc/commit/7e016b563239e31c650aece115bb19af0395ec52
* Patrick: Merged.
== trixie port - KVM shared clipboard ==
* Requires clipboard sync between X11 and Wayland clipboards
* Make spice-vdagent start properly and ensure clipboard sync allows two-way clipboard transfer
* spice-vdagent: Upstream is waiting for Wayland support to be contributed. See https://gitlab.freedesktop.org/spice/linux/vd_agent/-/issues/26.
** Worth attempting to contribute?
* Virtual Machine Manager (virt-manager): https://github.com/virt-manager/virt-manager/issues/918
* Patrick has documented using a shared folder as a workaround for now: [[KVM#Clipboard_Sharing|KVM, Clipboard Sharing]]
* We might not want clipboard sharing anyway to prevent a compromised VM from sniffing secrets that are present in the host clipboard.
== trixie port - VirtualBox shared clipboard ==
* Broken with Wayland upstream: https://github.com/VirtualBox/virtualbox/issues/33
* Oracle apparently intends to fix this: https://github.com/VirtualBox/virtualbox/issues/33#issuecomment-3253257020
* Aaron: Probably better to leave alone for now, document the issue and let Oracle fix it eventually? If so, this should be moved to "WAITING ON".
* We might not want clipboard sharing anyway to prevent a compromised VM from sniffing secrets that are present in the host clipboard.
* Patrick has documented using a shared folder as a workaround for now: [[VirtualBox/Guest_Additions#Clipboard_Sharing|VirtualBox Clipboard Sharing]]
== remove unnecessary dependencies from arc-theme ==
* https://github.com/UbuntuBudgie/arc-theme/pull/2
* since upstream is unlikely to react, could you please send a patch to Debian instead if that seems possible/useful?
* or perhaps a different, better theme? separate ticket: [[#desktop theme improvements]]
* Aaron: Pinged Ubuntu Budgie upstream via Matrix, got a response, waiting to see how (or if) that develops. Debian is likely not the right place to override this unless we absolutely have to do that. In either event, the dependencies won't be removed until Forky at best.
* Cancelled, we are not using the arc theme any longer.
== qubes boot modes - GRUB in-vm kernel support ==
* todo
* Submitted to Qubes: https://github.com/QubesOS/qubes-linux-pvgrub2/pull/16
* Submitted to FSF: https://lists.gnu.org/archive/html/grub-devel/2025-04/msg00050.html
** Attempt to get attention for the patch again on April 11, try to smooth out some of the possible issues with the patch before sending if at all possible.
** If a second attempt at submitting the patch results in complete silence, return to Qubes and explain that attempts to upstream the patch weren't acknowledged.
* Aaron: Accepted by FSF, merged by Qubes. Will resume work on this for Qubes R4.4/R5.0.
== trixie port - desktop theme improvements ==
* suggestions from https://forums.whonix.org/t/xfce-theming-a-few-suggestions/7205/82 valid?
* useful to change the desktop theme?
* Might be useful to postpone after port to trixie. After the first trixie based release. Because by that time, desktop environment choice (Xfce vs LXqt) and wayland should be settled. No point in improving Xfce based style in case of porting to LXQt.
* Provided suggestions for improving Xfce theming and attempted to port the theming to LXQt. Should defer to Trixie.
* Can be postponed after the first trixie based release.
* Aaron: Mostly implemented as part of the port to LXQt, but we should entirely remove MATE's notification daemon in favor of LXQt's (this hasn't been done yet).
* Aaron: This is now done and has been merged for a while.
== trixie port - check compiled code ==
* does our compiled code still compile on trixie?
* and compile time warnings to fix?
* any new compile time hardening flags that should be used?
** Perhaps our own compilation hardening wrapper would be useful?
* this is mostly about kloak but may affect other compiled code
* use -fanalyzer, where sensible.
* For high effort, lower gain items, please create lower priority follow-up issues for post trixie.
** Aaron: Documented compilation flags at [[Dev/compiler hardening]]
*** I seem to have messed up the page title... it says "compiler_hardening" rather than "compiler hardening" in the navbar. Is there a way to fix it?
**** Patrick: Fixed.
** Aaron: Hardened sclockadj, bindp, and emerg-shutdown. kloak was hardened in earlier tasks. Did not harden tirdad yet, unsure if it's possible / safe to do so.
*** Patrick: Follow-up ticket created.
* Patrick: All merged.
* Patrick: Please try hardening-check and address, if applicable.
<pre>
hardening-check /usr/libexec/sdwdate/sclockadj
/usr/libexec/sdwdate/sclockadj:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!
</pre>
== trixie port - switch image viewer to loupe ==
* current default image viewer is Tor Browser, which is non-ideal
* lximage-qt is potentially dangerous
* loupe uses Glycin to load images, which is sandboxed and written in Rust, thus likely less vulnerable
* Done, made changes to tb-starter, developer-meta-files, kicksecure-meta-packages, and anon-meta-packages to change this.
* Patrick: Merged.
== trixie port - physical hardware installation uses /dev path in grub.cfg ==
* in boot menu, if pressing e on a boot entry:
** linux ... root=/dev/nvme1n1p6
** this should be something like linux ... root=UUID=...
* Aaron: Discovered we were explicitly turning UUIDs off. Fixes:
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/commit/50405851087c08a5ec60fe83944fa1298266613b
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/commit/4d453cda101d40536ab3831ee222a5057fc025f0
* Patrick: Merged.
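Back to the hardening-check request in the "trixie port - check compiled code" ticket above. Its output mixes three verdict kinds: yes, no and unknown. Only "no" is a real gap; the "unknown" lines mean the binary contains nothing the checker can inspect (no protectable libc calls, no stack-clash probe sequences). Two of the "no" results are also architecture-bound: Control flow integrity looks for x86 CET instrumentation (GCC -fcf-protection) and Branch Protection for aarch64 PAC/BTI (GCC -mbranch-protection=standard), so one of them will always read "no" for a given build. The script below is an added example, not Kicksecure code: it turns hardening-check output into a build failure with a per-architecture allowlist, using the pasted output from that ticket as its test input.

```shell
#!/bin/sh
# Added example, not Kicksecure code: gate a build on hardening-check output.
# Verdicts: "yes" passes, "no, ..." fails, "unknown, ..." passes because the
# binary simply has nothing the checker can inspect, which is not a missing flag.
set -u

# Read hardening-check output on stdin; print the names of the properties it
# reported as "no", one per line.
failed_hardening_props() {
    sed -n 's/^ *\([^:]*\): *no\(,.*\)\{0,1\}$/\1/p'
}

# Read hardening-check output on stdin. Each argument names a property that is
# allowed to fail on this architecture. Returns 0 when nothing else failed,
# 1 otherwise, listing the failures on stderr.
hardening_gate() {
    failures="$(failed_hardening_props)"
    for allowed in "$@"; do
        failures="$(printf '%s\n' "$failures" | grep -Fvx -- "$allowed" || true)"
    done
    if [ -n "$failures" ]; then
        printf 'hardening-check: missing on this binary:\n%s\n' "$failures" >&2
        return 1
    fi
}

# Real use, e.g. from a debian/rules test override on an amd64 build:
#   check_binary debian/sdwdate/usr/libexec/sdwdate/sclockadj "Branch Protection"
check_binary() {
    binary="$1"; shift
    hardening-check "$binary" | hardening_gate "$@"
}

# The output pasted in the ticket above, reproduced here as test input.
sample_hardening_output() {
    cat <<'EOF'
/usr/libexec/sdwdate/sclockadj:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!
EOF
}
```

With only "Branch Protection" allowed, the sclockadj output above still fails the gate on Control flow integrity, which is the one result that a flag change on amd64 can actually fix.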
== trixie port - wlgreet autologin for sysmaint session broken on ISO ==
* Booting into a sysmaint session from a Kicksecure 18 ISO results in a login screen rather than an automatic sysmaint session. Logging in at this screen as "sysmaint" presents a full desktop, not a normal sysmaint session.
* Manually executing /usr/libexec/user-sysmaint-split/sysmaint-session-wayland works fine
* Aaron: Found root cause and fixed it: https://github.com/ArrayBolt3/user-sysmaint-split/commit/8a9586f5cf4a3977e6ee06b78738cad322bd066b
* Patrick: Merged.
== trixie port - Kicksecure Qubes test ==
* install firmware-nonfree in Kicksecure Qubes. It's also default in Debian Qubes default Template.
** Aaron: Package wpasupplicant also had to be installed to get Wi-Fi to work.
* Does DNS work when using a Kicksecure 18 based sys-net?
** Aaron: Yes, DNS seems fine. Was able to reach Google, Bing, Reddit, speedtest.net, and qubes-os.org at least.
* sys-firewall ok?
** Aaron: Yes, all connectivity from the AppVM used for testing went through sys-firewall and encountered no issues. Reconfiguring sys-firewall to block connections to everything except Wikipedia resulted in Wikipedia working but all other outgoing connectivity breaking, as expected. Undoing that configuration restored outgoing connectivity, as expected. Works both with WiFi and Ethernet.
* Kicksecure Qubes internet speed versus Debian Internet speed?
** Aaron: WiFi test results (using a Fedora 42 AppVM with Firefox):
*** With sys-net based on Kicksecure 18:
**** Test 1: 55.58 Mbps down, 2.08 Mbps up
**** Test 2: 54.86 Mbps down, 2.20 Mbps up
**** Test 3: 62.13 Mbps down, 2.25 Mbps up
*** With sys-net based on Debian 13:
**** Test 1: 51.89 Mbps down, 2.61 Mbps up
**** Test 2: 50.06 Mbps down, 2.68 Mbps up
**** Test 3: 45.32 Mbps down, 2.11 Mbps up
*** Conclusion: Likely no difference. Debian 13 appears slower than Kicksecure 18 in testing, but that is most likely due to speed fluctuations with my cellular Internet connectivity. Speeds seem coherent with the speeds I usually see with Ubuntu.
** Aaron: Ethernet test results (using a Fedora 42 AppVM with Firefox):
*** With sys-net based on Kicksecure 18:
**** 18.59 Mbps down, 1.89 Mbps up
**** 19.91 Mbps down, 2.07 Mbps up
**** 18.39 Mbps down, 1.97 Mbps up
*** With sys-net based on Debian 13:
**** 20.58 Mbps down, 2.01 Mbps up
**** 20.95 Mbps down, 1.83 Mbps up
**** 20.29 Mbps down, 1.90 Mbps up
*** Conclusion: Likely no or relatively negligible difference. Debian 13 appears faster than Kicksecure 18 in testing, but again, this is probably because of network speed fluctuations on my end, and this is as good or better than speeds I was seeing using this link previously. (Note that because my hotspot's Ethernet support is buggy, I used NetworkManager internet connection sharing from another laptop with Ethernet, which is probably why this is so much slower than WiFi.)
* Aaron: Should we be pre-installing wpasupplicant in some instances? It appears to be preinstalled in the Debian 13 template.
** Patrick: Please install.
* Patrick: Please look for other missing packages.
* Aaron: Added wpasupplicant to Kicksecure for Qubes and baremetal.
* Aaron: No additional packages were needed for wired networking to function properly.
== trixie port - decrease touchpad sensitivity ==
* on Aaron's test laptop, the mouse pointer moves far too quickly when using the built-in touchpad.
* same issue as https://github.com/Whonix/kloak/issues/8
= ARCHIVED 2 =
== user-sysmaint-split - Qubes support ==
* Ensure template provides sudo access and allows normal system maintenance, while AppVM doesn't.
* Ensure sysmaint-panel works properly
* Workarounds may be needed so that the sysmaint account is used by default in sysmaint session rather than user.
* Qubes upstream PR needed for sysmaint-related changes to work: https://github.com/QubesOS/qubes-core-qrexec/pull/194
** PR is merged upstream.
* Changed packages:
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/tree/arraybolt3/qubes-sysmaint
*** Patrick: Merged.
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/qubes-sysmaint
*** Patrick: Merged.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/qubes-sysmaint
*** Patrick: Merged.
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/qubes-sysmaint
*** Patrick: Merged.
== user-sysmaint-split - advertise boot modes in Qubes OS ==
* Add needed files for advertising supported boot modes in Whonix-Workstation
* Whonix-Gateway will not be using user-sysmaint-split by default and thus should NOT have these files unless the user manually installs the needed packages
** Code done in the same branches listed under https://www.kicksecure.com/wiki/Dev/todo#user-sysmaint-split_-_Qubes_support.
== grml-debootstrap - review #332 ==
* https://github.com/grml/grml-debootstrap/pull/332
* please do a theoretic review if it might have adverse effects
* Aaron: Thoroughly reviewed and tested with derivative-maker. Looks good, works just fine.
== grml-debootstrap - dual grub-pc and grub-efi compatibility ==
* now default by grml-debootstrap? does the above PR affect it?
* Aaron: PR does not appear to affect hybrid BIOS+UEFI boot compatibility at all. I was able to build a Kicksecure VirtualBox VM that was both BIOS and UEFI-bootable using the zeha/grub-once branch the PR is in.
== grml-debootstrap - GRUB installation refactoring ==
* https://github.com/grml/grml-debootstrap/issues/258
* The following line is very difficult to follow.
<pre>
# Has chroot-script installed GRUB to MBR using grub-install (successfully), already?
# chroot-script skips installation for unset ${GRUB}
if [[ -z "${GRUB}" ]] || ! dd if="${GRUB}" bs=512 count=1 2>/dev/null | cat -v | grep -Fq GRUB; then
</pre>
* Split into multiple conditions?
* More informational output.
* Possible to leave GRUB installation to grml-debootstrap and leave it out from chroot-script?
* potential bug / difficult to follow code paths: chroot-script seems to set up grub-pc in some cases only. But if it does, then --vmefi would be skipped.
* Better code documentation?
* Looked at the code, concluded the best way to refactor it out was to implement https://github.com/grml/grml-debootstrap/issues/320 since it didn't serve any useful purpose other than working around a needless redundancy anyway.
** PR: https://github.com/grml/grml-debootstrap/pull/331
** Merged.
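For reference, the combined condition quoted in this ticket split into named steps with informational output, as the ticket asks. This is an added example, not grml-debootstrap's code (the refactor that was actually merged took the route of issue #320 instead). The "GRUB" marker is the string that grub-install's boot.img leaves in the first sector; the file passed to the function stands in for grml-debootstrap's ${GRUB} variable.

```shell
#!/bin/sh
# Added example, not grml-debootstrap's code: the one-line MBR test from the
# ticket split into separate, explained conditions with informational output.
set -u

# 0 if the first 512-byte sector of "$1" carries the "GRUB" marker that
# grub-install's boot.img leaves in the MBR, 1 otherwise.
# cat -v makes the sector printable so grep does not treat it as binary.
mbr_has_grub() {
    dd if="$1" bs=512 count=1 2>/dev/null | cat -v | grep -Fq GRUB
}

# Has chroot-script already installed GRUB to the MBR of "$1"?
# An empty argument means chroot-script skipped grub-install (GRUB was unset).
# Returns 0 for "yes", 1 for "no" or "cannot tell", and says why on stderr.
grub_installed_to_mbr() {
    target="${1:-}"
    if [ -z "$target" ]; then
        echo "GRUB target unset, chroot-script did not run grub-install" >&2
        return 1
    fi
    if [ ! -r "$target" ]; then
        echo "cannot read GRUB target $target" >&2
        return 1
    fi
    if mbr_has_grub "$target"; then
        echo "GRUB boot code present in first sector of $target" >&2
        return 0
    fi
    echo "no GRUB boot code in first sector of $target" >&2
    return 1
}

# Usage inside a build script: install only when it is not already there.
#   grub_installed_to_mbr "$GRUB" || grub-install --target=i386-pc "$GRUB"
```

Reading only the first sector matters: a "GRUB" string further into the device (a leftover core.img, a GRUB-containing filesystem) must not count as an installed boot sector, which the test below checks.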
== live-build - initramfs-tools is needlessly installed ==
* please avoid, if feasible, as this prolongs build times, specifically for cross builds (arm64 on amd64)
* non-issue: initramfs-tools inside final ISO. In other words: initramfs-tools later gets replaced by dracut. initramfs-tools is just needlessly intermediately installed.
* Reduced unnecessary initramfs rebuilds in https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
** Patrick: merged
* Got rid of initramfs-tools and installed dracut earlier in the build process in https://github.com/ArrayBolt3/derivative-maker/commit/8ce944308b767c328c443dcf15d5f6b1fba57dec
** Patrick: merged
== GRUB - improve developer documentation ==
* see [[Dev/boot]] and related wiki pages in mininav (links on top of the wiki page)
* document which tools are writing to important files such as /etc/default/grub
* Documented all Kicksecure and Whonix packages that make meaningful changes to GRUB configuration or setup.
== calamares - use /etc/default/grub.d drop-in folder instead of /etc/default/grub file ==
* This is to avoid the issue of multiple files attempting to write to /etc/default/grub, dpkg interactive conflict resolution dialogs, ucf.
* if applicable
* This feature already exists in Calamares, but is sadly broken. PR to fix at https://github.com/calamares/calamares/pull/2445
* This can be worked around in the short term using a shellprocess. Code with workaround: https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/grubcfg Tested and appears to work on my end.
* Patrick: Merged.
== Qubes kloak-alike tickets ==
* please comment on https://github.com/QubesOS/qubes-issues/issues/1850 and other related tickets as sensible
** https://github.com/QubesOS/qubes-issues/issues/1850#issuecomment-2655357292
** https://github.com/QubesOS/qubes-issues/issues/8541#issuecomment-2655358902
** https://github.com/vmonaco/kloak/issues/74#issuecomment-2655362546
* What other steps are required to enable Qubes kloak-alike for Qubes-Whonix? Please create tickets.
** https://github.com/QubesOS/qubes-issues/issues/9771
*** Implemented in https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/20, handling in a separate task.
** https://github.com/QubesOS/qubes-issues/issues/9861
== calamares dual legacy + efi booting support ==
* as discussed
* PR opened at https://github.com/calamares/calamares/pull/2422
* Merged.
== Verified Boot 3mdeb Git ==
* please review and comment
* Reviewed, commented where appropriate, will keep up-to-date with future changes.
== pwchange migration packaging bug ==
<pre>
dpkg -l | grep usability
ii usability-misc 3:26.2-1 all Misc usability improvements
</pre>
<pre>
dpkg: error processing archive /var/cache/apt/archives/helper-scripts_3%3a27.8-1_all.deb (--unpack):
 trying to overwrite '/usr/sbin/pwchange', which is also in package usability-misc 3:26.2-1
Errors were encountered while processing:
 /var/cache/apt/archives/helper-scripts_3%3a27.8-1_all.deb
</pre>
* Patrick renamed pwchange to pwchange_ as a stopgap.
* Patrick made some improvements to pwchange_.
* If this is difficult to fix, we can just move pwchange back to usability-misc perhaps until release upgrade (if that simplifies things).
* Discussed cause and solution with Patrick, file shouldn't need to be moved back to usability-misc.
helper-scripts debian/changelog:
<pre>
helper-scripts (3:28.2-1) unstable; urgency=medium
...
</pre>
usability-misc debian/changelog:
<pre>
usability-misc (3:26.4-1) unstable; urgency=medium
...
</pre>
helper-scripts debian/control:
<pre>
Package: helper-scripts
...
Breaks: usability-misc (<< 3:26.4-1)
Replaces: usability-misc (<< 3:26.4-1)
...
</pre>
usability-misc debian/control:
<pre>
Package: usability-misc
...
Depends: ... helper-scripts (>= 3:28.2-1) ...
...
</pre>
== systemcheck - improve login security output format ==
* current table format is confusing, rework as discussed
* Improved in https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/autologin
** Patrick: Merged.
* Also found an autologinchange bug (was trying to create /etc/sddm.conf.d without root privileges), fixed in https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/autologin
** Patrick: Merged.
== user-sysmaint-split - GUI vs CLI ==
* GUI (login manager) versus CLI (tty login)
* clarify autologinchange GUI vs CLI
* clarify inside systemcheck
** Aaron: Implemented clarifications:
*** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/autologin
*** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/tree/arraybolt3/autologin
*** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/autologin
* check systemcheck CLI autologin in separate column, if feasible (separate columns for GUI vs CLI autologin)
** Aaron: This looks difficult, see https://unix.stackexchange.com/questions/401759/automatically-login-on-debian-9-2-1-command-line. Console autologin has details about things like serial terminals and the like that one has to be aware of, and depending on one's systemd configuration, determining when automatic login is enabled vs. when it isn't may be tricky. Should probably be split into a separate task if we want to pursue this, noting that it may end up a modestly large job.
* test login (non-automatic) into sysmaint CLI tty1
** Aaron: tty1 has boot messages and RADS messages still showing on it. Does not accept user input. I can however log into the sysmaint account on tty2 when booted in PERSISTENT mode SYSMAINT. All I need to do is type the username and press Enter, the account is passwordless in my VM so I'm granted access without a password prompt, similar to how account user behaves.
* Patrick: all merged
== privleap - pwd bug ==
* Qubes, sys-whonix
<pre>
[gateway user ~]% leaprun tor-verify-config
Mar 17 06:38:26.693 [notice] Tor 0.4.8.13 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.15, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
Mar 17 06:38:26.693 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Mar 17 06:38:26.693 [notice] Read configuration file "/etc/tor/torrc".
Mar 17 06:38:26.694 [notice] Processing configuration path "/etc/torrc.d/*.conf" at recursion level 1.
Mar 17 06:38:26.694 [notice] Including configuration file "/etc/torrc.d/60_network.conf".
Mar 17 06:38:26.694 [notice] Including configuration file "/etc/torrc.d/65_gateway.conf".
Mar 17 06:38:26.694 [notice] Including configuration file "/etc/torrc.d/65_leak_tests.conf".
Mar 17 06:38:26.694 [notice] Including configuration file "/etc/torrc.d/70_workstation.conf".
Mar 17 06:38:26.694 [notice] Processing configuration path "/usr/share/tor/tor-service-defaults-torrc.anondist" at recursion level 2.
Mar 17 06:38:26.694 [notice] Including configuration file "/usr/share/tor/tor-service-defaults-torrc.anondist".
Mar 17 06:38:26.694 [notice] Including configuration file "/etc/torrc.d/95_whonix.conf".
Mar 17 06:38:26.694 [notice] Processing configuration path "/usr/local/etc/torrc.d/*.conf" at recursion level 2.
Mar 17 06:38:26.694 [notice] Including configuration file "/usr/local/etc/torrc.d/40_tor_control_panel.conf".
Mar 17 06:38:26.694 [notice] Including configuration file "/usr/local/etc/torrc.d/50_user.conf".
Mar 17 06:38:26.695 [notice] You configured a non-loopback address '10.137.0.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Mar 17 06:38:26.695 [notice] You configured a non-loopback address '10.137.0.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Mar 17 06:38:26.695 [warn] Directory /home/user/.tor cannot be read: Permission denied
Mar 17 06:38:26.695 [warn] Failed to parse/validate config: Couldn't access private data directory "/home/user/.tor"
Mar 17 06:38:26.695 [err] Reading config failed--see warnings above.
zsh: exit 1     leaprun tor-verify-config
</pre>
* In file /usr/libexec/systemcheck/check-env I appended:
<pre>
pwd
env
</pre>
* result:
<pre>
leaprun check-privleap-environment-variables
/home/user
SHELL=/usr/bin/bash
WATCHDOG_USEC=10000000
PWD=/home/user
LOGNAME=user
SYSTEMD_EXEC_PID=902
TEMPDIR=/tmp/user/0
HOME=/home/user
LANG=en_US.UTF-8
TMPDIR=/tmp/user/0
INVOCATION_ID=675ad997bbec4d37ad4ab6339af8a388
USER=user
WATCHDOG_PID=902
NOTIFY_SOCKET=/run/systemd/notify
TEMP=/tmp/user/0
SHLVL=1
JOURNAL_STREAM=8:3035
TMP=/tmp/user/0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
</pre>
* conclusions:
** output of <code>pwd</code> is wrong
** environment variables wrong:
*** PWD
*** HOME
*** TMPDIR
*** TEMP
*** USER
*** PATH
* This happened when I refactored the PAM integration out into a separate shim - I got the calling user and target user mixed up and the regression tests didn't catch it.
* Fixed in https://github.com/ArrayBolt3/privleap/commit/e8d7023b44d770d7b9c76ff217b975da0e9d0d05, regression tests added to catch similar bugs in the future.
== user-sysmaint-split - systemcheck ==
* If user-sysmaint-split is installed, systemcheck function check_login_security cannot use <code>/usr/libexec/user-sysmaint-split/sysmaint-boot query-sysmaint-autologin</code>
* Perhaps that function would be better if available in helper-scripts? Because it currently results in an error.
<pre>
if [ -x /usr/libexec/user-sysmaint-split/sysmaint-boot ]; then
  if [ "$(/usr/libexec/user-sysmaint-split/sysmaint-boot query-sysmaint-autologin 2>/dev/null)" = 'yes' ]; then
    echo 'Enabled'
  else
    echo 'Disabled'
  fi
else
  echo 'Error'
fi
</pre>
* The problem is "echo 'Error'".
* User sysmaint might exist but user-sysmaint-split might have been uninstalled using user-sysmaint-split.
* Skip check_login_security inside Qubes?
* Please avoid subshells because these interfere with error handling. (I did not do it to avoid merge conflicts.)
<pre>
readarray -t user_list < <(/usr/libexec/helper-scripts/get-user-list)
</pre>
<pre>
if ! output="$(/usr/libexec/helper-scripts/get-user-list)"; then
  echo "ERROR: Failed to get user list!" >&2
  exit 1
fi
readarray -t user_list <<< "$output"
</pre>
* please use grep with end-of-options
* All issues should now be fixed. Repos changed:
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/autologin
*** Patrick: Merged.
** setup-wizard-dist: https://github.com/ArrayBolt3/setup-wizard-dist/tree/arraybolt3/autologin
*** Patrick: Merged.
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/autologin
*** Patrick: Merged.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/autologin
*** Patrick: Merged.
== privleap - logging improvements ==
* please rewrite "user" -> "account" (This is to avoid phrases like "user user".)
<pre>
Mar 14 09:05:56 host privleapd[18294]: handle_comm_session: INFO: Triggered action 'apt-get-update'
Mar 14 09:28:52 host privleapd[17481]: auth_signal_request: WARNING: Could not find action 'test'
</pre>
* Should privleap mention which account triggered an action? By comparison, sudo does log this.
<pre>
Mar 14 09:25:49 host sudo[24600]: user : TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/ls
Mar 14 09:25:49 host sudo[24600]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Mar 14 09:25:49 host sudo[24600]: pam_unix(sudo:session): session closed for user root
</pre>
* Privacy should be alright because the journal is only accessible by root. (Unless systemcheck --verbose leaks it. But logging, being able to find bugs/DOS, seems more important than log privacy.)
* We don't necessarily need the same logging format as sudo.
** TTY: probably irrelevant.
** PWD: probably irrelevant.
** command: privleap already logs it.
** account: missing
* Should be done in https://github.com/ArrayBolt3/privleap/commit/abf878dfe55d49bb930fdbba2ed9542db9d4aa93, may need a more careful audit to ensure all cases that need to be changed are changed
* Audited, made another commit with missed bits caught: https://github.com/ArrayBolt3/privleap/commit/b9ea564089d3f825a2f08364807dfc1c7c278eb8
* Patrick: Merged.
== privleap - post-review improvements ==
* https://github.com/ArrayBolt3/privleap/issues/1
* Discuss, implement as appropriate
* Done, remaining issues on the bug tracker are very low priority and not blockers.
== grml-debootstrap - fix UEFI bootloader updates ==
* https://github.com/grml/grml-debootstrap/issues/297
* please send a pull request upstream
** Pull request: https://github.com/grml/grml-debootstrap/pull/299 merged.
** This is specific to how grml-debootstrap works, Kicksecure will need some extra code of its own to work properly here since we use a different bootloader ID than Debian does (ours is <code>kicksecure</code>, theirs is <code>debian</code>).
*** Patrick: Please make bootloader ID configurable in grml-debootstrap. (They'll probably accept that because grml is an independent Linux distribution, might have use for that too and are generally easy to work with.)
**** Aaron: Done.
*** Patrick: Please patch derivative-maker to make use of this new feature and set custom bootloader ID.
**** Aaron: Will wait to do this until the patch is merged upstream, unless things take long enough that we have a good reason to fork.
* Patrick: please use, review the following simplification, if sane
<pre>
if [ -z "$VMEFI" ]; then
  grub_pc_package_name=grub-pc
else
  # We install grub-pc-bin instead of grub-pc when EFI is enabled, because
  # otherwise the EFI bootloader won't be automatically updated when GRUB
  # packages are uploaded. Doing this means that the BIOS bootloader won't
  # be automatically updated, which stinks, however the BIOS bootloader
  # doesn't have the same security concerns as the EFI bootloader (there's
  # no Secure Boot to grapple with when using legacy BIOS boot) so it's
  # better to let the BIOS bootloader lag behind and update the EFI one
  # than to let the EFI bootloader lag behind and update the BIOS one.
  grub_pc_package_name=grub-pc-bin
fi

if ! clean_chroot "${MNTPOINT}" dpkg --list "$grub_pc_package_name" 2>/dev/null | grep -q '^ii' ; then
  echo "Notice: '$grub_pc_package_name' package not present yet, installing it therefore."
  # shellcheck disable=SC2086
  clean_chroot "$MNTPOINT" DEBIAN_FRONTEND=$DEBIAN_FRONTEND apt-get -y --no-install-recommends install $DPKG_OPTIONS "$grub_pc_package_name"
fi
</pre>
** Integrated.
* Patrick: Please consider using numbers and lowering priority. Since it's unlikely that any other configuration file changes EFI ID, specifically by the time grml-debootstrap runs, maximum priority is unnecessary. Always best to keep free space for hypothetical derivatives.
<pre>
echo "GRUB_DISTRIBUTOR='${EFI_ID}'" > "${MNTPOINT}"/etc/default/grub.d/z-grml-debootstrap-efi-id.cfg
</pre>
** Discussed, elected not to do this.
* Run clean_chroot "$MNTPOINT" debconf-set-selections <<< 'grub-efi-amd64 grub2/force_efi_extra_removable boolean true' unconditionally in all cases? That would make it easier to add an option in case upstream does not wish to enable that by default.
** Discussed, elected not to do this.
* Avoid repetitive clean_chroot "$MNTPOINT" DEBIAN_FRONTEND=$DEBIAN_FRONTEND apt-get -y --no-install-recommends install $DPKG_OPTIONS command in source code, only set package name so the source code has this command only once to install the GRUB package? Not sure it is a good idea to mix this refactoring into this pull request. Might be better to do that later in a follow-up pull request once that one was merged.
** Not done yet to avoid overcomplicating the PR.
* ARM_EFI_TARGET: Assume that works similarly, use the new debconf-set-selections method?
** Done, actually I just removed ARM_EFI_TARGET entirely.
* CI testing: {{Github_link|repo=grml-debootstrap|path=/pull/1}}
* related PR: https://github.com/grml/grml-debootstrap/pull/302
== user-sysmaint-split - Qubes - sysmaint boot features ==
* implement [https://github.com/QubesOS/qubes-issues/issues/9750 Polish support for booting qubes with custom kernel command line parameters]
* related: [https://github.com/QubesOS/qubes-issues/issues/2238 Debian template: disable newly (all) installed services by default]
** Replied here with some relevant info.
** Does this obsolete selective sudo access? No, probably not.
* Wrote several iterations of a spec, updating with input from Marek for each iteration.
* Implemented, going back and forth with reviews with Marek.
* PR list:
** qubes-core-admin: https://github.com/QubesOS/qubes-core-admin/pull/653
*** Also made https://github.com/QubesOS/qubes-core-admin/pull/666 to fix a bug after the above PR was merged slightly too early.
** qubes-manager: https://github.com/QubesOS/qubes-manager/pull/407
** qubes-core-admin-client: https://github.com/QubesOS/qubes-core-admin-client/pull/342
* All PRs merged.
== default password ==
* rationale: virtual console based login attempts. An attacker could connect a keyboard to a server to login.
* review wiki: [[Default Passwords]]
* helper-scripts: add a tool that looks for user accounts with empty passwords, if feasible
* GUI ISO: calamares.
** link to documentation
** choices:
*** default: none (user must choose)
*** passwordless
*** set a password
*** Aaron: We decided to skip doing this in calamares to reduce code duplication and maintenance burden.
* CLI ISO: non-existent, therefore non-issue for now
* GUI VM images: A setup-wizard-dist popup should explain this.
** Good for systems installed from ISO also.
* CLI: an INFO message after login if there are any unlocked passwordless accounts
* Implemented, ready for review, testing, ''maybe'' merge?:
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/autologin
*** Rename variable file to file_name. (Because `file` is a utility.)
*** Please simplify string parsing. Create a file /etc/user-sysmaint-split.d/40_autologin_username when enabling autologin. Point out that the file was auto generated by $SCRIPTNAME and might get deleted by the same. To enable autologin, create a file. To disable autologin, delete the file.
**** Aaron: Currently this is not done because it would potentially cause severe bugs to do things this way, especially with the KDE desktop environment. Autologin configuration can get badly out of sync without the more complicated string parsing.
*** Lightweight self-document what the script is doing on a technical level. ("Created file ...")
*** Drop if [ "${default_display_manager}" = 'lightdm' ]; then and elif [ "${default_display_manager}" = 'sddm' ]; then. Always apply all autologin enabling and disabling actions to all supported display manager configurations.
*** What if there are user configured autologin settings? Detect these, point out the configuration file path and tell the user that the autologin script does not support that? Advise the user to keep manual configuration or delete the custom configuration?
**** Aaron: Not necessary, because we're doing more complex string parsing.
*** Aaron: Done except for points that are marked as skipped.
**** Patrick: Merged.
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/autologin
*** Patrick: Merged.
** sysmaint-panel: https://github.com/ArrayBolt3/sysmaint-panel/tree/arraybolt3/autologin
*** Patrick: Merged.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/autologin
*** Patrick: Merged.
*** Aaron: Needs re-merging, more changes were made.
*** Patrick: Merged.
** usability-misc: https://github.com/ArrayBolt3/usability-misc/tree/arraybolt3/autologin
*** rm_conffile /etc/lightdm/lightdm.conf.d/40_autologin.conf missing? Probably not. I guess this is on purpose. Otherwise, this would disable autologin for existing users, which would be confusing.
**** Aaron: Correct, we want to leave this file here.
***** Patrick: Merged.
** setup-wizard-dist: https://github.com/ArrayBolt3/setup-wizard-dist/tree/arraybolt3/autologin
*** Patrick: Merged.
** setup-dist: https://github.com/ArrayBolt3/setup-dist/tree/arraybolt3/autologin
*** Please use grep with end of options.
*** Aaron: Done.
*** Patrick: Merged.
** initializer-dist: https://github.com/ArrayBolt3/initializer-dist/tree/arraybolt3/autologin
*** Please document in script comments: Why is this a chroot script instead of a postinst script with do_once? Because otherwise, do_once in postinst, this might enable sysmaint autologin for already existing users that are upgrading that had already disabled autologin, which would be bad from their perspective.
*** Call the autologin script to enable autologin instead of using sponge directly. This would be useful in the future if porting to a different display manager. The autologin script will need a non-interactive / command line use method.
*** Aaron: Both tasks done.
*** Patrick: Merged.
** msgcollector: https://github.com/ArrayBolt3/msgcollector/tree/arraybolt3/autologin
*** Unnecessary? This should better be implemented at the level of {{Github_link|repo=open-link-confirmation|path=?}}
*** Aaron: Done, required changes to two repos:
**** open-link-confirmation: https://github.com/ArrayBolt3/open-link-confirmation/tree/arraybolt3/autologin
**** user-sysmaint-split (listed above)
**** Patrick: Merged.
* Things that still need fixing:
** Wording changes necessary? autologinchange talks about 'sysmaint session' rather than 'PERSISTENT mode SYSMAINT' which may be bad.
** Patrick: Should be OK.
* Review by Patrick #1:
** Please reword from "user user" to "account user".
*** Aaron: Done.
** Replace /etc/user-sysmaint-split.conf by drop-in folder.
*** Aaron: Done, modified user-sysmaint-split, helper-scripts, initializer-dist, systemcheck, and derivative-maker to make this work.
**** derivative-maker: https://github.com/ArrayBolt3/derivative-maker/tree/master
***** Patrick: Merged.
** See inline comments above.
*** Aaron: Addressed.
== user-sysmaint-split - setup-dist - improve error handling ==
<pre>
check_passwords() {
  if grep -q -- 'Absent' < <(leaprun get-password-status-list); then
    printf '%b\n' "[${yellow}WARNING${nocolor}] Some user accounts on this system are passwordless. Run 'systemcheck' for more information."
  fi
}
</pre>
* bug: subshell cannot handle errors
* please implement without subshell
* leaprun should run outside of "if"
* WARNING -> NOTICE?
* Patrick: Done.
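An added example (not code from setup-dist or helper-scripts) contrasting the process-substitution form above with the shape requested here and in the systemcheck section: run the helper outside the "if", check its exit status, then grep the captured output with end-of-options. The status-list helper is a constructed stand-in for leaprun get-password-status-list, and its "account status" line format is an assumption.

```bash
#!/bin/bash
# Added example, not setup-dist or helper-scripts code. Demonstrates why a
# command run inside a process substitution cannot report failure to the
# caller, and the requested alternative: run the command first, check its
# exit status, then search the captured output with grep and end-of-options.

# Constructed stand-in for 'leaprun get-password-status-list'. The output
# format ("account status", one per line) is an assumption for this example.
# FAKE_LEAPRUN_FAIL=1 simulates privleapd being unreachable (non-zero exit,
# nothing on stdout), which is the failure the subshell version cannot see.
fake_get_password_status_list() {
  if [ "${FAKE_LEAPRUN_FAIL:-0}" = 1 ]; then
    echo "ERROR: could not connect to privleapd" >&2
    return 1
  fi
  printf '%s\n' "user Absent" "sysmaint Present" "root Locked"
}

# Shape from the page (simplified): grep reads the helper through a process
# substitution, so the helper's exit status is discarded. A failing helper
# produces empty input, grep finds nothing, and the function reports "no
# passwordless accounts" (return 1) exactly as it would on a healthy system.
check_passwords_subshell() {
  if grep -q -- 'Absent' < <(fake_get_password_status_list); then
    printf '%s\n' "[WARNING] Some user accounts on this system are passwordless."
    return 0
  fi
  return 1
}

# Requested shape: the helper runs outside the 'if', its output is captured,
# and a non-zero exit becomes a distinct error path (return 2) instead of
# being mistaken for "nothing found". The captured text is then searched
# through a here-string, so no subshell hides the status.
check_passwords_fixed() {
  local status_list
  if ! status_list="$(fake_get_password_status_list)"; then
    echo "ERROR: Failed to get password status list!" >&2
    return 2
  fi
  if grep -q -- 'Absent' <<< "$status_list"; then
    printf '%s\n' "[NOTICE] Some user accounts on this system are passwordless. Run 'systemcheck' for more information."
    return 0
  fi
  return 1
}

# Stand-alone demonstration: healthy helper, then failing helper.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  for mode in 0 1; do
    FAKE_LEAPRUN_FAIL=$mode
    check_passwords_subshell; echo "subshell version (helper failing=$mode): exit $?"
    check_passwords_fixed; echo "fixed version (helper failing=$mode): exit $?"
  done
fi
```

With the helper failing, the subshell version exits 1 (indistinguishable from "no passwordless accounts") while the fixed version exits 2 and prints the error.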
== user-sysmaint-split - set default shell for account sysmaint to zsh ==
* todo
* Done in https://github.com/ArrayBolt3/user-sysmaint-split/commit/779a483f8c83fd7dfb15f3532a8eb5285115dc05
* Patrick: Merged.
* please refactor / de-duplicate code dist-base-files versus user-sysmaint-split
* Done:
** helper-scripts: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/user-create
*** Patrick: Merged.
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/user-create
*** Patrick: Merged.
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/user-create
*** Patrick: Merged. There was a merge conflict. Could you please check if it was resolved correctly?
**** Aaron: Reproduced conflict on my end, resolved it, then checked the difference with git difftool. Looks fine to me.
== user-sysmaint-split - sysmaint login failure when autologin disabled ==
* If sysmaint autologin is disabled, the first attempt to log in as account sysmaint in PERSISTENT mode SYSMAINT will fail because it will try to sign into a normal desktop session.
* Investigate ways to resolve this, is there a system-wide state file for lightdm we can overwrite?
* Fixed in user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/autologin
* Patrick: Merged.
== kernel module loading disabling exit zero or non-zero comment ==
* please comment here: {{Github_link|repo=security-misc|path=/issues/303}}
* Researched and commented.
== Kicksecure default browser ==
* please read prior discussions, comment, edit if applicable
* https://www.kicksecure.com/wiki/Dev/Default_Browser
** Aaron: Reorganized some stuff, filled in some missing documentation on projects.
* https://forums.whonix.org/t/chromium-browser-for-kicksecure-discussions-not-whonix/10388
** Aaron: Read through and commented.
* {{Github_link|repo=security-misc|path=/issues/192}}
*** Aaron: Read through, didn't have much to add here, I put everything I had to add on the Whonix forum.
== automatic updates wiki editing ==
* please add notes to, edit [[Dev/Automatic_Updates]]
** Only things I could see to add was the bit about Lubuntu Update and a note about making an update notifier that didn't handle update installation. Otherwise this seemed pretty thorough and not in need of further revision at the moment. I think Kicksecure would need something more robust than Lubuntu Update, but that it would still provide somewhere to start for implementing something like this (probably in Python).
== privleap - umask ==
* please consider privleap in context of {{Github_link|repo=security-misc|path=/issues/185}}
* How to handle privleap versus umask? Leave it to (python) PAM? Probably best.
* Please lightweight document.
* Discovered that PAM umask customization was causing problems, by changing the umask of the entire privleapd process (thus affecting even actions that are run as root). Fixed by adding an extra shim between privleapd and PAM. Fixes are in https://github.com/ArrayBolt3/privleap as usual.
* Patrick: merged
== privleap - upgrade systemd unit issue ==
* Qubes, Whonix-Workstation, developers repository
<pre>
Mar 14 09:05:15 host systemd[1]: Stopping leapctl@1000.service - leapctl - Enable access to privleap for each user...
Mar 14 09:05:15 host systemd[1]: Stopping privleapd.service - privleap - Limited Privilege Escalation Framework...
Mar 14 09:05:15 host systemd[1]: privleapd.service: Deactivated successfully.
Mar 14 09:05:15 host systemd[1]: Stopped privleapd.service - privleap - Limited Privilege Escalation Framework.
Mar 14 09:05:15 host systemd[1]: privleapd.service: Consumed 2.205s CPU time.
Mar 14 09:05:15 host systemd[1]: Starting privleapd.service - privleap - Limited Privilege Escalation Framework...
Mar 14 09:05:15 host leapctl[18293]: ERROR: Could not connect to privleapd!
Mar 14 09:05:15 host systemd[1]: leapctl@1000.service: Control process exited, code=exited, status=1/FAILURE
Mar 14 09:05:15 host systemd[1]: leapctl@1000.service: Failed with result 'exit-code'.
Mar 14 09:05:15 host systemd[1]: Stopped leapctl@1000.service - leapctl - Enable access to privleap for each user.
Mar 14 09:05:15 host systemd[1]: Starting leapctl@1000.service - leapctl - Enable access to privleap for each user...
Mar 14 09:05:15 host systemd[1]: Started privleapd.service - privleap - Limited Privilege Escalation Framework.
Mar 14 09:05:15 host privleapd[18294]: handle_control_create_msg: INFO: Handled CREATE message for user 'user', socket created
Mar 14 09:05:15 host leapctl[18296]: Comm socket created for user 'user'.
Mar 14 09:05:15 host systemd[1]: Finished leapctl@1000.service - leapctl - Enable access to privleap for each user.
</pre>
* Mostly a cosmetic issue. But a problem as this error ends up in <code>systemcheck --verbose --function check_journal</code>.
* No actually broken functionality.
* Most likely not a configuration issue.
* Potential bug: Does leapctl@1000.service try to use privleapd.service before it was restarted?
* /usr/lib/systemd/system/leapctl@.service - Does it lack After=?
<pre>
[Unit]
Description=leapctl - Enable access to privleap for each user
Requires=privleapd.service user@.service
## Useful to add...?
After=privleapd.service user@.service
</pre>
* Looks like the <code>After=</code> was indeed good to have and missing. Added, tested, works. https://github.com/ArrayBolt3/privleap/commit/c1e9730e5ff3988db610d5603f1b14d8e16ebd2d
* Patrick: merged
== privleap - tb-starter issue ==
* stable repository
* https://forums.whonix.org/t/home-user-cache-permission-issue-in-recent-updates/21427
* Fix: https://github.com/ArrayBolt3/tb-updater/tree/arraybolt3/cache-fix
** Tested, .cache is no longer owned by root, Remmina starts properly
* Patrick: Merged.
== privleap - error - No authorized users or groups for action: 'tor-bootstrap-check' ==
* was happening inside Qubes Whonix-Workstation Template only
* error happened during upgrade from developers repository
<pre>
Setting up privleap (3:2.3-1) ...
/etc/privleap/conf.d/systemcheck.conf:33:error:No authorized users or groups for action: 'tor-bootstrap-check'
WARNING: privleap configuration invalid. Not restarting privleapd.
</pre>
* file /etc/privleap/conf.d/systemcheck.conf already looks okay
<pre>
[action:tor-bootstrap-check]
Command=/usr/libexec/helper-scripts/tor_bootstrap_check.py
AuthorizedGroups=sudo
AuthorizedUsers=user,sdwdate
TargetUser=debian-tor
TargetGroup=debian-tor
</pre>
* was happening inside Qubes Whonix-Gateway Template only
<pre>
Setting up privleap (3:2.3-1) ...
/etc/privleap/conf.d/anon-connection-wizard.conf:1:error:No authorized users or groups for action: 'acw-tor-control-restart'
WARNING: privleap configuration invalid. Not restarting privleapd.
</pre>
* file /etc/privleap/conf.d/anon-connection-wizard.conf already looks good
<pre>
[action:acw-tor-control-restart]
Command=/usr/libexec/anon-connection-wizard/acw-tor-control restart
AuthorizedGroups=sudo
AuthorizedUsers=user
</pre>
* Aaron: Attempted to fully upgrade a clean pair of Whonix-Gateway and Whonix-Workstation templates on Qubes OS R4.3 using the bookworm-developers repository. Cannot reproduce either bug, privleap installs, sets up, and has triggers run for it without issues, service is properly started and systemcheck works without errors.
* Got another report from a user using the testers repository.
<pre>
/etc/privleap/conf.d/systemcheck.conf:33:error:No authorized users or groups for action: 'tor-bootstrap-check'
WARNING: privleap configuration invalid. Not restarting privleapd.
Run configuration check using: privleapd --check-config
</pre>
* This is perhaps because the config check runs before new configuration files have been installed? Solution: run the config check after installation of configuration files, i.e. after the DEBHELPER token?
* Figured out why this is likely happening - upgrades that change the config file format will trigger this because the conffiles of packages ''other than privleap'' are unlikely to be unpacked by the time privleap is configuring itself. This is normal, expected behavior that can't be avoided and shouldn't cause problems in practice.
* Fixed the cosmetic part of the issue in https://github.com/ArrayBolt3/privleap/commit/78698e8ae40d2b5ea3e0f11e32f8ffe0b2e6793e
* Patrick: Merged.
== unbreak repository-dist ==
* Likely caused by recent repository-dist changes. Issue visible on both new ISO and VBox builds of Kicksecure.
** Note that patches for default password/autologin security were applied to my build, but this failure appears to be unrelated.
* <code>systemctl status repository-dist-initializer.service</code>:
<pre>
× repository-dist-initializer.service - /etc/apt/sources.list.d/derivative.list initializer
     Loaded: loaded (/lib/systemd/system/repository-dist-initializer.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2025-03-07 17:31:20 CST; 35s ago
    Process: 968 ExecStart=/usr/libexec/repository-dist/repository-dist-initializer (code=exited, status=1/FAILURE)
   Main PID: 968 (code=exited, status=1/FAILURE)
        CPU: 5ms

Mar 07 17:31:20 localhost repository-dist-initializer[968]: + set -e
Mar 07 17:31:20 localhost repository-dist-initializer[968]: + test -r /var/lib/repository-dist/derivative_apt_repository_opts
Mar 07 17:31:20 localhost repository-dist-initializer[968]: + test -e /var/lib/repository-dist/initializer.done
Mar 07 17:31:20 localhost repository-dist-initializer[1016]: ++ cat /var/lib/repository-dist/derivative_apt_repository_opts
Mar 07 17:31:20 localhost repository-dist-initializer[968]: + repository_dist_arguments='--enable --codename bookworm'
Mar 07 17:31:20 localhost repository-dist-initializer[968]: + repository-dist --enable --codename bookworm
Mar 07 17:31:20 localhost repository-dist-initializer[1027]: /usr/bin/repository-dist: line 362: under: unbound variable
Mar 07 17:31:20 localhost systemd[1]: repository-dist-initializer.service: Main process exited, code=exited, status=1/FAILURE
Mar 07 17:31:20 localhost systemd[1]: repository-dist-initializer.service: Failed with result 'exit-code'.
Mar 07 17:31:20 localhost systemd[1]: Failed to start repository-dist-initializer.service - /etc/apt/sources.list.d/derivative.list initializer.
</pre>
* /etc/apt/sources.list.d/derivative.list does not exist.
* Patrick: Fixed.
== deb822 sources list comment ==
* please comment on https://forums.kicksecure.com/t/apt-sources-list-one-line-format-versus-deb822-style-format/267/1
== ISO - use variable flavor_meta_packages_to_install ==
* using already existing variable flavor_meta_packages_to_install would simplify modifications
* Done: https://github.com/ArrayBolt3/derivative-maker/commit/1653d359373963e50b8f8b16f254e6bbfe47ac90
** Tested, both XFCE and CLI Kicksecure ISOs can be built successfully with this change.
== privleap - python-pam bug ==
* error produced in anon-whonix
<pre>
sudo journalctl --boot -u privleapd
Mar 03 11:30:21 host systemd[1]: Starting privleapd.service - privleap - Limited Privilege Escalation Framework...
Mar 03 11:30:21 host systemd[1]: Started privleapd.service - privleap - Limited Privilege Escalation Framework.
Mar 03 11:33:06 host privleapd[671]: handle_control_create_msg: INFO: Handled CREATE message for user 'user', socket created
Mar 03 11:33:07 host python3[671]: pam_unix(privleapd:session): session opened for user debian-tor(uid=107) by (uid=0)
Mar 03 11:33:07 host python3[671]: pam_succeed_if(privleapd:session): requirement "uid eq 0" not met by user "debian-tor"
Mar 03 11:33:07 host privleapd[671]: handle_control_create_msg: WARNING: User 'debian-tor' is not allowed to have a comm socket
Mar 03 11:33:07 host privleapd[671]: handle_comm_session: INFO: Triggered action 'tor-circuit-established-check'
</pre>
* Aaron: The PAM message is perfectly normal, it's triggered by this snippet in /etc/pam.d/common-session:
<pre>
session [success=1 default=ignore] pam_succeed_if.so uid eq 0
session optional pam_umask.so umask=027
</pre>
* This snippet says "set the umask for the newly logged-in user to 027 if they ''aren't'' root. If they are root, skip over the umask setting." When running an action as debian-tor, this will end up showing a message that the UID check didn't pass, meaning that the umask will be set. This is an intentional part of how we implement stricter umask settings.
* The issue stating that debian-tor is not allowed to have a comm socket is normal, because debian-tor (for some reason unknown to me) has a running user session in the anon-whonix VM. This means that it triggers a <code>leapctl@UID.service</code> unit for itself like any other logged-in user, but because it isn't listed as an allowed user, that service doesn't start (by design). Therefore this isn't a problem, though it's curious that debian-tor is logged in...
== bookworm-backports-staging ==
* https://fasttrack.debian.net/ mentions <code>deb https://fasttrack.debian.net/debian-fasttrack/ bookworm-backports-staging main contrib</code>
* Is this new?
** Aaron: Does not appear to be new, this was how things were done in Bullseye as well.
* Since Kicksecure enables fasttrack by default, should probably enable bookworm-backports-staging by default too?
** Aaron: Yes, we should. "Staging" is usually scary and indicates there could be package breakage, but in this instance it's effectively identical to the normal backports repo but allows packages in that don't fit the normal backports rules (yet). This isn't a place for doing dangerous operations like I initially thought.
== investigate why debian-tor has a login on Whonix-Workstation ==
* todo
* Turned out to be PAM integration's fault, the default code path in PAM's config stacks assumes an interactive session.
* Fixed in https://github.com/ArrayBolt3/privleap/commit/a22b63d4190cf8b52fb8727560f4113f80da36b2, all it does is specify a non-interactive session instead.
== Qubes APT pinning ticket ==
* https://github.com/QubesOS/qubes-core-admin-linux/pull/184
* https://www.kicksecure.com/wiki/Dev/APT_Pinning
* Please comment, if applicable.
* Commented, also looked over code and didn't have anything to add beyond what Ben already added.
== privleap - keep trying to start leapctl@1000.service ==
<pre>
Mar 03 11:09:50 host systemd[1]: leapctl@1000.service: Failed with result 'exit-code'.
Mar 03 11:09:50 host systemd[1]: Stopped leapctl@1000.service - leapctl - Enable access to privleap for each user.
Mar 03 11:09:50 host systemd[1]: Starting leapctl@1000.service - leapctl - Enable access to privleap for each user...
Mar 03 11:09:50 host leapctl[40455]: ERROR: Could not connect to privleapd!
Mar 03 11:09:50 host systemd[1]: leapctl@1000.service: Main process exited, code=exited, status=1/FAILURE
Mar 03 11:09:50 host systemd[1]: leapctl@1000.service: Failed with result 'exit-code'.
</pre>
* In case of errors, please configure the systemd unit to keep trying forever, but with a long enough delay to keep log spam limited.
* Done in https://github.com/ArrayBolt3/privleap/commit/b4a84a8660fe8a5380e42b9df930ac718cb2dd34
== privleap - leaprun - consider supporting end-of-options ==
* <code>leaprun apt-get-update-simulate</code>
* would it make sense to support
* <code>leaprun -- apt-get-update-simulate</code>
* it doesn't change a lot, except it allows for consistent use of end-of-options
* Done: https://github.com/ArrayBolt3/privleap/commit/0db59e476e606481b979331060a3cc53cd73da99
== privleap - consider using end-of-options ==
["/usr/bin/bash", "-c", desired_action.action_command],
* minor: useful to change to...?
["/usr/bin/bash", "-c", "--", desired_action.action_command],
* Done: https://github.com/ArrayBolt3/privleap/commit/61da84d033c23c74840ae953409a2c09475a0b9c
== privleap - harden and polish ==
* Continue fixing and discussing issues found by Ben Grande and others.
* Should be done, the only remaining issue that seems potentially concerning is https://github.com/ArrayBolt3/privleap/issues/11, which may or may not be something that needs to be fixed.
* Patrick: merged
== privleap - abolish simple all users allowed fallback ==
<pre>
[command:echo-hello]
Command=echo 'Hi!'
</pre>
* Some sort of AuthorizedGroups=sudo or AuthorizedUsers= should always exist.
* If all users should be able to, this might be best implemented with a special keyword.
* Done in https://github.com/ArrayBolt3/privleap/commit/415190bed64add132fdb38e886ce868286c4da77, special keyword can be added later if needed.
* Repos that needed additional changes:
** anon-connection-wizard: https://github.com/ArrayBolt3/anon-connection-wizard/tree/arraybolt3/privleap-strict-auth
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/privleap-strict-auth
* Patrick: Merged.
== fix up policy-rc.d script in user-sysmaint-split ==
* Conflicts with derivative-maker, needs derivative-maker changes to avoid
** Fixed, required changes to derivative-maker and live-build
*** https://github.com/ArrayBolt3/derivative-maker/tree/master
*** https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
* Missing proper copyright header
** Fixed: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/policy-rcd
* Check other policy-rc.d helpers in Debian if they exist to see if they would be better suited to this?
** It appears the only helpers are policyrcd-script-zg2 and policy-rcd-declarative, both of which have been studied and appear unfit for our use case. (Based on the results of <code>apt-cache search policy | grep rcd</code>)
* Patrick: Merged.
== privleap - implement config reload without restart ==
* https://github.com/ArrayBolt3/privleap/issues/12
* configuration fast hash based?
* Current implementation works via an explicit restart command that can be sent by leapctl. Performance doesn't seem to be an issue doing a total reload each time, can revisit hashing if performance becomes a problem.
* {{CodeSelect|code=
sudo systemctl reload privleapd
}}
== user-sysmaint-split - document policy-rc.d ==
* todo
* Documented at https://www.kicksecure.com/w/index.php?title=Sysmaint&stable=0, with a new bullet point "Inhibition of non-critical services".
== privleap postinst deb-systemd-invoke bug ==
<pre>
#####################################################################
## INFO: BEGIN: privleap postinst configure' '3:1.7-1
#####################################################################
'
+ case "$1" in
+ deb-systemd-helper enable privleapd.service
+ deb-systemd-helper enable leapctl@.service
+ start_privleapd
+ deb-systemd-invoke restart privleapd.service
Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145.
</pre>
* Can't reproduce, but may be resolved by https://github.com/ArrayBolt3/privleap/commit/17d4caa0a84499559c8f18dbd90076ef0172501d
* only reproduced so far: Qubes Whonix-Gateway Template
* not reproducible in: Qubes Kicksecure / Qubes Whonix-Workstation Template
<pre>
[template gateway user ~]% sudo DEBDEBUG=1 dpkg --configure -a
Setting up privleap (3:1.9-1) ...
++ [[ -v disable_echo ]]
++ disable_echo=
++ '[' '' = true ']'
++ colors
++ alt=
++ ealt=
++ hide=
++ show=
++ save=
++ load=
++ bold=
++ stout=
++ estout=
++ under=
++ eunder=
++ reset=
++ blink=
++ italic=
++ eitalic=
++ red=
++ green=
++ yellow=
++ blue=
++ magenta=
++ cyan=
++ white=
++ default=
++ eed=
++ eel=
++ ebl=
++ ewl=
++ draw=
++ back=
++ test -n ''
++ test -n ''
++ [[ -v TERM ]]
++ '[' xterm-256color = '' ']'
++ [[ -t 2 ]]
+++ type -t exception_handler_general
++ '[' '' = function ']'
+++ trap -p ERR
++ '[' '' = '' ']'
++ trap error_handler_pre ERR
++ bash -n /usr/libexec/helper-scripts/pre.bsh
++ bash -n /var/lib/dpkg/info/privleap.postinst
++ own_filename=privleap.postinst
++ source_config_folder
++ [[ -v DPKG_MAINTSCRIPT_PACKAGE ]]
++ '[' privleap = '' ']'
++ pre_bsh_settings_folder=privleap_maint.d
++ shopt -s nullglob
++ local i
++ true 'folder 1: /etc/privleap_maint.d/*.conf'
++ true 'folder 2: /usr/local/etc/privleap_maint.d/*.conf'
++ shopt -u nullglob
++ check_scripts_to_skip
++ [[ -v SKIP_SCRIPTS ]]
++ SKIP_SCRIPTS=
++ local skip_script
+ set -e
+ true '
#####################################################################
## INFO: BEGIN: privleap postinst configure' '3:1.7-1
#####################################################################
'
+ restarted_once=no
+ case "$1" in
+ deb-systemd-helper enable privleapd.service
+ deb-systemd-helper enable leapctl@.service
+ start_privleapd
+ '[' no = yes ']'
++ command -v systemctl
+ '[' '!' -x /usr/bin/systemctl ']'
+ deb-systemd-invoke restart privleapd.service
Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145.
++ error_handler_pre
</pre>
== privleap - run config check from postinst ==
* to make broken configurations more easily visible
* Done in https://github.com/ArrayBolt3/privleap/commit/29580c1bc4991a87f03bdc7fc92738b36371ca37, may also resolve some of the other weird behavior we've been seeing.
== privleap - bug duplicate action tor-verify-config ==
<pre>
Feb 20 05:37:04 host privleapd[15069]: parse_config_files: CRITICAL: Error parsing config: '/etc/privleap/conf.d/systemcheck.conf:26:error:Duplicate action found: 'tor-verify-config''
</pre>
* This was resolved by https://github.com/Whonix/anon-gw-anonymizer-config/commit/778625b7c1dd4ef3c0afd9b839d31684b85f4bee, does anon-gw-anonymizer-config need a new upload or is the machine this is happening on out-of-date?
* Further fix at https://github.com/ArrayBolt3/privleap/commit/dd776782aedf176b3f2538e8b8b78db73504ba43
== privleap - change action header format ==
* https://github.com/ArrayBolt3/privleap/issues/4
* Done:
** privleap: https://github.com/ArrayBolt3/privleap/commit/b482a05a1970b1be0bbad784753a1019730e0b0c
** sdwdate: https://github.com/ArrayBolt3/sdwdate/tree/arraybolt3/pl-actions
** sdwdate-gui: https://github.com/ArrayBolt3/sdwdate-gui/tree/arraybolt3/pl-actions
** anon-connection-wizard: https://github.com/ArrayBolt3/anon-connection-wizard/tree/arraybolt3/pl-actions
** setup-dist: https://github.com/ArrayBolt3/setup-dist/tree/arraybolt3/pl-actions
** systemcheck: https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/pl-actions
** tb-starter: https://github.com/ArrayBolt3/tb-starter/tree/arraybolt3/pl-actions
** tb-updater: https://github.com/ArrayBolt3/tb-updater/tree/arraybolt3/pl-actions
** anon-gw-anonymizer-config: https://github.com/ArrayBolt3/anon-gw-anonymizer-config/tree/arraybolt3/pl-actions
* Patrick: Merged.
== user-sysmaint-split - consider using policyrcd-script-zg2 ==
* todo
* Aaron: Looks like it introduces more complexity than it fixes:
** It doesn't actually support drop directories as hoped. It just looks for a script in:
*** Whatever location is specified by a hardcoded config file <code>/etc/zg-policy-rc.d.conf</code>
*** Whatever location is specified by a hardcoded environment variable CONFFILE
*** One of two hardcoded locations (/usr/local/sbin/policy-rc.d or /etc/policy-rc.d)
** It only executes one script. Ultimately this is no better than the functionality given by just using update-alternatives.
** It warns in the manpage that there may be many bugs. The script isn't that long, but it has lots of (seemingly unnecessary?) automake stuff surrounding it, which worries me.
** IMO, it will be easier to just fiddle with update-alternatives when we need to tweak policy-rc.d than to use this.
== sdwdate-gui - port qrexec temporary file to tmpfiles.d ==
* replace mkdir --parents -- /run/user/1000
* replace /run/user/1000/sdwdate
* prefer using /usr/lib/tmpfiles.d/sdwdate-gui.conf, if possible
** Done: https://github.com/ArrayBolt3/sdwdate-gui/tree/arraybolt3/run-user-1000
* as a fallback (if still needed, if above is not possible, use mkdir --mode)
** Not needed.
== sdwdate-gui - /run/user/1000 owned by wrong user ==
* https://forums.whonix.org/t/some-recent-change-breaks-starting-whonix-workstation-on-qubes-privleap-suspected/21170/13
* Should be fixed by https://github.com/ArrayBolt3/sdwdate-gui/tree/arraybolt3/run-user-1000
* Patrick: Merged.
== user-sysmaint-split - consider using policy-rcd-declarative-deny-all or alike in sysmaint session ==
* Would using policy-rcd-declarative-deny-all (or similar) be useful in sysmaint session to avoid unneeded systemd units from starting in sysmaint session?
* related: https://github.com/QubesOS/qubes-issues/issues/2238
* policy-rcd-declarative-deny-all itself did not appear suitable, however a custom policy-rc.d appears to work.
* Implemented in https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/policy-rcd
* Patrick: Merged.
== privleap - start early before other systemd units such as sdwdate ==
* if sane, doable
* to avoid sdwdate and others needing to use systemd After=privleapd.service
* Done, now starts before basic.target comes up, which should be early enough for sdwdate and most other services
* https://github.com/ArrayBolt3/privleap/commit/46f1ad00587cd1b34ee43fd14abf55b271cf8182
* Patrick: Merged.
== privleap - investigate qubes crashes ==
* https://forums.whonix.org/t/some-recent-change-breaks-starting-whonix-workstation-on-qubes-privleap-suspected/21170/13
* Issue found, fixed: https://github.com/ArrayBolt3/anon-gw-anonymizer-config/commit/778625b7c1dd4ef3c0afd9b839d31684b85f4bee
* Patrick: Merged.
== user-sysmaint-split - account bob breaks upgrade ==
* todo
* Should now be fixed, also made a bunch of other improvements, closing issues filed by Ben Grande.
== user-sysmaint-split - remove dependency on lightdm ==
* lightdm is not installed on Qubes OS VMs and should not be installed.
* desktop VM users may prefer sddm, which we are attempting to support.
* Done: https://github.com/ArrayBolt3/sysmaint-panel
** Patrick: merged
== user-sysmaint-split - Qubes tb-updater - fix disposable VM support ==
* https://forums.whonix.org/t/latest-update-breaks-tor-browser-in-disposables/21183
* revert the reverts:
** cf995c1d666fe3142f368afb243bd8be5be30734
** 814438e9f8a68da3ae3545f028e3850cac91e474
*** Reverts reverted and root cause fixed in https://github.com/ArrayBolt3/tb-updater/tree/arraybolt3/sudoless-fix
**** Patrick: merged
== user-sysmaint-split - test sudoless upgrade-nonroot ==
* ensure sudoless upgrade-nonroot doesn't damage system if privleapd is restarted during installation
* if output at restart is confusing, consider how to make it less confusing if such a restart occurs
* Details of issues and ideas on how to resolve them shared in chat
* Reverted back to sudo-based upgrade-nonroot, only works under user sysmaint. Also fixed some other bugs. https://github.com/ArrayBolt3/usability-misc/tree/arraybolt3/misc-fixes
** Patrick: merged
* Other fixes made while working on this:
** dist-base-files (allow sysmaint to use privleap): https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/sysmaint-privleap
** Patrick: merged
** privleap (fix install failure): https://github.com/ArrayBolt3/privleap
** Patrick: merged
** user-sysmaint-split (fix race condition that sometimes resulted in sysmaint login during normal boot): https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/race-fix
** Patrick: merged
== read 3mdeb RAM decay research ==
* https://blog.3mdeb.com/2025/2025-01-24-ram-data-decay-research-part2/
* [[Cold Boot Attack Defense]]
* [[Ram-wipe]]
* [[Dev/RAM Wipe]]
* Read, added notes to [[Cold Boot Attack Defense]].
== live-build - local repository support ==
* add support to build from local repository
* Merge request: https://salsa.debian.org/live-team/live-build/-/merge_requests/369
* Alternate implementation merged by rclobus, we're now using upstream's version in derivative-maker.
== user-sysmaint-split - Qubes - sysmaint-boot.target - upstream feature request ==
* What would need to happen to make sysmaint-boot.target available in Qubes? Please discuss with Qubes, open a Qubes ticket, if applicable.
* related Qubes ticket: [https://github.com/QubesOS/qubes-issues/issues/2238 Debian template: disable newly (all) installed services by default]
* Ticket filed for this specifically: https://github.com/QubesOS/qubes-issues/issues/9750
== privleap - add crash recovery ==
* If privleapd crashes on a system with user-sysmaint-split installed, the user will be left with no way to run privileged operations until the next reboot. Even without user-sysmaint-split, many of the sudoless application ports will function improperly if privleapd isn't running.
* Make privleapd resilient to crashes:
** Add a watchdog timeout to the systemd unit
** Add code to privleapd that occasionally pings systemd to let it know it's still running via sdnotify
** Handle user login/logout comm sockets using a systemd service template so that non-persistent user sockets can be automatically recreated on restart
* Code changes:
** privleap: https://github.com/ArrayBolt3/privleap
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/privleap
*** Patrick: both merged
== user-sysmaint-split - privleap - use systemd notify ==
* sdwdate uses sd-notify. Please look at it (or something else) as an example on how to implement it.
* please implement sd-notify in privleap
* reason: reliably notify systemd when the daemon is ready. This will avoid any hardcoded "sleep 1" in Debian postinst and will generally increase the reliability of privleap. Should it ever be stuck, systemd would detect this and restart privleap.
* systemd unit file changes:
<pre>
[Service]
Type=notify
TimeoutSec=30 ## needs adjustment
WatchdogSec=200m ## needs adjustment
Restart=always
</pre>
* usr/lib/python3/dist-packages/sdwdate/sdwdate.py (grep output for sdnotify usage):
<pre>
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:import sdnotify
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:SDNOTIFY_OBJECT = sdnotify.SystemdNotifier()
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:SDNOTIFY_OBJECT.notify("READY=1")
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:SDNOTIFY_OBJECT.notify("STATUS=Starting...")
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:    SDNOTIFY_OBJECT.notify("STATUS=Shutting down...")
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:    SDNOTIFY_OBJECT.notify("WATCHDOG=1")
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:    SDNOTIFY_OBJECT.notify("STOPPING=1")
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:    SDNOTIFY_OBJECT.notify("WATCHDOG=1")
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:    SDNOTIFY_OBJECT.notify(msg)
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:    SDNOTIFY_OBJECT.notify("WATCHDOG=1")
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:    msg_for_sdnotify = "STATUS=" + msg
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:    SDNOTIFY_OBJECT.notify(msg_for_sdnotify)
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:    SDNOTIFY_OBJECT.notify("WATCHDOG=1")
usr/lib/python3/dist-packages/sdwdate/sdwdate.py:    SDNOTIFY_OBJECT.notify("WATCHDOG=1")
</pre>
* Added basic support, also got the postinst script working properly and passing lintian. I don't know if watchdog support is desirable, since comm sockets will be lost during a restart and automatically recreating them may not always be desirable.
* Patrick: merged
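The READY / WATCHDOG / STOPPING sequence from the crash-recovery and sd-notify tickets above, as an added example that is not privleap's or sdwdate's code: it speaks the NOTIFY_SOCKET datagram protocol from the Python standard library instead of the third-party sdnotify module, and derives the ping interval from the WATCHDOG_USEC that systemd exports for a WatchdogSec= unit such as the snippet above. The daemon loop and its work_once callback are hypothetical stand-ins for privleapd's real work.

```python
"""Minimal sd_notify(3) client for a Type=notify daemon (standard library only).

Added example, not privleap's or sdwdate's code. systemd passes the path of its
notification socket in NOTIFY_SOCKET; the daemon sends newline-separated
KEY=VALUE datagrams to it. With WatchdogSec= set, systemd also exports
WATCHDOG_USEC and WATCHDOG_PID and kills (then, with Restart=always, respawns)
the service if no WATCHDOG=1 arrives within that time.
"""
import os
import signal
import socket
import time
from typing import Callable, Mapping, Optional


def notify_address(raw: str) -> str:
    """Translate NOTIFY_SOCKET as exported by systemd into a sendto() address.

    A leading '@' marks an abstract-namespace socket; Python's socket module
    wants the leading NUL byte the kernel uses for that namespace instead.
    """
    if raw.startswith("@"):
        return "\0" + raw[1:]
    return raw


def sd_notify(state: str, env: Mapping[str, str] = os.environ) -> bool:
    """Send one state string such as "READY=1" or "WATCHDOG=1" to systemd.

    Returns False when NOTIFY_SOCKET is unset, i.e. the daemon was not started
    as a Type=notify unit, so callers can keep running unchanged.
    """
    raw = env.get("NOTIFY_SOCKET")
    if not raw:
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        # Fire-and-forget datagram. systemd only honours messages from the
        # PIDs allowed by NotifyAccess= (default: the main process), so a
        # notification from a forked helper is silently ignored.
        sock.sendto(state.encode(), notify_address(raw))
    return True


def watchdog_interval(env: Mapping[str, str] = os.environ) -> Optional[float]:
    """Return how often (seconds) to send WATCHDOG=1, or None if not armed.

    Pinging at half the timeout, as sd_watchdog_enabled(3) recommends, leaves
    headroom for scheduler and I/O jitter. WatchdogSec=200m from the unit
    snippet above therefore yields a ping every 6000 seconds.
    """
    usec = env.get("WATCHDOG_USEC")
    if not usec:
        return None
    pid = env.get("WATCHDOG_PID")
    if pid and int(pid) != os.getpid():
        return None  # the watchdog is armed for another process, not for us
    return int(usec) / 1_000_000 / 2


def serve_forever(work_once: Callable[[], None],
                  env: Mapping[str, str] = os.environ) -> None:
    """Run work_once() in a loop while keeping systemd informed of our state."""
    running = True

    def stop(signum, frame):
        nonlocal running
        running = False

    signal.signal(signal.SIGTERM, stop)
    signal.signal(signal.SIGINT, stop)

    sd_notify("STATUS=Starting...", env)
    # A real daemon would bind its control/comm sockets and parse config here,
    # so that READY=1 only fires once clients can actually connect.
    sd_notify("READY=1", env)  # unblocks `systemctl start` and After= units
    interval = watchdog_interval(env)
    next_ping = time.monotonic()
    while running:
        now = time.monotonic()
        if interval is not None and now >= next_ping:
            sd_notify("WATCHDOG=1", env)
            next_ping = now + interval
        work_once()
        time.sleep(0.1)
    # Tells systemd this is an orderly shutdown rather than a crash.
    sd_notify("STOPPING=1", env)


if __name__ == "__main__":
    serve_forever(lambda: None)
```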
== coding style - avoid which - use command -v ==
* Avoid which, use command -v instead. This is because which is an external binary (minor reason) and produces stdout if a binary was found, which can be slightly confusing (major reason).
* documented on [[Dev/bash]] just now
* task can be moved to archived after reading
* Aaron: Will do.
== lintian - use lintian locally during package build process ==
* lintian is already run during the build process.
<pre>
/usr/share/genmkfile/make-helper-one.bsh: INFO: You can find your deb file here: /home/user/derivative-binary/genmkfile-packages-result/privleap_1.3-1_all.deb
/usr/share/genmkfile/make-helper-one.bsh: INFO: make_use_lintian='' - Autodetecting if lintian is installed...
/usr/share/genmkfile/make-helper-one.bsh: INFO: lintian auto detected, using it...
lintian --suppress-tags missing-tests-control --suppress-tags systemd-service-file-missing-documentation-key --suppress-tags orig-tarball-missing-upstream-signature --suppress-tags package-supports-alternative-init-but-no-init.d-script --suppress-tags no-manual-page --quiet --pedantic --info --display-info "/home/user/derivative-binary/genmkfile-packages-result/privleap_1.3-1_amd64.changes"
/usr/share/genmkfile/make-helper-one.bsh: INFO: lintian exit code: 0
/usr/share/genmkfile/make-helper-one.bsh: INFO: lintian output:
################################################################################
N:
W: privleap: maintainer-script-calls-systemctl [postinst:41]
</pre>
* This breaks the package build. By undocumented convention, all packages must result in lintian exit code 0 and no lintian output. All lintian warnings are either fixed, suppressed or have lintian exception configurations.
* Could you please add to your local build tools to run <code>genmkfile lintian</code>?
* Aaron: Will do, usually I use genmkfile deb-pkg which runs this but I've been ignoring the output incorrectly.
== live-build - --debian-installer-distribution git security impact research ==
* TODO research: would --debian-installer-distribution git verify software signatures or still be vulnerable to HTTP / HTTPS based attacks?
* Aaron: Yes, this is still vulnerable. udebs are downloaded directly even when building the installer from source. Additionally, you can't use a source-built installer to create a Bookworm ISO anymore - only Trixie and newer work because Bookworm lacks udebs sufficiently new for the debian-installer build to work.
== user-sysmaint-split - quick uninstall boot option ==
* Users might be confused by user-sysmaint-split and prefer using sudo and pkexec normally.
* Using sudo dummy-dependency --purge user-sysmaint-split from sysmaint session is functional but inconvenient.
* Add option to boot menu that offers to remove user-sysmaint-split for the user, to revert back to "classic" privilege escalation.
* Implemented, required changes to user-sysmaint-split and sysmaint-panel.
** https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/uninstaller
*** Patrick: Merged.
** https://github.com/ArrayBolt3/sysmaint-panel
*** Patrick: Merged.
<pre>
def uninstall():
    subprocess.run(["/usr/libexec/helper-scripts/terminal-wrapper",
                    "/usr/bin/sudo", "/usr/bin/apt", "purge",
                    "user-sysmaint-split"])
    subprocess.run(["/usr/sbin/reboot"])
</pre>
* Patrick: This will cause issues with meta packages removal? Better to use dummy-dependency --yes --purge user-sysmaint-split.
** Aaron: Agreed, done. https://github.com/ArrayBolt3/sysmaint-panel
* Patrick: Merged.
== user-sysmaint-split - privleap - add a trigger to reload privleap once its configuration folder changed ==
* this is to receive updated/fixed privleap configuration files once these have changed
* Done: https://github.com/ArrayBolt3/privleap
** Patrick: Merged.
== user-sysmaint-split - privleap - start privleap after installation ==
* if possible (to avoid issues after installation)
* Did as part of adding a trigger to privleap.
== user-sysmaint-split - privleap - sdwdate-gui - temp folder ==
<pre>
echo "$QREXEC_REMOTE_DOMAIN $1" | tee /tmp/sdwdate-gui-tmp-status
</pre>
* consider use of a more secure folder
** Agreed on /run/user/1000/sdwdate, new code is here: https://github.com/ArrayBolt3/sdwdate-gui/tree/arraybolt3/temp-file-move
* re-check python valid characters sanity test
** Rechecked and tested, appears to be correct. Add automated testing of invalid ASCII to privleap's test suite.
* Patrick: Merged.
== sync fork of live-build with upstream ==
* Some MRs made upstream have been reimplemented and the polished versions merged. Pull these changes into our fork and adjust derivative-maker accordingly.
** derivative-maker: https://github.com/ArrayBolt3/derivative-maker/tree/master
*** Patrick: Merged.
** live-build: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
*** Patrick: Merged.
* Aaron: Both of these need to be re-merged, the fix I did for isomd5sum turned out to be a workaround for a configuration issue. Upstream helped me discover the real problem there.
** Patrick: Both merged.
== user-sysmaint-split - privleap - breaks Qubes gui ==
* whonix-workstation-17-dvm is no longer starting, likely due to the issue below
* Tested, seems to now be resolved.
== user-sysmaint-split - privleap - close stdin ==
* close stdin, since not available anyhow
* this is to avoid programs waiting for input forever, which will never come
* Done in latest privleap code.
== user-sysmaint-split - privleap - usability-misc privleap configuration bug ==
Feb 06 18:32:29 host systemd[1]: Started privleapd.service - privleap - Limited Privilege Escalation Framework.
Feb 06 18:32:29 host privleapd[877]: parse_config_files: CRITICAL: Failed to load config file '/etc/privleap/conf.d/usability-misc.conf'!
Feb 06 18:32:29 host privleapd[877]: Traceback (most recent call last):
Feb 06 18:32:29 host privleapd[877]: File "/usr/lib/python3/dist-packages/privleap/privleapd.py", line 595, in parse_config_files
Feb 06 18:32:29 host privleapd[877]: = pl.PrivleapCommon.parse_config_file(f.read())
Feb 06 18:32:29 host privleapd[877]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 06 18:32:29 host privleapd[877]: File "/usr/lib/python3/dist-packages/privleap/privleap.py", line 1010, in parse_config_file
Feb 06 18:32:29 host privleapd[877]: action_output_list.append(PrivleapAction(current_action_name,
Feb 06 18:32:29 host privleapd[877]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 06 18:32:29 host privleapd[877]: File "/usr/lib/python3/dist-packages/privleap/privleap.py", line 830, in __init__
Feb 06 18:32:29 host privleapd[877]: raise ValueError(f"User '{raw_auth_user}' specified by "
Feb 06 18:32:29 host privleapd[877]: ValueError: User 'sysmaint' specified by field 'AuthorizedUsers' of action 'upgrade-nonroot-wrapper' does not exist!
Feb 06 18:32:29 host systemd[1]: privleapd.service: Main process exited, code=exited, status=1/FAILURE
Feb 06 18:32:29 host systemd[1]: privleapd.service: Failed with result 'exit-code'.
* Latest changes from https://github.com/ArrayBolt3/privleap should resolve this.
== user-sysmaint-split - privleap - setup-dist and anon-connection-wizard ==
* Patrick: in progress by Patrick
* port to privleap incomplete
* will cause the same issue as this: https://forums.whonix.org/t/getting-setup-dist-error-in-whonix-gateway/21162
* Whonix-Gateway CLI, no desktop. policykit may not be designed for this.
<pre>
debian/control: pkexec,
usr/lib/python3/dist-packages/anon_connection_wizard/tor_status.py:        command = ['pkexec', '/usr/libexec/anon-connection-wizard/acw-write-torrc', temp_file_path]
usr/lib/python3/dist-packages/anon_connection_wizard/anon_connection_wizard.py:        command = ['pkexec', '/usr/libexec/anon-connection-wizard/acw-write-torrc', Common.torrc_tmp_file_path]
</pre>
* tor-control-panel:
<pre>
packages/kicksecure/tor-control-panel/debian/control: pkexec,
</pre>
* Patrick: Done. setup-dist is now using privleap for Tor enable/disable. Please review and move to archived if OK.
* Aaron: Makes sense to me, don't see any problems with it.
== user-sysmaint-split - implement sudoless ==
* [[Dev/sudo]]
** Ready for review:
*** https://github.com/ArrayBolt3/setup-dist/tree/arraybolt3/sudoless-privleap
**** Patrick: Merged. (Didn't merge branch "sudoless".)
*** https://github.com/ArrayBolt3/setup-wizard-dist/tree/arraybolt3/fix-spacing
**** Patrick: Not merged. But used autopep8. Merged branch "sudoless" instead.
*** https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/sudoless-privleap
**** Patrick: Merged.
*** https://github.com/ArrayBolt3/sdwdate/tree/arraybolt3/privleap
**** Patrick: Merged.
*** https://github.com/ArrayBolt3/tb-starter/tree/arraybolt3/privleap
**** Patrick: Merged.
*** https://github.com/ArrayBolt3/tb-updater/tree/arraybolt3/privleap
**** Patrick: Merged.
** https://github.com/ArrayBolt3/anon-gw-anonymizer-config/tree/arraybolt3/privleap
*** Patrick: Merged.
** https://github.com/ArrayBolt3/whonix-base-files/tree/arraybolt3/user-sysmaint-split
*** Patrick: Merged.
** https://github.com/ArrayBolt3/anon-connection-wizard/tree/arraybolt3/privleap
*** Patrick: Merged.
** https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/sudoless-privleap
*** Patrick: Merged.
** https://github.com/ArrayBolt3/tor-control-panel/tree/arraybolt3/privleap
*** Patrick: Merged.
** https://github.com/ArrayBolt3/sdwdate-gui/tree/arraybolt3/privleap
*** Patrick: Merged.
* Patrick: Please move to archived if everything got merged as expected.
** Aaron: Looks good.
== user-sysmaint-split - implement sudoless #2 ==
** Additional things done:
*** grep through entire Kicksecure and Whonix codebases for all uses of sudo, replace with privleap where appropriate
*** grep through entire Kicksecure and Whonix codebases for all uses of pkexec, replace with privleap where appropriate
* Port maybe needed? What should happen if a user runs repository-dist in user mode?
<pre>
packages/kicksecure/repository-dist/debian/control:Depends: pkexec,
packages/kicksecure/repository-dist/usr/lib/python3/dist-packages/repository_dist_wizard/repository_dist_wizard.py:            command = ['pkexec', 'repository-dist', '--disable']
packages/kicksecure/repository-dist/usr/lib/python3/dist-packages/repository_dist_wizard/repository_dist_wizard.py:            command = ['pkexec', 'repository-dist', '--enable'] + repository
</pre>
* Port not needed because runs in sysmaint session:
<pre>
packages/kicksecure/calamares-settings-debian/calamares-install-debian:pkexec calamares
packages/kicksecure/calamares-settings-debian/debian/control: pkexec,
packages/kicksecure/live-config-dist/debian/control:Depends: helper-scripts, pkexec, rsync, libglib2.0-bin, xdg-user-dirs,
packages/kicksecure/live-config-dist/usr/bin/install-host:if ! [ -x '/usr/bin/pkexec' ] || ! [ -x '/usr/bin/sudo' ]; then
packages/kicksecure/live-config-dist/usr/bin/install-host:The pkexec or sudo command is not executable by the current user. Installation cannot proceed. You may need to log in as user 'sysmaint' to resolve this.
packages/kicksecure/live-config-dist/usr/bin/install-host:pkexec install-host-calamares-wrapper
packages/kicksecure/live-config-dist/usr/share/polkit-1/actions/com.kicksecure.install-host-calamares-wrapper.policy:
</pre>
* Will cause issue https://forums.whonix.org/t/getting-setup-dist-error-in-whonix-gateway/21162 - separate ticket created:
<pre>
'/usr/bin/pkexec'
packages/kicksecure/tor-control-panel/debian/control: pkexec,
packages/kicksecure/anon-connection-wizard/debian/control: pkexec,
packages/kicksecure/anon-connection-wizard/usr/lib/python3/dist-packages/anon_connection_wizard/tor_status.py:        command = ['pkexec', '/usr/libexec/anon-connection-wizard/acw-write-torrc', temp_file_path]
packages/kicksecure/anon-connection-wizard/usr/lib/python3/dist-packages/anon_connection_wizard/anon_connection_wizard.py:        command = ['pkexec', '/usr/libexec/anon-connection-wizard/acw-write-torrc', Common.torrc_tmp_file_path]
</pre>
* Port not needed (runs in sysmaint session or not important):
<pre>
packages/kicksecure/kicksecure-meta-packages/debian/control: pkexec,
packages/kicksecure/sysmaint-panel/debian/control: pkexec,
packages/kicksecure/tb-starter/usr/bin/torbrowser:    if ! pkexec /usr/share/tb-profile-i2p/enable-i2p; then
packages/kicksecure/tb-starter/usr/bin/torbrowser:Most likely user-sysmaint-split is installed and you are booted into 'PERSISTENT mode USER' or 'LIVE mode USER'. To enable i2p, reboot and select 'PERSISTENT mode SYSMAINT', then open a terminal and run 'pkexec /usr/share/tb-profile-i2p/enable-i2p'. More info: https://www.kicksecure.com/wiki/Sysmaint"
packages/kicksecure/tb-starter/usr/bin/torbrowser:    ## This effectively results in a one time pkexec prompt for users of
</pre>
* Port not needed, not really using pkexec:
<pre>
packages/kicksecure/user-sysmaint-split/debian/control: pkexec) inaccessible to limited user accounts such as user "user".
packages/kicksecure/user-sysmaint-split/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf:/usr/bin/pkexec 4750 root sysmaint
packages/kicksecure/security-misc/debian/security-misc.postinst:    if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then
packages/kicksecure/security-misc/debian/security-misc.postinst:      if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then
packages/kicksecure/security-misc/debian/security-misc.postinst:        dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750'
packages/kicksecure/developer-meta-files/usr/bin/dm-packaging-helper-script:    'Depends: pkexec' \
packages/kicksecure/security-misc/debian/security-misc.undisplace:/usr/bin/pkexec.security-misc
packages/kicksecure/security-misc/usr/lib/systemd/system-preset/50-security-misc.preset:## Disable due to pkexec issues.
packages/kicksecure/security-misc/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf:/usr/bin/pkexec exactwhitelist
packages/kicksecure/security-misc/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf:/usr/bin/pkexec.security-misc-orig exactwhitelist
packages/kicksecure/security-misc/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf:## May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo,
packages/kicksecure/security-misc/usr/share/lintian/overrides/security-misc:security-misc: no-manual-page [usr/bin/pkexec.security-misc]
packages/kicksecure/security-misc/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded:root root 4755 /usr/bin/pkexec
</pre>
== user-sysmaint-split - passwordless login breaks when uninstalled ==
* Bug: removing user-sysmaint-split from a machine causes autologin to break, user is presented with login screen on boot
* Possibly caused by user sysmaint autologin handling?
* Fixed, along with some other issues: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/fix-passwordless-login
** Patrick: Merged.
== Strong Linux User Account Isolation wiki page - add Wayland considerations ==
* edit [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]] and point out differences in X11 versus Wayland in applicable chapters
* For example, chapter [[Dev/Strong_Linux_User_Account_Isolation#Console_Login_Attacks|Console Login Attacks]] currently only discusses X11. Please separate the description of X11 from Wayland.
** Done, did necessary research and added info to the wiki.
* please search with browser website internal search for all mentions of X11 and add Wayland equivalents documentation
** Used several different search terms that could reference X11, adding additional documentation where needed.
== user-sysmaint-split - port upgrade-nonroot to privleap ==
* port upgrade-nonroot to privleap, if sane
* do not add Depends: privleap
* https://forums.kicksecure.com/t/upgrade-nonroot-privilege-escalation-issue/886
* Done in https://github.com/ArrayBolt3/usability-misc/tree/arraybolt3/privleap
** Patrick: Merged.
* Patrick: refactored upgrade-nonroot. Could the following, if needed, please be improved and moved to its own dedicated wrapper script to avoid code duplication?
<pre>
if ! [ -f "/etc/privleapd/pid" ] ; then
  echo "$0: ERROR: code 1: TODO"
  exit 1
fi
if ! [ -d "/proc/$(cat /etc/privleapd/pid)" ] ; then
  echo "$0: ERROR: code 2: TODO"
  exit 1
fi
if ! [ -e "/etc/privleapd/comm/$(id -nu)" ]; then
  echo "$0: ERROR: code 3: TODO"
  exit 1
fi
</pre>
* Aaron: The version merged appears to have some bugs. Fixed version here: https://github.com/ArrayBolt3/usability-misc/tree/arraybolt3/privleap
** Patrick: Merged.
* Aaron: Also needs accompanying update in helper-scripts to fully fix, this also provides warnings if privleap isn't usable like shown above: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/sudoless-privleap
** Patrick: Merged.
== user-sysmaint-split - avoid /etc as pid file location ==
* File location /etc/privleapd/pid seems unusual.
** Aaron: We're not using /etc, we're using /run. Details shared in chat.
== user-sysmaint-split - bind-mounts based passwordless privilege escalation wrapper ==
* implemented using overlays (bind mounts)
* passwordless privilege escalation tools in Qubes Template
* useful error message in Non-Qubes user mode and Qubes App Qube. untested pseudocode:
<pre>
#!/bin/bash

## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
## See the file COPYING for copying conditions.

## If the real sudo is usable by this account, just hand over to it.
if test -x /path/to/real/sudo ; then
  exec /path/to/real/sudo "$@"
fi

## Avoiding 'source'ing external libraries to avoid additional AppArmor issues.
## 'source' is a bashism.
#. /usr/libexec/helper-scripts/get_colors.sh

if test -f /usr/share/whonix/marker ; then
  project_website="https://www.whonix.org"
else
  project_website="https://www.kicksecure.com"
fi

## Double quotes so that ${project_website} is actually expanded.
echo "ERROR: This account lacks administrative (\"root\") capabilities. See: ${project_website}/wiki/sysmaint" >&2

## Let the attempt to execute 'sudo' show the actual error message.
/path/to/real/sudo "$@"
</pre>
* After attempted implementation and running into roadblocks, we no longer want to do this. It's a hack to work around missing Qubes OS features that we should be developing.
== qubes-template-kicksecure - Thunar - icons missing ==
* ran into serious issues with icons in Thunar, see https://forum.xfce.org/viewtopic.php?id=18054
** Patrick: Could you please update the Xfce forum thread?
*** Thread updated and marked as solved.
* Should be fixed by this: https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/fix-thunar-icons-qubes
** Patrick: Merged.
== qubes-template-kicksecure - #3 ==
* rebuild qubes-template-kicksecure
* Now good enough to be built for qubes-community-testing repository by Qubes?
* If not, please create follow-up tickets.
* Patrick: Moved Thunar issue into its own ticket since not a blocker.
* Patrick: Next goal is to update https://github.com/QubesOS/qubes-issues/issues/9573 by posting a comment. Such as requesting that Qubes builds the Template for the community-testing repository. Selective broken applications are acceptable (such as Thunar). This is to allow upstream Qubes time to review, try to build the template, notify downstream Kicksecure of potentially yet unknown issues.
** Only immediately apparent issue I see is that we still have the bookworm-testers repo specified as the Kicksecure repo to use for the build process, whereas user-sysmaint-split is only available in bookworm-developers. This makes the build fail until the template-kicksecure code repo is manually edited to specify the correct source repo.
== user-sysmaint-split - review helper-scripts ==
* {{Github_link|repo=helper-scripts|path=/pull/13}}
* {{Github_link|repo=user-sysmaint-split|path=/pull/1}}
* Reviews complete and PRs were merged.
== privleap - compare what privleap is doing versus sudo and doas regarding environment ==
<pre>
action_env["HOME"] = user_info.pw_dir
action_env["LOGNAME"] = user_info.pw_name
action_env["PWD"] = user_info.pw_dir
action_env["USER"] = user_info.pw_name
</pre>
* please check what sudo / doas is doing for completeness sake
* env vars
* any other setup?
** doas (https://man.openbsd.org/doas.1):
*** HOME - We're already setting this.
*** LOGNAME - We're already setting this.
*** PATH - Set by systemd and inherited from privleapd, this is hardcoded to a known-good value.
*** SHELL - Useful to set, now hardcoded in privleapd to /usr/bin/bash (since that's the shell privleapd uses to run actions).
*** USER - We're already setting this.
*** umask - Default, inherited from systemd, probably do not want to change this.
*** DISPLAY - Usually specifies the active X11 display the process is running on. privleapd runs as a service and will have no X11 display, thus this is useless for us.
*** TERM - Specifies what terminal is in use. Probably also useless, processes run by privleapd are not given a PTY.
*** PWD - Not changed by doas. We're setting it, but we're also not changing the process's actual current working directory, which could potentially result in malfunctions. Fixed.
** sudo (https://man7.org/linux/man-pages/man8/sudo.8.html#ENVIRONMENT):
*** EDITOR - Used by sudo, but doesn't appear to be set by it.
*** MAIL - Set to the mail spool of the target user in some instances. This is empty on Kubuntu 24.04 and Kicksecure 17, and is set to /var/mail/user on a mostly minimal Debian 12 VM (that path doesn't actually exist on the VM though, strangely enough). Probably not useful.
*** HOME - We're already setting this.
*** LOGNAME - We're already setting this.
*** PATH - See above in doas section.
*** SHELL - See above in doas section.
*** SUDO_ASKPASS - Specific to sudo, not set by sudo.
*** SUDO_COMMAND - Specific to sudo, set to the command that is run by sudo. Potentially useful but also sudo-specific, probably not needed?
*** SUDO_EDITOR - Specific to sudo, not set by sudo.
*** SUDO_GID - Specific to sudo, set to the GID of the user who invoked sudo. Potentially useful, easy to implement in a secure manner. Desirable?
*** SUDO_PROMPT - Specific to sudo, not set by sudo.
*** SUDO_PS1 - Specific to sudo, not set by sudo, most likely only affects interactive shells which privleap doesn't support anyway.
*** SUDO_UID - Specific to sudo, set to the UID of the user who invoked sudo. Potentially useful, easy to implement in a secure manner. Desirable?
*** SUDO_USER - Specific to sudo, set to the login name of the user who invoked sudo. Potentially useful, easy to implement in a secure manner, but could potentially be used for malicious purposes if the user has a Unicode-based username? See https://lwn.net/Articles/1000485/. Redundant if SUDO_UID is implemented, probably we shouldn't set this.
*** USER - We're already setting this.
*** VISUAL - Used by sudo, but doesn't appear to be set by it.
== privleap - environment variables security ==
* consider account user setting malicious environment variables (length based buffer overflow, code substitution $(...) / `...` syntax)
** This should not be a problem. Environment variables cannot be inherited from the user that calls privleap because they are not transmitted by the client to the server. All actions launched by privleap will inherit their environment from the privleapd server, which inherits its environment directly from systemd. Environment variables that aren't inherited directly are currently derived from basic user info configured in root-owned files, thus not a security risk.
** Will keep this in mind if more environment variables need to be tweaked.
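As an added illustration of the two points above (the action environment is built only from root-owned user info, and PWD has to agree with the real working directory), here is a sketch that is not privleap's own code; the PATH string, the PRIVLEAP_CALLER_UID/GID names and the sample passwd entry are assumptions.

```python
import os
import pwd
import subprocess
from typing import Dict, List, Optional

# Known-good values a privleapd-style daemon hardcodes instead of taking them
# from whoever connected (PATH string below is an assumption; SHELL matches
# the hardcoded /usr/bin/bash mentioned above).
KNOWN_GOOD_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
ACTION_SHELL = "/usr/bin/bash"


def build_action_env(user_info: pwd.struct_passwd,
                     caller_uid: Optional[int] = None,
                     caller_gid: Optional[int] = None) -> Dict[str, str]:
    """Assemble an action's environment from scratch.

    Nothing is copied from the calling client's environment: every value comes
    from the target user's passwd entry (root-owned) or a constant above.  If
    the home directory does not exist, PWD falls back to "/" so it always names
    a directory the action can really be started in.
    """
    home = user_info.pw_dir if os.path.isdir(user_info.pw_dir) else "/"
    env = {
        "HOME": user_info.pw_dir,
        "LOGNAME": user_info.pw_name,
        "USER": user_info.pw_name,
        "PWD": home,
        "PATH": KNOWN_GOOD_PATH,
        "SHELL": ACTION_SHELL,
    }
    # Numeric analogues of SUDO_UID / SUDO_GID (hypothetical names): ids carry
    # none of the Unicode-username risk a SUDO_USER-style value would.
    if caller_uid is not None:
        env["PRIVLEAP_CALLER_UID"] = str(caller_uid)
    if caller_gid is not None:
        env["PRIVLEAP_CALLER_GID"] = str(caller_gid)
    return env


def run_action(argv: List[str], user_info: pwd.struct_passwd,
               caller_uid: Optional[int] = None,
               caller_gid: Optional[int] = None) -> subprocess.CompletedProcess:
    """Run argv with the rebuilt environment and a matching working directory.

    env=... replaces the inherited environment entirely, and cwd is set to the
    very directory PWD advertises, so the two can never disagree (the mismatch
    flagged and fixed in the doas comparison above).
    """
    env = build_action_env(user_info, caller_uid, caller_gid)
    return subprocess.run(argv, env=env, cwd=env["PWD"],
                          capture_output=True, text=True, check=False)


def sample_user() -> pwd.struct_passwd:
    """Constructed passwd entry (not read from the real /etc/passwd)."""
    return pwd.struct_passwd(
        ("user", "x", 1000, 1000, "sample", "/tmp", "/usr/bin/zsh"))


def demo() -> str:
    """Pollute our own environment the way a client might, then run an action."""
    os.environ["INJECTED_BY_CLIENT"] = "$(id)"
    result = run_action(
        ["/bin/sh", "-c",
         'printf "%s|%s|%s" "$PWD" "$SHELL" "${INJECTED_BY_CLIENT-unset}"'],
        sample_user(), caller_uid=1000, caller_gid=1000)
    return result.stdout  # "/tmp|/usr/bin/bash|unset"


if __name__ == "__main__":
    print(demo())
```

Note that SHELL comes out as the hardcoded bash even though the sample user's login shell is zsh, and the client-side variable never reaches the action.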
== privleap - code improvements ==
* Patrick:
** Output internal configuration to stdout? At least when debug mode is enabled. This would be useful to look into what actually got parsed.
** Worthwhile to simplify?
<pre>
self.auth_user = auth_user if auth_user != "" else None
self.auth_group = auth_group if auth_user != "" else None
self.auth_user = auth_user
self.auth_group = auth_group
if desired_action.auth_user is not None:
if desired_action.auth_user is not "":
</pre>
*** These are already either simplified, or can't reasonably be simplified further. In particular None and "" are not interchangeable and explicitly using None in Python is preferable when possible.
** Print first (more likely it will succeed and leave a log entry). Run the try/except block after?
<pre>
try:
    comm_session.send_msg(
        pl.PrivleapCommServerUnauthorizedMsg())
except Exception:
    print("handle_comm_session: Could not send UNAUTHORIZED")
    print(traceback.format_exc())
print("handle_comm_session: User is not authorized to run "
      "action '"
      + desired_action.action_name
      + "'")
</pre>
** Generally, do the safe action print to stdout (which ends up in journal) first. Later do things which might hang in theory.
*** Done.
== user-sysmaint-split - privleap - improvements ==
* user_name validation - enforce maximum user name length: user_name variable should have a reasonable maximum string length
* move user_name validation into a dedicated function?
* maybe signal name could be validated using the same function?
* Added requested features. https://github.com/ArrayBolt3/privleap/commit/6c653e64da4959de2b53b72ec49835c01808204b Rather than enforcing a maximum user name length though, I enforced a maximum client-sent message length since that was more comprehensive and easier to do in an efficient manner.
== user-sysmaint-split - privleap - implement user switch - runas ==
* please implement, if needed
* already done, will use it where needed
== privleap ==
* todo
* Beta-quality code: https://github.com/ArrayBolt3/privleap
** Extensively tested, but still needs to be battle-tested in real-world use and tested by someone other than just me.
== user-sysmaint-split - enable user-sysmaint-split by default for Xfce version ==
* for GUI (Xfce) version only:
** Patrick: Done.
* and for VM images as "loose packages"
** Patrick: Done.
* not Whonix-Gateway
** Patrick: Done.
* ISO: TODO
** Done: https://github.com/ArrayBolt3/derivative-maker Tested, works
== user-sysmaint-split - refactor pkexec support ==
* in https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/polkit /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 gets hardcoded, started by a script
** Is this a good mechanism?
** What would be the usual mechanism to start it when booting into normal mode? Let's suppose the answer is "a systemd unit". In this case, wouldn't it be less surprising, easier to understand, cleaner to use the same mechanism when booting into sysmaint session?
** Please either use the same mechanism or add a comment why this specific mechanism has been selected.
** Please document.
*** This does have to use a different mechanism, which is now documented: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/polkit
== user-sysmaint-split - sysmaint-boot.target should allow SSH ==
* todo
* https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/ssh
== permission-hardener v2 - add easy debug feature ==
* permission-hardener could use an easy debug feature. Once run, it collects relevant outputs from permission-hardener (print-policy, state files and anything else that may be required), prints them to stdout.
* would have been useful for the following bug report
* Diagnostics command added: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/permission-hardener-diag
== permission-hardener v2 - repetitive polkit-agent-helper-1 messages ==
* background: The polkit-agent-helper-1 config snippet went through several revisions. 1) usrmerge was dropped 2) symlink /usr/lib/policykit-1/polkit-agent-helper-1 that links to actual SUID /usr/lib/polkit-1/polkit-agent-helper-1.
** The bug already happened after revision 1. (Maybe even earlier.)
* on every run:
* only /usr/lib/polkit-1/polkit-agent-helper-1 shows up in print-policy, as expected
* bug: older revisions still show up in state, but should not?
* Bug fix: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/permission-hardener-symlink-fix Fully resolves symlinks, rejects hardlinks.
== user-sysmaint-split - research Qubes user to root isolation ==
* todo: read, comment if applicable
* https://qubes-os.org/doc/vm-sudo/
* https://www.qubes-os.org/doc/vm-sudo-implementation/
* https://github.com/QubesOS/qubes-issues/issues/8823
** https://github.com/QubesOS/qubes-issues/issues/8823#issuecomment-1953115546
*** has a small mention of /dev/xen
**** reported as bug: https://github.com/QubesOS/qubes-issues/issues/9717
* https://github.com/QubesOS/qubes-issues/issues/2695
* https://forum.qubes-os.org/t/passwordless-sudo-selinux-understanding-security-logic/22446
* Researched, discussed with Qubes OS devs. Put research and discussion results here: https://www.kicksecure.com/wiki/Dev/Qubes#Root_Privilege_Isolation_and_libxenvchan
== user-sysmaint-split - passwordless-root fixes ==
* /usr/bin/passwordless-root needs fixes?
* add dummy-dependency --cached option to avoid creating the dummy package at every boot
** Patrick: Done.
* store in a persistent directory
** Patrick: Done. /var/lib/dummy-dependency/dummy-user-sysmaint-split_99_all.deb
* make directory persistent using Qubes bind-dirs
** TODO
** which package would be suitable for the bind-dirs snippet?
*** I don't see why helper-scripts itself is bad, we do similar things for systemcheck, legacy-dist, and sdwdate.
*** https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/dummy-dependency-qubes
== security - upgrade comment ==
* please comment as discussed
* https://forums.kicksecure.com/t/upgrade-nonroot-privilege-escalation-issue/886/3
== continuous review ==
* before merging newer derivative-maker git tag, please [[Dev/git#Compare|compare]] doing theoretic review
* please discuss and/or open tickets in case commentary is applicable
* +1, will do this regularly.
== permission-hardener - make migration code faster ==
* The following is too slow. Can take more than a minute on a fast system. Appears as if the system is broken.
<pre>
readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
readarray -t custom_hardening_arr < <(find /usr/lib/permission-hardener.d /etc/permission-hardener.d -type f)
</pre>
* Can find be used?
** find has many pitfalls: https://mywiki.wooledge.org/UsingFind
** Especially when using readarray?
* Aaron: I'm using dpkg -V specifically to find ''modified'' permission-hardener files. It does a similar job to debsums. However, right now I'm letting it scan all packages on the system, when it really only has to scan security-misc, anon-apps-config, and user-sysmaint-split.
** Commit fixing speed issues: https://github.com/ArrayBolt3/security-misc/commit/396372c1295e2a09d596f3e23fccc26794a26f05
** Note: Not tested yet.
* Patrick: modified_pkg_data_str might include:
<pre>
modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
</pre>
* Patrick: merged. Tested. Please review my changes on top. (Theoretic only.)
** Aaron: Reviewed, recommended changes at {{Github_link|repo=security-misc|path=/compare/master...ArrayBolt3:security-misc:master}}
*** Patrick: Merged.
== user-sysmaint-split - fix pkexec for sysmaint user ==
* Aaron:
** Note, gparted and zulucrypt probably *should* work in sysmaint session. pkexec also doesn't work in sysmaint session. I believe the reason they don't work is because there's likely a polkit-related systemd unit we need to be depending on in sysmaint-boot.target.
* Fixed, turns out it was a missing user-side startup process. https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/polkit
** Patrick: Merged.
== user-sysmaint-split - Whonix documentation review ==
* please review https://www.whonix.org/wiki/Sysmaint
** Fixed some typographical errors, otherwise looks good to me.
== user-sysmaint-split - Qubes support ==
* user-sysmaint-split - useful to install in Qubes for Kicksecure or Qubes-Whonix? Probably yes, due to sudo hardening.
** Patrick: Done.
* Plan for Kicksecure-Qubes and Qubes-Whonix-Workstation?
** No longer install qubes-core-agent-passwordless-root by default.
*** Patrick: Done.
** Install user-sysmaint-split by default in new Qubes-Whonix-Workstation templates.
*** Patrick: Done.
** Install qubes-core-agent-passwordless-root by default in new Qubes-Whonix-Gateway templates.
*** Patrick: Done.
** Users could not really use account sysmaint due to missing X server. Instead, user needs to use a [[Root#Qubes_Root_Console|Qubes Root Console]].
*** Patrick: Done.
* Plan for Qubes-Whonix-Gateway?
** Keep [[unrestricted admin mode]] to be on par with Non-Qubes-Whonix-Gateway?
*** Patrick: Done.
* user documentation
** Patrick. Done: https://www.whonix.org/wiki/Sysmaint
* suggestions for [https://github.com/QubesOS/qubes-issues/issues/9519 create user `admin` by default and add user `admin` to group `sudo` by default]?
== legacy-dist - enable GRUB force_efi_extra_removable ==
<pre>
debconf-set-selections <<< 'grub-efi-arm64 grub2/force_efi_extra_removable
</pre>
* please add to {{Github_link|repo=legacy-dist|path=?}} (postinst), if sane
* code needs to be defensive. GRUB might not be installed. (Qubes; chroot; direct kernel boot; unknown)
* Risky to do for existing users (might overwrite other bootloaders). Therefore not doing this.
== kicksecure-meta-packages fixes for qubes-template-kicksecure ==
* packages in https://github.com/Whonix/qubes-whonix/blob/master/debian/control need to be re-implemented in kicksecure-meta-packages as appropriate
* Fixes needed ('''NOT YET DONE'''):
** Add qubes-core-agent-networking, qubes-core-agent-thunar, and xfce4-settings to package kicksecure-qubes-gui.
** Add user-sysmaint-split to template code.
*** Requires user-sysmaint-split to be published in Kicksecure's repos
**** Patrick: Done.
* Branch with enhanced metapackages: https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/kicksecure-qubes
** Was not able to test this locally, couldn't figure out how to get a locally built package to be used in a Kicksecure build. Need to research that further in the future. I was able to build the package with genmkfile though.
*** Patrick: Merged, built and uploaded and tested. (No bugs found.)
== user-sysmaint-split - consider disabling polkit-agent-helper-1 ==
* for potentially affected packages, see: "apt purge polkitd"
* does it break Network Manager WiFi configuration from account "user"?
* cat usr/lib/permission-hardener.d/20_user-sysmaint-split.conf
<pre>
## TODO:
## See also:
## /usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf
#/usr/lib/policykit-1/polkit-agent-helper-1 4750 root sysmaint
#/lib/policykit-1/polkit-agent-helper-1 4750 root sysmaint
</pre>
* Current verdict: '''I believe this is likely safe to disable.'''
** Affected applications I tested were gparted, zulucrypt, and the NetworkManager widget.
** NetworkManager "just works" even with this executable's permissions hardened.
** gparted and zulucrypt are both broken for both account user and user sysmaint even without this executable's permissions hardened.
*** Note, gparted and zulucrypt probably *should* work in sysmaint session. pkexec also doesn't work in sysmaint session. I believe the reason they don't work is because there's likely a polkit-related systemd unit we need to be depending on in sysmaint-boot.target.
**** Patrick: follow-up ticket created
* Patrick: disabled
== live-build - enable GRUB force_efi_extra_removable ==
* todo
* if applicable
* Already done in 2800_create-lb-iso. Shouldn't need any further changes to live-build to make work.
== permission-hardener - disable action does not remove existing_mode and new_mode statoverride file ==
* bug? as discussed.
** Neither database should be ''removed'' wholesale.
** existing_mode should keep tabs on any file permission-hardener touches, recording the original file modes as appropriate. It's fine for it to not be modified when disabling hardening on a file.
** Removing entries from existing_mode is potentially dangerous since it can make it impossible for the user to disable permission hardening on a file if a bug is encountered that re-hardens the file after hardening has been disabled.
** On my system, new_mode is appropriately modified when disabling one or all files. However, new_mode had some problems (it wasn't being copied forward to the new v2 location, thus rendering it useless, and the original file had some corruption issues), so I put a migration system in place for new_mode that is similar to the one we created for existing_mode.
** https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/more-permission-hardener
== publish Debian security report ==
* as discussed
* Published: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718225#115
== qubes-template-kicksecure ==
* https://github.com/QubesOS/qubes-issues/issues/9573
* try if {{Github_link|repo=qubes-template-kicksecure}} can be built locally
* document on [[Dev/Qubes]] how to download, verify Qubes builder v'''2''' (or fix upstream documentation if that seems more feasible)
** https://github.com/QubesOS/qubes-builderv2/
* Documentation written and tested.
* Upstream PR at https://github.com/QubesOS/qubes-builderv2/pull/170, approved and merged.
** Patrick: Done.
* Fixes needed ('''DONE'''):
** Figure out why repository-dist isn't being called, environment variable seems to not be getting through
*** Fixed in qubes-builderv2 PR, also required fixes to the Kicksecure and Whonix templates.
**** https://github.com/ArrayBolt3/qubes-template-whonix
**** https://github.com/ArrayBolt3/qubes-template-kicksecure
***** Done. Both merged.
== review list of remaining SUIDs ==
/usr/lib/qubes/qfile-unpacker: Probably still needed.
- Appears to be an integral part of file transfer between qubes, stripping SUID from this in an AppVM results in that AppVM being unable to receive files any longer. (It can still send files to other qubes though.)
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
- Needed for D-Bus system activation to work, see https://dbus.freedesktop.org/doc/system-activation.txt. May be vital for desktop features to work normally. Appears to have been designed with security in mind and can only be called by root or a user in the `messagebus` group (which currently has one member, namely user `messagebus`).
/usr/lib/chromium/chrome-sandbox: Probably OK.
- This is safe to disable. Chrome/Chromium now uses namespace-based sandboxing rather than a SUID sandbox for most use cases, and while the SUID sandbox is still technically supported (https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md), it's also virtually unused (https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md). Chromium still works fine when it is stripped of its SUID bit and rendered no longer executable, and opening `chrome://sandbox` while in this state shows that sandboxing is still working perfectly fine.
/usr/lib/openssh/ssh-keysign: ?
- Used only for SSH host-based authentication (https://linux.die.net/man/8/ssh-keysign), needed to allow access to the machine's host key for use in the authentication process. This is a non-default method of authenticating to SSH, and is likely rarely used, thus this should be safe to disable.
/usr/lib/polkit-1/polkit-agent-helper-1: Should be handled in user-sysmaint-split?
- Required for Polkit to function at all (https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid#, https://gitlab.freedesktop.org/polkit/polkit/-/issues/168). Changing permissions here may break more than just normal privilege escalation. May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo, however even that might not be safe.
/usr/sbin/pam-tmpdir-helper: ?
- Used by the pam_tmpdir module to create a secure temporary directory for the user that is logging in. (https://manpages.ubuntu.com/manpages/oracular/man8/pam-tmpdir-helper.8.html) Apparently specific to Debian, there isn't actually any Git repo with this code in it, it's just a "floating" package in the Debian archive. Written by the same person who maintains the package. Almost certainly cannot be disabled without causing serious problems, but may be worth auditing. (Worthy of note, it doesn't seem this program takes any user input, but relies solely on the calling user's UID and GID, though this could require further review.)
/usr/bin/fusermount3: ?
- Critical component of FUSE (Filesystem in USErspace), used by things such as AppImages and Docker. If not SUID, unprivileged users will be unable to use FUSE any longer - this completely breaks AppImages, among other things. Should be left enabled to avoid causing problems.
/usr/bin/qfile-unpacker: Probably still needed.
- Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker, and stripping SUID from this does *not* break file copying. Unsure what this is for, asked in Qubes OS Matrix room for clarification.
* Patrick: Migrated these comments to permission hardener configuration.
* Patrick: Disabled SUID for chrome/chromium sandbox and SSH.
== permission-hardener - restore permissions on configuration changes - #2 ==
* bug: when package user-sysmaint-split is removed, permission-hardener fails to restore sudo and pkexec permissions
** Fix with migration alert: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/permission-hardener-migrate
** TODO: Need to actually write the documentation for this on the wiki!
* Patrick:
** Please move state file variable v2_state_file from inline to /usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded or so. That would make that file more easily maintainable.
** Please open a PR.
Instead of
<pre>
echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride'
</pre>
Replace with
<pre>
cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'
</pre>
** Aaron: Done.
** potential bug: Some files exist only in some situations. Legitimately.
*** '/usr/lib/permission-hardener.d/30_ping.conf' is Whonix-only.
**** Aaron: Not a problem, the existing_state for the ping executable is the same on Kicksecure and Whonix, regardless of whether anon-apps-config is installed or not.
*** user-sysmaint-split may or may not be installed
**** Aaron: Also not a problem for similar reasons.
*** Please make sure these situations do not result in "custom configuration detected".
**** Aaron: Tested, behaves as intended now.
** Please INFO echo any custom configuration file found.
*** Aaron: Done.
** Please exclude new image builds from this migration code. If folder /var/lib/permission-hardener does not exist, there is no need for the migration code to run.
*** Aaron: Done, by checking for the existence of the old-style /var/lib/permission-hardener directory.
* PR with all changes integrated: {{Github_link|repo=security-misc|path=/pull/295}}
== user-sysmaint-split - shutdown action - #2 ==
* a systemd unit to lock the sysmaint account on shutdown
* ExecStop cannot be used. Quote man page:
** "Also note that the stop operation is always performed if the service started successfully, even if the processes in the service terminated on their own or were killed."
** "Note that the commands specified in ExecStop= are only executed when the service started successfully first."
* A separate, real shutdown systemd unit required. Please compare with some other shutdown related systemd units using shutdown.target.
* Should lock unconditionally no matter what boot mode. That should be safe on shutdown.
* https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/lock-sysmaint-on-shutdown
** Redone to avoid ExecStop and use a shutdown-time systemd unit instead. Also locks down unconditionally on shutdown.
== Kicksecure DNS proper /etc/resolv.conf during build process ==
* Kicksecure DNS setting is currently "implicit" as per https://forums.kicksecure.com/t/dns-nameserver-10-139-1-1/858/15
* It however, should be "explicit".
* Until more secure settings are implemented (waiting for replies from unbound), a sane /etc/resolv.conf file needs to be created during the build process
* VM builds vs ISO builds
* Implemented in initializer-dist to make sure it works no matter how things leak: https://github.com/ArrayBolt3/initializer-dist/tree/arraybolt3/resolv-conf
** Patrick: Not compatible with Whonix, there /etc/resolv.conf is package managed.
*** Patrick: Implemented in derivative-maker help-steps/chroot-raw instead.
== analyze pam stack ==
* old:
<pre>
/usr/bin/sudo /usr/bin/apt update
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
Command exited. You may close this window safely.
</pre>
* new:
<pre>
[template user ~]% sudo apt update
Sorry, user user is not allowed to execute '/usr/bin/apt update' as root on localhost.
zsh: exit 1     sudo apt update
</pre>
* due to pam wheel changes, this works better now
* todo: why does this work better now? the pam wheel changes should not affect that.
* moved content here: [[Dev/Strong_Linux_User_Account_Isolation#Analyze_PAM_Stack|Analyze PAM Stack]]
== debian grub-pc with grub-efi co-installation issue bug report ==
* please check if one already exists, report a bug or feature request against Debian for grub-pc with grub-efi co-install-ability
* https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=904062
== user-sysmaint-split - review changes ==
* Patrick made some minor changes.
** Reviewed, looks good to me. Will test when adding the sysmaint account lock shutdown action.
== address Linux Installer review ==
* some review comments about Linux installer have been sent privately
* please address, if applicable
* root_cmd or another function should be used instead of sudo
** this is for the benefit of using end-of-options ("--")
* real_file="$(sudo realpath "${file}")"
** please do not hardcode sudo, use root_cmd
** is variable real_file actually used for anything?
* use shellcheck
* All problems fixed:
** https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/root-cmd-improve
** https://github.com/ArrayBolt3/usability-misc/tree/arraybolt3/dist-installer-sysmaint-polish
== DNS - Kicksecure Default DNS Discussion ==
* https://www.kicksecure.com/wiki/DNS
* https://www.kicksecure.com/wiki/DNS_Security
* https://forums.kicksecure.com/t/dns-nameserver-10-139-1-1/858/15
* https://forums.whonix.org/t/default-dns-provider-discussion-for-kicksecure-not-whonix/16870
* https://forums.whonix.org/t/use-dnscrypt-by-default-in-kicksecure-not-whonix/8117
* please read, comment, edit as applicable
** Read, updated documentation and wrote a long comment suggesting next steps for implementing DNSSEC
== document ARP related sysctl changes ==
* please create a [[networking]] wiki page
* {{Github_link|repo=security-misc|path=/pull/288}}
* {{Github_link|repo=security-misc|path=/pull/289}}
* {{Github_link|repo=security-misc|path=/pull/290}}
* {{Github_link|repo=security-misc|path=/pull/291}}
* Created, also tested arp_ignore's effects on a common virtualization use case.
== permission-hardener - usrmerge ==
* assume usrmerge, make it a dependency
* simplify configuration (/bin no longer needed)
* Distribution morphing: document, if applicable
** No need to depend on usrmerge, Bookworm requires merged /usr
** No need to document for the same reason
** Fixed security-misc with no more /bin modifications: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/usrmerge
== user-sysmaint-split - rads integration ==
* review Patrick's changes
* avoid "systemctl start rads" hardcoded, if possible.
* Reasons: Qubes does not come with rads by default. System might not have rads. User might have uninstalled rads. Difficult to check if a systemd unit is installed. (systemctl list-units | grep rads - might find a similarly named systemd unit.)
* Fixed, now starts rads using the systemd target instead: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/avoid-rads-in-script
== permission-hardener refactor ==
* Avoid lazy loading, instead build state arrays and apply them in an idempotent fashion
* Currently planned algorithm:
** Build the state first, starting with an empty state array if there is no state or loading an existing state array if there is state. For each file mentioned in the policy, check to see if it's in the state array, and if not, add its current user owner, group owner, and permissions state to the array. (TODO: How to handle capabilities? For now we can just support stripping them and not support adding them back.)
** Next, apply the policy to the state. Copy the state array to a new array, and then change the user owner, group owner, permissions state, and capabilities to match the policy. It is important that it be done this way, because this means if the policy used to modify a file, but now no longer does, that file's original permissions state will still exist in the state array, and thus will be considered part of the state that permission-hardener applies (i.e. the file gets its original permissions back).
** Apply the built, policy-enhanced state to the filesystem's active state. For each file in the state array, delete the file's entry in dpkg-statoverride, then change the file's actual state to match the state array (again using dpkg-statoverride to do this).
** To undo a policy for a file, load the state file, wipe the dpkg-statoverride entry for it, and then apply the stored state to the real file.
* Ready for review: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/permission-hardener-refactor
* PR: {{Github_link|repo=security-misc|path=/pull/293}}
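Added illustration of the build / apply / undo algorithm described above. This is not security-misc's permission-hardener (which is a bash script working through dpkg-statoverride); it is a self-contained POSIX sh model whose function names (ph_build_state, ph_apply, ph_undo, ph_demo) and sample files (su, ping in a scratch directory) are assumptions made here. It tracks only file modes, because chown and dpkg-statoverride need root, so what it demonstrates is the shape of the algorithm: original state is recorded once, the policy is applied on top of the recorded state, and a file that drops out of the policy is restored because its original mode is still in the state file.

```shell
#!/bin/sh
# Added example (not security-misc code): state-file-first permission hardening.
# Only modes are tracked; in the real design the state also holds owner, group
# and capabilities, and changes are pushed through dpkg-statoverride.
set -e

# Current octal mode of a file (GNU stat, with a BSD fallback).
ph_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Look up a path in a "path mode" file; prints the mode, or nothing if absent.
ph_lookup() {
  awk -v p="$2" '$1 == p { print $2 }' "$1"
}

# Step 1: build the state. Every path in the policy that is not yet in the
# state file gets its *current* mode recorded as the original. Existing
# entries are never overwritten, so re-running after hardening does not record
# the hardened mode as "original".
ph_build_state() {
  policy="$1"; state="$2"
  touch "$state"
  while read -r path _mode; do
    [ -n "$path" ] || continue
    if [ -z "$(ph_lookup "$state" "$path")" ]; then
      printf '%s %s\n' "$path" "$(ph_mode "$path")" >>"$state"
    fi
  done <"$policy"
}

# Steps 2 and 3: apply the policy to the stored state and push the result to
# the filesystem. Every path in the state file is visited: paths still in the
# policy get the policy mode, paths that dropped out of the policy get their
# original mode back. Running this twice gives the same result (idempotent).
ph_apply() {
  policy="$1"; state="$2"
  while read -r path orig_mode; do
    [ -n "$path" ] || continue
    want="$(ph_lookup "$policy" "$path")"
    [ -n "$want" ] || want="$orig_mode"
    chmod "$want" "$path"
  done <"$state"
}

# Step 4: undo everything, restoring each file to its recorded original mode.
ph_undo() {
  while read -r path orig_mode; do
    [ -n "$path" ] || continue
    chmod "$orig_mode" "$path"
  done <"$1"
}

# Demo on a scratch directory (constructed sample files, not real binaries).
# Prints three "su-ping" mode pairs: after policy v1, after policy v2, after undo.
ph_demo() {
  dir="$(mktemp -d)"
  touch "$dir/su" "$dir/ping"
  chmod 755 "$dir/su" "$dir/ping"
  printf '%s 700\n%s 700\n' "$dir/su" "$dir/ping" >"$dir/policy-v1"
  printf '%s 700\n' "$dir/su" >"$dir/policy-v2"   # ping dropped from policy

  ph_build_state "$dir/policy-v1" "$dir/state"
  ph_apply "$dir/policy-v1" "$dir/state"
  ph_apply "$dir/policy-v1" "$dir/state"           # second run changes nothing
  r1="$(ph_mode "$dir/su")-$(ph_mode "$dir/ping")"

  # Policy v2 no longer mentions ping; the state file still knows its original
  # mode, so ping is restored while su stays hardened.
  ph_build_state "$dir/policy-v2" "$dir/state"
  ph_apply "$dir/policy-v2" "$dir/state"
  r2="$(ph_mode "$dir/su")-$(ph_mode "$dir/ping")"

  ph_undo "$dir/state"
  r3="$(ph_mode "$dir/su")-$(ph_mode "$dir/ping")"

  rm -rf "$dir"
  printf '%s %s %s\n' "$r1" "$r2" "$r3"
}
```

Running ph_demo shows the property the refactor is after: the second build on policy v2 does not re-record su's already-hardened mode as its original, so the final undo brings both files back to 755.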
== user-admin-split - installer sysmaint support ==
* context: [[Linux]]
* wrap all commands in run_as_root versus run_as_user, if useful
* improve privilege escalation tool detection
* sudo -u user
* keep unrestricted admin mode / "normal" Linux distribution compatibility
** PR with the bulk of the changes: {{Github_link|repo=usability-misc|path=/pull/13}}
** Sudoers exception needed to make the above work in sysmaint session: https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/dist-installer-sysmaint
== user-sysmaint-split - Wayland support ==
* sddm support (because that is LXQt's default login manager)
** Can set default user account and session by modifying /var/lib/sddm/state.conf
* Needs to use labwc as window manager instead of xfwm4 when in Wayland mode
* Might need separate sessions for Wayland and X11, provided either by different packages or with some configurable switch
** Patrick: multiple packages best avoided as discussed
* Implementation (SDDM tested, Wayland untested): https://github.com/ArrayBolt3/user-sysmaint-split/tree/arraybolt3/wayland-sddm-support
* Will be difficult to fully test until Kicksecure's Trixie port is underway
== calamares - investigate keyboard layout issue ==
* https://forums.kicksecure.com/t/problems-with-the-installation/836
* Asked user for more information, cannot reproduce.
* No response, archiving.
== report research results to purism ==
* as discussed
* Done.
== pam wheel - review ==
* please review Patrick's new pam wheel implementation
** Reviewed and tested, looks good and works as intended on my end.
== sysmaint-panel - Qubes support ==
* bug: when qubes-core-agent-passwordless-root is not installed but user-sysmaint-split is not installed, sysmaint-panel fails to notify the user that root escalation is failing
<pre>
/usr/bin/sudo /usr/bin/apt update
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
Command exited. You may close this window safely.
</pre>
* issue introduced by Kicksecure. not applicable with Qubes
<pre>
qvm-template install debian-12-minimal
</pre>
* Issue caused by security-misc/usr/share/pam-configs/wheel-security-misc. If account user is not in group sudo, this check fails and causes PAM authentication to fail, even if user has no password.
** This file seems obsolete - the file states that it prevents users who aren't part of group wheel from using su, but su isn't even executable by anyone other than root due to permission hardening.
** Issue should be resolvable by adding user to sudo in the template, or by removing this config file.
** After discussion with Patrick, preferred solution is to create a script that can detect if the `su` command is being called, and only ensure that the user account in use is in the `sudo` group if this is the case.
** After further research, su actually has a PAM configuration file that can be used here, allowing us to use pam_wheel as intended without causing conflicts.
* Fix: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/fix-sudo
** Patrick: not merged. implemented with a different implementation. follow-up ticket created.
== ISO - ARM64 build failing ==
<pre>
./derivative-maker --target iso --flavor kicksecure-xfce --repo true --remote-derivative-packages true --arch arm64
</pre>
<pre>
Setting up python3-pil:arm64 (9.4.0-1.1+deb12u1) ...
Traceback (most recent call last):
  File "/usr/bin/py3compile", line 323, in <module>
    main()
  File "/usr/bin/py3compile", line 302, in main
    compile(files, versions,
  File "/usr/bin/py3compile", line 187, in compile
    cfn = interpreter.cache_file(fn, version)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/python3/debpython/interpreter.py", line 212, in cache_file
    (fname[:-3], self.magic_tag(version), last_char))
                 ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/python3/debpython/interpreter.py", line 246, in magic_tag
    return self._execute('import imp; print(imp.get_tag())', version)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/python3/debpython/interpreter.py", line 359, in _execute
    raise Exception('{} failed with status code {}'.format(command, output['returncode']))
Exception: ('python3.11', '-c', 'import imp; print(imp.get_tag())') failed with status code -11
dpkg: error processing package python3-pil:arm64 (--configure):
 installed python3-pil:arm64 package post-installation script subprocess returned error exit status 1
</pre>
* This appears to be a bug in either Xen or QEMU. python3 intermittently segfaults when run in an arm64 chroot emulated on an amd64 machine. To reproduce simply, boot into Qubes OS, open a Debian 12 AppVM, ensure qemu-user-static and mmdebstrap are installed in the AppVM, then run sudo mmdebstrap --architecture=arm64 bookworm armtest. Then bind-mount important dirs with sudo mount --bind /dev armtest/dev && sudo mount --bind /dev/pts armtest/dev/pts && sudo mount --bind /proc armtest/proc && sudo mount --bind /sys armtest/sys. Then chroot in, run apt update && apt install python3, and then finally run the following segfault reproducer:
<pre>
for i in {1..800}; do
  python3 -c 'import imp; print(imp.get_magic())' >/dev/null 2>/dev/null
  exit_code="$?"
  echo "$exit_code"
  if [ "$exit_code" != '0' ]; then
    break
  fi
done
</pre>
* This should output a lot of zeros, but eventually it should segfault and return non-zero. This usually happens at least once in 400 runs for me, but it's possible that it won't happen that soon, thus why the above reproducer tries 800 times.
* This issue only occurs under Qubes OS for me. In a KVM VM, even 1600 attempts does not segfault on my machine.
* The version of QEMU in bookworm-backports appears to have solved this. Run sudo apt install -t bookworm-backports qemu-user-static in your Debian 12 (or Kicksecure) template, shut down the template and reboot affected AppVMs, then attempt the above reproduction steps again. It should not segfault even with 1600 attempts. I have also confirmed that an ISO build succeeds when doing this.
* Worth reporting to Debian as a bug report against Bookworm specifically? (This probably doesn't affect Sid since it's using a newer QEMU version, approximately the same version as in bookworm-backports.)
* Worth enhancing the derivative-maker dependency installation code to allow specifying specific packages from backports so that we can ensure that qemu-user-static from bookworm-backports is used?
== iso - calamares - Argon2id ==
* are we using Argon2id because it is a cryptsetup default?
* please follow-up if useful on these tickets
* https://github.com/calamares/calamares/issues/2127
* https://invent.kde.org/system/kpmcore/-/merge_requests/43
* We are currently using Argon2id, but only because it is the default in Debian's cryptsetup.
* Followed up at https://invent.kde.org/system/kpmcore/-/merge_requests/43#note_1084941. No follow up needed on the Calamares ticket, the choice of which version of LUKS to use is already configurable and there's a good reason for Calamares to not default to LUKS2 yet.
* Waiting on a response from the original MR creator. Will make an MR of my own if allowed or if the original author doesn't respond in a week or so.
* Original MR creator did not respond, filed my own MR: https://invent.kde.org/system/kpmcore/-/merge_requests/56
* Merged upstream.
== heads ticket ==
* https://github.com/linuxboot/heads/issues/1881
* https://mjg59.dreamwidth.org/70630.html
** Potentially useful for the remote use case scenario, not useful for the local scenario, will add to wiki
* content useful for [[Verified Boot]]?
** Added.
== user-sysmaint-split - ISO - sysmaint session - #3 ==
* follow-up
** live-config-dist: https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/sysmaint
*** Patrick: Not merged. Needs revision to be compatible with "traditional boot mode" when user-sysmaint-split is not installed -> copied to new ticket
**** Aaron: Fixed.
== research verified boot and measured boot ==
* https://www.kicksecure.com/wiki/Dev/About_Computer_(In)Security
* https://www.kicksecure.com/wiki/Hardware_Wallet_Security
* https://www.kicksecure.com/wiki/Verified_Boot
* https://www.kicksecure.com/wiki/Measured_boot
* review, watch, improve, keep notes
* in preparation for consultation with firmware developer
Update #1:
Please review:
* https://www.kicksecure.com/wiki/Verified_Boot#Boot_Block_versus_TPM
** Aaron: Reviewed, updated. Note, the TPM doesn't use XOR when extending PCR values, and banks don't really matter half so much as PCRs, based on my research.
* https://www.kicksecure.com/wiki/Verified_Boot#Boot_Block_Based_Attacks_Against_Measured_Boot
** Aaron: Reviewed, updated, but I'm not sure where the fake TPM comes into play so I'm not sure I correctly understood this.
* https://www.kicksecure.com/wiki/Verified_Boot#TPM_EK_-_Endorsement_Key
** Aaron: Reviewed, updated.
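Added illustration, not part of the wiki page or of the notes above: what a TPM PCR extend actually computes, for the point that it is not an XOR. The new PCR value is SHA-256(old PCR bytes || measurement bytes) in the SHA-256 bank (every other bank repeats the same step with its own hash). Function names (measure, pcr_extend, pcr_replay, pcr_demo) and the three sample component strings are assumptions made here; a real boot log hashes file contents and the TPM performs the extend itself.

```shell
#!/bin/sh
# Added example (not from the wiki or the TPM spec text): PCR extend replay.
# PCR_new = H(PCR_old || H(component)); order of components matters and the
# old value is hashed in, never XORed in.
set -e

# Hex SHA-256 of stdin (coreutils first, BSD shasum as fallback).
sha256hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# Hash a measured blob. A string stands in here for a bootloader or kernel file.
measure() {
  printf '%s' "$1" | sha256hex
}

# Write hex as raw bytes on stdout. Uses octal escapes so it works without xxd
# and in dash as well as bash. Rejects odd-length input.
hex2bin() {
  h="$1"
  [ $(( ${#h} % 2 )) -eq 0 ] || return 1
  while [ -n "$h" ]; do
    pair="$(printf '%.2s' "$h")"
    h="${h#??}"
    printf "\\$(printf '%03o' "$((0x$pair))")"
  done
}

# One extend: new PCR = SHA-256(old PCR bytes || measurement digest bytes).
pcr_extend() {
  { hex2bin "$1"; hex2bin "$2"; } | sha256hex
}

# A PCR starts out as all-zero bytes after reset (SHA-256 bank: 32 bytes).
PCR_RESET="0000000000000000000000000000000000000000000000000000000000000000"

# Replay a boot sequence (constructed sample components, not a real event log)
# from the reset value and print the resulting PCR.
pcr_replay() {
  pcr="$PCR_RESET"
  for component in "$@"; do
    pcr="$(pcr_extend "$pcr" "$(measure "$component")")"
  done
  printf '%s\n' "$pcr"
}

# Same components in a different order, or one swapped component, both land
# on a different PCR value; a verifier that only knows the expected final PCR
# cannot tell *which* step changed, only that the chain differs.
pcr_demo() {
  good="$(pcr_replay "firmware" "bootloader" "kernel")"
  swapped="$(pcr_replay "firmware" "kernel" "bootloader")"
  tampered="$(pcr_replay "firmware" "bootloader" "evil-kernel")"
  printf 'good     %s\nswapped  %s\ntampered %s\n' "$good" "$swapped" "$tampered"
}
```

Two consequences worth keeping in mind from the arithmetic: extending a reset PCR with a single measurement does not yield that measurement (an XOR would), and a verifier needs the ordered event log, not just the final PCR, to work out which component diverged.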
Considered:
How does android implement relock bootloader with user custom keys?
* Document shortcomings with a vendor-provided, no-true-ROM solution
** There may not be serious shortcomings with this after all.
* Android trusts the hardcoded android hardcoded bootloader?
** The firmware does appear to be implicitly trusted. It is possible that the device SoC cryptographically verifies the firmware similar to Boot Guard, but if so, this isn't documented anywhere obvious, and it doesn't appear that Android Verified Boot considers malicious system firmware in the threat model.
* https://android.stackexchange.com/questions/238980/why-is-it-possible-to-re-lock-the-bootloader-after-installing-a-custom-rom-on-s
* [https://source.android.com/docs/security/features/verifiedboot/device-state#user-settable-root-of-trust Android: User-settable root of trust]
* [https://source.android.com/docs/security/features/verifiedboot/boot-flow Android: Boot Flow]
* [https://source.android.com/static/docs/security/images/verified-boot-flow.png Android: Figure 1. Verified boot flow.]
* rollback protection
* theft protection
* factory reset protection
* watch some videos on how Android is flashed, locked, unlocked, relocked
* Figure out how Heads avoids relay attacks with firmware verification, if it does -> https://github.com/linuxboot/heads/issues/1881
* android hardware keystore (HSM)
** This is of questionable use for verified boot. It might be useful for factory reset protection but there may be better ways to do that. It also relies on an ARM TrustZone "secure world" which is scary.
* See if adding some sort of secure, append-only storage is useful and work it in if so (hardware keystore hsm)
** Most likely is useful for rollback protection, documented. It could be implemented using a "secure world" similar to TrustZone but it seems better to implement it in hardware, potentially.
* TPM MITM issue
** This is only really a problem if the attacker can modify the motherboard, which is a threat model that is extremely difficult to defend against and should probably be considered out-of-scope.
* offline theft protection
* online theft protection (remote locking)
** Likely too difficult. Requires a cloud service in the middle, which is bad for privacy and a potential security hole itself.
* compare TOTP vs challenge response based (NitroKey). Or "nothing" (Android)?
** TOTP and HOTP are both potentially vulnerable to relay attacks, HOTP less so if used carefully. Better yet still would be a data signature challenge (i.e. here's a blob of random data, sign it and send it back to me so I can check that your signature is good).
<pre>
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
</pre>
<pre>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
6e:45:f9:a8:af:38:3d:a1:a5:c7:76:1d:02:f8:77:00.
Please contact your system administrator.
Add correct host key in /home/hostname/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:4
RSA host key for pong has changed and you have requested strict checking.
Host key verification failed.
</pre>
* either send own hardware or TOFU
** Send own hardware is highly preferable
* maybe solvable if cloud vendor reveals TPM EK fingerprint beforehand?
** Not sufficient. The TPM can be fooled by firmware if Boot Guard isn't in use, and the user can't be sure that Boot Guard is in use unless they can either remotely verify the authenticity of the CPU (likely not possible unless using Intel TDX or AMD SEV) or they can verify it locally.
* explain how others do it, compare:
** With Android, where companies are protecting themselves from the user, the same thing is true. The "owner" (manufacturer) can provision the system the way they want and the "attacker" (user) can't do anything about it ([[Miscellaneous_Threats_to_User_Freedom#Device_Attestation_such_as_SafetyNet|Device Attestation such as SafetyNet]])
* remote attestation is possible without verified boot? if known, please document, if unknown answer, please mention.
** Yes, it is possible, see https://safeboot.dev/attestation/. It appears that TPM measurements are used by the machine being attested to prove its identity to the machine doing the attesting.
* custom kernel modules? re-invent MOK?
** If we're using UEFI Secure Boot like our current plan states, we can just use the MOK mechanism as-is. We also could have the user sign their kernel modules so they pass Secure Boot normally.
* boot guard -> dasharo (3MDEB) firmware -> heads (?) -> verify Debian's kernel against Debian's key?
** No need for Heads, we're just using UEFI.
* maybe the unchangeable root of trust would be well placed with boot guard, dasharo. the hopefully socially incorruptible organisation becoming the caretaker taking care of the most difficult parts.
** Easier to have no single root of trust, instead have toggleable roots of trust for each distro and also allow the user to set their own root of trust.
* key management could be done at a "simpler level". at the level of heads (or similar).
** Some sort of key management tooling will be needed, and since we're using UEFI directly this may be difficult. Perhaps a UEFI application can be made that will make this easier? Or do we just need special firmware features? (We may need some way for the user to change Secure Boot keys remotely for the purposes of credential rotation, although this might not be needed and could be scary.)
Concept improvements:
* stage 0 - super simple, write firmware from USB, no display graphical output support, truly read-only
* stage 1 - dasharo default firmware
* stage 2
* Verify distribution (Debian) kernel against distribution public key. Making use of EFI signatures but without using EFI.
* Mention why not using EFI.
* What if evil maid flashes using stage 0? -> Should break TOTP or similar mechanism.
* stage 1 preinstalled dasharo/heads firmware is required to match usability of user-settable root of trust, re-lock bootloader with user key supported Android phones such as Google Pixel.
* OS rollback protection
* factory reset protection
* Firmware rollback protection?
** if the user changes firmware keys on every update that might give us this "for free", but the key changes could be an expensive operation
* Document the need for a true ROM for firmware installation in the current design
* Create alternate design that involves no true ROM and vendor-provided firmware
* Review Google's Android docs more and pull in anything that would make either design better
* usability: at least as good as Android phones, if not better
* no concept of OEM ROMs -> user chosen operating systems are the primary focus
* compatibility with standard Linux distributions, if possible
* windows compatibility? Probably not, unless there's an alternative enable EFI option in the firmware
* android: users can use their own key but they can also use images by distributions
* replay attacks
* relay attacks
== user-sysmaint-split - remove advanced boot options for first time start ==
* rationale: "advanced boot options" are useless (because there are no multiple kernel versions for new VM images or after ISO installation) and confusing for new users
* helper-script: invent a new script grub-cfg-remove-advanced-boot-options to edit /boot/grub/grub.cfg directly
* run_once:
** chroot-scripts
** calamares
* document this on the [[Grub]] wiki page
* Ended up going with a different solution that moves all of the advanced boot entries to the end of the list. Looks cleaner, all functionality is retained. Changes were made to the following packages:
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/grub-cfg
** grub-live: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/grub-cfg
** user-sysmaint-split: https://github.com/ArrayBolt3/user-sysmaint-split
== iso sysmaint session - #2 ==
* as discussed
* Current state (WIP):
** live-config-dist changes for unrestricted admin mode, probably shouldn't be merged until Trixie: https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/sysmaint
*** Patrick: merged
** user-sysmaint-split bugfix: https://github.com/ArrayBolt3/user-sysmaint-split
*** Patrick: merged
** sysmaint-panel Calamares support: https://github.com/ArrayBolt3/sysmaint-panel
*** Patrick: merged
** live-build changes to add sysmaint and unrestricted admin changes (PROBABLY SHOULD HAVE PUSHED THIS TO A DIFFERENT BRANCH, '''DO NOT MERGE'''): https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
*** Patrick:
<pre>
git revert 4f1f20bb6f86e6a8ff2ae3aed450d83eb726a55e?
git revert 68a91cb9a00a5e9f00947e002e2642f3da14e800?
</pre>
<pre>
export TMPDIR='/tmp'
</pre>
* necessary? needs to be commented or removed
* Fixed dummy-dependency and removed this from check-unrestricted-admin.
== calamares - implement - Allow distros to restrict what filesystems can be used in manual partitioning ==
* https://github.com/calamares/calamares/issues/2397
* PR here: https://github.com/calamares/calamares/pull/2400 Awaiting full review from devs.
* Reviewed and merged.
== fix Secure Boot fallback bootloader problems ==
* as discussed
* Fix part 1: https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/secure-boot-fix
** Patrick: merged
* Fix part 2: https://github.com/ArrayBolt3/derivative-maker/commit/2ddc2dd7b8275cb440223c57a95305d8fb40cddc
** Patrick: merged
== ISO - Debug chsh failure ==
<pre>
/var/lib/dpkg/info/dist-base-files.postinst: INFO: Setting shell for user 'user' to zsh.
Password:
chsh: PAM: Authentication failure
/var/lib/dpkg/info/dist-base-files.postinst: ERROR: Command 'chsh --shell /usr/bin/zsh user' failed.
</pre>
This is only a minor issue.
* Possibly caused by this commit? {{Github_link|repo=dist-base-files|path=/commit/e4ba4e8ffc43f5ec3326c742bf86d56c34f23d79}}
* We're trying to set the shell to zsh before the /etc/shells file is updated. Setting zsh as a Pre-Depends of dist-base-files silently failed to resolve this, thus had to be added to Kicksecure's package list at the appropriate location.
* Fixed: https://github.com/ArrayBolt3/derivative-maker/commit/ce6e8e5da6b3428eb36b1f7650edfab54436e5d2
** Patrick: merged
== ISO - use BUILD_INITRAMFS_PKGS ==
* todo: could you please use $BUILD_INITRAMFS_PKGS (already existing variable) instead of hardcoding dracut as initramfs generator?
* Done: https://github.com/ArrayBolt3/derivative-maker/tree/master
** Patrick: merged
== boot modes wiki page review ==
* [[Dev/user-sysmaint-split]] has been updated
* Please review.
* Ideas for chapter [[Dev/user-sysmaint-split#Server_Support|Server Support]], and
* chapter [[Dev/user-sysmaint-split#Todo|Todo]]?
* Related to upcoming tasks run0, sudoless, doas.
* I do not believe we should be implementing opt-out by having the user uninstall or delete things. Instead, let's provide a "Classic" option that the user can select at the boot menu, and provide guidance on modifying the default boot option.
** Patrick: The "classic" option would be confusing in the boot menu. Better to make user-sysmaint-split package uninstallable: dummy-dependency user-sysmaint-split
*** Aaron: Sounds good.
**** Patrick: Wiki page updated.
* Do we really want a recovery mode admin option? We specifically wanted to get rid of easy recovery mode access elsewhere.
** Patrick: Wiki was outdated on that. Recovery mode can stay disabled. Wiki has been updated to remove recovery mode.
* Server support can be handled by changing the default boot entry using grub-set-default most likely.
** Patrick: This would mean to boot the server always into admin mode? In that case, perhaps better to go back to "classic"?
*** Aaron: Yes, and that's included in the dummy-dependency user-sysmaint-split plan, so that's what we can do. Perhaps kicksecure-host-cli should use "classic" mode by default and kicksecure-host-xfce should use "user-sysmaint-split" by default?
**** Patrick: Yes. Wiki page updated.
* We need to choose what the default, topmost boot entry will become. Should that be "PERSISTENT mode User"?
** Patrick: Yes.
* We may want to prepend "Kicksecure" to all of these boot menu entries for clarity as to which operating system is which. For Whonix, we can prepend "Whonix" to the boot menu entries.
** Patrick: Yes.
* Added some more ideas, including thoughts for server support. I don't think we need a todo chapter since this dev/todo document works as that.
== review USBGuard pull request ==
* {{Github_link|repo=security-misc|path=/pull/166}}
* https://usb-ids.gowdy.us/read/UC/
* Reviewed PR, requested changes, did some simple tests to make sure it didn't cause major issues.
== review ARP related network settings ==
* {{Github_link|repo=security-misc|path=/pull/279}}
* Reviewed, can document if desirable
== document sysmaint warnings in wiki ==
* as discussed
* [[sysmaint]]
* Documented. Didn't add a screenshot of the warnings from LightDM though since I didn't think they were worth the space on the page, I can add them if desirable.
== user-sysmaint-split and sysmaint-panel improvements ==
* rationale:
** A single command dummy-dependency --yes --purge user-sysmaint-split would be sufficient to go back to classic sudo setup. Uninstallation of sysmaint-panel would be unnecessary. Users could use sysmaint-panel even in classic sudo setup.
** sysmaint-panel should be fully independent from user-sysmaint-split. It could also be used in classic sudo mode, where user "user" has access to sudo/pkexec.
** easier to test sysmaint-panel
** Qubes compatible
<pre>
subprocess.Popen(["/usr/libexec/helper-scripts/terminal-wrapper",
                  "/bin/sh", "-c", "$SHELL"])
</pre>
* Is /bin/sh needed? /usr/libexec/helper-scripts/terminal-wrapper "$SHELL" works for me (manually tested).
* {{Github_link|repo=sysmaint-panel|path=/blob/master/etc/X11/Xsession.d/15_no_sysmaint_xfce}}
** remove xfce from the name, if applicable
** move to user-sysmaint-split
* sysmaint-panel Depends: usability-misc or is that a superfluous dependency?
<pre>
echo "[Desktop]
Session=sysmaint-session" \
  | sponge -- '/home/sysmaint/.dmrc'
</pre>
* needs to be run under user sysmaint to avoid permission issues
* needs Depends: safe-rm maybe?
* sysmaint-panel folder /usr/lib/systemd/system doesn't seem right for a gui package. Maybe...
** user-sysmaint-split-cli
** user-sysmaint-split-gui
** sysmaint-panel
*** would be a good split?
*** But actually we can get that down to 2 packages only. user-sysmaint-split + sysmaint-panel
* move {{Github_link|repo=sysmaint-panel|path=/blob/master/usr/libexec/sysmaint-panel/sysmaint-session}}
** to user-sysmaint-split
** How? By making sysmaint-panel a "plugin" or "extension".
<pre>
xfwm4 &
# Needed to prevent window ordering problems
sleep 1
sysmaint-panel
</pre>
* could be changed to: if available, run sysmaint-panel. otherwise, just open a terminal. Pseudo code, untested:
<pre>
xfwm4 &
# Needed to prevent window ordering problems
sleep 1
## NOTE: bashism
if command -v sysmaint-panel &>/dev/null ; then
  sysmaint-panel
else
  /usr/libexec/helper-scripts/terminal-wrapper "$SHELL"
fi
</pre>
* add a sysmaint-panel /usr/share/desktop/sysmaint-panel.desktop file
* check file help-steps/pre function root_check
** something similar is required for sysmaint-panel
** if sudo cannot be executed -> show an error message, explain to boot into sysmaint, show a link
* sysmaint-panel: honor signal sigterm
* https://github.com/ArrayBolt3/sysmaint-panel
** Patrick: merged
* https://github.com/ArrayBolt3/user-sysmaint-split
** Patrick: merged
* https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/sysmaint
** Patrick: merged
== investigate dracut-config-generic ==
* VM images use dracut-config-generic because help-steps/variables has:
<pre>
[ -n "$BUILD_INITRAMFS_DRACUT" ] || BUILD_INITRAMFS_DRACUT="dracut dracut-live dracut-config-generic binutils dmsetup pigz"
</pre>
* ISO images do not have dracut-config-generic
<pre>
apt-file list dracut-config-generic
dracut-config-generic: /etc/dracut.conf.d/20-generic-image.conf

cat /etc/dracut.conf.d/20-generic-image.conf
hostonly="no"
</pre>
* TODO: Would it be useful to have this package also on the ISO? Specifically since it would be useful if this package ends up on the installed system to always have a generic initial ramdisk as well as for feature/bug parity with VM images.
* Patrick: Seems actually already done as per:
<pre>
live-build/scripts/build/config:
NEEDED_PACKAGES="live-config live-config-systemd systemd-sysv dracut-live dracut-config-generic dracut"
</pre>
* Aaron: Confirmed, chrooting into the squashfs on a live-build-built Kicksecure ISO and running dpkg-query -s dracut-config-generic shows that it is install ok installed. Furthermore the 20-generic-image.conf file exists on the ISO.
== investigate sudoless ==
* https://github.com/secureblue/secureblue/releases/tag/v4.2.0
* https://www.kicksecure.com/wiki/Dev/secureblue#sudoless
* Could we go sudoless by default?
* sudo no longer readable/executable by account user should be equally good as or better than sudoless? sudo SUID issues would not be a problem if account user cannot execute sudo anymore? Only user admin would be allowed to execute sudo.
* In case of going "sudoless" (actually similar to sudoless), it would not even be required to port to either run0 or doas?
* This would require finding solutions for existing sudoers.d exceptions. This can be drafted on the [[Dev/sudo]] wiki page.
* Sudoless desktop-config-dist: https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/sudoless Ready for merge whenever desirable.
** Patrick: Was merged.
* '''WIP''' Persistent admin mode (EDIT: this is now bitrotten and is not the direction we're going in to implement this):
** Currently missing separate user account support!
** grub-live: https://github.com/ArrayBolt3/grub-live/tree/arraybolt3/sudoless Adds an admin mode boot entry.
*** This may be the wrong package to put this in, do we want a new package for this?
**** Patrick: grub configuration looks good but requires dedicated package.
** security-misc: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/sudoless Actually implements the permissions changes for user and admin modes.
*** Patrick: Does not really? Does not belong into security-misc. Dedicated package required.
== user-sysmaint-split ==
* implement package user-sysmaint-split as per [[Dev/user-sysmaint-split]]
* Control panel app for sysmaint session: https://github.com/ArrayBolt3/sysmaint-panel
* Updated user-sysmaint-split with fixes, integrates with control panel app: https://github.com/ArrayBolt3/user-sysmaint-split
* sysmaint user account lock detection: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/sysmaint
* terminal-wrapper fix for better UX: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/terminal-wrapper
== pam-info improvements for user-sysmaint-split ==
* todo
* Done: https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/sysmaint
== admin-gui ==
* open terminals - helper-scripts /usr/libexec/helper-scripts/terminal-wrapper
* update software
* reboot
* shut down
* Done: https://github.com/ArrayBolt3/sysmaint-panel
== VirtualBox unattended installation pass-through ==
* how does that mechanism work?
* Short, highly simplified answer: for Debian, it finds a file on the ISO at /.disk/info and parses it for info. This file identifies Kicksecure ISOs as being Debian, and it's difficult to customize the contents in live-build. Needs either customization options added or downstream patches.
* Might be worth asking the VirtualBox people if they would consider adding a feature that would allow ISOs to "opt out" of autoinstall support, so that the user can't even try to use it in autoinstall mode.
== investigate dracut-config-rescue ==
* https://forums.whonix.org/t/replacing-initramfs-tools-with-dracut/4487/8
* https://packages.debian.org/bookworm/dracut-config-rescue
<pre>
cat /etc/dracut.conf.d/20-rescue.conf
dracut_rescue_image="yes"
</pre>
* related to https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724?
* TODO: good to keep or should be omitted?
* There appears to be no difference between an initramfs built with dracut-config-rescue installed and one without it. According to the Arch Wiki (https://wiki.archlinux.org/title/Dracut), the "rescue" module is supposed to provide tools such as vi, ping, etc., which are useful in the rescue shell, but I know from experience those are NOT present in Kicksecure's initramfs images. Thus I don't think it makes any difference either way. We could remove it in order to lighten our images, I don't expect this will cause any harm.
* Diff output between initramfs generated with dracut-config-rescue present (old-unpack), and initramfs generated without it (newer-unpack):
<pre>
root@localhost:~# diff -r -u old-unpack/ newer-unpack/
File old-unpack/main/dev/console is a character special file while file newer-unpack/main/dev/console is a character special file
File old-unpack/main/dev/kmsg is a character special file while file newer-unpack/main/dev/kmsg is a character special file
File old-unpack/main/dev/null is a character special file while file newer-unpack/main/dev/null is a character special file
File old-unpack/main/dev/random is a character special file while file newer-unpack/main/dev/random is a character special file
File old-unpack/main/dev/urandom is a character special file while file newer-unpack/main/dev/urandom is a character special file
diff: old-unpack/main/etc/systemd/system/initrd.target.wants/dracut-cmdline-ask.service: No such file or directory
diff: newer-unpack/main/etc/systemd/system/initrd.target.wants/dracut-cmdline-ask.service: No such file or directory
diff: old-unpack/main/var/lock: No such file or directory
diff: newer-unpack/main/var/lock: No such file or directory
</pre>
== dummy-dependency purge feature ==
<pre>
dummy-dependency [remove|purge] pkgname
</pre>
* Done: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/dummy-dependency-purge
== dracut rescue shell disablement maybe broken - VirtualBox install unattended option result in dracut rescue shell ==
* todo
* Fixed: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads The ISO will no longer be detected as an autoinstallable Debian ISO after merging this.
== simple integrity check boot option ==
* not hidden under utilities
* simple hash check
* probably an existing dracut feature
* At ISO build time, a utility implantisomd5 (from the package isomd5sum) must be run on the built ISO to embed the md5 sum into it.
* Passing the kernel command line argument rd.live.check will trigger Dracut to run isomd5check to check the ISO's contents against this embedded md5 sum at boot time.
* Could add this to derivative-maker or live-build. Willing to implement wherever is preferred.
* Patrick (from chat): best upstream
* Upstream MR: https://salsa.debian.org/live-team/live-build/-/merge_requests/392
* live-build fork with enhancements: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
* derivative-maker change to enable the feature: https://github.com/ArrayBolt3/derivative-maker/tree/master
== ISO - GRUB - failing to boot after installation ==
* version 17.2.8.2
* environment VirtualBox, EFI, Secure Boot
* ISO is booting
* after installation, does not boot
* Secure Boot issue: functional after disabling Secure Boot
* Fixed: https://github.com/ArrayBolt3/derivative-maker/tree/master
== ISO - GRUB - cosmetic GRUB error message ==
* environment: VirtualBox + EFI + Secure Boot (might be reproducible elsewhere too)
<pre>
error: prohibited by secure boot policy
</pre>
* Turns out you can't load unsigned fonts when Secure Boot is enabled. It's possible that even the default unicode.pf2 font in GRUB is unsigned.
* Can't find an easy way to detect Secure Boot so that we can avoid running commands that will result in errors.
* There probably isn't an easy way to fix this, combining this into the "silence cosmetic errors" task.
== recovery mode disabling ==
* https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
* https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
* Done, but the bootloader password still needs to be implemented. https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/no-recovery-mode
== ISO - GRUB boot menu - add timeout to live boot menu ==
* todo
* Done: https://github.com/ArrayBolt3/derivative-maker
* Requires live-build changes from https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads for all changes to work.
== ISO - GRUB boot menu - utilities option does nothing ==
* tested where: inside Qubes OS VM
* is memtest missing on the ISO?
** Yes, it is. Adding it should fix this issue.
* Done: https://github.com/ArrayBolt3/derivative-maker
* Requires live-build changes from https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads for all changes to work.
* note: increase RAM in the Qubes VM to avoid dropping to CLI (no GUI). Full instructions are here: [[Qubes#ISO|Qubes, ISO]]
== ISO - GRUB boot options text - add version number ==
<pre>
Kicksecure Live ISO 17.2.8.1 GNU/Linux
${dist_build_type_short_pretty} Live ISO ${dist_build_version} GNU/Linux
</pre>
* remove: built
* remove: linux
* remove: live-build
* remove: live-config
* possible to use live-build-data/grub-config/splash.svg as a template, copy it to temporary folder (as usual? derivative-binary?) and adjust?
* reason: dist_build_version is the most important if user post screenshots with this. everything else adds confusion?
* Done: https://github.com/ArrayBolt3/derivative-maker
* Requires live-build changes from https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads for all changes to work.
== ISO - GRUB boot menu cosmetic efi related error messages ==
* tested where: inside Qubes OS VM
* difficult to see unless recorded on video
<pre>
error: file `/boot/grub/i386-pc/efi_gop.mod' not found.
error: file `/boot/grub/i386-pc/efi_uga.mod' not found.
</pre>
* Debian bug for the core image? Got some search results:
<pre>
site:debian.org error: file `/boot/grub/i386-pc/efi_gop.mod' not found.
</pre>
* Maybe live-build fails to install a grub package?
* Side effect of no longer installing Debian-Installer?
** This is the result of fixing the missing font bug. If the unicode.pf2 font can be loaded, GRUB sets a static display resolution of 800x600 and attempts to load four different video drivers, two of which are the efi_gop.mod and efi_uga.mod drivers, and the other two of which are video_bochs and video_cirrus. If the font load fails, it allows the resolution to be automatically detected, and loads a driver called all_video. We now always end up on the codepath involving the efi_gop and efi_uga drivers, since the font is now always found.
** Coincidentally, I noticed a bug where VMs with virtio graphics would not get a fancy graphical prompt, presumably because virtio is handled by the all_video driver and not the other four drivers.
** I think it would be best to just unconditionally use the all_video driver and autodetect resolution. The existing logic doesn't make sense to me, and because the font didn't even exist in the expected spot previously, we'd just be going back to the codepath we were hitting previously.
** After experimentation, this didn't work well at all. Went back to old GRUB config code from upstream with a note that it does not work. Fixing this will require more study to see how to get GRUB to not show cosmetic errors like this.
== ISO - btrfs versus grub-live bug - hotfix ==
* bug: btrfs is persistent in grub-live mode, while it should not be
* hotfix: please disable btrfs
* Hotfixed and merged into Kicksecure.
== derivative-maker git tag following ==
* to empower reviewers to follow changes from one tag to another
* as discussed
* TODO: a generic script to review any (nested) git submodules going from one tag (or commit) to another
** This turned out to be nearly impossible and definitely impractical.
* TODO: document this on [[Dev/git]]
* Discovered git diff --submodule=diff, which is useful
* Created sample script that provides difftool-like features with meld, and shared it with Patrick.
* Sent feature request / offer to contribute for git difftool --submodule=diff support in Git: https://lore.kernel.org/git/20241208030222.60e7ac70@kf-ir16/T/#u
* Found PatchViewer tool and documented use under [[Dev/git]]
== investigate run0 ==
* https://forums.whonix.org/t/replace-sudo-with-doas/17482/28
* https://www.freedesktop.org/software/systemd/man/256/run0.html
* as alternative to doas
* does run0 abolish the need for [[Dev/user-sysmaint-split]]?
** It does not; in fact, its presence may make implementing the user/admin split difficult, since it means systemd is providing a "backdoor" for running programs as root even without SUID bits being used.
*** Can be disabled using polkit config, change all auth options to no in the org.freedesktop.systemd1.manage-units section of /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy
* Posted reasons to avoid use at https://forums.whonix.org/t/replace-sudo-with-doas/17482/29
== grub-live debian control best practices ==
* please review, improve
* {{Github_link|repo=grub-live|path=/blob/master/debian/control}}
* Should grub-live Depends: grub-live-dracut | grub-live-initramfs-tools?
** The existing setup seems fine to me. It is unfortunate that Debian lacks the ability to specify a group of packages in a dependency declaration, as the existing structure seems like an awful lot of work to depend on either dracut, or live-boot + live-tools. But, it works, and it seems to me like the best way to do this given Debian's limitations and structure.
== ISO - fwupd ==
* Add fwupd
* fwupd-signed
* note: architecture specific? (As it turns out, yes.)
* Done: https://github.com/ArrayBolt3/derivative-maker/tree/master
== ISO - GRUB unicode.pf2 error message ==
<pre>
error: `/grub2/fonts/unicode.pf2' not found
</pre>
* Please fix.
* Should be fixed in latest derivative-maker improvements.
== ISO - live-build - misc improvements ==
* Any other misc improvements?
* live-config-dist: https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/d-i-disable
* derivative-maker: https://github.com/ArrayBolt3/derivative-maker
== advice on safe_echo vs dist-installer-cli ==
* {{Github_link|repo=usability-misc|path=/blob/master/usr/bin/dist-installer-cli}}
* https://forums.whonix.org/t/whonix-linux-installer-development-discussion/15917/188
* Comment left, can work on implementing suggested fix if desired
== live-build downloads ==
* investigate
* Handled.
== review source code - str_replace file garbage bug - str_match ==
* already fixed in git master
* please review
** str_replace
** str_match
* Determined root cause - failing to truncate file when rewriting.
* Reviewed code, added minor improvements to reliability and performance: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/str_python_scripts
== swap-file-creator improvements ==
* https://forums.kicksecure.com/t/enhanced-heuristics-for-determining-the-swap-file-size-in-swap-file-creator/749/2
* swap-file-creator changes: https://github.com/ArrayBolt3/swap-file-creator/tree/arraybolt3/heuristics
* helper-scripts changes: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/heuristics
== ISO - consider installing by default on ISO ==
<pre>
packages_to_be_installed+=" mokutil "
packages_to_be_installed+=" keyutils "
packages_to_be_installed+=" efibootmgr "
</pre>
* mokutil is already installed.
* How about the others?
* Note: architecture specific. AMD64 vs PPC etc.
* These packages don't really cause any harm if installed on a BIOS machine, and both amd64 and arm64 UEFI machines may benefit from them. I don't see any reason not to include them by default.
* All of these are being installed by default on both amd64 and arm64 builds, and appear to be pulled in either by Calamares or by GRUB. I think we should leave these up to live-build to choose whether to automatically install them or not, since if we end up supporting platforms that use firmware other than BIOS or UEFI in the future, these might not be relevant.
== multi architecture support ==
* the following code can be removed from build-steps.d/1200_prepare-build-machine?
* required by grml-debootstrap for arm64 builds?
* please add support for other architectures to build-steps.d/2800_create-lb-iso
* just mostly generic code. theoretical support only. no actual build tests needed for all architectures at this time.
<pre>
## The following grub packages are (partially) build dependencies by Debian live-build.
## Certainly required for amd64 ISO images booted with shim and grub.
if [ "${host_architecture}" = "amd64" ]; then
  ## These packages are all available for the amd64 platform.
  ## "grub-mkrescue will automatically include every platform it finds." [1]
  ## [1] https://lists.gnu.org/archive/html/grub-devel/2014-03/msg00009.html
  ## Install them all for best compatibility and reproducible builds.
  ## Some might be unnecessary and waste a bit of space.
  ## Maybe this can be optimized later.
  packages_to_be_installed+=" grub-efi-amd64-bin grub-pc-bin grub-coreboot-bin grub-efi-ia32-bin grub-xen-bin grub-ieee1275-bin "
  packages_to_be_installed+=" grub-efi-amd64-signed "
  packages_to_be_installed+=" shim-unsigned shim-signed shim-signed-common "
  packages_to_be_installed+=" shim-helpers-amd64-signed "
elif [ "${host_architecture}" = "i386" ]; then
  packages_to_be_installed+=" grub-efi-amd64-bin grub-pc-bin grub-coreboot-bin grub-efi-ia32-bin grub-xen-bin grub-ieee1275-bin "
  packages_to_be_installed+=" grub-efi-ia32-signed "
  packages_to_be_installed+=" shim-unsigned shim-signed shim-signed-common "
  packages_to_be_installed+=" shim-helpers-i386-signed "
elif [ "${host_architecture}" = "ppc64el" ]; then
  packages_to_be_installed+=" grub-ieee1275-bin "
elif [ "${host_architecture}" = "ppc64" ]; then
  packages_to_be_installed+=" grub-ieee1275-bin "
elif [ "${host_architecture}" = "sparc64" ]; then
  packages_to_be_installed+=" grub-ieee1275-bin "
elif [ "${host_architecture}" = "arm64" ]; then
  packages_to_be_installed+=" grub-efi-arm64-bin "
  packages_to_be_installed+=" shim-unsigned shim-signed shim-signed-common "
elif [ "${host_architecture}" = "riscv64" ]; then
  packages_to_be_installed+=" grub-efi-riscv64-bin "
else
  true "${red}${bold}WARNING:${reset} ${under}The ISO to be built might be unbootable!${eunder}
- This is because bootloader support is not implemented when building on this
  system's host_architecture.
- Either the build script does not know how to install the required grub '-bin'
  package for this architecture or the package is simply unavailable.
- Therefore ISO cross builds are unsupported. Patches welcome.
  Might be possible to implement this by running image-to-iso using qemu.
- There is also a small chance that host_architecture detection failed. (Using multiarch, wine?)"
fi
</pre>
* Better multi-arch support now at https://github.com/ArrayBolt3/derivative-maker/tree/master
* I tested amd64 and arm64 builds to reduce the risk of breaking things, but I did not test other architectures.
= ARCHIVED 1 =
== move archived tasks to Dev/todo/archived ==
* move to [[Dev/todo/archived]]
== iso - calamares - key stretching ==
* please review [[Passwords#Key-Stretching|Key-Stretching]]
* opportunities to improve calamares encryption settings?
* Looks good to me, Kicksecure is already using this, but there's room to potentially help other distros set this if they want.
== tirdad - dkms amd64 to arm64 cross build bug ==
* Qubes (amd64) build VM
* bug: Somehow DKMS is using the chroot's host (Qubes VM) kernel headers instead of the chroot's kernel headers.
* might be related to live-build commit:
** 4a8b01df80a958b0fe83d2bf8958d9e2124cb71c
** but that build already included that commit
* tirdad doesn't work on arm64 sadly (requires Livepatch, but arm64 lacks Livepatch), thus has to be omitted from arm64 builds.
** Commit: https://github.com/ArrayBolt3/derivative-maker/commit/a58d65f7f83e93e23ae9f46ed979a083f1245808
== passwordless-root ==
* todo: review
* [[Root#passwordless-root|passwordless-root]]
* {{Github_link|repo=usability-misc|path=/blob/master/usr/bin/passwordless-root|text=/usr/bin/passwordless-root}}
* Looks good to me. The actual admin/user split can be implemented, at least to begin with, very simply, by using a systemd unit that reads a kernel parameter and adjusts available user accounts and SUID bits accordingly.
== review /usr/bin/passwordless-root ==
* usability misc - /usr/bin/passwordless-root
* Assuming it's been tested and works, the code looks good, I don't see any security holes here.
== live-build - localrepos - permission issue ==
* related to above?
* Qubes (amd64) build VM
<pre>
N: Download is performed unsandboxed as root as file '/root/localrepos/kicksecure/pool/main/a/apparmor-profile-hexchat/apparmor-profile-hexchat_5.1-1_all.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
...
+ error 'ERROR: Live build chroot stage failed!'
</pre>
* Not a problem, this is a normal message for apt to show when installing packages from a local repo.
== doas - submit a pwfeedback feature request ==
* todo
* Request sent via email, see https://marc.info/?l=openbsd-tech&m=173284374231855&w=2
* Rejected by upstream.
== doas - submit a /usr/local/etc/doas.d /etc/doas.d drop-in configuration feature request ==
* todo
* parse only configuration files ending with .conf (to avoid parsing editor backup files ending with "~", ".bak", ".dpkg-old" or similar)
* Request sent via email, see https://marc.info/?l=openbsd-tech&m=173284374231855&w=2
* Rejected by upstream, response to the suggestion was borderline hostile.
== live-build - test arm64 cross-build support ==
* as discussed
* Changes were required to derivative-maker to support cross-building and arm64 ISO builds, also had to fix a couple bugs in live-build to make things work.
** Live-build changes: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
** derivative-maker changes: https://github.com/ArrayBolt3/derivative-maker/tree/master
*** Native arm64 builds have NOT yet been tested
== immutable /usr /etc without overlay ==
* Try to boot Kicksecure with read-only (immutable) /usr /etc.
* There should be no overlay. "Real" read-only. Not similar to live mode with non-persistent overlay.
* In case of issues, try with Debian, as there might be Kicksecure specific issues.
* This task is in preparation for [[Dev/user-sysmaint-split]].
** Kicksecure booted but failed to reach a graphical desktop environment. Console login was impossible because PAM faillock errors out when it can't write to the tally file.
** Debian booted but failed to reach a graphical desktop environment. Console login worked, but neither systemctl restart lightdm nor startx were able to reach a login screen or desktop environment.
== implement umask hardening ==
* as discussed
* PR: {{Github_link|repo=security-misc|path=/pull/282}}
== grep review harden pkexec ==
* please grep all source code for pkexec and review
* Checked, everything that hasn't been reviewed in other tasks looks safe.
== review and harden repository dist policykit polkit policy file ==
* /usr/lib/python3/dist-packages/repository_dist_wizard/repository_dist_wizard.py
<pre>
command = ['pkexec', 'repository-dist', '--enable'] + repository
</pre>
* Ok?
* Checked, this doesn't look like a threat to me, except in situations where the system is already badly compromised. Shared the one possible scenario with Patrick.
== umask research ==
* please research, find solutions for umask
* this is in preparation of
* https://forums.whonix.org/t/change-default-umask/7416
* {{Github_link|repo=security-misc|path=/pull/18}}
* {{Github_link|repo=security-misc|path=/issues/185}}
<pre>
pam_umask.so debug umask=027
</pre>
* run a script, if root, do nothing, otherwise set umask
<pre>
[success=2 default=ignore] pam_succeed_if.so debug uid eq 0
[success=1 default=ignore] pam_succeed_if.so debug use_uid uid eq 0
</pre>
* replace with pam_exec?
* Research recorded at {{Github_link|repo=security-misc|path=/issues/185#issuecomment-2492614076}}, still discussing if this is something we want to do or not.
* Investigate how ssh opens a session and how to set umask there
** Answer: The default umask set by OpenSSH is whatever umask it is launched with, but with world and group write permissions disabled (so newly created files don't end up world-writable or group-writable by accident). If the user is entering an interactive SSH session, a login shell is launched; otherwise the command the user specifies is run using the user's default shell and a -c argument. If we want to configure the umask for all commands, we will have to set it via a shell launch script that runs even on non-login shells (i.e. bashrc or zshrc). If only login shells need to be configured, a profile script should suffice. There does not appear to be a configuration setting in OpenSSH for setting a umask outside of these mechanisms; the umask override for disabling world write and group write bits is hardcoded.
== Protection_Against_Physical_Attacks wiki page revision ==
* please improve [[Protection_Against_Physical_Attacks]]
* Done, did not document advanced GRUB password configuration because it requires writing a grub.cfg file by hand, and that would be best documented elsewhere.
== installed ISO - fix localhost ==
After installing from the ISO using calamares:
<pre>
[user ~]% setsid -- sudo -- /usr/bin/test -x /usr/bin/test
[user ~]% sudo: unable to resolve host localhost.localdomain: Name or service not known
</pre>
This causes an issue with systemcheck. /etc/hosts is empty. But it should be the same as on Kicksecure Xfce for VirtualBox, where it is:
<pre>
[user ~]% cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
[user ~]% cat /etc/hostname
localhost
</pre>
If this was to change, it would need to be changed in Kicksecure for VirtualBox (and KVM) too. Would need to be changed in derivative-maker. Probably best to set ISO /etc/hostname and /etc/hosts to the same values as Kicksecure for VirtualBox (derivative-maker), or what would be the canonical name?
* Fixed. https://github.com/ArrayBolt3/derivative-maker/tree/arraybolt3/network-config Uses the same values for /etc/hosts and /etc/hostname as for VirtualBox builds; these values originally came from grml-debootstrap and the $dist_build_hostname variable.
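A check for the condition behind this bug, as an added example (not derivative-maker or systemcheck code): it verifies that the name in /etc/hostname is listed in /etc/hosts, which is what sudo's "unable to resolve host" warning hinges on, and can write the VirtualBox-style /etc/hosts and /etc/hostname quoted above. File paths are parameters so it can be run against constructed copies; the function names are my own.

```shell
#!/bin/sh
# Added example, not project code. POSIX sh; file paths are parameters so the
# functions can be exercised on constructed copies instead of the real /etc files.

# Succeed if NAME appears as a hostname or alias on a non-comment line of HOSTS_FILE.
hosts_has_name() {
    local hosts_file="$1" name="$2" line alias
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop trailing comments
        set -- $line                      # word-split: address name [alias ...]
        [ $# -ge 2 ] || continue          # blank line or an address without names
        shift                             # discard the address
        for alias in "$@"; do
            [ "$alias" = "$name" ] && return 0
        done
    done < "$hosts_file"
    return 1
}

# Succeed if the first line of HOSTNAME_FILE is resolvable through HOSTS_FILE.
hostname_resolves() {
    local hostname_file="$1" hosts_file="$2" name
    name=$(head -n 1 "$hostname_file")
    [ -n "$name" ] || return 1
    hosts_has_name "$hosts_file" "$name"
}

# Write HOSTNAME_FILE and HOSTS_FILE in the layout the VirtualBox builds use
# (quoted above), mapping NAME to both loopback addresses unless it is
# "localhost", which is already present on those lines.
write_loopback_config() {
    local name="$1" hostname_file="$2" hosts_file="$3" extra=""
    [ "$name" = localhost ] || extra=" $name"
    printf '%s\n' "$name" > "$hostname_file"
    {
        printf '127.0.0.1 localhost%s\n' "$extra"
        printf '::1 localhost ip6-localhost ip6-loopback%s\n' "$extra"
        printf 'ff02::1 ip6-allnodes\n'
        printf 'ff02::2 ip6-allrouters\n'
    } > "$hosts_file"
}

# Usage on a live system (constructed invocation):
#   hostname_resolves /etc/hostname /etc/hosts || echo 'hostname not in /etc/hosts'
```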
== review and harden our pkexec policykit polkit policy files ==
* review
* harden, if there is something to harden
<pre>
./packages/kicksecure/anon-connection-wizard/usr/share/polkit-1/actions/com.kicksecure.anon-connection-wizard.policy
./packages/kicksecure/live-config-dist/usr/share/polkit-1/actions/com.kicksecure.install-host-calamares-wrapper.policy
</pre>
* Reviewed, shared results with Patrick.
* update 1: Please fix.
* Fixes:
** anon-connection-wizard: https://github.com/ArrayBolt3/anon-connection-wizard/tree/arraybolt3/pkexec
** tor-control-panel: https://github.com/ArrayBolt3/tor-control-panel/tree/arraybolt3/pkexec (needed changes to remain compatible with anon-connection-wizard changes)
== FYI - systemcheck test ==
After each build, please do a test.
{{CodeSelect|code=
systemcheck --verbose
}}
This catches major issues such as the localhost issue.
* Will keep that in mind, my last build after fixing the localhost issue seems to pass this check.
== investigate absence of sudo doas pkexec ==
* SUIDs are a security issue.
* How realistic would it be to implement all sudoers / pkexec exceptions using Linux capabilities, file permissions or similar?
* Long term goal should be to have no application running as root / no user reachable SUIDs.
* Maybe doas, pkexec should only be reachable from user admin.
* If too complex, might be far future work and meanwhile we'll go doas (+ pkexec).
* Looks very complex but potentially doable, see https://man7.org/linux/man-pages/man7/capabilities.7.html. However, some sort of privilege escalation framework will still be needed for running things such as apt and requiring a password for that purpose.
* Applications that depend on checking for a root UID can be "fooled" into thinking they have root but really only having a limited set of capabilities
* May interact poorly with Debian, experimentation will be needed to find out
* Limiting access to sudo or doas can be done without having to go into an all-capabilities environment, a systemd unit could be used to ensure that the SUID bits on those applications are absent in user mode and present in admin mode
* Probably better to start with doas, will likely hit less hurdles attempting that.
* After further research, this looks very difficult or impossible to do with Debian. The capabilities system does not provide substantial additional security when used alongside "legacy" (i.e. user account based) privilege management, and using it on its own requires both executable files and systemd unit configuration to be configured to use capabilities properly. Most of Debian's applications are probably not configured to work this way, so we would need to ship ''extensive'' permission modifications in permission-hardener, as well as replace many, many systemd units for things such as display managers, servers, or anything else that ran as a systemd system unit and needed privileges to do its job properly. This does not seem practical, therefore I would highly recommend we stick with porting to doas.
* I tried searching for distros that use capabilities in lieu of root access - Google was very unhelpful, and Perplexity.ai just told me there weren't any distros like that.
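The systemd-unit idea from the bullets above (SUID bits absent in user mode, present in admin mode, selected by a kernel parameter), as an added example that is not security-misc, user-sysmaint-split or permission-hardener code: a POSIX sh script a oneshot unit could run at boot. The parameter name example-boot-mode, the function names and the unit text in the trailing comment are hypothetical; GNU stat -c is assumed.

```shell
#!/bin/sh
# Added example, not project code. The kernel parameter "example-boot-mode" is a
# hypothetical name; the unit file sketched at the bottom is likewise constructed.

# Print "admin" only if the kernel command line carries example-boot-mode=admin,
# otherwise "user" (absent or unrecognised values fail closed into user mode).
boot_mode() {
    local word
    for word in $1; do
        case "$word" in
            example-boot-mode=admin) printf 'admin\n'; return 0 ;;
        esac
    done
    printf 'user\n'
}

# Set (admin) or clear (user) the SUID bit on each listed file. Missing files
# are skipped. Prints "path mode" for every file handled.
apply_suid_policy() {
    local mode="$1" f
    shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        if [ "$mode" = admin ]; then
            chmod u+s "$f"
        else
            chmod u-s "$f"
        fi
        printf '%s %s\n' "$f" "$(stat -c '%a' "$f")"
    done
}

# Read the command line from CMDLINE_FILE (/proc/cmdline on a real system) and
# apply the policy to the remaining arguments.
apply_from_cmdline_file() {
    local cmdline_file="$1" mode
    shift
    mode=$(boot_mode "$(cat "$cmdline_file")")
    apply_suid_policy "$mode" "$@"
}

# Constructed oneshot unit that would call this script early at boot:
#   [Unit]
#   Description=Apply SUID policy for the current boot mode
#   DefaultDependencies=no
#   Before=sysinit.target
#   [Service]
#   Type=oneshot
#   ExecStart=/usr/libexec/example/apply-suid-policy /proc/cmdline /usr/bin/sudo /usr/bin/doas /usr/bin/pkexec
#   [Install]
#   WantedBy=sysinit.target
#
# When run as a script with a command line file as first argument, apply the
# policy; otherwise only define the functions so the file can be sourced.
case "${1:-}" in
    /*) apply_from_cmdline_file "$@" ;;
esac
```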
== review rads ==
* {{Github_link|repo=rads}}
* [[RAM Adjusted Desktop Starter]]
* Issues, both minor:
** rads_minimum_ram is set to 480 in the config file with rationale given, but defaults to 500 in rads itself, which could be problematic
** rads_no_swtich_vt is typo'd both in the variable itself and in the config file
* Very unlikely to be the source of the distro morphing bug reported earlier, the user had a working display manager at that point and was observing auth failures in their logs.
* update, Patrick: fixed
== review and harden our /etc/sudoers.d snippets ==
* review
* harden, if there is something to harden
* Done, hardening code merged
== rewrite from perl to python ==
* todo
* After auditing, I don't believe most of our uses of Perl need to be replaced. str_replace and str_match seemed potentially important to port however.
** Rewritten versions of str_replace and str_match: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/perl-to-python
== python perl etc pitfalls ==
* please study https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
* Studied. The first three vulnerabilities are not Perl-specific, only the last two (involving two-argument open()) were. Of particular interest was https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890543 which warned about the <> and operators being unsafe to use in any context since they themselves use the vulnerable way of calling open().
* Reproduced the poison NUL byte and two-argument open() issues mentioned by https://phrack.org/issues/55/7.html#article locally. They are still a problem, even today. Also discovered that the poison NUL byte issue is a known and documented weakness in Perl: https://cwe.mitre.org/data/definitions/626.html
* https://stackoverflow.com/questions/1011431/common-pitfalls-in-python has useful advice for Python.
== fix sudoers.d related issues ==
* todo
* Fixes:
** https://github.com/ArrayBolt3/sdwdate/tree/arraybolt3/sudoers
** https://github.com/ArrayBolt3/sdwdate-gui/tree/arraybolt3/sudoers
** https://github.com/ArrayBolt3/security-misc/tree/arraybolt3/sudoers
** https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/sudoers
** https://github.com/ArrayBolt3/systemcheck/tree/arraybolt3/sudoers
** https://github.com/ArrayBolt3/tb-starter/tree/arraybolt3/sudoers
== research archivebox and alternatives ==
* installation source issue
** nice but optional, because might be unavailable: signed releases available? available from packages.debian.org?
*** A Docker image is available, but Docker has supposedly had severe security issues related to image verification in the past: https://titanous.com/posts/docker-insecurity
*** There's also a package available via pip but it seems to make signing of releases optional and GPG support is very limited, so just because the package is on PyPI doesn't mean it's signed.
*** No signed release visible on releases page.
* predictable links issue
** web.archive.org is nice because using our [https://github.com/Kicksecure/mediawiki-link-to-archive mediawiki-link-to-archive] MediaWiki extension, each link gets appended with an archive symbol linking to https://web.archive.org/archive/ .
** investigate if archivebox (or alternative) has such a feature
** post a feature request if not
** if such a feature does not exist, then mass wiki editing will be required to append links to our self-hosted archivebox (or alternative)
*** wiki mass editing is best avoided. Either we would use a different self-hosted archival tool or perhaps contribute such a feature upstream, if feasible?
**** A URL-encoded URL can be passed as a search query, similar to how archive.today allows searching for archives of a site with https://archive.today/https://google.com. This takes a bit more effort due to the URL encoding being mandatory, but it appears to be doable.
**** Feature request for archive.org style links (originally filed by the primary ArchiveBox author, commented on by me): https://github.com/ArchiveBox/ArchiveBox/issues/1085
**** The feature already exists and is usable upstream: https://github.com/ArchiveBox/ArchiveBox/issues/1085#issuecomment-2487121890
* public archive issue
** Ideally, the archive would not be "our archive" but a public archive.
** That does not mean that we want to host a public archivebox archive that anyone can use. That would unfortunately be problematic (disk space, legal issues).
** We're already offering various downloadable backups on the [[Offline Documentation]] wiki page (including rsync access).
** For archived links it would be good if these could be offered in a backup format available to the public. I.e. someone could use rsync and download all links that we archived.
** With archivebox that might be problematic because links might be unpredictable. Archivebox has a search function but it relies on server functionality, server database (?), which we probably cannot share as is.
*** Should we nuke admin credentials so we can share the database with the public for backup purposes?
**** ArchiveBox actually has explicit support for publishing an archive as a static website. See https://github.com/ArchiveBox/ArchiveBox/wiki/Publishing-Your-Archive. Assuming this doesn't save any sensitive data, this would be a pretty easy way of doing this.
* design:
** Keep archive box web interface accessible to admins and bots only. (security)
** Keep link archival accessible to admin and bots only. (legal)
** Keep archived links reading accessible to the public.
** After wiki backup (already existing on the server) using mediawiki-shell, have a script that can parse the wiki for new links and add them to archivebox.
*** Needs support for a list of domains to avoid archiving (since archiving might be broken).
*** Since some links are often offline, the script should probably fail open if some links are not archiveable.
== live-build - permission lockdown still functional test ==
* https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#access_rights_restrictions
* Kicksecure installations from post-live-build media and pre-live-build media behave the same way in this regard.
** Initial user account user has home directory /home/user with permissions 750 (read/write/execute for owner, read/execute for group, nothing for other)
** User account created with adduser with name user2 has home directory /home/user2 with permissions 700 (read/write/execute for owner, nothing for group, nothing for other)
** User account created with useradd with name user3 has no home directory. Created home directory manually with sudo mkdir /home/user3; sudo chown user3:user3 /home/user3, permissions on directory are 755. Installing a package thereafter (such as git) '''does not''' change the permissions on /home/user3 to something more secure, despite what the linked documentation implies.
** It's possible that permission lockdown is broken, however if so, it is not the result of live-build, assuming my tests were sufficient to diagnose this.
== apt-get - recommends can no longer get installed after installation with --no-install-recommends - bug report ==
`apt install --no-install-recommends diffoscope`
User story: Good, I did not want these recommends. And I didn't get these. Great. But... Now I noticed that I cannot figure it out or something and want these dependencies anyhow.
`apt install diffoscope`
* expected result: `Recommends:` get installed now
* actual result: not happening
`sudo apt satisfy diffoscope` or even `sudo apt install --install-recommends diffoscope` does not install the `Recommends:`.
The only way to get the dependency is `apt remove` followed by `apt install`.
* Turns out there is already a feature request for this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894976 Would be willing to try and implement.
* Patrick: now documented here: https://www.kicksecure.com/wiki/Install_Software#--no-install-recommends
== grub boot menu - regression - mini symbol stuck bug ==
* the Kicksecure lock (or in case of Whonix the hat symbol) on the left next to the first boot menu entry looks confusing. This is because when selecting a different boot menu entry, that symbol will stay where it is.
* simple solution: remove that symbol without replacement
* harder solution: when pressing arrow down, move the highlight (different color for selected boot menu entry) as well as the mini symbol
* Ended up going with the simple solution, because I didn't think the UX of the harder solution would make sense. In a multiboot scenario, having the Kicksecure icon show up next to an OS other than Kicksecure would potentially be weird.
* Modified branches:
** Kicksecure: https://github.com/ArrayBolt3/kicksecure-base-files/tree/arraybolt3/no-grub-theme-icon
** Whonix-Gateway: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arraybolt3/no-grub-theme-icon
** Whonix-Workstation: https://github.com/ArrayBolt3/anon-ws-base-files/tree/arraybolt3/no-grub-theme-icon
** Note: I only tested the Kicksecure changes so far (they work fine on both BIOS and UEFI systems). The Whonix-Gateway and Whonix-Workstation changes are not tested, though they are functionally identical to the Kicksecure changes and as such should work.
== start discussion about Weak-Depends on debian-devel mailing list ==
* as discussed
* see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942303
* Discussion at https://lists.debian.org/debian-devel/2024/11/msg00018.html
* Discussion seems to have halted, the idea that seemed the most promising was allowing the user to specify what packages they wanted to install the recommends of, while leaving other packages out.
* Should a task be added for implementing a proof of concept for this?
== calamares - timezone issue ==
* https://forums.kicksecure.com/t/kicksecure-installation-cannot-set-timezone-link-creation-failed-target-usr-share-timezone-link-name-etc-localtime/652
* Could not reproduce, tried one UEFI "Erase disk" installation, one BIOS "Erase disk" installation, and one BIOS "Replace partition" installation. Forum comments at https://forums.kicksecure.com/t/kicksecure-installation-cannot-set-timezone-link-creation-failed-target-usr-share-timezone-link-name-etc-localtime/652/4
* Turned out to be the result of attempting to install Kicksecure onto a FAT32 partition.
== calamares - file system unit test ==
* possible to translate https://forums.kicksecure.com/t/kicksecure-installation-cannot-set-timezone-link-creation-failed-target-usr-share-timezone-link-name-etc-localtime/652/6 into a calamares unit test so it would show a better error message?
* Feature request made for allowing distros to deny certain filesystems from being used for certain mountpoints: https://github.com/calamares/calamares/issues/2397
* Should a task be added for implementing the functionality in this feature request?
== review kloak makefile pull request ==
* https://github.com/Whonix/kloak/pull/5
* Review complete, nothing malicious found, some quality and functionality issues were found for which I suggested several changes.
* All issues fixed, approved PR.
== live-build - mmdebstrap should use security.debian.org repository ==
* bug: Debian security repository is not being used.
* Using the Debian security repository is however a security feature and the reason for using mmdebstrap: it can bootstrap from more than one repository (Debian "normal" + Debian security).
* Issue should be resolved with the following changes:
** live-build changes: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads (same branch as before, Kicksecure's fork will need to be updated to match it)
** derivative-maker changes: https://github.com/ArrayBolt3/derivative-maker/tree/arraybolt3/mmdebstrap-enhance (this '''will''' break the ISO build if merged without updating live-build)
== salsa debian - salsa signing key setup ==
* https://salsa.debian.org/ArrayBolt3/live-build/-/commits/arraybolt3/lb-dracut?ref_type=heads
* please upload your gpg public key to salsa.debian.org, if that is acceptable.
* similar to github.com
* so we get "verified" marks everywhere
* Done.
== kloak - Qubes support - implement kloak within qubes-gui-daemon ==
* https://github.com/QubesOS/qubes-issues/issues/8541#issuecomment-2377325699
* Ensure code is modular and can be easily broken out into a separate library or executable if requested by Qubes devs
* Use common code between standalone version and Qubes version to keep differences as small as possible (perhaps create libkloak?)
* Prototype implemented and mostly working, draft PR at https://github.com/QubesOS/qubes-gui-daemon/pull/149
* Waiting on response from Qubes OS devs
* Got response and review, currently working out final implementation and doing testing
* All code has now been merged.
== Implement live mode with 90overlayfs ==
* context: [[grub-live]]
* {{Github_link|repo=grub-live|path=/blob/master/etc/grub.d/11_linux_live}}
* stop using 90overlay-root
* port grub-live to 90overlayfs
* This does not work in Bookworm, but does work in Trixie.
* Once Trixie is released and we're upgrading Kicksecure to it, switch modules. See https://github.com/dracutdevs/dracut/issues/1565#issuecomment-2378133277
** Since there is a source code comment pointing that out, `grep -r TODO | grep trixie` will find this task when it is due.
== live-build - live_build_package_list_kicksecure - do not hardcode amd64 ==
* live-build-data/live-build-config/live_build_package_list_kicksecure
linux-image-amd64
linux-headers-amd64
* should be generic based on already existing variable ${dist_build_type_short}
* Fixed in https://github.com/ArrayBolt3/derivative-maker/tree/arraybolt3/avoid-amd64-hardcode
== live-build bug - cannot create /dev/null: Permission denied ==
build machine:
* CI: passing
* using a Qubes Kicksecure based App Qube: broken
* /usr/bin/apt-key? Where in derivative-maker or live-build is /usr/bin/apt-key being used anyhow?
** apt update is calling it. Verified by chrooting into the broken live-build chroot and running sudo apt update.
* Note: apt-key is deprecated as per apt-key Debian upstream man page anyhow and should not be used.
** Since this is apt itself using it, I think this is working as intended.
* Root cause of the problem: /home is mounted with nodev inside Kicksecure Qubes. This results in the chroot's /dev/null being unwritable even by root.
* Should be fixed here: https://github.com/ArrayBolt3/derivative-maker/tree/arraybolt3/home-nodev-fix Remounts /home with the dev option to resolve the problem.
== uwt torsocks TORSOCKS_LOG_LEVEL ==
* check if package uwt /etc/sudoers.d/uwt is still required
* https://forums.whonix.org/t/disable-torsocks-warning-spam/19084
* if still an issue, please send a pull request to upstream making TORSOCKS_LOG_LEVEL configurable in /etc/tor/torsocks.conf
* This does not appear to be an issue any longer. I commented out all `TORSOCKS_LOG_LEVEL` setting lines in `uwt.sh`, `uwtwrapper`, and `/etc/sudoers.d/uwt`, and saw no log messages similar to that in the logs. I also did export TORSOCKS_LOG_LEVEL=5; sudo -E torsocks apt-get.anondist update, and while this produced lots of debugging messages from torsocks due to the high verbosity level it was set to, none of those messages were the offending message from the linked bug report. With any lower loglevel, torsocks was silent.
== url_to_unixtime review and hardening ==
* {{Github_link|repo=sdwdate|path=/blob/master/usr/bin/url_to_unixtime}}
* (mostly) out of scope? validation of command line inputs
* out of scope: timeout - this is enforced on sdwdate level and does not need to be implemented at the url_to_unixtime level
* todo: check if minimum + maximum string lengths are properly enforced
* already has a dedicated AppArmor profile:
** {{Github_link|repo=sdwdate|path=/blob/master/etc/apparmor.d/usr.bin.url_to_unixtime}}
** {{Github_link|repo=sdwdate|path=/blob/master/etc/apparmor.d/abstractions/url_to_unixtime}}
* threat model:
** remote code execution
** outputting too short/long/non-numeric strings or malicious binary data that could confuse/exploit sdwdate
* Issues found:
** request_data_from_remote_server: The remote_port argument is never used in this function (or anywhere in the script). There doesn't appear to be an immediately obvious way to even use an argument like this with Requests.
** data_to_http_time does not enforce a maximum number of characters in the http_time string. This means that even an extremely long string will be parsed as a date later on in http_time_to_parsed_unixtime, which could theoretically be used to consume resources on a machine under attack.
** Multiple locations in the code will print to stderr values that may be bad in one way or another (most notably, every single HTTP header the script gets from the server will be printed in many instances) in the event of an error condition. The code specifically notes that it "prints debug and errors to stderr", thus I do not believe this is a serious concern. I didn't see any substantial processing happening on stderr elsewhere in sdwdate except to ensure it wasn't excessively large and to print it to stdout, which I believe ends up in the journalctl logs.
** unixtime_sanity_check doesn't ensure that the timestamp it returns is non-negative.
** The socks module is being imported for no reason. requests does not require it to be imported to access Tor over a socks5 proxy.
** Some miscellaneous unused variables, unneeded parentheses, and typos are floating around according to PyCharm.
* Other than that, it seems good:
** minimum date string length is enforced in data_to_http_time
** maximum timestamp length is enforced in unixtime_sanity_check
** only a sufficiently short timestamp derived from a sufficiently long date string will be printed to stdout (only a single print command is used for that purpose, and it only prints a variable that has passed all checks)
** I don't see any RCE risk aside from unknown and unknowable issues in the Python interpreter itself. The only bit of code that's really scary in this respect is when http_time_to_parsed_unixtime calls dateutil and trusts it to properly handle arbitrary, untrusted date headers from HTTP connections. dateutil is written entirely in Python though, so this isn't much of a threat - the worst that could happen is url_to_unixtime could crash, or return a garbage time value. (However, see the note about a lack of negative time prevention above.)
* sdwdate branch with all listed issues resolved: https://github.com/ArrayBolt3/sdwdate/tree/arraybolt3/url-to-unixtime-tidy
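The checks the review above asks for (bounded input length, ASCII only, no negative timestamps, bounded digit count), written out as an added example. This is not sdwdate or url_to_unixtime code; it uses only the Python standard library (`email.utils` instead of dateutil), and the length limits and the `BadDate` exception name are assumptions chosen for the example.

```python
"""Hardened HTTP Date header -> unixtime conversion (added example, not sdwdate code)."""
from datetime import timezone
from email.utils import parsedate_to_datetime

# Assumed bounds: asctime form "Sun Nov  6 08:49:37 1994" is 24 chars, IMF-fixdate is 29.
MIN_DATE_LEN = 24
MAX_DATE_LEN = 40
MAX_UNIXTIME_DIGITS = 10  # 9999999999 is in the year 2286; anything longer is garbage


class BadDate(ValueError):
    """Raised for any header that fails a sanity check; caller prints nothing in that case."""


def http_date_to_unixtime(header: str) -> int:
    """Return the header's time as a non-negative unix timestamp, or raise BadDate.

    Length and character checks run BEFORE the date parser sees the string, so an
    oversized or binary header never reaches the parsing code at all.
    """
    if not isinstance(header, str):
        raise BadDate("not a string")
    if not (MIN_DATE_LEN <= len(header) <= MAX_DATE_LEN):
        raise BadDate(f"date length {len(header)} outside [{MIN_DATE_LEN}, {MAX_DATE_LEN}]")
    if not header.isascii() or not header.isprintable():
        raise BadDate("non-ASCII or control characters in date")
    try:
        dt = parsedate_to_datetime(header)
    except (ValueError, TypeError, IndexError, OverflowError):
        # Older Pythons raise TypeError on unparseable input, newer ones ValueError.
        raise BadDate("unparseable date") from None
    if dt.tzinfo is None:
        # A "-0000" zone yields a naive datetime; HTTP dates are UTC by definition.
        dt = dt.replace(tzinfo=timezone.utc)
    unixtime = int(dt.timestamp())
    if unixtime < 0:
        raise BadDate("timestamp before the unix epoch")
    if len(str(unixtime)) > MAX_UNIXTIME_DIGITS:
        raise BadDate("timestamp has too many digits")
    return unixtime


def unixtime_or_none(header: str):
    """Convenience wrapper: the validated value, or None if any check failed."""
    try:
        return http_date_to_unixtime(header)
    except BadDate:
        return None


if __name__ == "__main__":
    # Constructed sample headers: one valid, one pre-epoch, one oversized junk string.
    for sample in ("Sun, 06 Nov 1994 08:49:37 GMT",
                   "Fri, 01 Jan 1960 00:00:00 GMT",
                   "x" * 50):
        print(repr(sample), "->", unixtime_or_none(sample))
```

Only the value returned by `http_date_to_unixtime` is ever handed to the caller, which mirrors the single guarded `print` the review found in url_to_unixtime.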
== tbb version parser hardening ==
* '''todo:''' discuss
* The local version parser function `tbbversion_installed` could be moved to /usr/bin/update-torbrowser for now as it is considered low risk.
* The remote version parser function `tbbversion` requires hardening:
** Out of scope: `tbbversion` taking too much time (can be easily handled from update-torbrowser by using standard Linux program timeout).
** Currently has good error handling, but errors have not been reported yet. We could give up on good error handling except for distinguishing between exit 0 (ok) and exit 1 (error).
** Needs to be written as securely as possible:
*** Attack surface currently includes at least: `jq`, `bash`, `/usr/libexec/msgcollector/striphtml`.
*** Remote version file cannot be verified (only through HTTPS or onion).
*** '''todo research:''' Will upstream provide signed version files? How does Tor Browser internally verify the version file? Can we use the same mechanism?
*** Version parser should be moved into its own standalone script.
*** Should it be rewritten in Python for better security?
*** The new version parser could be confined using AppArmor.
*** The version parser would either accept an input file and output file, with no other console output:
**** If the version parser gets exploited but is still contained by AppArmor, malicious advice could still be outputted to the console. Therefore, error codes should instead be communicated through exit codes:
***** Exit 1: General, not specifically handled/expected error.
***** Exit 2: Input file does not exist.
***** Exit 3: `jq` failed.
***** Etc.
*** String length sanity checking with if [ "$actual_string_length" -gt "$max_string_length" ]; then makes a lot of sense but should not be done within the version parser:
**** If `jq` is compromised, the string length check could be omitted. Therefore, string length checking should be handled externally.
**** Assumption: If string length is kept minimal, exploitation might be difficult or even impossible.
**** Version number is currently 14.0.2. Maximum string length is 20 characters. Since version numbers are short and reasonable, the maximum string length could be further reduced.
**** If the version parser is compromised, outputting evilevil instead of 14.0.2 might be insufficient to exploit update-torbrowser. However, allowing the parser to output a 10 MB file increases risk significantly.
**** A robust design could involve the version parser accepting an input file and generating an output file, with no console output allowed:
***** File-based input/output design allows update-torbrowser to safely check file size. If too large, it can be rejected as either a bug or an exploitation attempt.
**** Separation between version parser (AppArmor'ed) + file size checker (AppArmor'ed) + tb-updater might be overkill?
**** Should be placed into /usr/libexec/tb-updater?
** Should Tor Project and ARM64 version parsers be different?
* After discussion with Patrick, this is the solution I wrote:
** Parsing of untrusted input is entrusted to a dedicated Python script that is heavily confined using AppArmor.
** The original tbbversion function is still necessary to sanitize the output from this script.
** The script reads an input file, writes an output file, and gives an exit code indicating if the operation was successful. Console output to stderr ''is'' generated for debugging purposes, but is discarded by tbbversion.
** The exit codes are:
*** 0: Success.
*** 1: Invalid arguments.
*** 2: File I/O issues (file doesn't exist or cannot be read from/written to)
*** 3: Parse failure (invalid or malicious input)
** tbbversion runs a battery of checks against the returned value, ensuring it is small, contains only ASCII chars, non-empty, and looks like a valid version number. Once the full battery of tests passes, the value is considered trusted and is passed to tbbversion's caller.
** Callers source /usr/libexec/tb-updater/version-validator, set environment variables, and call tbbversion to do Tor Browser version parsing. This is identical to the previously existing API, with two exceptions:
*** tbbversion is now part of a script called version-validator. version-parser is now the confined Python script that does the real parsing. Thus scripts that rely on tbbversion need to be changed to source the correct script.
*** tbbversion supports Tor Browser ARM64 JSON from SourceForge. An environment variable tbb_version_parse_as_arm64 must be set to y to attempt to parse this JSON format.
** Code changes to tb-updater: https://github.com/ArrayBolt3/tb-updater/tree/arraybolt3/json-parse-hardening
** Code changes to developer-meta-files: https://github.com/ArrayBolt3/developer-meta-files/tree/arraybolt3/json-parse-hardening
** This is ready for review, a full test plan was developed, executed, and passed.
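An added example of the two halves described above: a parser that reads an input file, writes an output file and reports through the exit codes listed (0 success, 1 invalid arguments, 2 file I/O, 3 parse failure), plus the caller-side battery that refuses to trust the output until it is short, ASCII, non-empty and version-shaped. This is not the tb-updater version-parser or version-validator code. It assumes a downloads.json-style input with a top-level `"version"` string; the SourceForge ARM64 format mentioned above is not handled, and the size limits and regex are assumptions for the example.

```python
"""Confined version parser + caller-side validator (added example, not tb-updater code)."""
import json
import re
import sys

MAX_INPUT_BYTES = 1024 * 1024   # refuse absurd "version files" before json sees them (assumed)
MAX_VERSION_LEN = 20            # the limit mentioned in the discussion above
# Tor Browser style versions such as 14.0.2 or 14.5a1 (assumed pattern).
VERSION_RE = re.compile(r"[0-9]{1,4}(\.[0-9]{1,4}){1,3}(a[0-9]{1,2})?")


class ParseError(ValueError):
    """Invalid or malicious input; maps to exit code 3."""


def is_safe_version(value: str) -> bool:
    """Caller-side battery: short, ASCII, non-empty, looks like a version number."""
    return (isinstance(value, str)
            and 0 < len(value) <= MAX_VERSION_LEN
            and value.isascii()
            and VERSION_RE.fullmatch(value) is not None)


def parse_version_json(data: bytes) -> str:
    """Extract the version string from the untrusted JSON bytes or raise ParseError."""
    if len(data) > MAX_INPUT_BYTES:
        raise ParseError("input too large")
    try:
        doc = json.loads(data.decode("ascii"))  # version files are ASCII; anything else is suspect
    except (UnicodeDecodeError, ValueError) as exc:
        raise ParseError(f"not ASCII JSON: {exc}") from None
    version = doc.get("version") if isinstance(doc, dict) else None
    if not isinstance(version, str):
        raise ParseError("missing or non-string version field")
    if not is_safe_version(version):
        raise ParseError("version string failed sanity checks")
    return version


def parse_or_none(data: bytes):
    try:
        return parse_version_json(data)
    except ParseError:
        return None


def main(argv) -> int:
    """argv = [input_file, output_file]; diagnostics go to stderr only."""
    if len(argv) != 2:
        return 1
    in_path, out_path = argv
    try:
        with open(in_path, "rb") as f:
            data = f.read(MAX_INPUT_BYTES + 1)  # +1 so oversize is detected, not truncated
    except OSError as exc:
        print(f"read failed: {exc}", file=sys.stderr)
        return 2
    try:
        version = parse_version_json(data)
    except ParseError as exc:
        print(f"parse failed: {exc}", file=sys.stderr)
        return 3
    try:
        with open(out_path, "w", encoding="ascii") as f:
            f.write(version + "\n")
    except OSError as exc:
        print(f"write failed: {exc}", file=sys.stderr)
        return 2
    return 0


def read_validated_version(out_path: str) -> str:
    """What the caller does with the output file: size-check, then the battery, then trust."""
    with open(out_path, "rb") as f:
        raw = f.read(MAX_VERSION_LEN + 2)   # room for a newline plus one byte to detect oversize
    if len(raw) > MAX_VERSION_LEN + 1:
        raise ParseError("output file too large: bug or exploitation attempt")
    try:
        value = raw.decode("ascii").strip()
    except UnicodeDecodeError:
        raise ParseError("output file is not ASCII") from None
    if not is_safe_version(value):
        raise ParseError("output failed version sanity checks")
    return value


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The caller never looks at the parser's stdout; it checks the exit code, then the output file size, then the content, in that order.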
== archive.today link archiving ==
* mediawiki-shell already has code for downloading all wiki pages to the disk in mediawiki markup format, as well as a tool for parsing all local wiki text pages for links:
** mw-specific-backup-kicksecure
** mw-specific-backup-whonix
** git_mediawiki_backup_folder variable: todo
TMPFOLDER=/tmp/mediawiki-shell-temp \
wiki_backup_folder="$git_mediawiki_backup_folder" \
wiki_namespace_list_extra="274 500" \
"$tool"
* (FYI: this is used server-side to keep updating {{Github_link|repo=kicksecure-wiki-backup|path=/}} https://github.com/Whonix/whonix-wiki-backup)
* todo: implement and execute archival of all links using archive.today CLI, create a list of links and archived links (extendible format original-link, archive.today, archivebox, ...)
* [[Template:Archive_link]] ?
*** This might require a custom plugin, but I believe it should work. Archive.today works with links such as https://archive.today/https://google.com - clicking a link such as this will take you to a search page showing all of the archived copies archive.today has of that particular link so far. The user is then free to choose which version to look at
*** Custom mediawiki extension already existing: {{Github_link|repo=mediawiki-link-to-archive|path=/}}
**** Moved to separate task.
**** It's already adding the web archive links.
**** Could be extended to add the archive.today links in https://archive.today/https://google.com format.
** Example of the intended result: [https://www.freedos.org/books/cprogramming/part5/ C Programming for DOS tutorial, part 5] [[Image:Archive-today-favicon.png|frameless|16px|link=https://archive.ph/https://www.freedos.org/books/cprogramming/part5/|text-top|Link to archive.today version]]. Using a plugin to automate that would be very valuable. Additionally, by doing this, we don't have to automatically archive every link someone adds (which CAPTCHAs make nearly impossible). People can simply archive the links as they add them, and people who find an unarchived link can archive it right then and there.
* No testing required. (Because setting up a mediawiki test environment can be quite involved.)
* Branch with archive.today support here: https://github.com/ArrayBolt3/mediawiki-link-to-archive/tree/arraybolt3/archive-today
** Untested, however I did lint the code using php -l.
** See TODOs in code, this will not be usable as-is since an image needs to be added to the server and a CSS class may need to change.
** The intended result of the code is that an archive.today link icon will be added to every normal link, immediately after the archive.org icon. Onion links and archive.org links should ''not'' have an archive.today link icon added after them, whereas links to archive.today should have ''only'' an archive.today link icon added after them (with similar behavior to the existing link buttons for archive.org links and onion links).
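The wiki-backup link scanning sketched in the design notes above (parse the backup for new links, skip a list of domains where archiving is broken, fail open on links that cannot be archived) and the "parse all local wiki text pages for links" step of this section, as one added example. This is not mediawiki-shell, mediawiki-link-to-archive or ArchiveBox code. It assumes the backup is a directory of `*.mediawiki` files, that ArchiveBox is driven through its `archivebox add URL` command line from inside the data directory, and the deny list, the sample wikitext and the `archive_all` helper are constructed for the example.

```python
"""Scan a MediaWiki backup for external links and feed new ones to ArchiveBox, failing open.

Added example, not mediawiki-shell or ArchiveBox project code.
"""
import re
import subprocess
from pathlib import Path

# Bare URLs and the target of [url label]; stop at whitespace and wiki delimiters.
URL_RE = re.compile(r'https?://[^\s\[\]<>"|{}]+')

# Assumed deny list: archives of archives, and onion services the archiver cannot reach.
DENY_DOMAINS = ("archive.org", "archive.today", "archive.ph", "archive.is", "onion")

# Constructed sample wikitext (not from the real wiki).
SAMPLE_WIKITEXT = """
* [https://www.freedos.org/books/cprogramming/part5/ C Programming for DOS tutorial, part 5].
* See https://forums.kicksecure.com/t/example/1234, and [https://web.archive.org/web/2024/https://example.com archived].
* Same tutorial again: https://www.freedos.org/books/cprogramming/part5/
* Onion: http://archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion/
"""


def extract_links(wikitext: str) -> list:
    """Unique external links in page order, trailing punctuation stripped."""
    seen = {}
    for m in URL_RE.finditer(wikitext):
        seen.setdefault(m.group(0).rstrip(".,;:)"), None)
    return list(seen)


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0].lower()


def is_denied(url: str, deny=DENY_DOMAINS) -> bool:
    """True if the host is a denied domain or lies under one (so 'onion' covers every .onion)."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in deny)


def links_from_backup(backup_dir: Path) -> list:
    """Collect links from every *.mediawiki file under the backup directory."""
    urls = {}
    for page in sorted(backup_dir.rglob("*.mediawiki")):
        for u in extract_links(page.read_text(encoding="utf-8", errors="replace")):
            urls.setdefault(u, None)
    return list(urls)


def archivebox_add(url: str) -> None:
    # Assumed ArchiveBox CLI; must run with the ArchiveBox data directory as cwd.
    subprocess.run(["archivebox", "add", url], check=True, timeout=600)


def archive_all(urls, already_done, submit=archivebox_add, deny=DENY_DOMAINS):
    """Fail open: one link that cannot be archived is recorded and skipped, never fatal."""
    done, failed, skipped = [], [], []
    for url in urls:
        if url in already_done:
            continue
        if is_denied(url, deny):
            skipped.append(url)
            continue
        try:
            submit(url)
            done.append(url)
        except Exception as exc:  # site offline, CAPTCHA, timeout, archiver crash
            failed.append((url, str(exc)))
    return done, failed, skipped


def flaky_submit(url: str) -> None:
    """Constructed stand-in for archivebox_add that fails on one host, for the demo."""
    if "forums.kicksecure.com" in url:
        raise RuntimeError("simulated timeout")


if __name__ == "__main__":
    links = extract_links(SAMPLE_WIKITEXT)
    done, failed, skipped = archive_all(links, already_done=set(), submit=flaky_submit)
    print("archived:", done)
    print("failed (will retry next run):", failed)
    print("skipped by deny list:", skipped)
```

The `already_done` set is where the "list of links and archived links" from the todo above would be loaded from; failures stay out of it, so they are retried on the next backup run.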
== implement archive.today CLI frontend ==
* Use https://github.com/wabarc/archive.is/blob/main/cmd/archive.is/is.go as general guidelines
* Use as few dependencies as possible
** Currently using only the Python standard library and Requests.
** Implementation finished, temporary repo deleted, this is now at https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/archive-today
== automation of tb-updater hardcoded version number update ==
* example of what is currently done manually:
** {{Github_link|repo=tb-updater|path=/commit/f1f48f57021502b7c0d17b7ce50929860e72244f}}
** {{Github_link|repo=tb-updater|path=/commit/9d790396a7439ceb6b8c494c790be6f80a304430}}
** notify forums https://forums.whonix.org/t/tor-browser-integration/11912/118
* post in forums can probably one day be avoided when there is packages.kicksecure.com which makes version numbers, changelogs more easily accessible including a "news blog" of recent changes
* On the surface, making this fully automated would likely require making commits to code in an automated fashion. This is a bit worrying to me since it requires a machine to have access to a non-password-protected, trusted GPG key that is used to automatically sign commits. This would potentially be a valuable target for an attacker, and could potentially introduce supply-chain attacks. Would it be sufficient to make this able to alert a sufficiently trusted person that it's time to update the version numbers? This could be combined with a tool that will update the version number to whatever is appropriate with a single command, allowing an administrator to simply run the command, verify the diff is correct, then commit and push.
* From chat with Patrick: "so in /usr/bin/dm-packaging-helper-script there could be a functional which shows the "git diff" before auto-committing, because then I can still stop it, should it look weird"
* Implemented. https://github.com/ArrayBolt3/developer-meta-files/tree/arraybolt3/tor-browser-version-update
== live-build - build broken - kicksecure repository apt-cacher-ng configuration ==
* This is the result of apt-cacher-ng HTTPS tunneling not being enabled on the CI server. Our sources.list files from repository-dist and anon-apt-sources-list are causing the problem.
* There is no practical, upstreamable way to only insert the sources.list files into the system after all apt commands have run. At best, it might be possible to insert our sources.list files immediately after squashfs-tools is installed but immediately before the squashfs is generated, then immediately delete them as soon as the squashfs was done being generated (as further apt commands are run after this point). This would be extremely hacky and would mandate that we keep our own live-build fork indefinitely, as such a change could not be practically upstreamed.
* Enabling apt-cacher-ng HTTPS tunneling is undesirable, as it could result in the wrong packages being used in the ISO build.
* One option might be to simply not install the sources.list files on the ISO at all, but rather have a script in the live session generate them, and have Calamares and debian-installer create them when appropriate. This goes against the design we want, but at this point it may be the only good solution.
* The solution we ended up using was to modify repository-dist to generate the derivative.list file when a particular systemd unit runs, then enable that systemd unit only when the --repo true option is set in derivative-maker. Options to repository-dist are passed via a file at /var/lib/repository-dist/derivative_apt_repository_opts, which is written at build time by the build system and then loaded at runtime by the systemd unit.
* Current fix branches:
** derivative-maker: https://github.com/ArrayBolt3/derivative-maker/tree/arraybolt3/apt-fix
** repository-dist: https://github.com/ArrayBolt3/repository-dist/tree/arraybolt3/deb-fix
== live-build - build failing due to fasttrack not using apt-cacher-ng syntax ==
* https://github.com/Whonix/derivative-maker/actions/runs/11794583611
* Fixed, also fixed a related bug with the kicksecure.com URL. Fix is present at https://github.com/arrayBolt3/derivative-maker
== test and review archive.today CLI frontend ==
* archive.today is interesting because it is an independent third party
* candidate: wabarc/archive.is (supports CAPTCHA avoidance through cookie)
* https://github.com/wabarc/archive.is?tab=readme-ov-file#archivetoday-is-unavailable
** test for functionality first in a throwaway VM
*** Builds with Go 1.22 from bookworm-backports (`sudo apt install -t bookworm-backports golang`); to build you must go into the `cmd/archive.is` directory first, then run `go build`.
** test functionality and CAPTCHA avoidance
*** Searching appears to work without a CAPTCHA avoidance cookie, archiving requires the cookie.
*** Takes about a minute or two for a small page to be archived, then an additional five to ten minutes before that URL will show up when searched for using ./archive.is -p https://url in searches.
*** Tor is supported, but it's unclear how to make that support work, and research was inconclusive, filed a feature request to fix this at https://github.com/wabarc/archive.is/issues/58
** test archive.today onion (might help with CAPTCHA avoidance), will help with IP restrictions
*** http://archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion
*** TODO, need to figure out how to properly trigger the use of Tor first.
** review for malicious content
*** Reviewed main package code, no malicious content found. Code looked mostly straightforward, though it made use of some advanced Go techniques. The code does however have a number of dependencies, at least three of which are written by this tool's author and one of which is relatively obscure judging from the Github star count, so I want to review those too (and potentially their sub-dependencies as well).
** create a github fork from reviewed version (just pressing fork button, no other changes, unless required)
*** No fork created yet as I'm not yet ready to declare this safe, however the commit I have and am reviewing is f6bc92ea8a399df64d4772de73ecf695e48ac16b
* After initial investigation, we believe it will be safer and better to implement our own CLI frontend for this, using the Go code from wabarc's tool as inspiration.
== investigate doas ==
* determine if it's a suitable replacement for sudo in Kicksecure
** will using it resolve https://github.com/sudo-project/sudo/issues/415? It has to allow nopasswd exceptions to be distinguished from normal authentication in PAM
*** Yes, it will. I tested running a nopass command with doas and it did NOT reset the faillock counter. I checked the doas source code, and it looks like this is because doas nopass exceptions don't go through PAM at all (though I didn't thoroughly check the code so I'm not entirely sure of this).
* estimate work required to port to it
* Research and time estimate recorded at https://forums.whonix.org/t/replace-sudo-with-doas/17482/18.
== refactor dm-unicode-check ==
* {{Github_link|repo=developer-meta-files|path=/blob/master/usr/bin/dm-check-unicode#L47}}
* 1 line per entry for white list
* Done, branch is at https://github.com/ArrayBolt3/developer-meta-files/tree/arraybolt3/dm-check-unicode-enhance
== check live-build_installation function in derivative-maker ==
* todo
* Spot-checked, looked fine to me. Comment about improper live-build installation due to dependency packages mentioned to Patrick.
== build raw VM images - base images - consider porting from grml-debootstrap to live-build ==
* Building fully persistent images? Replacing grml-debootstrap?
* --system normal --binary-image hdd
* Useful? Low priority?
* arraybolt3: this would potentially be very useful, will investigate.
* Looks like this is potentially useful, but definitely needs a lot of help to make useful. To get a useful build, it was necessary to use the following configuration in auto/config:
#!/bin/sh
set -e
lb config noauto \
--distribution bookworm \
--system normal \
--binary-image hdd \
--hdd-size auto \
--chroot-filesystem none \
--binary-filesystem ext4 \
"${@}"
* The generated image contained no user account, no root password, and no properly configured fstab, thus it was necessary to mount the built image, chroot into it, configure fstab, add a user, and add the new user to the sudoers group.
* The generated image also used Syslinux as the default bootloader, which is obviously strange for a desktop system. Furthermore, the kernel command line was not configured properly, and it was necessary to manually add root=/dev/vda1 to the command line to get the system to boot. Probably should have set --bootloaders grub-pc,grub-efi. Unsure if --bootappend-live will work for setting the kernel command line, this may have to be fixed as a post-build operation (chrooting in and running sudo update-grub or similar).
* Was able to make a basic, mostly-working (aside from the bootloader issues) image with IceWM as the desktop.
* Patrick, paraphrased Aaron: While it might be doable to create fully persistent (VM) raw images using live-build, porting from grml-debootstrap to live-build is probably not worth it.
== refactor dm-packaging-helper-script ==
* Enhance readability and maintainability, document all functions and features
* Current iteration of refactor: https://github.com/ArrayBolt3/developer-meta-files/blob/arraybolt3/dm-packaging-helper-script-refactor/usr/bin/dm-packaging-helper-script
* Ready for final review. I did NOT change from using tee to using sponge because of the performance implications it would have (appending to a file with sponge will rewrite the entire file).
old (ok):
* kicksecure-meta-packages:
* Add xdg-desktop-portal(-gtk) (Thanks to Aaron Rainbolt!).
* No longer install `alsa-utils` by default https://forums.whonix.org/t/port-from-pulseaudio-to-pipewire-for-audio-support/16879/45.
* Add `accountservice` to `kicksecure-desktop-environment-essential-xfce`, which fixes error message:
* > localhost lightdm[911]: Error getting user list from org.freedesktop.Accounts: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Accounts was not provided by any .service files package `lightdm` `Suggests:` `accountservice`.
* Allow installation of `pipewire-media-session-pulseaudio` as an alternative to `wireplumber`.
...
new (bug):
* kicksecure-meta-packages:
* Fix ISO build failure (missing 's' in accountsservice) (Thanks to @ArrayBolt3!)
* kicksecure-meta-packages:
* Add xdg-desktop-portal(-gtk) (Thanks to @ArrayBolt3!)
* kicksecure-meta-packages:
* no longer install `alsa-utils` by default https://forums.whonix.org/t/port-from-pulseaudio-to-pipewire-for-audio-support/16879/45
* kicksecure-meta-packages:
* add `accountservice` to `kicksecure-desktop-environment-essential-xfce` fixes > localhost lightdm[911]: Error getting user list from org.freedesktop.Accounts: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Accounts was not provided by any .service files package `lightdm` `Suggests:` `accountservice`
* kicksecure-meta-packages:
* Bug fixed, forgot to set package_header_written='y' after writing the package header in pkg_git_packages_git_log_writer.
== audit grub profile pf2 files ==
* Files from upstream deleted, replaced with a Makefile that generates pf2 fonts from the Inter and Terminus fonts in the Debian archives at package build time. Also split out common GRUB theme code into dist-base-files.
* Repos modified:
** dist-base-files: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/grub-theme
** kicksecure-base-files: https://github.com/ArrayBolt3/kicksecure-base-files/tree/arraybolt3/grub-theme-fix
** anon-gw-base-files: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arraybolt3/grub-theme-fix
** anon-ws-base-files: https://github.com/ArrayBolt3/anon-ws-base-files/tree/arraybolt3/grub-theme-fix
== live-build - build failing ==
* either live-build lb-dracut branch is not fully merged or forked live-build isn't installed by derivative-maker
* forked live-build wasn't being installed previously. Code for automatic installation written and tested, present at https://github.com/ArrayBolt3/derivative-maker/tree/arraybolt3/lb-autoinstall
== archive.today CLI ==
* since archive.org might go offline permanently, a quick replacement is required
* archive.today alternative domain names: archive.is, archive.ph (for search terms)
* todo: find a functional archive.today CLI tool
* todo: fork it, check if the code is static (does not load tons of other libraries) and is non-malicious
* arraybolt3: archive.today officially does not support automated archival of pages, see https://blog.archive.today/post/678411898279067648/hello-i-am-developing-an-application-that. They use CAPTCHAs to prevent automated tools from working, so it is unlikely such a tool exists, and even if it did, its use would potentially harm archive.today, and the tool would not function properly in the long run.
== continuous documentation effort - FYI only ==
* Patrick liked the new super grub disk additions to [[Broken Boot]]. If something else comes to mind, please continue improving the wiki.
== live build cdlabel change ==
* CDLABEL=Kicksecure_17
* --iso-volume 'Kicksecure 17' \\
* better set to just Kicksecure so the version number upgrade isn't needed and not forgotten in the future?
* set to Kicksecure already by Patrick
* arraybolt3: Fine with me, archiving.
== local editor settings - delete trailing spaces ==
* please kindly configure your local editor to delete trailing spaces upon saving files
* Done.
== live-build - investigate options ==
* because it contains options and todo
* (originally from build-steps.d/1350_create-iso-config)
* not all comments might be needed. some of my comments might be superfluous / obvious.
old:
## folder derivative-maker/live-build can be re-created using:
## 2. help-steps/live-config
## Should not be done at live-build level if avoidable? Better done in package live-config-dist as /etc/default/grub.d drop-in
#--bootappend-live PARAMETER|"PARAMETERS"
# arraybolt3: Cannot be done via a package as the bootloader config for the ISO is set directly by live-build. Instead, source grub.d scripts from security-misc at build time and use variables from there to set the bootappend value.
# Patrick: Not only security-misc is setting grub configuration. Also other packages do or might in the future. Therefore all of /packages/ folder needs parsing.
# arraybolt3: We now use grub-mkconfig and config file parsing to automatically detect the proper GRUB kernel parameters.
## TODO: cleaner to not have these? better for reproducible builds?
#--apt-indices false
# arraybolt3: Added.
## Kicksecure enabled backports by default so live-build does not need to
## (kicksecure ships /etc/apt/sources.list.d/debian.list static file in package anon-apt-sources-list)
#--backports true|false
# arraybolt3: Left unset, seems to work.
## Probably not needed.
#--checksums md5|sha1|sha224|sha256|sha384|sha512|none
# arraybolt3: left unset
#--debian-installer cdrom|netinst|netboot|businesscard|live|none
# arraybolt3: This MUST be set to "--debian-installer=live" (different values other than "none" may also work?). Not doing so results in the on-CD apt repo that contains bootloader packages not being created, and alternate ways of making that repo ended up erroring out in my experiments.
## Kicksecure enables fasttrack repository by default. If build works, probably not needed.
#--keyring-packages PACKAGE|"PACKAGES"
# arraybolt3: left unset, but perhaps it should be set to include the fasttrack repository key. Currently I'm using "--debootstrap-options" to include it.
#--cache-stages "bootstrap rootfs"
# arraybolt3: left unset. This automatically "just works".
## For cross-build support.
# --architecture "$dist_build_target_arch"
# arraybolt3: Note that for cross builds to work, this must be paired with "--bootstrap-qemu-arch" if building for a foreign architecture like arm64. Needs testing.
# --distribution "$dist_build_apt_stable_release"
# arraybolt3: set.
## TODO: should we keep as is (Debian default) for better compatibility or set to
## $SHORT_VMNAME / $VMNAME (already defined in help-steps/variables) to avoid conflicts with Debian (dual-boot)?
# --hdd-label LABEL
# --image-name NAME
# --iso-application NAME
# --iso-publisher NAME
# --iso-volume NAME
# arraybolt3: all are now set
## Not applicable?
# --hdd-size SIZE
# arraybolt3: for ISO build, not applicable
## TODO: source not needed
# --source
# arraybolt3: left unset, defaults to false.
## yes. not bothering/mixing any other bootloaders such as isolinux (except shim, which live-build handles automatically)
# --bootloaders grub-efi
# arraybolt3: left unset, live-build figures this out automatically and generates an ISO that is both BIOS-bootable and UEFI-bootable with GRUB by default.
## already existing variable
# --linux-packages "$BUILD_KERNEL_PKGS"
# arraybolt3: set.
## already existing variable
## usability feature
## we want kernel headers installed by default (required for tirdad compilation (has a dependency); virtualbox guest utils (lacks dependency))
## probably
# --linux-packages "$BUILD_HEADER_PKGS"
# arraybolt3: set.
## We can probably set this because we cache using ${REPO_PROXY}? Double caching not useful?
## This option might have side effects.
# --cache-packages false
# arraybolt3: set `--cache false`.
## TODO: Does this work? Is our apt-cache-ng (already existing variable ${REPO_PROXY}) functional?
# --apt-ftp-proxy "${REPO_PROXY}"
# --apt-http-proxy "${REPO_PROXY}"
# arraybolt3: set, but unsure if it actually works yet
## important. using apt with --no-install-recommends
## but not setting an apt config file for the user
# --apt-recommends false \
# arraybolt3: already set.
## if using debootstrap
## important because we pull packages using packaging not using $debootstrap or live-build
# --debootstrap-options "--variant=minbase" \
# arraybolt3: set.
## if using mmdebstrap
## '--variant=required' is only supported by 'mmdebstrap'. It might not be supported by 'debootstrap'.
# --debootstrap-options "--variant=required" \
# arraybolt3: "required" and "minbase" appear to be treated identically by mmdebstrap, therefore not setting this.
## same as above
# --firmware-binary false
# --firmware-chroot false
# arraybolt3: already set.
## Seems correct.
# --binary-image iso-hybrid \
# arraybolt3: set.
lb config \
--distribution "$dist_build_apt_stable_release" \
--mirror-binary "$dist_build_apt_sources_mirror" \
--mirror-binary-security "$dist_build_apt_sources_security_mirror" \
--mirror-bootstrap "$dist_build_apt_sources_mirror" \
--mirror-chroot "$dist_build_apt_sources_mirror" \
--mirror-chroot-security "$dist_build_apt_sources_security_mirror" \
--mirror-debian-installer "$dist_build_apt_sources_mirror" \
--parent-mirror-binary "$dist_build_apt_sources_mirror" \
--parent-mirror-binary-security "$dist_build_apt_sources_security_mirror" \
--parent-mirror-bootstrap "$dist_build_apt_sources_mirror" \
--parent-mirror-chroot "$dist_build_apt_sources_mirror" \
--parent-mirror-chroot-security "$dist_build_apt_sources_security_mirror" \
--parent-mirror-debian-installer "$dist_build_apt_sources_mirror" \
--archive-areas "main contrib non-free non-free-firmware" \
# arraybolt3: set.
## use $dist_build_apt_stable_release instead of hardcoded "bookworm"
--distribution "bookworm"
# arraybolt3: no longer hardcoded.
## probably needed? same as Kicksecure default APT sources archive areas
## should we get this by parsing? in buildconfig.d/25_apt_sources.conf
--archive-areas "main contrib non-free non-free-firmware" \
# arraybolt3: set. Getting from 25_apt_sources.conf is not ideal because it does not have a simple variable that can be used for this purpose.
## sources not needed
--apt-source-archives false \
# arraybolt3: set.
--source false \
# arraybolt3: defaults to false, does not need to be set.
## zsync not used
--zsync false \
# arraybolt3: set.
## useful? irrelevant?
# --chroot-filesystem ext4 \
# --binary-filesystem ext4 \
# arraybolt3: both seem irrelevant.
## useful to see what is going on. why not.
# --verbose \
# --debug
# arraybolt3: set.
## sanity testing and nice to compare logs
lb config --dump
lb config --validate
# arraybolt3: integrated.
## better verbose than not knowing what is going on
lb build --verbose --debug
# arraybolt3: integrated.
* Reviewed and integrated.
== ISO - port to live-build ==
* check derivative-maker source code git history: previously there was a port to live-build. Useful to resurrect it? [DONE]
* port to live-build
* make use of Debian's dracut branch for live-build [DONE]
* add live-build git submodule to derivative-maker (as long as all our changes aren't upstreamed)
* Ensure --remote-derivative-packages still works [DONE]
* Test building Kicksecure on top of Kicksecure [DONE]
* live-config-dist fork needed for installer to work with live-build ISO: https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/live-build
* dist-base-files fork needed for proper user account generation: https://github.com/ArrayBolt3/dist-base-files/tree/arraybolt3/live-build
* anon-apt-sources-list fork needed to avoid a naming conflict with live-build: https://github.com/ArrayBolt3/anon-apt-sources-list/tree/arraybolt3/live-build
* live-build fork: https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
** All changes submitted upstream, TODO work with upstream to get these polished and merged
* derivative-maker fork with live-build support: https://github.com/ArrayBolt3/derivative-maker/tree/arraybolt3/live-build
* PR: {{Github_link|repo=derivative-maker|path=/pull/2}}
== Whonix grub-theme ==
* similar to above
* add to https://github.com/Whonix/whonix-base-files
** Branch at https://github.com/ArrayBolt3/whonix-base-files/tree/arraybolt3/grub-theme, moved 30_whonix.cfg to 25_whonix.cfg and used rm_conffile to remove the old version
* possibly make a slightly different theme for [https://www.whonix.org/wiki/Whonix-Host Whonix-Host], [https://www.whonix.org/wiki/Whonix-Gateway Whonix-Gateway] and [https://www.whonix.org/wiki/Whonix-Workstation Whonix-Workstation]?
** https://github.com/Whonix/anon-gw-base-files
*** Branch containing theme at: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arraybolt3/grub-theme
** https://github.com/Whonix/anon-ws-base-files
*** Branch containing theme at: https://github.com/ArrayBolt3/anon-ws-base-files/tree/arraybolt3/grub-theme
** Whonix-Host not yet dealt with, can add a specific GRUB theme for it when desired.
== Kicksecure grub-theme ==
* maybe https://github.com/AdisonCavani/distro-grub-themes can be helpful?
* add to {{Github_link|repo=kicksecure-base-files|path=/}}
* With the way Debian is designed, the proper way to do this (as far as I can tell) is to pull in the <code>desktop-base</code> package, then use the alternatives system to override the Debian artwork with vendor-specific artwork. However there is a LOT more artwork than just GRUB themes that has to be overridden here. Currently working on this, I think the best package to do this in would be desktop-config-dist although I'm not certain.
* Possible issues with current implementation:
** Potential aspect ratio weirdness, we may or may not care. Debian uses 4x3 aspect ratio for BIOS and 16x9 aspect ratio for UEFI, I've followed that convention here.
* investigate if dh_link can be used to create symlinks
** arraybolt3: dh_link is part of debhelper, which is a tool intended for use only at package build time. It is not intended to be used at maintainer script run time to my awareness, and using it in this context would require pulling in debhelper as a dependency, which would be weird because debhelper is a developer tool, not an end-user tool. Thus I don't think we should do this. ln works fine here and makes sure that the proper GRUB screen sizes are used.
* Implemented at: https://github.com/ArrayBolt3/kicksecure-base-files/tree/arraybolt3/grub-theme
== dummy-dependency improvements ==
* use Provides:
* please merge my changes / work on top of Patrick's changes (Kicksecure/helper-scripts)
* Latest update: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/dummy-dep-generator
== upgrade-nonroot comment ==
* please see https://forums.whonix.org/t/qubes-sudo-su-root-hardening-development-discussion/8561/43 and add comments, if any
* Added comment at https://forums.whonix.org/t/qubes-sudo-su-root-hardening-development-discussion/8561/45
== zswap comment ==
* please comment on https://forums.kicksecure.com/t/enable-and-use-zram-instead-for-swap/654/1
* Commented at https://forums.kicksecure.com/t/enable-and-use-zram-instead-for-swap/654/2, probably prefer zswap solution over zram
* update 1: https://forums.kicksecure.com/t/enable-and-use-zram-instead-for-swap/654/7
* Replied at https://forums.kicksecure.com/t/enable-and-use-zram-instead-for-swap/654/8, I meant to reply to this before and then forgot
== minimize grub themes ==
* please remove all files that are only required for pretty multiboot (without breaking actual multiboot)
* Done, same repositories and branches are still in use.
== document grub.cfg extraction methods or chainloading ==
* Worthy of note, the Linux boot entries are only populated if the disk is unencrypted. Encrypted systems require the use of one of the grub.cfg extraction entries, or (in the case of BIOS systems) chainloading. Additionally, it would be recommended to always use the grub.cfg extraction methods or chainloading, as the use of a "normal" Linux boot entry works but does not enable any kernel hardening features.
* please add to wiki ([[grub]]?)
* Documented under [[Broken Boot]], along with detailed instructions on installing and using Super Grub2 Disk.
== dummy-dependency package generator ==
* helper-script (or usability-misc?) to use equivs (or similar small dependency) to generate a dummy-dependency
* dummy-dependency script written, branch is at https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/dummy-dep-generator
== review and refactor meta packages ==
* {{Github_link|repo=kicksecure-meta-packages|path=/}}
* https://github.com/Whonix/whonix-meta-packages
** Review, suggestions for refactoring: https://gist.github.com/ArrayBolt3/1312aa401d0b7ade970210b3f526f9e8
* please review, discuss
** Forum post at https://forums.kicksecure.com/t/metapackages-tweak-suggestions/663 to get feedback on suggested changes
* purpose of this task is to address (possibly required) refactoring and bug fixes in preparation for the future, for maintainability, and for the next task below
Update 1:
* please proceed with the "small" tasks that can be done safely during Debian bookworm based releases
* create a ticket for Debian trixie port
* Update for Kicksecure metapackages: https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/relocate-packages
* Update for Whonix metapackages: https://github.com/ArrayBolt3/anon-meta-packages/tree/arraybolt3/relocate-packages
== kloak readme fix ==
* https://github.com/Whonix/kloak/issues/4
* Fixed in https://github.com/ArrayBolt3/kloak/commit/9c57eba2e77082f1967ec54a0a42226843df7f17
== live-build - source code integration into derivative maker ==
* assumed to be in derivative-maker/live-build
* Done by Patrick.
== live-build - use live-build to create grub.cfg GRUB configuration ==
* Possible?
* Not possible due to live-build's design, we apply a lot of customisations here that probably should not be upstreamed.
== live-build - remove unicode ==
* please remove unicode if possible from live-build/share/bootloaders/splash.svg
* Fixed, pushed to my fork of live-build. Looks like there were two non-breaking spaces causing issues. This probably cannot be upstreamed as one assumes these were made non-breaking for a reason, and while we may not care about that reason, they probably do.
== review Super Grub2 Disk ==
* see https://github.com/supergrub/supergrub/tree/master/menus/sgd
* any cool/needed features there which would be useful to add to the ISO or non-ISO boot process?
* Don't see much extra that is needed there if it works reliably. The tool appears very capable, I was able to use it to boot an installed Kicksecure system in several different ways. Also was able to loopback boot ISOs. If a user runs into a problem trying to use it for boot recovery, then we should add a task to fix the issue to this list.
== confidential computing ==
* Please read tickets from private issue tracker and update [[Dev/confidential computing]] with new contents based on that.
* Read, added notes on tamper protection and generation of one's own Secure Boot keys.
== append-once bug ==
livecheck:
```
append-once "${save_file}" "${click} "
append-once "${save_file}" "${txtclick} "
```
Does not work. Only the first "click" gets appended. "txtclick" is missing. This is a bug in append-once.
(Patrick applied a workaround in livecheck for now.)
Please fix append-once, if possible.
* arraybolt3: Fixed by making a variant of the str_replace script called str_match and using it in lieu of grep. Also caught a bug with livecheck in general due to running lsblk too early.
** helper-scripts change branch: https://github.com/ArrayBolt3/helper-scripts/tree/arraybolt3/append-once-fix
** desktop-config-dist change branch: https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/livecheck-fix2
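The substring-matching failure mode behind this bug, as an added example (not the helper-scripts code) with constructed values: a helper that checks for the line with a plain grep skips a line that is merely a substring of one already in the file, while a whole-line fixed-string check does not. helper-scripts solved this with its own str_match rather than grep options; the grep -x -F variant here is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the helper-scripts code: two minimal append-once
# helpers with constructed values. The "buggy" one checks for the line
# with a plain grep, so a line that is a substring of an existing line
# ("click " inside "txtclick ") is wrongly treated as already present.
# The fixed one asks grep for a whole-line, fixed-string match
# (helper-scripts fixed the real bug with its own str_match instead).

append_once_buggy() {
  _file="$1"; _line="$2"
  [ -f "$_file" ] || : > "$_file"
  # Defect: regex substring match, not an exact-line comparison.
  grep -q -- "$_line" "$_file" && return 0
  printf '%s\n' "$_line" >> "$_file"
}

append_once_fixed() {
  _file="$1"; _line="$2"
  [ -f "$_file" ] || : > "$_file"
  # -x: the whole line must match, -F: treat the pattern as a literal string.
  grep -q -x -F -- "$_line" "$_file" && return 0
  printf '%s\n' "$_line" >> "$_file"
}

# Apply a helper to a fresh temporary file with the constructed values
# "txtclick " then "click " and print the number of lines that remain.
# A correct helper leaves 2 lines; the defective one leaves 1.
run_demo() {
  _helper="$1"
  _tmp=$(mktemp)
  "$_helper" "$_tmp" "txtclick "
  "$_helper" "$_tmp" "click "
  wc -l < "$_tmp" | tr -d ' '
  rm -f "$_tmp"
}

printf 'buggy: %s lines, fixed: %s lines\n' \
  "$(run_demo append_once_buggy)" "$(run_demo append_once_fixed)"
```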
== live-build - fork of live-build ==
* please create fully merged live-build repository on github so Patrick can fork it and add the git submodule to derivative-maker
* Fork publicized at https://salsa.debian.org/ArrayBolt3/live-build/-/tree/arraybolt3/lb-dracut?ref_type=heads
* Synced with upstream as of 2024-10-25, includes the merge of Dracut support to master.
== live-build - use derivative-maker variable APT_OPTIONS ==
* for reference, see derivative-maker help-steps/variables APTGETOPT, APTGETOPT_ALT, APTGETOPT_WITHOUT_APT_CACHE
* set live-build APT_OPTIONS to APTGETOPT
* these include --error-on=any and more
* Added.
== live-build - avoid live-build specific boot splash ==
* https://github.com/ArrayBolt3/derivative-maker/blob/arraybolt3/live-build/live-build-data/splash.svg
* Avoidable? Can be done in /packages/ instead please?
** Difficult to avoid, the splash screen is dynamically modified by live-build at build time, and is sourced from live-build's configuration directory at build time (live-build does not use packages installed under the chroot to find this). The entirety of the bootloader configuration is done without use of packages installed in the built system as I understand it.
* there are later tasks for GRUB boot menu styling
** This has to be dealt with now because otherwise we risk causing confusion to end-users. The default GRUB splash on live-build ISOs uses a strange construction hat logo, and states that the ISO is specifically Debian. Not changing this screen could even be legally problematic as the name "Debian" is a trademark. (https://www.debian.org/trademark) This GRUB screen is also specific to live-build and should not be used for installed systems. Debian uses separate GRUB screens for installed systems and live-build ISOs.
* live-config-dist adds "Live ISO" to the grub boot menu via {{Github_link|repo=live-config-dist|path=/blob/master/etc/default/grub.d/40_live-config-dist.cfg}} - possible to do the same with live-build?
** This file should probably be deleted once live-build becomes the default ISO build mechanism.
* Figure out what unicode is in the splash screen SVG and remove it if at all possible
** Fixed, it was a non-breaking space.
== report TCP ISN specification issue ==
* TCP ISN is an issue in the spec
* Could you please report this upstream against the spec, if possible?
* Reported.
== live-check - run once only ==
* to avoid log spam (passwordless root)
* create a done file in folder /run/user/$USER so the livecheck script does not run sudo over and over again
* https://github.com/ArrayBolt3/desktop-config-dist/tree/arraybolt3/livecheck-fix Tested and ready for review/merge.
== review kloak RPM specfile ==
* https://github.com/Whonix/kloak/pull/2
* please review for non-maliciousness only
* Reviewed, all contents appear normal, useful, and non-malicious. However, the systemd unit for kloak is not enabled by default due to the lack of a systemd preset file. This may be something we want to resolve later.
== desktop-config-dist - livecheck - rd.live.image ==
* FYI: this is now fixed in git. no more patch for live-build required. livecheck should now work out of the box (no matter if old or new live-build kernel parameters)
* FYI only. Ticket can be archived.
* arraybolt3: I haven't archived this yet since it doesn't seem to actually be working in my ISO builds and I'm not sure why.
* Patrick: Fixed yet again.
* arraybolt3: Looks good now.
== automate VirtualBox version update in the wiki ==
* example what is being done manually: https://www.kicksecure.com/w/index.php?title=Template%3AVirtualBox_Host_Software_Installation&diff=87404&oldid=86914
* suggestions on how to automate this? using mediawiki-shell
* automation of the script that does the change?
* automation to auto run that script?
* add to developer-meta-files
* Prototype code: https://github.com/ArrayBolt3/auto-version-update
* Final code, ready for review: https://github.com/ArrayBolt3/developer-meta-files/commit/d053175dd27beb6eee8ad853a35efb57928e4f04
== calamares - change to BTRFS by default - including subvolumes ==
* change to BTRFS by default
* make use of subvolumes
* https://forums.kicksecure.com/t/use-btrfs-as-the-default-journaling-file-system/626
* Added btrfs-progs to kicksecure-recommended-cli: https://github.com/ArrayBolt3/kicksecure-meta-packages/tree/arraybolt3/btrfs-support (necessary to avoid installation failures)
* Added BTRFS support to live-config-dist: https://github.com/ArrayBolt3/live-config-dist/tree/arraybolt3/btrfs-support
* Note that Calamares installs BTRFS with subvolumes on the root filesystem by default, so no special work was needed to make that happen.
== live-build - path may be being set in a non-ideal fashion ==
* $source_code_folder_dist/live-build for the git sub module (our fork) (pristine source code)
* $dist_binary_build_folder/live-build should be used for the "config" folder (which will contain binaries after running live-build) (can be safely deleted and re-created using derivative-maker)
** arraybolt3: currently using $dist_binary_build_folder/kicksecure-live-build for this, change to use live-build name instead
** Done.
== live-build - boot-time scripts handling ==
* boot-time scripts aren't marked as executable
* the boot-time scripts are an implementation detail of the live-build config (used to set the default shell to ZSH and change the username from "Debian live user" to "Kicksecure live user")
* should be done in /packages/
** arraybolt3: This cannot be done by /packages/ because these scripts are installed by live-build and are not vendored as a package. This is the recommended way of doing things in live-build, see https://live-team.pages.debian.net/live-manual/html/live-manual/customizing-contents.en.html#customizing-contents section "9.2.3 Boot-time hooks"
** Patrick:
*** Where is the source code for these scripts?
**** arraybolt3: Integrated in derivative-maker/build-steps.d/2800_create-lb-iso.
*** Can we avoid using some of these scripts? Is this a missing live-build feature? If it is what I vaguely remember before, these could be disabled with a symlink to /dev/null inside the configuration folder.
**** arraybolt3: The scripts are custom-written for the ISO, and have two purposes - one of them renames "Debian live user" to "Kicksecure live user", the other one changes the default shell in the ISO live environment from bash to zsh.
*** Switching default shell from bash to zsh is already implemented in dist-base-files debian/dist-base-files.postinst. It also supports configuration, simplifies customized builds / forks. Doing this in dist-base-files as well as on the live-build level, adds extra complexity, which should be avoided.
**** arraybolt3: Doing this in a package requires shipping files under /lib/live/config. This is because the live session user on the ISO is actually created ''at ISO boot time'', not at build time. As a result the user's default shell and most of the user configuration is controlled by live-build boot-time hooks, which are located in /lib/live/config. Technically this is doable, but it diverges from the documented method described in live-build's manual.
* All extra boot-time scripts have been made obsolete and are thus removed.
== live-build - avoid scripting at calamares level - avoid /etc/calamares/modules/shellprocess_useradd.conf ==
* Can this be done at /packages/ level instead please?
** Very difficult. live-build ISOs generate the user account on the ISO at boot time, meaning that after an initial Calamares installation, the installed system has no usable user account. Creating one requires either using the Calamares users module (which as previously discussed is undesirable) or requires a hook similar to what is implemented with shellprocess_useradd.conf.
* Already implemented in dist-base-files debian/dist-base-files.postinst
** This should not be implemented here. This method of implementation is fundamentally incompatible with live-build, and the only reason it hasn't caused issues is because the logic disables itself when not running under Qubes or derivative-maker, and when live-build is running it obscures the use of derivative-maker from the package.
* Better to keep it there due to planned changes. (User "user" will no longer be a member of group "sudo" and a new user "admin" will be introduced.) Otherwise having two places to maintain this would complicate things.
** Can it be moved to live-config-dist and maintained there going forward?
* shellprocess_useradd.conf removed, user creation managed by dist-base-files as before.
== livecheck - FYI - rd.live.image kernel parameter detection broken ==
* fixed in git
* FYI only
* please archive this ticket
== live-build - upstream pull requests ==
* Please check, continue working with upstream.
* Updated fork to reflect new changes to master, commented on the localrepo merge request.
* All three live-build patches are listed in "WAITING ON", indicating that work on them is ongoing. I will make sure to monitor activity there regularly and respond quickly.
* Patrick: This was about:
Merge blocked: 1 check failed
Merge request must be rebased, because a fast-forward merge is not possible.
== pam_faillock ticket ==
* What runs /etc/pam.d/sudo versus /etc/pam.d/sudo-i? No other file in /etc/pam.d references such a file.
** sudo's source code allows sudo to identify itself to PAM as either sudo or sudo-i depending on how sudo is being used. See https://github.com/sudo-project/sudo/blob/17aa7688c955e58adffdfb0300d485a2b859b128/plugins/sudoers/auth/pam.c#L220. Theoretically it might be possible to patch this location in sudo to make it identify itself to PAM in a special manner when running a NOPASSWD command.
** Bug report filed against sudo: https://github.com/sudo-project/sudo/issues/415
* Useful to add? https://github.com/linux-pam/linux-pam/issues/842
`/etc/pam.d/sudo`
```
#%PAM-1.0
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
@include common-auth
@include common-account
@include common-session-noninteractive
```
`/etc/pam.d/sudo-i`
```
#%PAM-1.0
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
@include common-auth
@include common-account
@include common-session
```
----
`/etc/sudoers.d/upgrade-passwordless`
```
%sudo ALL=NOPASSWD: /usr/bin/apt-get-update-plus dist-upgrade
```
* May be useful, but I don't believe it is necessarily useful right now. Would like to wait for now.
** Patrick: Agreed because this bug seems to be a sudo bug instead and was reported against sudo.
* Ticket can be archived.
== fix broken recovery mode ==
* Recent Kicksecure ISOs seem to simply hang during boot when booted in recovery mode. Investigate.
* Turns out the default kernel in the latest ISO has a broken recovery mode. However, the next kernel update thereafter works without issues. This will therefore resolve itself during regular updates, and the next ISO build should have it fixed.
== live-build - keep generated live-build folder out of source code folder ==
* treat "lb config" as pristine/source code
* place live-build folder in ~/derivative_binary folder (use already existing variable binary_build_folder_dist)
* reason: live-build mixes config and binaries inside the same folder
This is how it was done in the past:
```
mkdir --parents "$binary_build_folder_live_build"
cd "$binary_build_folder_live_build"
```
* live-build config is autogenerated at build time now.
== review root related documentation ==
* read
* improve
* https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation
** Read, added improvements including rewriting the console login attacks section.
* https://www.kicksecure.com/wiki/Root
** Read, added improvements including documenting how to run GUI applications as root under Wayland
* https://www.kicksecure.com/wiki/Default_Passwords
** Read, didn't see anything that needed added.
* https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks
** Read, fixed a link and clarified some things related to IOMMU.
* https://www.kicksecure.com/wiki/Dev/user-sysmaint-split
** Read, didn't see anything that needed added.
== faillock ==
=== security-misc - review pam-configs ===
* please have a look here in security-misc usr/share/pam-configs/ for introduction
* Looked at it, seems reasonable and useful
* Found documentation for pam-configs at https://wiki.ubuntu.com/PAMConfigFrameworkSpec
=== security-misc - faillock - stop reset after reboot ===
* should not be reset after reboot
* the faillock status file is configurable already, see man pam_faillock
* Requires pam config modifications to make work right, working proof-of-concept config determined and shared in chat.
* Fixed in commit https://github.com/ArrayBolt3/security-misc/commit/690e8dd826d1cb39c0c12c03792781862cc2dd23
=== security-misc - faillock - stop reset after 24 hours ===
* should not be reset after 24 hours
* no need to automatically reset at all
* user should always have a chance to learn about failed login attempts
* this can (likely?) be configured in our already existing configuration file in security-misc
* Lockout reset is preventable, tally reset cannot be configured out and the largest possible delay between resets that can be set is arbitrarily limited to 7 days.
* Fixed as much as possible in commit https://github.com/ArrayBolt3/security-misc/commit/690e8dd826d1cb39c0c12c03792781862cc2dd23
== security review ==
* as discussed
* done, notes shared in chat
== live-build - stop installation extraneous packages ==
* dhcp / networking related packages
* whiptail
* should not be pulled by live-build
* if deemed useful packages, needs to be discussed in forums and done inside the derivative-maker /packages/ folder through Depends:
* Looks like this is solved, cannot find isc-related packages, ifupdown, or whiptail in my latest build.
== live-build - dracut related fixes ==
* please report and/or fix upstream anything dracut related that needs fixing due to new results with live-build
* Reported the one main issue I ran into at https://salsa.debian.org/live-team/live-build/-/merge_requests/353#note_537378, verified that other issues I had encountered were no longer a problem.
== kloak - add support for /dev/input/mice ==
* VM has no /dev/input/mouseX
* VM has only /dev/input/mice
* kloak ignores /dev/input/mice.
* (user reported using an Ubuntu 24.4 VM)
* kloak only uses /dev/input/eventX devices by design, these are provided by the evdev driver and seem like they should always exist
* Could not reproduce the issue with QEMU using either Kicksecure or Lubuntu 24.04 - /dev/input/eventX devices for the mouse always exist, as do individual /dev/input/mouse devices. Need to know what hypervisor was in use to test further.
Patrick:
* asked user about which VM. waiting for reply.
** probably user error. archiving.
== ISO - check git history ==
* check derivative-maker source code git history as it might have useful options
* Found and extracted lb config command. Commit used was from 2023-07-20, and is the latest live-build commit on that day.
== desktop-config-dist package version issue ==
* kicksecure /dists/bookworm-developers/main/binary-amd64/Packages
{{CodeSelect|code=
Package: desktop-config-dist
Version: 3:10.1-1
}}
{{CodeSelect|code=
desktop-config-dist(master)]% git describe
10.1-1
}}
* todo: investigate
** How did an outdated desktop-config-dist version (older than in git) end up in the test ISO? Did it install packages from the local repository? Then this issue should be impossible. Or did it, for testing, use the remote, stable repository? Then this is not surprising. The stable repository often has older versions. These are for the most part only updated once a new stable release has been released.
* note: updated due to below now
* The version of the desktop-config-dist package installed on the ISO had contents older than in Git, but the version number was *newer*. This leads me to believe that most likely the machine used to build the ISO had testing code left in derivative-maker/packages/kicksecure/desktop-config-dist or similar.
== research chvt security impact ==
* in context of root
* Researched and added to console login attacks section of https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation. Does not appear to be a concern.
== tirdad - fix ==
* please send a pull request for the recent tirdad fix to Kicksecure/tirdad
* Merge commit at https://github.com/ArrayBolt3/tirdad-kicksecure/commit/2301b1c1413d8013b5c3b30976732bbf23d2f9ac, cannot open pull request due to having a fork of upstream already in my account.
== Security Through Amnesia: A Software-Based Solution to the Cold Boot Attack on Disk Encryption ==
* https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=e5f940decaa589f3b2030429f48739281839e4d8
* please read
* add to [[Dev/confidential computing]]
* Added notes, including one about a potential attack vector via NMIs.
== wiki improvements related to Open Source hardware and firmware ==
* https://www.kicksecure.com/wiki/Open_Source_Hardware
* https://www.kicksecure.com/wiki/Out-of-band_Management_Technology
* check for correctness
* improve these pages
* Added notes about OpenPOWER to the open-source hardware page.
* Added notes about Computrace to the out-of-band management page.
== e-mail processing ==
* read e-mail on confidential computing, digest, add to wiki (cannot be copied/pasted)
* Added notes to confidential computing page.
== keepassxc org.freedesktop.secrets Linux distribution compatibly feature request ==
* Shortcomings have been identified in https://forums.kicksecure.com/t/error-storing-passphrase-in-keyring-the-name-org-freedesktop-secrets-was-not-provided-by-any-service-files/582/2
* Post a feature request for keepassxc asking what kind of changes they would have to make so keepassxc can be easily used as an org.freedesktop.secrets provider by a Linux distribution.
** Feature request at https://github.com/keepassxreboot/keepassxc/issues/11342
* keepassxc would probably need an /etc/keepassxc.d drop-in configuration folder where a distribution could add a configuration snippet to enable this functionality.
* Post the link to the feature request in the forum thread.
** https://forums.kicksecure.com/t/error-storing-passphrase-in-keyring-the-name-org-freedesktop-secrets-was-not-provided-by-any-service-files/582/4
== research enclaive ==
* https://github.com/enclaive
== research constellation ==
* https://github.com/edgelesssys/constellation
** https://www.edgeless.systems/press-release-edgeless-systems-releases-first-runtime-encrypted-kubernetes-as-open-source
* https://www.edgeless.systems/docs/
* https://docs.edgeless.systems/continuum/
* https://docs.edgeless.systems/continuum/security-goals
* https://docs.edgeless.systems/continuum/attestation/overview
* https://www.edgeless.systems/products/contrast
* Added Constellation, Contrast, and Continuum to Confidential Computing page with notes (Constellation looks particularly handy if one trusts a silicon vendor)
== research Intel TDX ==
* https://en.wikipedia.org/wiki/Trust_Domain_Extensions
* https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html
* https://github.com/intel/tdx-module
* https://azure.microsoft.com/en-us/blog/azure-confidential-computing-on-4th-gen-intel-xeon-scalable-processors-with-intel-tdx/
* Integrated research into confidential computing page.
== ISO - wrong bootloader entry ==
* https://forums.kicksecure.com/t/boot-issue-after-installking-kicksecure/602/16
* Unsure why this happened. Debian's Wiki has a recorded instance of this happening (at the bottom of https://wiki.debian.org/GrubEFIReinstall) and the suggested workaround is to install rEFInd instead of GRUB.
== ISO - fallback boot loader broken ==
* Similar to above.
* Ultimately this is not something we can fix until the migration to live-build is done.
** Debian Live doesn't install with a fallback bootloader enabled *at all* by default, only the Debian-specific path has a bootloader installed to it.
** Ubuntu installs a special "fix the UEFI NVRAM vars" bootloader under \EFI\BOOT\BOOTX64.EFI but that's Ubuntu-specific it appears.
** There is an option in Debian that allows always installing the GRUB bootloader to the fallback bootloader path in addition to the normal installation location (https://wiki.debian.org/UEFI#Force_grub-efi_installation_to_the_removable_media_path). This option would work great for us, however it requires that grub-efi-amd64 be installed, which requires grub-pc to be uninstalled, which looks like it will probably cause issues on non-UEFI systems.
** At this point we have to choose to have either slightly broken UEFI, or slightly broken BIOS, there is no middle ground until the live-build migration is complete. However, we may be able to tell Calamares to ''not'' install a fallback bootloader of its own anymore since this bootloader doesn't work at all.
== ISO - calamares - logo size reduction ==
* On the first page of the calamares installer the Kicksecure logo looks a bit out of place because it is way too large. Please reduce the size a bit.
* Done in https://github.com/ArrayBolt3/live-config-dist/commit/15eb4be99fd5d933c3067c982a9a6ad3f4d06d23
== ISO - calamares - encrypt button bug ==
* See video provided.
* Followed up with Calamares developers. There don't appear to be blockers, the devs are just short on time and haven't gotten around to merging the fix yet.
* https://github.com/calamares/calamares/pull/2376
* https://github.com/calamares/calamares/issues/2375
* https://github.com/calamares/calamares/issues/2379
== ISO - live-config - dist shellprocess_fixconkeys_part ==
* Why is this required? Please report, fix this issue upstream in calamares, if possible. Otherwise, please add a comment to the file in live-config-dist so these files can be removed some day.
* Reported upstream at https://github.com/calamares/calamares/issues/2383
== research Secure Cloud Hardware ==
* [[Dev/confidential_computing#Secure_Cloud_Hardware_TODO_Research_List|Secure Cloud Hardware TODO Research List]]
* Done, notes added to confidential computing Wiki page.
== research AMD Infinity Guard ==
* https://www.amd.com/en/products/processors/server/epyc/infinity-guard.html
* https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD_Infinity_Guard
* Added a note to the confidential computing page, this is basically just branding for a number of other technologies, all of which are either not directly relevant or have been previously covered.
== tirdad ==
=== tirdad - read history and old discussions ===
* https://dl.acm.org/citation.cfm?id=1180410
* https://forums.whonix.org/t/tcp-isn-cpu-information-leak-protection-tirdad/8552
* https://phabricator.whonix.org/T543 -> broken link -> nowadays -> https://forums.whonix.org/t/cpu-induced-latency-covert-channel-countermeasures/18875
* https://trac.torproject.org/projects/tor/ticket/16659 -> https://gitlab.torproject.org/legacy/trac/-/issues/16659
* Read through all linked information.
=== tirdad - functionality review ===
* please investigate tirdad more closely
* https://bitguard.wordpress.com/2019/09/03/an-analysis-of-tcp-secure-sn-generation-in-linux-and-its-privacy-issues/
* check references, theory, implementation
* Reviewed, theory makes good sense, implementation could be improved but that's for future tasks
=== tirdad - backports compatibility ===
* currently failing to compile using backports kernel
* https://forums.whonix.org/t/using-kernels-from-backports/20503/5
* https://github.com/0xsirus/tirdad/issues/24
* please check if https://github.com/0xsirus/tirdad/commit/4720311ff21c3f71cc5e3670caf5dfde2b31c5f8 looks good and test
* Verified that this commit does indeed fix the issue.
=== tirdad - fix code issues ===
* 1 pull request per issue as found in your security review
* Some of the pull requests ended up fixing multiple issues simply by virtue of the fact that fixing some of the issues resulted in problematic code being removed entirely and thus no longer a concern.
* Pull requests:
** https://github.com/0xsirus/tirdad/pull/25
** https://github.com/0xsirus/tirdad/pull/26
** https://github.com/0xsirus/tirdad/pull/27
=== tirdad - upstream to Linux ===
* please discuss upstream
* see if it is possible to send a pull request upstream
=== tirdad - compile time hardening flags review ===
* Any compile time hardening flags that could be set?
* Setting compile-time flags could be dangerous. Would recommend just sticking with the defaults in the kernel.
=== tirdad - lwn article review ===
* https://lwn.net/Articles/455270/
* something important to know there?
* Using random 32-bit numbers from the kernel's RNG will avoid any potential security issues like the ones described here.
=== tirdad - development branch ===
* Please create a development branch that comes with all your PRs merged.
* This has been completed by Aaron in the rewrite branch.
== boot issues debugging ==
* increased priority because the user is still available
* https://forums.kicksecure.com/t/boot-issue-after-installking-kicksecure/602
* The user might no longer be available. But for the future, can we have a checklist on how to debug the boot process?
* Perhaps even a pre-installed script that can be run from live mode or from inside the broken system (if it is known that it would be no longer bootable after reboot)?
* https://packages.debian.org/bookworm/boot-info-script is already installed by default. Helpful?
* Please document here: [[Broken Boot]]
== research AMD TSME ==
* https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD_TSME
* sounds better than SME
* Researched and notes added to confidential computing doc.
== investigate locale issue ==
* https://forums.kicksecure.com/t/locale-layout-installation-error/611
* Issue identified and fixed: https://github.com/ArrayBolt3/live-config-dist/commit/fe3eb5da1a8a2c464026941c572e61de90d3e6e6
== tirdad ==
=== security review tirdad.c ===
* please review for code safety issues (memory safety)
* security review only for now
* functionality review at a later point
* {{Github_link|repo=tirdad|path=/blob/master/module/tirdad.c}}
* please report issues, if any, upstream: https://github.com/0xsirus/tirdad
* https://chatgpt.com/share/67029e9f-8e30-8000-9a22-114ff13c2b93
* Review at https://github.com/0xsirus/tirdad/issues/23
== hardware security features for RamCrypt ==
* If software-only isn't possible, maybe hardware features such as SGX need to be used.
** SGX itself does not appear to be useful for us. It allows running security-sensitive code in a secure "box" that nothing else on the system can pry into, but that security-sensitive code is limited in capabilities. It does not appear to be possible to run an entire virtual machine in an SGX enclave.
** Intel TXT and TME-MK are much better suited for our purposes.
* todo research: Are there still unpatched security issues in SGX or similar features that could be used for that?
** It appears known issues are patched in the latest processors. Microcode updates were used to fix some of the issues.
== report GTK touchscreen detection bug ==
* GTK should not be using hardcoded device names to detect "fake" touchscreens
* https://forums.whonix.org/t/weird-magnifier-feature/20502/12
* Reported at https://gitlab.gnome.org/GNOME/gtk/-/issues/7060
== investigate kloak bugs ==
* https://forums.whonix.org/t/weird-magnifier-feature/20502
** "marking text in mousepad shows magnifier" (confirmed by Patrick)
** "marking text in thunar shows magnifier" (confirmed by Patrick)
** "mousepad app I can scroll a long text as if I were swiping up and down with a touchscreen device" (not reproducible by Patrick)
** "no highlighting of mouse context menu and no highlight on system wide menu" (not understood)
** Turns out to be because of how GTK handles "fake" touchscreens, see https://forums.whonix.org/t/weird-magnifier-feature/20502/12
** Fixed in https://github.com/Whonix/kloak/commit/d4e7b4c0428527ea002e1ea61839effc0cb5e88e
== research Intel / AMD RAM Encryption ==
* https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/memory-encryption-white-paper.pdf
* https://www.intel.com/content/www/us/en/developer/articles/news/runtime-encryption-of-memory-with-intel-tme-mk.html
* https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html
* https://www.trentonsystems.com/en-us/resource-hub/blog/what-is-intel-tme
* https://forums.whonix.org/t/enable-secure-memory-encryption-sme-kernel-parameter-mem-encrypt-by-default/10393
* https://en.wikichip.org/wiki/x86/sme
* https://en.wikichip.org/wiki/x86/tme
* Researched and added to Whonix Dev/cloud page. tl;dr: AMD SEV and SME does not seem suitable. Intel TME-MK appears promising.
== pKVM research ==
* research if pKVM assumes a locked down host and/or remote attestation (Google SafetyNet)
* Researched and added to Whonix Dev/cloud page
== dracut follow-up ==
* https://github.com/dracut-ng/dracut-ng/issues/684
* https://github.com/dracut-ng/dracut-ng/pull/609
* Tested commit, followed up at https://github.com/dracut-ng/dracut-ng/issues/684#issuecomment-2394398786, this is done
== calamares luks encryption settings ticket ==
* please reply https://github.com/calamares/calamares/issues/2374
* replied: https://github.com/calamares/calamares/issues/2374#issuecomment-2394028666
== secure cloud research ==
* move notes from chat to wiki
* Revamped Confidential VMs section in wiki
== RamCrypt + no-fill cache mode ==
* Draft an email for the kernel development mailing list asking about the possibility of 100% RAM encryption, mounting CPU cache as RAM for the 3%.
Subject: Investigating practicality of full memory encryption techniques using frozen cache and TRESOR/RamCrypt
I am currently helping with software development for the Kicksecure and Whonix projects, which are heavily focused on privacy and security. One of the goals we'd like to achieve is making it possible to securely run virtual machines on x86_64-architecture cloud servers in a manner resistant to cold-boot attacks, without relying on technology such as Intel SGX and TDX or AMD SEV that requires trusting CPU-vendor-provided code, keys, etc.
The two main technologies we're looking into for this purpose are TRESOR[1] and RamCrypt[2]. TRESOR is a full disk encryption mechanism that stores all disk encryption keys in CPU registers, such that the key is never[3] stored in RAM. If used on the hardware of a VM host, this would prevent a cold-boot attack from finding the disk encryption key. RamCrypt is a full memory encryption mechanism that uses the same technique as TRESOR to hide an encryption key inside the CPU, using it to transparently encrypt and decrypt the memory of running applications using memory paging techniques. Both of them have working proof-of-concept implementations described in the linked papers. Our hope is to eventually get fully functional, production-ready TRESOR and RamCrypt implementations created and upstreamed into the Linux kernel. For the avoidance of doubt, I am not the author of or a contributor to either TRESOR or RamCrypt.
One issue we have with RamCrypt is that it leaves part of a protected process's memory unencrypted in RAM as necessary. By default, up to four 4k pages of RAM are unencrypted at a time, with new pages being decrypted and older ones being encrypted transparently as needed. This has the serious disadvantage of making a cold-boot attack potentially successful, even if it is statistically unlikely to work. The chances of a successful attack against RamCrypt are non-negligible - the RamCrypt paper shows that a RamCrypt-protected nginx instance left a critical encryption key exposed in RAM 3% of the time in their test scenarios. This is worrying to us, and we're wondering if there is a way to prevent this from being a problem.
Our current hope is to use a cache-as-RAM technique (similar to what is described in the Frozen Cache[4] project) to potentially overcome this limitation. The idea, roughly speaking, is to ensure that protected process memory is only ever present in decrypted form in one of the CPU caches, and is prohibited from ever touching system RAM. When a page of memory is accessed that is encrypted, a previously decrypted page will be encrypted, written to system RAM, then an encrypted page will be decrypted into cache and used. Cache should be approximately as hard to access in a cold-boot attack as registers, thus this would allow a protected process to be immune to cold-boot attacks by never storing any sensitive data decrypted in RAM. It appears that no-fill cache mode could potentially be used for this purpose, though doing so without entirely destroying system performance seems like it would be tricky and probably require dedicating one or more CPU cores to running "protected" software with this modified caching mode.
The high-level end goal is to allow KVM-accelerated QEMU processes to be run encrypted via RamCrypt, with no unencrypted VM memory touching system RAM, and with the physical machine running TRESOR to protect the filesystem on which the VM virtual disks are stored. To begin with, though, it would be useful to know whether it's even possible with Linux's architecture to combine RamCrypt and no-fill cache mode to transparently encrypt a process's memory without exposing it decrypted in RAM. Some advice on how to go about implementing something along these lines would also be welcome, so that we can implement it in a way that is most likely to be accepted into the upstream kernel.
Thanks for taking the time to read this, and have a great day!
[1] https://faui1-files.cs.fau.de/filepool/projects/tresor/tresor.pdf
[2] https://faui1-files.cs.fau.de/filepool/projects/ramcrypt/ramcrypt.pdf
[3] Well, almost never - the key is briefly stored in RAM when read from whatever device provides it, but it is immediately expunged from RAM thereafter.
[4] https://frozencache.blogspot.com/
* Patrick: minor corrections have been made. Please post.
* Posted: https://lore.kernel.org/lkml/20241003194147.2566a393@kf-ir16/T/#u
== ISO - Fix encryption checkbox bugs ==
* https://github.com/calamares/calamares/issues/2375
* https://github.com/calamares/calamares/issues/2379
* PR at https://github.com/calamares/calamares/pull/2376
== ISO - calamares encryption settings ==
* https://forums.kicksecure.com/t/iso-cryptsetup-full-disk-encryption-fde-set-more-secure-default-encryption-settings/588
* Can we use shell aliases or wrapper to influence cryptsetup default options to set strong encryption settings such as AES512 instead of only AES256?
* https://github.com/calamares/calamares/issues/1452
* or add a calamares feature so distro developers or users can configure the cryptsetup command line options in /etc/calamares
{{CodeSelect|code=
sudo cryptsetup --verbose --use-random --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random luksFormat
}}
* distribution developers should control most if not all of that line
* "sudo" - is probably a given since calamares runs as root.
* "cryptsetup" - maybe a distribution wants to use a wrapper.
* "--verbose --use-random --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random" these are certainly options which a distribution should be able to decide.
* "luksFormat" -
* "" - probably provided by calamares through a variable
Based on theoretical considerations only. Since calamares uses a library to use cryptsetup (?), it may not be as simple for a distribution to set these command-line options?
* Requires support in libkpmcore first, did research and started discussion at https://discuss.kde.org/t/making-libkpmcores-luks2-settings-more-secure/21764 to get the ball rolling
* Received no response for approximately six days, filed an MR: https://invent.kde.org/system/kpmcore/-/merge_requests/54
Patrick:
* on https://discuss.kde.org/t/making-libkpmcores-luks2-settings-more-secure/21764 please post a link to https://invent.kde.org/system/kpmcore/-/merge_requests/54
* on https://invent.kde.org/system/kpmcore/-/merge_requests/54 please post a comment such as (adjust as comfortable, after verification):
** No, /dev/random is not the same as /dev/urandom even on modern kernels. [Code Comparison - /dev/random vs. /dev/urandom](https://www.kicksecure.com/wiki/Dev/Entropy#Code_Comparison_-_.2Fdev.2Frandom_vs._.2Fdev.2Furandom)
** "cryptsetup --help" on Debian bookworm:
* aes-xts-plain64 seems to be the default indeed. The argument for not hardcoding it, so that safer defaults are picked up automatically in the future, makes sense.
* Glad if we can get the hash size increase.
Aaron:
* Left desired notes on merge request: https://invent.kde.org/system/kpmcore/-/merge_requests/54#note_1044980
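An added check (not calamares or kpmcore code) for verifying, after installation, that a LUKS2 header actually carries the settings requested in this thread: aes-xts-plain64, a 512-bit key and sha512. It reads the output of "cryptsetup luksDump DEVICE" from a file and assumes the LUKS2 layout printed by cryptsetup 2.x; the two dumps below are constructed and abridged.

```shell
#!/bin/sh
# Added example, not calamares or kpmcore code: check a LUKS2 header
# against the settings requested above (aes-xts-plain64, 512-bit key,
# sha512). Reads "cryptsetup luksDump DEVICE" output from a file and
# assumes the LUKS2 layout of cryptsetup 2.x: the data segment carries
# "cipher:", the keyslot "Key: N bits", and the AF and digest hashes
# appear as "AF hash:" and "Hash:".

# luks_check DUMPFILE [CIPHER] [KEYBITS] [HASH]: 0 if every setting matches
luks_check() {
    dump=$1 want_cipher=${2:-aes-xts-plain64} want_bits=${3:-512} want_hash=${4:-sha512}
    cipher=$(awk -F': *' '/^Data segments:/ {seg=1}
                          seg && /^[[:space:]]+cipher:/ {print $2; exit}' "$dump")
    bits=$(awk '/^[[:space:]]+Key:/ {print $2; exit}' "$dump")
    hashes=$(awk -F': *' '/^[[:space:]]+(AF hash|Hash):/ {print $2}' "$dump" | sort -u)
    rc=0
    [ "$cipher" = "$want_cipher" ] || { echo "cipher: got '$cipher', want $want_cipher"; rc=1; }
    [ "$bits" = "$want_bits" ] || { echo "key size: got '$bits' bits, want $want_bits"; rc=1; }
    for h in $hashes; do
        [ "$h" = "$want_hash" ] || { echo "hash: got $h, want $want_hash"; rc=1; }
    done
    if [ "$rc" -eq 0 ]; then echo "header matches requested settings"; fi
    return $rc
}

luks_tmp=$(mktemp -d)
# Constructed, abridged dump of a header made with the defaults the
# thread above considers too weak (256-bit key, sha256).
cat > "$luks_tmp/weak.dump" <<'EOF'
LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        256 bits
        Cipher:     aes-xts-plain64
        Cipher key: 256 bits
        PBKDF:      argon2id
        AF hash:    sha256
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
# The same header as it would look after "--key-size 512 --hash sha512".
cat > "$luks_tmp/strong.dump" <<'EOF'
LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        AF hash:    sha512
Digests:
  0: pbkdf2
        Hash:       sha512
EOF

for d in weak strong; do
    if luks_check "$luks_tmp/$d.dump"; then echo "$d.dump: OK"; else echo "$d.dump: NOT OK"; fi
done
```

On a real system: `sudo cryptsetup luksDump /dev/sdX2 > dump.txt && luks_check dump.txt`.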
== org.freedesktop.secrets implementation ==
* https://forums.kicksecure.com/t/error-storing-passphrase-in-keyring-the-name-org-freedesktop-secrets-was-not-provided-by-any-service-files/582
* Researched and commented: https://forums.kicksecure.com/t/error-storing-passphrase-in-keyring-the-name-org-freedesktop-secrets-was-not-provided-by-any-service-files/582/2
== Cloud virtualization - research RAM-less encryption techniques for disk and RAM encryption ==
See https://www.whonix.org/wiki/Dev/cloud#Confidential_VMs
== live-build dracut test ==
* from a Debian perspective (because Kicksecure will start using it at some point) by building an ISO
* please test and notify upstream about your test results
* https://salsa.debian.org/live-team/live-build/-/merge_requests/353
* does the ISO have the "ISO - error message during boot: mount: /sysroot: special device LiveOS_rootfs does not exist" issue? (related to task below)
* Trixie and Bullseye both work well, Bookworm fails to boot with a sysroot mount failure. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082891
== ISO - error message during boot: mount: /sysroot: special device LiveOS_rootfs does not exist ==
* https://forums.kicksecure.com/t/iso-error-message-during-boot-mount-sysroot-special-device-liveos-rootfs-does-not-exist/418
* fixed in https://github.com/ArrayBolt3/derivative-maker/commit/894d0657b7cd69370d67759709fff166d469cc37
** Patrick: needs further work as discussed
** Patrick: please no modules in derivative-maker (if needed needs to be in a package)
** Patrick: please track down root cause
* Root cause found, reported at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082891
== unbootable system after installing dracut on a standard Debian installation ==
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078792
* Caused by a missing dracut dependency, "systemd-cryptsetup", see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078792#15
* Bugfix tested, works
* Merge request in Debian at https://salsa.debian.org/debian/dracut/-/merge_requests/37
== grub-live with 90overlayfs ==
* context: [[grub-live]]
* {{Github_link|repo=grub-live|path=/blob/master/etc/grub.d/11_linux_live}}
* stop using 90overlay-root
* port grub-live to 90overlayfs
{{CodeSelect|code=
## dracut support
## https://www.kicksecure.com/wiki/Grub-live#Developer_Information
##
## using Debian forked upstream module 90overlay-root (tested)
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rootovl"
}}
Comment out.
{{CodeSelect|code=
## using dracut upstream module 90overlayfs (untested)
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.live.overlay.overlayfs=1 rd.live.overlay.readonly=1"
}}
Comment in. Test. Fix if required. Report issues upstream to dracut.
If there are bookworm related issues, please test on trixie.
No backport required. The rationale of this task is to get away from the Debian (fork) specific 90overlay-root to 90overlayfs one day. trixie is early enough since there are no major issues in the current implementation, but there might be in trixie if we don't port.
This works on Trixie - generate an initrd with the overlayfs module added, then boot with rd.live.overlay.overlayfs=1 on the kernel command line. '''The rd.live.overlay.readonly=1 parameter is unnecessary''' and should be removed - it's for systems where you have an immutable base filesystem and a persistent overlay, and you want to make the overlay read-only, putting another overlay on top of it.
This does '''not''' work on Bookworm - the overlayfs module script is simply not run despite being present. It's possible to drop to a rescue shell using rd.break=mount on the kernel command line, then run the script manually - this works, but is obviously not practical.
comment: [https://github.com/dracutdevs/dracut/issues/1565#issuecomment-2378133277 Boot Existing, Usual Linux Installation from Hard Disk in Live Mode / read-only mode with dracut #1565]
== dracut - test dracut without systemd ==
* as discussed earlier
* as it might fix the issue below
* Works, implemented as https://github.com/ArrayBolt3/derivative-maker/commit/894d0657b7cd69370d67759709fff166d469cc37
** Patrick: not going for this solution (as we would be the odd distribution out not using systemd in dracut, to avoid bugs as a result of that)
** Patrick: instead merged with task [[Dev/todo#ISO_-_error_message_during_boot:_mount:_.2Fsysroot:_special_device_LiveOS_rootfs_does_not_exist|ISO - error message during boot: mount: /sysroot: special device LiveOS_rootfs does not exist]]
== kloak - memory leaks ==
* chatgpt suggests...
** struct entry in main loop might not be freed
** n1 = malloc(sizeof(struct entry));
** please check for other variables (specifically in main loop) which might not be freed
* Double-checked just in case, this had been previously checked in my own ChatGPT code review and doesn't appear to be a problem. Entry items are created and stored temporarily in *n1, then queued. Those items are later assigned to the np variable and then freed in the event release loop (free(np)). The only edge case where I can see this going wrong is if kloak gets stuck and stops delivering events, which would also freeze the keyboard and make the user very likely to immediately terminate kloak.
* The other variable which ChatGPT warned me of is pfds, which is very clearly freed when the loop exits, needed throughout the loop's entire lifetime, and which will be automatically freed if the loop is terminated since terminating the loop terminates the whole program.
== kloak - Qubes support - read and comment in Qubes kloak in dom0 ticket ==
* https://github.com/QubesOS/qubes-issues/issues/8541
* please read
* please consider related to previous Qubes kloak work, communicate with Qubes
* consider future wayland support
* note: kloak doesn't necessarily need to run in dom0. Even if it "only" runs in a VM, that is a big win. The final decision is up to Qubes. This is yet to be discussed and decided.
* Added comment at https://github.com/QubesOS/qubes-issues/issues/8541#issuecomment-2377325699
== ISO - must choose encrypt vs not encrypt. Empty default setting ==
* https://forums.kicksecure.com/t/iso-no-default-for-encryption-on-off-user-should-choose-explicitly/567
* Done via https://github.com/ArrayBolt3/live-config-dist/commit/410c62e664e7d1387e7c013867242838ff2cb912
* Also discovered and offered a fix for https://github.com/calamares/calamares/issues/2375 while working on this
== kloak - update readme ==
* Please make sure compilation instructions are OK.
* Please check/fix readme.
* https://github.com/ArrayBolt3/kloak/commit/4bbdf38cc6c6f9162348d9b23deef3169f8465b8
== kloak - fix debug symbols ==
=== W: kloak-dbgsym: debug-file-with-no-debug-symbols [usr/lib/debug/.build-id/3a/ae8c705abefbd590d2206221eea4c2abd90cf4.debug] ===
N:
N: The binary is installed as a detached "debug symbols" ELF file, but it
N: does not appear to have debug information associated with it.
N:
N: A common cause is not passing -g to GCC when compiling.
N:
N: Implementation detail: Lintian checks for the ".debug_line" and the
N: ".debug_str" sections. If either of these are present, the binary is
N: assumed to contain debug information.
N:
N: Please refer to Bug#668437 for details.
N:
N: Visibility: warning
N: Show-Always: no
N: Check: binaries/debug-symbols/detached
N:
N:
* ISO build giving warning about missing debug symbols, advises adding -g flag to gcc commands
* Should be resolved by https://github.com/ArrayBolt3/kloak/commit/29477f98d1192ced4fb0e630c07dbd8b97942d22
== read Dev bash wiki page ==
* https://www.kicksecure.com/wiki/Dev/bash
* might be already known, just in case
* checked it, bookmarked it, some of the issues mentioned there were things I hadn't thought of before (like echo '-e' failing or security risks from failing to use -- to signal end of options)
== haveged test suite passes even if only 1s are produced? ==
* please try to reproduce
* comment on the ticket
* https://github.com/jirka-h/haveged/issues/81
* Doesn't appear to be an issue, tweaking the generator to output only 1s results in test failures, see https://github.com/jirka-h/haveged/issues/81#issuecomment-2372664967
== oomd ==
* please comment in case you have any useful input. otherwise nvm.
* https://forums.kicksecure.com/t/consider-installing-systemd-oomd-by-default/223
* Left comments at https://forums.kicksecure.com/t/consider-installing-systemd-oomd-by-default/223/4
== ISO - Install to system desktop icon: maximize window ==
* https://forums.kicksecure.com/t/install-to-system-desktop-icon-maximize-window/419
* Fixed with https://github.com/ArrayBolt3/live-config-dist/commit/ab8a7e1829f7050882385488a67e9a316a9270fd
== gpg sign all your future git commits ==
* similar to https://github.com/onionshare/onionshare/issues/221
* arraybolt3: enabled permanently in Git settings
== add gpg key to your github ==
* Currently in github commit history your keys still show up as unverified.
* https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account
* This is a personal decision for each developer. Some don't want to do it as it might cause a false sense of security letting github verify the gpg key. In case you don't wish to do that, this is OK too.
* arraybolt3: Added to Github, doesn't pose any particular problem for me.
== Add python3 dependency to mediawiki-shell package ==
* Lintian error during build of Kicksecure ISO from derivative-maker commit 8fa4ba76: "E: mediawiki-shell: python3-script-but-no-python3-dep /usr/bin/python3 (does not satisfy python3:any | python3-minimal:any) [usr/bin/mw-urlencode]"
== seccomp debugging documentation ==
copy notes on seccomp debugging from https://github.com/Whonix/kloak/pull/1 to https://www.kicksecure.com/wiki/Seccomp
(so in the future, when this happens again, we can link to the documentation and users get an idea of how to debug and fix it)
just briefly, similar to the pull request
== autostart systemd user unit xdg-desktop-portal ==
* [[Dev/audio#mod.rt:_Can.27t_find_org.freedesktop.portal.Desktop._Is_xdg-desktop-portal_running.3F|mod.rt: Can't find org.freedesktop.portal.Desktop. Is xdg-desktop-portal running?]]
* {{Github_link|repo=desktop-config-dist|path=?}}
* note: is a systemd user (not system) unit
* using systemd preset
== kloak - add configuration option to disable rescue key ==
* user reported that some hotkeys aren't functional due to kloak rescue key.
* suggested solution, feature request: allow rescue key to be disabled through configuration
* a command line option + systemd unit drop-in configuration file
* example systemd unit drop-in configuration: https://github.com/vmonaco/kloak/issues/75#issuecomment-2196543109
== kloak - testing ==
* test kloak
* improve documentation on testing https://www.whonix.org/wiki/Keystroke_Deanonymization#Defense_Testing
* maybe try to find additional tests (if needed) using perplexity.ai
== kloak - document rescue key ==
* https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak
* document: rescue key
* document: disable rescue key
== kloak - makefile fix ==
* Makefile should check if pkg-config exists, because otherwise it fails with a libevdev error?
== kloak - verbose log sharing ==
Documentation currently states:
Warning: Privacy implications of log sharing are unknown!
Might verbose log reveal the typing fingerprint of the user?
== kloak - mouse click obfuscation ==
* please confirm https://github.com/vmonaco/kloak/issues/51
== kloak - xrdp support ==
* is xrdp support conceivable?
* user reports: when using xrdp, only /dev/input/event0 is there, which does not contain real keystrokes.
* This does not seem possible. xrdp is its own X server, logging keystrokes at the X server level is doable but intercepting them does not appear to be doable, see https://www.kicksecure.com/wiki/Progress_Reports?shownotice=1#Investigate_xrdp_support.
== kloak development ==
* instead of this list, does it make more sense to review pull requests, issues and rewrite in python? (Works just fine in C, rewrite not planned at this time)
* strong compile time hardening flags (done)
* goal: perfect string parsing and error handling in case of corner issues, to not break input devices (keyboard, mice) (doesn't appear that much string parsing is done, currently not considered an issue)
* check pull requests, merge if sensible
** Add a header file to make future development easier - https://github.com/vmonaco/kloak/pull/61 (done)
** Chatgpt3 https://github.com/vmonaco/kloak/pull/65 (done)
** update readme - https://github.com/vmonaco/kloak/pull/70 (specific to vmonaco's version of Kloak, not Whonix's)
** add support for new devices attached after kloak starts (needs cleanup) - https://github.com/vmonaco/kloak/pull/67 (done)
* code review with ChatGPT, claude.ai (done)
* use AddressSanitizer (aka ASan) if doable with reasonable effort and considered useful (done)
* port to C++ if considered useful (rewrite not planned at this time)
* other improvements to increase stability
** strncpy - https://github.com/vmonaco/kloak/issues/66 (done)
* fix compile time warnings if reasonable (probably already resolved by above) https://github.com/vmonaco/kloak/issues/35 (done)
* ARM support, only if doable with reasonable effort - https://github.com/vmonaco/kloak/issues/25 (done)
* fix time related keyboard stops working bug (done)
** https://github.com/vmonaco/kloak/issues/31
** Root cause analysis and potential fixes: https://github.com/vmonaco/kloak/issues/31#issuecomment-2368666686
** https://forums.whonix.org/t/sdwdate-can-cause-system-time-to-jump-backwards-causing-issue-with-kloak/20433
* All relevant issues should be solved by https://github.com/Whonix/kloak/pull/1
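The time-jump bug above, as an added example that is not kloak's own code: release deadlines scheduled on CLOCK_REALTIME stall after a backwards wall-clock step, while deadlines on CLOCK_MONOTONIC do not. It assumes a daemon that releases buffered key events once a scheduled deadline has passed; hold_ns(), hold_after_step_ns() and hold_monotonic() are hypothetical helper names and the clock step is simulated from constructed readings.

```c
/* Added example, not kloak's own code: the failure mode behind a "keyboard
 * stops working after a time jump" bug in a keystroke-delaying daemon. With
 * release deadlines on CLOCK_REALTIME, a backwards wall-clock step (sdwdate
 * can cause one) pushes pending deadlines into the future and held events are
 * never released; CLOCK_MONOTONIC never steps. Clock readings are constructed. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdint.h>
#include <time.h>

#define NS_PER_SEC 1000000000LL

/* Current reading of clk as nanoseconds. */
static int64_t clock_now_ns(clockid_t clk)
{
    struct timespec ts;
    clock_gettime(clk, &ts);
    return (int64_t)ts.tv_sec * NS_PER_SEC + ts.tv_nsec;
}

/* How long (ns) a daemon polling at poll_ns would still hold an event whose
 * deadline was set delay_ns after it was scheduled at sched_ns. A value of 0
 * means the event is released. Pure function over simulated readings. */
static int64_t hold_ns(int64_t sched_ns, int64_t delay_ns, int64_t poll_ns)
{
    int64_t remaining = (sched_ns + delay_ns) - poll_ns;
    return remaining > 0 ? remaining : 0;
}

/* Simulate: event scheduled with delay_ns, the full delay elapses, then the
 * clock used for scheduling has stepped by step_ns (negative = backwards).
 * On CLOCK_MONOTONIC step_ns is always 0, so only the realtime case suffers. */
static int64_t hold_after_step_ns(int64_t delay_ns, int64_t step_ns)
{
    const int64_t t0 = 1000 * NS_PER_SEC;          /* constructed reading */
    return hold_ns(t0, delay_ns, t0 + delay_ns + step_ns);
}

/* Correct pattern: sleep until an absolute CLOCK_MONOTONIC deadline; a
 * wall-clock step during the wait cannot stretch it. Returns overshoot (ns). */
static int64_t hold_monotonic(int64_t delay_ns)
{
    int64_t deadline = clock_now_ns(CLOCK_MONOTONIC) + delay_ns;
    struct timespec ts = { deadline / NS_PER_SEC, deadline % NS_PER_SEC };
    while (clock_nanosleep(CLOCK_MONOTONIC, TIMER_ABSTIME, &ts, NULL) == EINTR) { }
    return clock_now_ns(CLOCK_MONOTONIC) - deadline;
}
```

With a 100 ms delay and a 60 s backwards step, the realtime case keeps the event held for a further 60 s, which is the "keyboard stops working" symptom; the monotonic case releases it on time.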
= Footnotes =
{{Footer}}