Display a privacy risk warning when attempting to change anon-whonix's default_dispvm value

QubesOS / qubes-issues

The Qubes OS Project issue tracker

https://www.qubes-os.org/doc/issue-tracking/

536 stars 47 forks source link

Display a privacy risk warning when attempting to change anon-whonix's default_dispvm value #3561

Open andrewdavidwong opened 6 years ago

andrewdavidwong commented 6 years ago

Qubes OS version:

R4.0-rc4

Affected TemplateVMs:

whonix-ws

Steps to reproduce the behavior:

~In a default R4.0-rc4 installation, launch a DispVM from anon-whonix.~

Change anon-whonix's default_dispvm setting to something other than whonix-ws-dvm.

Expected behavior:

~The DispVM uses sys-whonix as its NetVM so that its traffic is Torified.~

The user is warned about the privacy implications of doing this.

Actual behavior:

~The DispVM uses sys-net as its NetVM, resulting in a high risk of deanonymization.~

No warning is given.

General notes:

See: https://github.com/QubesOS/qubes-doc/pull/538#issuecomment-364388808

CC: @adrelanos

andrewdavidwong commented 6 years ago

Looks like we might need confirmation about whether the reported behavior is actually the default:

https://github.com/QubesOS/qubes-doc/pull/538#issuecomment-364419212

Even if it's not the default, however, it might be worth considering having some kind of warning in case the user gets themselves into this situation.

awokd commented 6 years ago

Fresh install of R4.0rc4 and anon-whonix's default_dispvm is set to whonix-ws-dvm. netvm on both is set to sys-whonix, so out of the box this is not an issue. Changing the system default dispvm with qubes-prefs does NOT change default_dispvm in anon-whonix or whonix-ws-dvm. So it's not a default/out of the box concern, but the system does let people shoot themselves in the foot if they start changing anon-whonix or whonix-ws-dvm values around. I'll revise the the doc PR accordingly.

awokd commented 6 years ago

However @andrewdavidwong , the Qube Setting GUI is a bit buggy. If I use it to view anon-whonix's default_dispvm on the advanced tab, it claims it's set to the qubes-prefs' default_dispvm, even though it's actually using the value in qvm-prefs anon-whonix default_dispvm. I think there might be a similar issue out there too about the kernel value on this tab. Also, hitting the drop-down for dispvm only lists default and (none), when I'd expect it to list all templates where template_for_dispvms = true.

andrewdavidwong commented 6 years ago

Thanks for checking and documenting, @awokd. I'll update this issue to be one about footgun protection and open another one for the general Qube Setting GUI buginess.

andrewdavidwong commented 6 years ago

In https://github.com/QubesOS/qubes-issues/issues/3595#issuecomment-366460728, @mirrorway reports that the one whonix-ws-based VM that happens to be pre-made with the name anon-whonix does not exhibit this problem, but all the subsequent use-created ones do.