Open andrewdavidwong opened 6 years ago
Looks like we might need confirmation about whether the reported behavior is actually the default:
https://github.com/QubesOS/qubes-doc/pull/538#issuecomment-364419212
Even if it's not the default, however, it might be worth considering having some kind of warning in case the user gets themselves into this situation.
Fresh install of R4.0rc4 and anon-whonix's `default_dispvm` is set to `whonix-ws-dvm`. `netvm` on both is set to `sys-whonix`, so out of the box this is not an issue.
Changing the system default dispvm with `qubes-prefs` does NOT change `default_dispvm` in anon-whonix or whonix-ws-dvm.
So it's not a default/out of the box concern, but the system does let people shoot themselves in the foot if they start changing anon-whonix or whonix-ws-dvm values around. I'll revise the doc PR accordingly.
However @andrewdavidwong, the Qube Setting GUI is a bit buggy. If I use it to view anon-whonix's `default_dispvm` on the advanced tab, it claims it's set to the qubes-prefs' `default_dispvm`, even though it's actually using the value in `qvm-prefs anon-whonix default_dispvm`. I think there might be a similar issue out there too about the kernel value on this tab.
Also, hitting the drop-down for dispvm only lists `default` and `(none)`, when I'd expect it to list all templates where `template_for_dispvms` = true.
Thanks for checking and documenting, @awokd. I'll update this issue to be one about footgun protection and open another one for the general Qube Setting GUI bugginess.
In https://github.com/QubesOS/qubes-issues/issues/3595#issuecomment-366460728, @mirrorway reports that the one `whonix-ws`-based VM that happens to be pre-made with the name `anon-whonix` does not exhibit this problem, but all the subsequent user-created ones do.
Qubes OS version:
R4.0-rc4

Affected TemplateVMs:
whonix-ws

Steps to reproduce the behavior:
~In a default `R4.0-rc4` installation, launch a DispVM from `anon-whonix`.~ Change `anon-whonix`'s `default_dispvm` setting to something other than `whonix-ws-dvm`.

Expected behavior:
~The DispVM uses `sys-whonix` as its NetVM so that its traffic is Torified.~ The user is warned about the privacy implications of doing this.

Actual behavior:
~The DispVM uses `sys-net` as its NetVM, resulting in a high risk of deanonymization.~ No warning is given.

General notes:
See: https://github.com/QubesOS/qubes-doc/pull/538#issuecomment-364388808
CC: @adrelanos
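
Until a warning like the one requested here exists, the same condition can be audited by hand. The sketch below is an added example, not code from Qubes OS or from anyone in this thread: it flags qubes that sit behind `sys-whonix` while their `default_dispvm` does not. It assumes a DispVM takes the `netvm` of its DispVM template, and the qube names `fedora-dvm`, `anon-research` and `work` and all property values are constructed sample data.

```python
# Added example: find qubes whose DispVMs would not go through the Tor gateway.
TOR_GATEWAY = "sys-whonix"  # gateway name as used in this issue

# Constructed sample data, shaped like per-qube `qvm-prefs` values.
SAMPLE_PREFS = {
    "anon-whonix":   {"netvm": "sys-whonix", "default_dispvm": "whonix-ws-dvm"},
    "whonix-ws-dvm": {"netvm": "sys-whonix", "default_dispvm": "whonix-ws-dvm"},
    "fedora-dvm":    {"netvm": "sys-net",    "default_dispvm": "fedora-dvm"},
    "anon-research": {"netvm": "sys-whonix", "default_dispvm": "fedora-dvm"},
    "work":          {"netvm": "sys-net",    "default_dispvm": "fedora-dvm"},
}


def find_leaky_dispvm_settings(prefs, gateway=TOR_GATEWAY):
    """Return (qube, dispvm_template, dispvm_netvm) for each qube that uses
    `gateway` as its netvm but whose default_dispvm does not."""
    findings = []
    for name in sorted(prefs):
        props = prefs[name]
        if props.get("netvm") != gateway:
            continue  # qube itself is not torified, nothing to compare
        dvm = props.get("default_dispvm")
        if not dvm:
            continue  # (none): no DispVM can be started from this qube
        if dvm not in prefs:
            # Template not in the data set: report it rather than assume.
            findings.append((name, dvm, "unknown"))
            continue
        dvm_netvm = prefs[dvm].get("netvm")
        # A DispVM template without a netvm is offline, which is not a leak.
        if dvm_netvm and dvm_netvm != gateway:
            findings.append((name, dvm, dvm_netvm))
    return findings


def format_findings(findings):
    """Render findings as one warning line per affected qube."""
    return [
        f"WARNING: {qube} is behind {TOR_GATEWAY}, but DispVMs started from it "
        f"use {dvm} (netvm: {netvm})"
        for qube, dvm, netvm in findings
    ]


if __name__ == "__main__":
    for line in format_findings(find_leaky_dispvm_settings(SAMPLE_PREFS)):
        print(line)
```

Fill the mapping from the values `qvm-prefs` reports for each qube, not from the Qube Settings GUI, since the thread above notes the GUI can show the system-wide default instead of the per-qube value.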