This one is 100% tested and functional.
/usr/lib/systemd/system.conf.d/30_kicksecure.conf
[Manager]
DefaultEnvironment=TESTVAR=1
/usr/lib/systemd/system.conf.d/30_kicksecure.conf
[Manager]
DefaultEnvironment=TESTVAR=1
DefaultEnvironment=ZTESTDIR=/etc/zsh/dist
DefaultEnvironment=ZDOTDIR=/etc/zsh/dist
DefaultEnvironment=ZDOTDIRWHAT=/etc/zsh/dist
All functional.
env | grep ZDOTDIR
ZDOTDIRWHAT=/etc/zsh/dist
ZDOTDIR=/etc/zsh/dist
(We'll of course not ship the other variables which are just there for testing. Production version will of course only have ZDOTDIR.)
No such issue. All good.
Last resort only. Reasons:
The systemd DefaultEnvironment
approach seems much cleaner.
OK, will accept this method.
Will test then.
To which repo this should be added together with the dotfiles?
Good question. Looking through Kicksecure · GitHub I was wondering in which package it fits best without needing to invent yet another package. GitHub - Kicksecure/desktop-config-dist seems best, since it's kinda a "desktop" modification. Not desktop as in graphical desktop but desktop/notebook user interface related settings.
Currently the description is "Configuration for Derivative Xfce Desktop" but Xfce can be removed from the description to make it more general. Changes by that package seem useful, some even have security impact but are still optional and not of very critical importance.
Just to remember to myself: this doesn't work on Qubes, prefix should be /usr/local/lib
Nevermind, I should have done this on the template...
W: desktop-config-dist: script-not-executable etc/zsh/dist/.aliasrc
N:
W: script-not-executable
N:
N: This file starts with the #! sequence that marks interpreted scripts,
N: but it is not executable.
N:
N: There has been some discussion to allow such files in paths other than
N: /usr/bin but there was ultimately no broad support for it.
N:
N: Refer to Bug#368792 for details.
N:
N: Severity: warning
N:
N: Check: scripts
N:
W: desktop-config-dist: script-not-executable etc/zsh/dist/.shrc
W: desktop-config-dist: script-not-executable etc/zsh/dist/.zshrc
Lintian warnings generally break the build but that lintian warning is more of a false positive than an actual issue. Any objection to just make these scripts executable? Would be the easiest solution I can do now quickly. Otherwise setting lintian to ignore this is also possible.
Sorry, I forgot to build the deb to test that as I just manually copied the files to the path.
No objections on them becoming executables, it is just not needed because they are sourced, but if lintian complains, whatever.
Also if you note /etc/zsh, the zsh system scripts are not executable. I think the reason is that it is not needed? Or not meant to be "executed" individually but "sourced" as a whole.
So with this in mind, what do you think? Should I make them executable or make lintian not warn about that?
Should be least privilege but this is theoretic in this case. Already resolved.
Something I didn't consider yet. A Qubes specific imperfection related to unnecessary dependencies.
sudo apt install --no-install-recommends desktop-config-dist
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
libbotan-2-17 libtspi1
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
arc-theme gnome-colors-common gnome-icon-theme gnome-themes-extra gnome-themes-extra-data gtk2-engines-murrine gtk2-engines-pixbuf libgarcon-1-0 libgarcon-common librsvg2-common
libxfce4panel-2.0-4 xfce4-genmon-plugin xfce4-whiskermenu-plugin
Suggested packages:
murrine-themes mugshot
Recommended packages:
gnome-accessibility-themes
The following NEW packages will be installed:
arc-theme desktop-config-dist gnome-colors-common gnome-icon-theme gnome-themes-extra gnome-themes-extra-data gtk2-engines-murrine gtk2-engines-pixbuf libgarcon-1-0 libgarcon-common
librsvg2-common libxfce4panel-2.0-4 xfce4-genmon-plugin xfce4-whiskermenu-plugin
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 11.7 MB/14.2 MB of archives.
After this operation, 43.9 MB of additional disk space will be used.
Do you want to continue? [Y/n]
To fix, I can probably split desktop-config-dist into a settings files package (some files would not be required for Qubes) and a dependencies package (that only gets installed in non-Qubes).
There's one issue with the migration to zsh for existing users. New builds won't have this issue. After the package update, the default shell is switched from bash to zsh, but the ZDOTDIR environment variable won't be set yet. When opening a terminal before rebooting, the following surprising (violates principle of least surprise), complicated and confusing message (for most users) appears:
This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~). This function can help you with a few settings that should
make your use of the shell easier.
You can:
(q) Quit and do nothing. The function will be run again next time.
(0) Exit, creating the file ~/.zshrc containing just a comment.
That will prevent this function being run again.
(1) Continue to the main menu.
(2) Populate your ~/.zshrc with the configuration recommended
by the system administrator and exit (you will need to edit
the file by hand, if so desired).
--- Type one of the keys in parentheses ---
Users would certainly ask something like: Why does this happen? What should I configure?
Option A) Would creating an empty file /home/user/.zshrc be an acceptable solution?
if ! test -f /home/user/.zshrc ; then
sudo -u user touch /home/user/.zshrc || true
fi
Option B) Change default shell from bash to zsh only for new builds of Whonix but keep existing users on zsh for now? Then we could give users time to update; next time they update, they'll already have the ZDOTDIR environment variable and the /etc/zsh/dist folder. Only users who don't update for a long time would run into the above issue.
Option A and B could in theory also be combined but not sure that's good.
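Added example, not code from the thread or from the Kicksecure packages: a POSIX sh simulation of zsh's startup-file lookup (the four files named in the zsh-newuser-install message above, looked up in $ZDOTDIR with fallback to $HOME), run on constructed temporary directories to show the migration gap before reboot and the effect of Option A; the "home" and "dist" directories are stand-ins for /home/user and /etc/zsh/dist.

```shell
#!/bin/sh
# Constructed example: nothing here touches a real home directory.

# zsh looks for startup files in $ZDOTDIR, falling back to $HOME.
# Returns 0 when at least one startup file exists (no zsh-newuser-install),
# 1 when none exists (the interactive prompt quoted above would appear).
zsh_startup_present() {
    zdotdir="$1"   # value of ZDOTDIR, may be empty
    home="$2"      # user's home directory
    dir="${zdotdir:-$home}"
    for f in .zshenv .zprofile .zshrc .zlogin; do
        [ -f "$dir/$f" ] && return 0
    done
    return 1
}

# Option A from the thread, generalized to any home directory:
# create an empty .zshrc only if no file is there yet.
ensure_user_zshrc() {
    home="$1"
    [ -f "$home/.zshrc" ] || : > "$home/.zshrc"
}

# Walk through the three states on constructed directories; returns 0 on success.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/home" "$tmp/dist"
    : > "$tmp/dist/.zshrc"   # stands in for /etc/zsh/dist/.zshrc

    # Before reboot: ZDOTDIR unset and empty home -> zsh-newuser-install would run.
    zsh_startup_present "" "$tmp/home" && return 1

    # Option A applied: empty ~/.zshrc suppresses the prompt.
    ensure_user_zshrc "$tmp/home"
    zsh_startup_present "" "$tmp/home" || return 1

    # After reboot: ZDOTDIR points at the dist directory, whose .zshrc is found
    # regardless of what is in the home directory.
    zsh_startup_present "$tmp/dist" "$tmp/home" || return 1

    rm -rf "$tmp"
    return 0
}
```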
yes, but it won't be read... because ZDOTDIR won't be ~/ anymore, it is /etc/zsh/dist.
touch ~/.zshrc
Just touch the file without modification.
possibly forgot touch.
ZROOTDIR=/etc/zsh - Set by build
ZDOTDIR=/etc/zsh/dist - Set by us.
About option B, no opinion.
Yes, this would only hide the question and show the zsh standard configuration (without colors, command completion, exit codes and whatnot). It's not a perfect solution. Just avoiding the worst usability issue.
> possibly forgot touch.
Indeed. Edited my above post.
> ZROOTDIR=/etc/zsh - Set by build
> ZDOTDIR=/etc/zsh/dist - Set by us.
I don't understand. But also a mistake in my previous post. Should have written "ZDOTDIR". Will edit. I didn't want to suggest editing ZROOTDIR.
(Maybe that's required. If yes, please mention. But from my side it was just a typo for now.)
all good now. no issues.