Disk & USB Automount in Kicksecure

I installed debian 10 with netinst and installed without the graphical environment, then I installed kicksecure with xfce with the distro morphing method. I am changing from Linux Mint Debian Edition because I want a more secure host for daily things and to run KVM whonix in.

Sorry if this is really basic but when I plug in my USB or DISK it doesn’t automount, is this a security feature? How can I make my extra disk, USB and external drive automount? Am I missing a package, if so, what debian package would you recommend? Also if automount package creates security problems maybe you can tell me how to just manually mount it as well?

While I am here, I find the session saving annoying and I forgot to uncheck the box the first time I shut down, I always uncheck it now and I deleted the sessions in .cache but it always keeps coming back, how can I make it stop? I think it makes the shutdown very slow, if there is a security reason to keep it though, let me know and I will consider that.

Lastly, I want to say I think Kicksecure is a great idea and I like what I see a lot so far! I will do what I can to report bugs when I see them and will consider contributing later when I have gained more experience as security is an interest of mine. So thanks for making Whonix & Kicksecure, I have used virtualbox whonix for awhile.

EDIT: I don't know if I am misusing the term automount, it does not need to automatically totally mount, it just needs to appear in the file manager so I can click to mount it like it usually does in other distros.

Yes automounting is disabled I think. I’m not sure if we documented how to re-enable on demand

cc/ @Patrick @Algernon

thunar-volman manages mounting and is disabled by default in security-misc: security-misc/thunar.xml at master · Kicksecure/security-misc · GitHub

2 Likes

Unfortunately, my other disk, usb and external drive all do not show up even when they are plugged in before the restart.

I enabled all the automount options in thunar-volman settings editor

I tried sudo nano /etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml

and changed the value to “true”

Restarted, did not work so I then did sudo nano /home/user/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml.dpkg-new
and set it to “true” there too.

Restarted, still do not show up.

Edit:

I checked “file manager settings” > advanced in Thunar and it said missing dependencies: gvfs

So I did apt install gvfs

Restarted and they showed up, is there a downside to using gvfs? Let me know if there is a better way to do this. The drives showed up but I couldn’t mount them by clicking on them because I’m not authorized, so instead I uninstalled gvfs and just did sudo fdisk -l and mounted it with sudo mount /dev/diskname /mnt/disknamefolder and added it to the menu.

If this is more secure maybe there is a way to make that automount? somewhere, either in /media or /mnt

I assume you disabled thunar-volman for a security reason, maybe there is a way to do without it?

Probably already got all packages but just in case:

sudo apt install thunar thunar-volman

Also try this:

Watch systemd log while doing this.

sudo journalctl -f

In another terminal tab, run thunar from command line

thunar

go to:

  • thunar → edit → preferences → advanced → check “enable volume management”
  • thunar → edit → preferences → advanced → configure → check the two mount removable → close

Insert USB device.

Hope that either

  • auto mount works as usual or
  • that thunar at least shows an error message on command line
  • or that journal says something interesting.

Could also be an issue with pkexec.

https://forums.whonix.org/search?q=pkexec

Or hidepid.

https://forums.whonix.org/search?q=hidepid

Let’s see. If it does not work I have more ideas / suggestions how to modify pkexec / hidepid setting to make this work again.

1 Like

Did
sudo apt install thunar thunar-volman

up to date and installed already

Next did
sudo journalctl -f

Instantly, it showed some AVC apparmor=“DENIED” stuff relating to security-misc/pam_tally2-info

Next, I opened thunar and nothing new appeared in that window
Then I went into settings and volume management and mount removable were already enabled, I disabled and re-enabled them and nothing changed in the log (Note it said I was missing dependency gvfs)

Next, I plugged in the USB, it found it, detected it and attached, but then it said
[sdd] write protect is off
[sdd] write cache: disabled, read cache: enabled, doesn’t support DPO or FUA
[sdd] attached SCSI removable disk

But the USB does not show up in thunar, next I did sudo mount /dev/sdd /mnt/ and it worked but the name changes every time I take the usb out.

Not sure if this is related but it might be, KVM Whonix seems to work fine except that when I put a shared folder and try to boot the workstation I get "Error starting domain: internal error […] cannot initialize fdsev […] failed to open /home/user/shared: permission denied and then systemd log shows red text “unable to read from monitor: connection reset by peer” "internal error qemu unexpectedly closed the monitor […]

When installing the shared folder I followed the instructions in KVM documentation to give the folder permissions, but I did not do the Mandatory Access Control section as I’m unsure whether or not Kicksecure uses it or SELinux

Update: Just in case it uses Mandatory Access Control I tried doing “sudo chmod 777 -R /home/yourusername/shared” But I got the same error

Edit:
Outdated. Disregard.
(hidepid and pkexec wrapper is no longer enabled by default.)

What you can also try:

sudo systemctl mask proc-hidepid.service
sudo unlink /usr/bin/pkexec
sudo cp /usr/bin/pkexec.security-misc-orig /usr/bin/pkexec

Reboot required.

59mpci2GJ5xlHhY via Whonix Forum:

Instantly, it showed some AVC apparmor=“DENIED” stuff relating to security-misc/pam_tally2-info

Since instant - it is not from auto mounting. Unrelated either way.

Tried it, still nothing shows up. Also the shared folder still prevents the workstation from launching, this is an even bigger issue, does Kicksecure use SELinux? Having to run a command every time a file is put into the shared folder could be quite annoying.

59mpci2GJ5xlHhY via Whonix Forum:

does Kicksecure use SELinux?

No.

Hmm, then it is strange that the shared folder does not work, maybe the issues are related?

1 Like

Mounting devices needs root AFAICT. Adjusting permissions on shared folders to allow file modification/access would need root too. Have you run chown on the shared dir? what is the output?

Sorry, I have never used chown, what am I supposed to do with this? sudo chmod /home/user/shared does nothing but says to use help for more info. Did you mean chmod as per the wiki because I have used that when setting it up, but I used it again to check the journal but nothing but the command shows up in the log in case that is what you meant. And do you mean I should check the output via sudo journalctl -f again?

I actually had it open and booted the computer with the internet physically unplugged and in the journalctl -f I noticed the following, despite only opening thunar and terminal and nothing relating to the internet

“host tor: New control connection opened”
“host tor: Problem bootstrapping. Stuck at 0% (starting). (Network is unreachable; […]”

Kicksecure is set with tor to receive updates over onion, my first guess is that this is autoupdate checker (which I assume kicksecure does not have?) As people living in dangerous countries may not like their device automatically pinging, or, this is equivalent to whonixcheck for getting the tor time sync, which would make more sense if it was on automatic but still kind of unexpected, this is no problem for me but, I am wondering - if kicksecure does not do either out of the box could this be an attack?

I don’t want to pile too much in here and get off topic but maybe this issue is too minor for its own thread: I also notice that clicking the “user” button on the top right and clicking “lock screen” does nothing so this is probably a bug.

59mpci2GJ5xlHhY via Whonix Forum:

I don’t want to pile too much in here

Yes. Please don’t. It’s inefficient. 1 issue = 1 forum thread.

See Tor Documentation for Whonix Users

That’s the problem with mixing discussions on auto mounting in Thunar with shared folder.

Thunar auto mounting: that should be possible without root. I don’t know how exactly that works but might be SUID something, pkexec, /etc/sudoers.d (unlikely).

And No: SUID Disabler and Permission Hardener is not yet enabled by default. That forum thread will be updated when this happens. SUID Disabler and Permission Hardener is nowadays enabled by default.

Thunar - ArchWiki says

While Thunar supports automatic mounting and unmounting of removable media (gvfs package is required)

Check if gvfs is installed. To install:

sudo apt install gvfs

Reboot might be required. Please see if that helps.

Quote Debian -- Details of package gvfs in buster

userspace virtual filesystem - GIO module

gvfs is a userspace virtual filesystem where mounts run as separate processes which you talk to via D-Bus. It also contains a gio module that seamlessly adds gvfs support to all applications using the gio API. It also supports exposing the gvfs mounts to non-gio applications using fuse.

This package contains the GIO module that lets applications use gvfs mounts.

From:

apt-cache show thunar

Also any of these packages might be missing:

default-dbus-session-bus
dbus-session-bus
gvfs
policykit-1-gnome
polkit-1-auth-agent
thunar-volman
tumbler
udisks2
xdg-user-dirs
libcairo-gobject2
libpangocairo-1.0-0
libxfce4panel-2.0-4

Replace yourusername with your actual user name.

SELinux is a Mandatory Access Control (MAC) system. You can’t use MAC or SELinux as SELinux is MAC. Kicksecure uses AppArmor for MAC, not SELinux.

chmod changes file system permissions which are not MAC policies.

1 Like
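The list of possibly missing packages in the post above can be checked in one pass. This is an added example, not code from the thread; it counts a name as present when a fully installed package has that name or lists it in its Provides field (some entries, such as polkit-1-auth-agent, are virtual packages). The function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Package names copied from the list in the post above.
WANTED="default-dbus-session-bus dbus-session-bus gvfs policykit-1-gnome \
polkit-1-auth-agent thunar-volman tumbler udisks2 xdg-user-dirs \
libcairo-gobject2 libpangocairo-1.0-0 libxfce4panel-2.0-4"

# stdin: "status<TAB>package<TAB>provides" lines. Prints each wanted name that
# is neither a fully installed package nor provided by one.
missing_packages() {
    awk -F '\t' -v wanted="$WANTED" '
        substr($1, 1, 2) == "ii" {          # "rc" (config left behind) does not count
            have[$2] = 1
            # Provides is comma separated, entries may carry "(= version)".
            n = split($3, prov, ",")
            for (i = 1; i <= n; i++) {
                name = prov[i]
                sub(/^ +/, "", name)
                sub(/[ (].*$/, "", name)
                if (name != "") have[name] = 1
            }
        }
        END {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) print w[i]
        }'
}

# Same check against the real dpkg database on a Debian-based host.
missing_on_host() {
    dpkg-query -W -f='${db:Status-Abbrev}\t${Package}\t${Provides}\n' |
        missing_packages
}

# Constructed sample: gvfs removed but not purged, tumbler never installed.
sample_status() {
    printf 'ii \tdbus-user-session\tdbus-session-bus, default-dbus-session-bus\n'
    printf 'rc \tgvfs\t\n'
    printf 'ii \tpolicykit-1-gnome\tpolkit-1-auth-agent (= 1.0)\n'
    for p in thunar-volman udisks2 xdg-user-dirs libcairo-gobject2 \
             libpangocairo-1.0-0 libxfce4panel-2.0-4; do
        printf 'ii \t%s\t\n' "$p"
    done
}

sample_status | missing_packages    # prints gvfs and tumbler
```

On a real host, call missing_on_host instead of piping the sample; an empty result means every listed name is installed or provided.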

Was aware of gvfs being a dependency, maybe was misunderstood. Redownloaded gvfs, and found tumbler had to be installed. I think policykit-1-gnome and xdg-user-dirs might have also been missing; the PC shut off unexpectedly due to external factors, so I forget if those last two were already installed or not.

Anyhow, tumbler seems to fix the problem that with only gvfs they would show up and not be mountable with a click, error was “not authorized” upon clicking, now it prompts the user to sign in and successfully mounts.

I did, I only pasted it that way here on the thread from the wiki.

Thank you for the clarification

Apologies

Alright, I assumed it had to do with whonixcheck, but did not expect it to be included in kicksecure.

Thanks everyone for the help disks now show up automatically in thunar and can be mounted by clicking and logging in.

Shared folders still do not work, therefore the issue must actually not be related and maybe I should make a new thread for that later.