Disk & USB Automount in Kicksecure

Hmm, then it is strange that the shared folder does not work, maybe the issues are related?

1 Like

Mounting devices needs root AFAICT. Adjusting permissions on shared folders to allow file modification/access would need root too. Have you run chown on the shared dir? what is the output?

Sorry, I have never used chown, what am I suppose to do with this? sudo chmod /home/user/shared does nothing but says to use help for more info. Did you mean chmod as per the wiki because I have used that when setting it up, but I used it again to check the journal but nothing but the command shows up in the log incase that is what you meant. And do you mean I should check the output via sudo journalctl -f again?

I actually had it open and booted the computer with the internet physically unplugged and in the journalctl -f I noticed the following, despite only opening thunar and terminal and nothing relating to the internet

“host tor: New control connection opened”
“host tor: Problem bootstrapping. Stuck at 0% (starting). (Network is unreachable; […]”

Kicksecure is set with tor to receive updates over onion, my first guess is that this is autoupdate checker (which I assume kicksecure does not have?) As people living in dangerous countries may not like their device automatically pinging, or, this is equivalent to whonixcheck for getting the tor time sync, which would make more sense if it was on automatic but still kind of unexpected, this is no problem for me but, I am wondering - if kicksecure does not do either out of the box could this be an attack?

I dont wan’t to pile too much in here and get off topic but maybe this issue is too minor for its own thread: I also notice that clicking the “user” button on the top right and clicking “lock screen” does nothing so this is probably a bug.

59mpci2GJ5xlHhY via Whonix Forum:

I dont wan’t to pile too much in here

Yes. Please don’t. It’s inefficient. 1 issue = 1 forum thread.

See Tor Documentation for Whonix Users

That’s the problem with mixing discussions on auto mounting in Thunar with shared folder.

Thunar auto mounting: that should be possible without root. I don’t know how exactly that works but might be SUID something, pkexec, /etc/sudoers.d (unlikely).

And No: SUID Disabler and Permission Hardener is not yet enabled by default. That forum thread will be updated when this happens. SUID Disabler and Permission Hardener is nowadays enabled by default.

Thunar - ArchWiki says

While Thunar supports automatic mounting and unmounting of removable media (gvfs package is required)

Check if gvfs is installed. To install:

sudo apt install gvfs

Reboot might be required. Please see if that helps.

Quote Debian -- Details of package gvfs in buster

userspace virtual filesystem - GIO module

gvfs is a userspace virtual filesystem where mounts run as separate processes which you talk to via D-Bus. It also contains a gio module that seamlessly adds gvfs support to all applications using the gio API. It also supports exposing the gvfs mounts to non-gio applications using fuse.

This package contains the GIO module that lets applications use gvfs mounts.

From:

apt-cache show thunar

Also any of these packages might be missing:

default-dbus-session-bus
dbus-session-bus
gvfs
policykit-1-gnome
polkit-1-auth-agent
thunar-volman
tumbler
udisks2
xdg-user-dirs
libcairo-gobject2
libpangocairo-1.0-0
libxfce4panel-2.0-4

Replace yourusername with your actual user name.

SELinux is a Mandatory Acess Control (MAC) system. You can’t use MAC or SELinux as SELinux is MAC. Kicksecure uses AppArmor for MAC, not SELinux.

chmod changes file system permissions which are not MAC policies.

1 Like

Was aware of gvfs being a dependency maybe was misunderstood. Redownloaded gvfs, and found tumbler had to be installed, I think policykit-1-gnome and xdg-user-dirs might have also been missing pc shut off unexpectedly due to external factors so I forget if those last two were already installed or not.

Anyhow, tumbler seems to fix the problem that with only gvfs they would show up and not be mountable with a click, error was “not authorized” upon clicking, now it prompts the user sign in and succesfully mounts.

I did, I only pasted it that way here on the thread from the wiki.

Thank you for the clarification

Apologies

Alright I assumed to had to do with whonixcheck, but did not expect it to be included in kicksecure.

Thanks everyone for the help disks now show up automatically in thunar and can be mounted by clicking and logging in.

Shared folders still do not work, therefor the issue must actually not be related and maybe I should make a new thread for that later.

For anyone who reads this and has the issue I had, I will summarize what I think fixed it.

Enable thunar-volman

In terminal: sudo nano /etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml

Line 15 <property name"misc-volume-management" type=“bool” value=“false”/>

Change from false to true

If still doesnt work try other things in the thread or:

Now we need to figure out which steps are required indeed and then document this.

Editing /etc/skel does nothing for existing user user. File edits are probably not required. GUI should suffice.

Alright, I will update this thread with better steps after I install kicksecure on another device and get this working from a fresh install again, and I try to narrow down the steps.

But I have to get everything I need working on that device before I install on other device, in particular the shared folders with vm, will make a thread about that now.

2 Likes

If encrypted disk, then this might help as per cannot access encrypted USB drive with Thunar in Whonix 15 - #9 by Patrick

sudo apt install libblockdev-crypto2
1 Like

Can we include this in Whonix since anyone who follows best practice would be encrypting their drives?

1 Like

This is done in git master as per cannot access encrypted USB drive with Thunar in Whonix 15 - #9 by Patrick

1 Like

Do we need

?

1 Like

yes

1 Like

Like everything needs udev. It’s what populates /dev.

dmsetup is also likely needed by plenty of stuff.

2 Likes

This issue is considered fully resolved until someone reports again this being an issue.

  • We no longer enable hidepid by default.
  • We no longer change anything related to pkexec.
  • Missing packages are now installed by default.
  • User reported this being resolved.
  • Shared folder issue: if still an issue, please post in a separate thread.

(Since this was brought up here: Ledger Nano-S : No device found - #2 by HulaHoop)

1 Like