[Help Welcome] KVM Development - staying the course

KVM: Difference between revisions - Whonix

1 Like

Whonix ™ for KVM

Due to

https://www.reddit.com/r/Whonix/comments/lcxl7a/tor_doesnt_work_in_workstation/

which probably won’t get any helpful directions on reddit.

1 Like

Thanks for that. Hard to be everywhere at once to take on more complicated support issues.

1 Like

KVM: Difference between revisions - Whonix

1 Like

Issue creating shared directory between host and guest reminds me… chmod 777 /home/user/shared isn’t a great. Security issue and usability issue.

As per https://chmod-calculator.com/ 777 allow public (i.e. any linux user account including those not having business there on the system) to read, write, execute files from that folder.

Is there some more canonical way to set up shared folders with KVM?

[1] Under which user is KVM attempting to write to shared folders?

[1] Under which group is KVM attempting to write to shared folders?

Perhaps better to create a folder elsewhere owned by that user [1] and group [2]?

I guess libvirt:kvm?

Then user user on the host should be able to read/write files there since Whonix KVM instructions currently include

  • sudo addgroup "$(whoami)" libvirt
  • sudo addgroup "$(whoami)" kvm

anyhow?

Then permissions to that folder could be hardened.

chmod --recursive **o**-rwx

o
others
users who are neither the file’s owner nor members of the file’s group

- remove

rwx - read, write, execute

I.e. remove read, write, execute for others, i.e. no other user account than owner (u) and group (g) can read, write, execute there.

Then perhaps “the ultimate set” of commands could be provided that 100% made sure that all permissions are fine no matter how much the user messed that up.

sudo mkdir -p /shared
sudo chown --recursive libvirt:kvm /shared
sudo chmod --recursive o-rwx /shared
sudo chmod --recursive ug+rw /shared

/shared (violating FHS, maybe the not shown in some file managers) or /mnt/shared?

  • /shared is easier to create and fully control permission wise.
  • /mnt more standard conform but then user might mess up permissions of /mnt folder.

Probably also fixable.

sudo mkdir -p /mnt
sudo chown root:root /mnt
sudo chmod o+r /mnt
sudo chmod o+x /mnt

Untested. Please see if that can be made to work:

Dev/KVM - Whonix

I was desperately getting them to work when I tried the currently documented steps. I never had any motive to improve them. Yes the current permissions are non-ideal, but I don’t know if they could harm security in practice.

I hesitate to experiment with my setup because I use it heavily every day and it would be a major PITA if it breaks down. If any user wants to try them out and report it works I would be willing to consider.

Yeah that was my main reason why I kept it in the user home folder. Didn’t want to risk messing something up on a system wide level.

Does Restrict Hardware Information to Root - Testers Wanted! work in Whonix KVM now in Whonix 15.0.1.7.2?

Are we rolling out new point releases? If so then ill fire up a build VM.

1 Like

Since no issues reported so far and unlikely any blockers will be identified in the next few days it looks like 15.0.1.7.2 will likely become the next point release indeed.

1 Like

Indeed that happened.

I have no idea how moving vs copying is relevant to instruction validity. The steps still work, I know because I apply them every upgrade.

@Patrick the 15.0.1.9.3 images are live but the links are broken because they don’t take the new Intel_AMD naming into account. Can you please adjust the templates to allow for multiple archs?

1 Like

Fixed KVM Testers Only Version - Whonix with:
KVM Testers Only Version: Difference between revisions - Whonix

Also gpg / signify verification instructions will need updating.

1 Like

OK what is the stable version no.? Because in practice the main KVM download page always provided the latest point release.

1 Like

15.0.1.9.3 can be stable whenever you’re comfortable / tested.

This time maybe KVM version will be release before VirtualBox version which is in the making but that’s alright. All packages are in the stable repo already anyhow.

1 Like

15.0.1.9.3, I hereby bless thee stable

1 Like

Lots of users currently failing to install Whonix KVM. Perahps due to changed file names? (Multiple Architecture Documentation (multiarch))


  • What is the default download folder for Firefox, Chromium, Tor Browser nowadays?
  • There needs to be some guidance where downloaded KVM images should be stored. If files are stored in the ~/Download folder, then the extract and move command will fail from the home folder. One would need to cd to the download folder beforehand.

Storing KVM images in the home folder would be easy but it’s

  • messy
  • conflicts with AppArmor

Added complexity is a re-download of a newer KVM version. In that case it would be better to move the existing ~/Download folder out of the way to prevent copying old release files.