How do I customise Tor Browser in a Whonix TemplateBased DVM in Qubes-Whonix

Patrick · August 24, 2018, 8:16am

tatertot:

Patrick:

ought is a strong word here.
If nothing special is done, Tor Browser does not come preinstalled

I may have incorrectly assumed the torbrowser downloader installs into the home folder, where the final torbrowser resides.

I meant with “If nothing special is done, Tor Browser does not come
preinstalled” - if nothing special is done - tb-updater / tb-starter
doesn’t exists which are just hacks around a missing TBB deb package.

Patrick:

So there would be complaints / feature requests to update it twice: In
TemplateVM and in (each) DVM Template.

To be clear, you mean there would be dueling feature requests?
(1) feature request to be able to update torbrowser in the TemplateVM just like other software
(2) feature requests like mine to be able to update it in the DVM template

There are indeed.

(1) is understandable to make it “deb like”

(2) is quite geeky

Patrick:

There is certainly room to improve the current popups

I just mention the pop-up to assuage concerns about server-detectable customizations reducing anonymity to pseudonymity.

We currently only have these for Tor Browser.

Patrick · August 24, 2018, 8:26am

tatertot:

Based on the final resting place of ~/.tb in home, one would expect the TemplateBasedVM / DVM template to be the place to customize it, like the rest of the home folder.

I see.

I think it is a little surprising/unnatural that ~/.tb in home (the purview of the TemplateBasedVM / DVM Template) came from /var/cache/tb-binary (the purview of the TemplateVM), and he has to go to the latter VM to customize it.

It will always be messy in the absence of a TBB deb one way or another.

Without it coming from /var/cache/tb-binary:
Imagine a first time user trying to run a Whonix based DispVM without
any DVM Template customizations beforehand. Result: Tor Browser not
installed.

tatertot · August 24, 2018, 4:07pm

Since a premade DVM template is provided by whonix, it can include a copy of torbrowser pre-downloaded to the home folder.

Patrick · August 24, 2018, 4:25pm

Would just need to remove that code:

if echo "$qubes_vm_name" | grep -q "\-dvm" ; then
   exit 0
fi

From here:

github.com

Whonix/tb-updater/blob/master/usr/lib/tb-updater/first-boot-home-population#L23




if [ -e "$done_file" ]; then
exit 0
fi


if command -v qubesdb-read >/dev/null 2>&1 ; then
qubes_vm_type="$(qubesdb-read /qubes-vm-type)"
qubes_vm_name="$(qubesdb-read /name)"
fi


## Avoid running in Qubes DVM Template.
## https://phabricator.whonix.org/T726
if echo "$qubes_vm_name" | grep -q "\-dvm" ; then
exit 0
fi


if [ "$qubes_vm_type" = "TemplateVM" ]; then
exit 0
fi


if [ ! -d "$home_dir" ]; then

tatertot · August 24, 2018, 6:09pm

I think most people who start the DVM Template will run TorBrowser or a terminal, so it seems like a warning in those 2 locations would be seen.

Unless you separate out the user files from the application files of torbrowser, I think making it more “deb like” is a lost cause?

Is (2) customizing DVM templates really very geeky? Having lots of customized DVM templates is a natural consequence of Qubes 4.0’s new support for multiple DVM templates.

Outside of whonix, one might already have:

DVM template with no network for opening PDFs
another DVM template for clearnet web browsing with various adblockers preconfigured to block certain resources on certain sites
another DVM template preconfigured with an IRC login, etc…

Even inside of Whonix, it’s natural to have multiple whonix DVM templates, corresponding to various tradeoffs between signature, speed, and security.

factory DVM template
DVM template whose torbrowser has javascript disabled to make it safer, at the expense of sticking out more
DVM template whose torbrowser has addons to block 3rd party resources; to make it faster, at the expense of sticking out more. For non-security critical general browsing, where the adversary is merely advertising and tracking companies. DispVM enforces wiping history / cookies / browser state.

Even if a user only wants one whonix DVM template, they may find it surprising that their method of customizing non-whonix DVM templates doesn’t work in whonix.

And if they actually want multiple whonix DVM templates, it would be very easy to set up if DispVMs inherited their TorBrowser from the DVM template: open TorBrowser in each DVM Template and customize it. All done via GUI.

Edit: more cohesive.

Patrick · August 24, 2018, 6:29pm

For sure. Having Tor Browser not installed by default (early Qubes-Whonix version…), needing to repeat the installation process per VM, different updater procedures, having to run the updater in more than one VM (let alone more than on the host [dom0]) were among the biggest usability hassles that were identified by usability designer @bnvk when he was working with Qubes.

Would be good if Tor Browser had an environment variable to increase the security slider level. Could you please submit a feature request against Tor Project?
If we had that, there could be a qvm-service which I would develop which would then set that environment variable so Tor Browser does no longer need that modification on the (file level / start change setting level).

Patrick · August 24, 2018, 6:50pm

tatertot · August 24, 2018, 11:13pm

The user.js solution, i.e. creating /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.prefs containing

user_pref("extensions.torbutton.security_slider", 1);

before the first run of TorBrowser, is not acceptable?

Patrick · August 25, 2018, 7:16am

TBB folder structure changed several times over the years.

There might already be a ticket for an env var actually could you check
please?

tatertot · August 25, 2018, 4:49pm

Found it! https://trac.torproject.org/projects/tor/ticket/25391

awokd · September 13, 2018, 6:45am

By using a standard Salt created whonix-ws-14-dvm, I was able to abbreviate this process. Basically, I skipped steps 1-6, then did:

7. Spawn a Tor Browser dispvm from the new [stock] whonix-dvm
8. Add all other setting ( bookmarks, HTTPSEverywhere rules etc) to the Tor Browser dispvm
9. Copy all pertinent files from Dispvm: /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default to the same location in the whonix-ws-dvm

I noticed several cache related files listed under profile.default. Is there any impact to uniqueness by using a copy of the profile like this (beyond having non-default settings), instead of starting from a fresh one every time? It does seem to have resolved an issue I was having with TB freezing for ~30 seconds on startup; I’m guessing as it was creating profile files.

Patrick · September 13, 2018, 10:35am

No actual issue known but discouraged as precaution under https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Running_Tor_Browser_in_Qubes_TemplateVM please see To understand why, please press on Expand on the right.

9jnc7 · September 22, 2018, 2:55am

Good idea, but it isn’t sustainable. 14-DVM wants to install a fresh TBB through whonix-ws when updates are released.

I don’t want to complain but I do hope to find a way to painlessly carry over DVM customizations. The combined effect of Whonix 14 and TBB 8.0 completely destroyed what I had. (TBB 8.0 upgrade erased custom rulesets.) Repeating my work so often would be a complete waste of time.

Patrick · September 22, 2018, 10:44am

What do you mean by “wants”?

https://github.com/Whonix/tb-updater/blob/master/usr/lib/tb-updater/first-boot-home-population won’t be touching /home/user/.tb/tor-browser if /home/user/.tb/tor-browser already exists.

github.com

Whonix/tb-updater/blob/master/usr/lib/tb-updater/first-boot-home-population#L45


fi


if [ -d /var/cache/tb-binary ]; then
chown --recursive "$user_name:$user_name" /var/cache/tb-binary
fi


shopt -s dotglob
shopt -s nullglob


for folder_name in /var/cache/tb-binary/*; do
sudo --non-interactive -u "$user_name" cp --verbose --recursive --no-clobber "$folder_name" "$home_dir"
done


mkdir -p "$cache_folder"
touch "$done_file"
chown --recursive "$user_name:$user_name" "$cache_folder"

That’s because it’s using

--no-clobber

Won’t be running in DVM Template anyhow…

github.com

Whonix/tb-updater/blob/master/usr/lib/tb-updater/first-boot-home-population#L23




if [ -e "$done_file" ]; then
exit 0
fi


if command -v qubesdb-read >/dev/null 2>&1 ; then
qubes_vm_type="$(qubesdb-read /qubes-vm-type)"
qubes_vm_name="$(qubesdb-read /name)"
fi


## Avoid running in Qubes DVM Template.
## https://phabricator.whonix.org/T726
if echo "$qubes_vm_name" | grep -q "\-dvm" ; then
exit 0
fi


if [ "$qubes_vm_type" = "TemplateVM" ]; then
exit 0
fi


if [ ! -d "$home_dir" ]; then

I don’t see how Whonix gets into the way here. tb-updater is maximum configurable. You can even overrule each shell function with custom code.

https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#DVM_Template_Customization documents (Option 1 - /etc/torbrowser.d/ settings method) how to start torbrowser / update-torbrowser in DVM Template. first-boot-home-population won’t be touching /home/user/.tb/tor-browser. So I don’t see what’s missing here.

Aside from doing it all by yourself (not relying on Whonix code doing anything wrt Tor Browser / DVM / DispVM)…

What about file based modification and a hook that runs after tb-updater which copies over your file?

tatertot · September 26, 2018, 2:09am

@9jnc7:

What method did you use to customize the torbrowser in 14-DVM?

I think the cleanest way is to just create a new DVM template whose name does not end in *-dvm, let’s call it whonix-ws-dvm2. Then it behaves like a traditional qubes DVM template (i.e. all of home persists, torbrowser isn’t recreated on startup every time). Then for updates and customization, you do them from within torbrowser in whonix-ws-dvm2 (and torbrowser’s internal updater preserves customizations!).

The result is 2 DVM templates:
a) the original whonix-ws-dvm. dispvms based on it have the default experience, good for troubleshooting, minimal fingerprintability
b) whonix-ws-dvm2. dispvms based on it have a more comfortable, customized experience.

Patrick · September 25, 2018, 6:48am

tatertot:

I think the cleanest way is to just create a new DVM template whose name does not end in *-dvm, let’s call it whonix-ws-dvm2.

Please don’t. This will break in near future. There are other already
documented options to reach the same goal.

9jnc7 · September 28, 2018, 12:49am

I thought that’s how it worked. This wiki entry explains my reasoning:

So, if Whonix works like I think it does (I guess it doesn’t) than tb-updater would overwrite any customizations I make when a new TBB version comes out.

I’m not proficient enough for that. I wouldn’t know where to start.

@tatertot: Was carrying over from pre-Whonix 14. Please forgive me, If the problem is only me I’d rather not use more of everyone’s time.

Patrick · September 28, 2018, 3:47am

Apply instructions from (click expand button) https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#DVM_Template_Customization and “there will be no Whonix doing something”, i.e. tb-updater won’t overwrite anything. All that Whonix does by design is configurable and can be disabled.

9jnc7 · October 2, 2018, 6:47pm

Thank you.

xuy · April 26, 2020, 5:57pm

sorry for necroposting

I want to share a quite simple way to make a whonix friendly minimal changes to the tor browser config. It will allow you to update the browser to a fresh version with update-torbrowser (in whonix-15 template).
You can use >> for save the default effect of security-slider-highest.js file.

In whonix-dvm (template_for_dispvms):

user@host:~$ tail -n 2 /rw/config/rc.local 
sed -i 's/#tb_security_slider_safest=true/tb_security_slider_safest=true/' /etc/torbrowser.d/30_default.conf
echo 'user_pref("browser.ctrlTab.recentlyUsedOrder", false);' > /usr/share/torbrowser/security-slider-highest.js