How do I customise Tor Browser in a Whonix TemplateBased DVM in Qubes-Whonix

tatertot · September 22, 2018, 5:49pm

What method did you use to customize the torbrowser in 14-DVM?

I think the cleanest way is to just create a new DVM template whose name does not end in *-dvm, let’s call it whonix-ws-dvm2. Then it behaves like a traditional qubes DVM template (i.e. all of home persists, torbrowser isn’t recreated on startup every time). Then for updates and customization, you do them from within torbrowser in whonix-ws-dvm2 (and torbrowser’s internal updater preserves customizations!).

The result is 2 DVM templates:
a) the original whonix-ws-dvm. dispvms based on it have the default experience, good for troubleshooting, minimal fingerprintability
b) whonix-ws-dvm2. dispvms based on it have a more comfortable, customized experience.

Patrick · September 25, 2018, 6:48am

tatertot:

I think the cleanest way is to just create a new DVM template whose name does not end in *-dvm, let’s call it whonix-ws-dvm2.

Please don’t. This will break in near future. There are other already
documented options to reach the same goal.

9jnc7 · September 28, 2018, 12:37am

I thought that’s how it worked. This wiki entry explains my reasoning:

So, if Whonix works like I think it does (I guess it doesn’t) than tb-updater would overwrite any customizations I make when a new TBB version comes out.

I’m not proficient enough for that. I wouldn’t know where to start.

@tatertot: Was carrying over from pre-Whonix 14. Please forgive me, If the problem is only me I’d rather not use more of everyone’s time.

Patrick · September 28, 2018, 3:47am

Apply instructions from (click expand button) Tor Browser Advanced Topics and “there will be no Whonix doing something”, i.e. tb-updater won’t overwrite anything. All that Whonix does by design is configurable and can be disabled.

9jnc7 · October 2, 2018, 6:47pm

Thank you.

xuy · April 26, 2020, 5:54pm

sorry for necroposting

I want to share a quite simple way to make a whonix friendly minimal changes to the tor browser config. It will allow you to update the browser to a fresh version with update-torbrowser (in whonix-15 template).
You can use >> for save the default effect of security-slider-highest.js file.

In whonix-dvm (template_for_dispvms):

user@host:~$ tail -n 2 /rw/config/rc.local 
sed -i 's/#tb_security_slider_safest=true/tb_security_slider_safest=true/' /etc/torbrowser.d/30_default.conf
echo 'user_pref("browser.ctrlTab.recentlyUsedOrder", false);' > /usr/share/torbrowser/security-slider-highest.js

Patrick · April 26, 2020, 9:56pm

Does nothing.
(tb_security_slider_safest=true = tb_security_slider_safest=true.)

You can use any of these folders depending on where you want the setting to apply. As per usual Qubes persistence.

/etc/torbrowser.d - TemplateVM, inherited by all templated based AppVMs, DVM Template and DispVMs
/usr/local/etc/torbrowser.d - persists in AppVM, DVM Template → DispVM (i.e. if you want to have settings per AppVM and for all VMs based on TemplateVM)

deeplow · September 6, 2020, 11:32am

Thanks for the pointer, this helped me solve the issue. Any way to change HTTPsEverywhere’s settings in a file like this? (blocking non-https pages by default)

Patrick · September 7, 2020, 6:43am

figure out how to do this with Tor Browser Bundle on plain, non-Whonix Debian as per Self Support First Policy for Whonix
only then start considering DispVM

deeplow · September 7, 2020, 8:05am

Thanks! Will do

deeplow · September 11, 2020, 12:23pm

Linking here a related discussion on the Qubes forum:

https://qubes-os.discourse.group/t/how-to-securely-customize-tor-browser-in-whonix-with-add-ons-and-about-config-entries/506

Patrick · September 11, 2020, 5:59pm

Whonix has No Intentional User Freedom Restrictions. I.e. no intentional customization restrictions which wouldn’t be easy to overcome when following documentation.

Quote Tor Browser DVM Template Customization

Customization is discouraged! To start Tor Browser from the command line or in debugging mode in a Qubes DVM Template, please press Expand on the right.

There you’ll find:

Option 1: /etc/torbrowser.d/ Settings Method
Option 2: cd /var/cache/tb-binary/.tb/tor-browser/Browser Method

Improved a bit just now.

With the latter method its described in detail and don’t see how customization is limited at all by using Whonix.

And also added another option just now.

Option 3: Manual Method

Which should allow for all-encompassing customization.

Happy customization.

This is cumbersome due to unresolved upstream issues of which none is introduced by Whonix. In summary, unavailability of a standard compliant Debian package of Tor Browser and mixing binaries and user data into the same folder. See Tor Browser Update: Technical Details.

deeplow · September 12, 2020, 8:49am

Thank your @Patrick spending time documenting that, I think this will be very useful for Qubes folks! (I’ll link it back on the Qubes forum thread).

Noted! Thanks for the clarification!

Thank you!

deeplow · September 12, 2020, 10:08am

Just two small notes on documented solution:

Permission denied / Can’t run Tor Browser as root
Since /var/cache/tb-binary/.tb/tor-browser/Browser in the (TemplateVM) are owned by root, then (1) tor browser can’t be run with ./start-tor-browser (as stated in the docs – permission denied) and with sudo ./start-tor-browser it says “Can’t run Tor Browser as root”.

So my solution was to:

cd /var/cache/tb-binary/.tb/tor-browser/Browser
sudo chown -R user:user . to make the browser run under user
customize Tor Browser
sudo chown -R root:root: . (to change it back to being owned by root)

Isn’t option 2 the continuation of option 1
It seems like option 1) an 2) go together, so it would make sense for them to be to be under a single option 1) instead.

Should I add these changes to the wiki?

torjunkie · September 12, 2020, 1:16pm

Please do - we need more wiki input from technically minded Qubes users like yourself.

I’d love to see @adw make a comeback too for ideas & input.

Patrick · September 12, 2020, 2:12pm

I need a few minutes to think about this and experiment.

deeplow · September 12, 2020, 2:13pm

I’ve added the “chown” part, but about the other part I’ve noticed that my comment isn’t correct.

The first option show the users how to enable running Tor Browser in the DVM template, but not then does nothing with it. Does that option also allow a user to run it in the TemplateVM? (if so, then it makes sense but needs renaming (DVM->TemplateVM). If not, then this option should be removed as it no longer works.

deeplow · September 12, 2020, 2:13pm

Sorry @Patrick. I just implemented the change. Feel free to revert it.

Patrick · September 12, 2020, 3:42pm

Thanks for fixing the permission error. Kept the edit and improved. Since that whole wiki page is for advanced users, I removed the click to expand button.

That was indeed a bit weird and intermingled.

We have now this:

DVM Template Customization

Please check if that now makes more sense. Let me know what you think.

deeplow · September 12, 2020, 6:55pm

Yes, it’s much more clear now. And the new naming makes lots of sense!

I was able to reproduce both methods. Here is just a little note on a part I found confusing:

Note

I’m a bit confused on the step 5 and 6 of option 1 regarding where the command should be run.

In Whonix-Workstation ™ DVM Template whonix-ws-15-dvm:
Create folder /usr/local/etc/torbrowser.d.
[…]
Open file /usr/local/etc/torbrowser.d/50_user.conf in an editor with root rights. (Qubes-Whonix ™: In TemplateVM)

I think you mean both of these steps should be done on the DVM Template, right?

But overall this change is pretty helpful. Thanks again @Patrick. Keep up the good work!