Issue with user.js when installing SecBrowser on a Qubes DispVM

Hi,

When I start SecBrowser on a DispVM, the file user.js that I modified is not present.

Expected results:

  1. Seeing the user.js file in the ~/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/ folder of the DispVM
  2. … which would lead to seeing the user.js modified prefs in the browser SecBrowser when going to about:config (ultimate goal)

Actual results:

  1. The folder “~/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/user.js” in the DispVM only contains:

    • bookmarks.html and
    • extensions

    Consequently, the user.js is not imported in the DispVM from secbrowser-dvm (the DisposableVM Template I created)

  2. The folder “~/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/user.js” in secbrowser-dvm (the DisposableVM Template) contains many files, including the user.js that I modified.
    But, obviously, the goal is not to go on the internet with the SecBrowser of the DisposableVM Template!

Whonix or Qubes issue?

I was wondering…

So I touched 3 files in secbrowser-dvm:

  • touch qwerty in the ~ folder
  • touch qwerty in the ~/.secbrowser folder
  • touch qwerty in the ~/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/ folder

When I launch an xterm on a DispVM:

  • [+] I can see “qwerty” in the ~ folder
  • [-] I cannot see “qwerty” in the ~/.secbrowser folder
  • [-] I cannot see “qwerty” in the ~/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/ folder

It looks like only the changes in the ~/.secbrowser folder (and subfolders) are not inherited from the DisposableVM Template to the DisposableVM!?

So I thought the issue was more related to Whonix’s SecBrowser than to Qubes’ inheritance between a DisposableVM Template and a DispVM!?

Steps to reproduce

  1. https ://www.whonix.org/wiki/SecBrowser/Qubes#Install_SecBrowser_.E2.84.A2
  2. From there, I modified my user.js
  3. Then I turned my AppVM into a DisposableVM Template (called “secbrowser-dvm”)

Main Question

Why is the user.js file (and all of the other files of the profile, actually) not inherited from the ~/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/ folder of secbrowser-dvm to the DispVM?

Additional Questions

May I ask additional clarifying questions on your webpage related to Qubes/SecBrowser? (https ://www.whonix.org/wiki/SecBrowser/Qubes )

  1. I’m confused by “secbrowser” and “tb-updater”. From https ://www.whonix.org/wiki/SecBrowser/Qubes#Package_Installation:

    • First: “The first step to install tb-updater is to add the Whonix repository.”
    • Later: “sudo apt-get install --no-install-recommends secbrowser”
    • I wonder:
      • How can a command to install “secbrowser” actually install the “tb-updater”?
      • What is the purpose of the “--no-install-recommends” switch, in this particular case?
      • Could you describe how (i) tb-updater, (ii) tb-starter and (iii) secbrowser relate one to another?
  2. From https ://www.whonix.org/wiki/SecBrowser/Qubes#New_Qubes_TemplateBasedVMs:_Latest_Tor_Browser_Version

    I read this paragraph several times but I still don’t understand it.

    It says (about sudo touch /etc/secbrowser-qubes in the TemplateVM): “When using this setting, when the tb-updater package is updated, download-secbrowser runs automatically.”

    I thought the TemplateVMs updated all the applications from their repository. Consequently, the application SecBrowser (i.e. the Tor browser modified to go on clearnet) would be updated in the TemplateVM!? Why is sudo touch /etc/secbrowser-qubes in the TemplateVM necessary?

I realise this is quite a long post! So, thank you for your attention… and for the time you spend in developing Whonix!

PS: I had to “break” my URLs since I guess first time users are not allowed to post links.

https://github.com/Whonix/tb-updater/blob/master/usr/lib/tb-updater/dispvm

^ does this answer your question?

In short: in DispVM /var/cache/tb-binary is bind mounted to user home folder.

You can post links now.

Package secbrowser Depends: on tb-updater. When installing package secbrowser also all dependencies will be installed.

Documentation might be a bit confusing indeed.

Not sure still needed at this point. Compare difference with and without.

secbrowser is a meta package which Depends: essentially on
, tb-starter.

See GitHub - Kicksecure/tb-starter: Tor Browser Starter. Open Link Confirmation; Qubes integration; Command line --new-tab, --new-window; start menu entry; This package is produced independently of, and carries no guarantee from, The Tor Project. and GitHub - Kicksecure/tb-updater: Tor Browser Downloader - Automates download and verification of Tor Browser from The Tor Project's website. This package is produced independently of, and carries no guarantee from, The Tor Project.

tb-starter contains /usr/bin/torbrowser. Originally only Tor Browser support. But once environment variables are changed it can do other stuff such as SecBrowser.

tb-starter now also contains /usr/bin/secbrowser which sets environment variables to start SecBrowser instead.

tb-updater originally only supported downloading Tor Browser and later support was added for SecBrowser.

Technical limitations. It’s a status file used in scripts. Not a pretty implementation. Maybe would have been better to check if package secbrowser is installed instead.

It’s all messy because of unfixed root, tons of features, and historic growth. But I also don’t want to lose more time on it due to risks of regressions, the already sunken cost, works stable now and good enough. I wouldn’t recommend a rewrite either but instead fixing the root issues which are these:

Hi Patrick,

Thank you for such a quick answer!

Maybe I should have mentioned that I’m close to a Linux noob. To give a better idea of my level:

  • A long time ago, I used Linux at work on a very basic level (i.e. I knew what ls meant).
  • I’ve started digging into Linux on a Raspi4 in January
  • I’ve installed Qubes less than 2 weeks ago (after much head scratching thanks to my Nvidia graphic card :wink: )

I’m strongly motivated but I’m afraid much technical stuff is still out of my reach! :slight_smile:

Therefore, may I check with you if I correctly understood your explanations?

Main Question

I’ve just googled what “bind mounted” means. If I understand correctly, in a DispVM, ~/.secbrowser is “kind of a hard link to” /var/cache/tb-binary/.secbrowser.

I’ve just launched SecBrowser in a DispVM and looked to confirm this. Both folders look indeed the same. They contain many files and user.js is one of them.

But how can I manage to have SecBrowser use my modified user.js, then? Should it replace the default user.js into /var/cache/tb-binary/ before the link is made with the user home folder? Is it even possible to achieve that without modifying any Whonix scripts?

Thanks!

Additional Questions

I think I understood all your answers, here. Thanks, Patrick!!

john1234 via Whonix Forum:

Should it replace the default user.js into /var/cache/tb-binary/ before the link is made with the user home folder?

That would work but that change would be lost when tb-updater upgrades
SecBrowser during TemplateVM upgrade. Customization is currently not
considered. If you can understand / hack the scripts it’s certainly
possible.

Is it even possible to achieve that without modifying any Whonix scripts?

Yes.

Thanks for your answers & time, Patrick!
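
The bind mount described in the thread ("in DispVM /var/cache/tb-binary is bind mounted to user home folder") can be confirmed from inside the DispVM by reading /proc/self/mountinfo. This is an added example, not part of any post above and not tb-updater's own code; the function names and the sample mount table (IDs, device names and the exact bound paths) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find out which directory is bind-mounted onto a mount point.
# In /proc/self/mountinfo, field 4 is the root of the mount inside its
# filesystem and field 5 is the mount point. A bind mount of a subdirectory
# shows a field 4 other than "/".
# Limitation: paths containing spaces appear escaped (\040) and are not decoded.

# bind_source MOUNTPOINT [MOUNTINFO_FILE]
#   prints the bound source directory and returns 0 for a bind mount,
#   returns 1 if MOUNTPOINT is not a mount point at all,
#   returns 2 if it is a whole-filesystem mount (root "/").
bind_source() {
    awk -v mp="$1" '
        $5 == mp { root = $4; found = 1 }   # last match is the topmost mount
        END {
            if (!found) exit 1
            if (root == "/") exit 2
            print root
        }
    ' "${2:-/proc/self/mountinfo}"
}

# Constructed mount table resembling a DispVM; the values are assumptions,
# not captured output.
sample_mountinfo() {
    cat <<'EOF'
22 1 202:3 / / rw,relatime shared:1 - ext4 /dev/xvda3 rw
75 22 202:16 /home /home rw,relatime shared:30 - ext4 /dev/xvdb rw
98 75 202:3 /var/cache/tb-binary/.secbrowser /home/user/.secbrowser rw,relatime shared:1 - ext4 /dev/xvda3 rw
EOF
}

# On a real DispVM, run:  bind_source "$HOME/.secbrowser"
```

A bind mount covers whatever the DisposableVM Template left in the directory underneath it, which matches the observation that a file touched in ~ is visible in the DispVM while files touched under ~/.secbrowser are not.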