Setting up anon-base-files shows machine-id prompt followed by "OMINOUS WARNING"

This prompt recently came up when updating Whonix templates. What’s the recommended action here?

Setting up anon-base-files (3:4.4-1) ...

Configuration file '/etc/machine-id'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.

I would think Y or I : install the package maintainer's version would make the most sense for anonymity. This seems to be supported by: Anonymize /etc/machine-id - #7 by Patrick

Immediately afterward, I received this:

*** OMINOUS WARNING ***: /etc/hosts is not linked to either hosts.anondist or hosts.anondist-orig

No idea what this means. Is any user action required here?

1 Like

Y or I should be selected. It’ll just change the value in /etc/machine-id to the same as /var/lib/dbus/machine-id so all Whonix users will have the same /etc/machine-id.

3 Likes

Yes.

Only saw this in Qubes-Whonix. Possibly the /etc/qubes/protected-files.d mechanism is broken. I.e. /etc/qubes/protected-files.d/qubes-whonix.conf not being honored. Something removed the symlink.

1 Like
2 Likes

Happening again. In whonix-gw-15 TemplateVM:

cat /etc/hosts.anondist-orig

127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback disp8251
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

127.0.1.1 disp8251

disp8251 indicates that Qubes was writing to /etc/hosts at some point.

Any idea why Qubes /etc/qubes/protected-files.d mechanism isn’t working? What’s writing to /etc/hosts?

What’s removing the symlink from /etc/hosts to /etc/hosts.anondist-orig? @marmarek

I see writing to /etc/hosts here: qubes-core-agent-linux/qubes-core-agent.postinst at master · QubesOS/qubes-core-agent-linux · GitHub
Maybe Whonix’s protected files configs are not installed yet at this time? You can look at the template build log and see package unpack/configure order.
There is also a write in qubes-core-agent-linux/qubes-early-vm-config.sh at master · QubesOS/qubes-core-agent-linux · GitHub (guarded by protected file on /etc/hostname), but given the value (most likely build hostname) I doubt that’s the issue.

1 Like
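
The checks discussed in this thread can be collected into one script; the following is an added example, not code from Whonix, Qubes or any poster. It verifies that /etc/hosts is a symlink to one of the two names in the warning, that /etc/machine-id matches /var/lib/dbus/machine-id, and lists DisposableVM-style hostnames in a hosts file. The function names, the ROOT prefix argument and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Whonix/Qubes code). Each check takes a ROOT prefix so it
# can run against a constructed tree; pass "" to check the live system.

# /etc/hosts must be a symlink to hosts.anondist or hosts.anondist-orig,
# the two names the warning mentions.
check_hosts_link() {
    [ -L "$1/etc/hosts" ] || { echo "not-a-symlink"; return 1; }
    target=$(readlink "$1/etc/hosts")
    case "${target##*/}" in
        hosts.anondist|hosts.anondist-orig) echo "ok" ;;
        *) echo "unexpected-target"; return 1 ;;
    esac
}

# /etc/machine-id should be byte-identical to /var/lib/dbus/machine-id.
check_machine_id() {
    cmp -s "$1/etc/machine-id" "$1/var/lib/dbus/machine-id"
}

# Print names in a hosts file that look like Qubes DisposableVM hostnames
# (disp + digits), the pattern seen in the thread.
leaked_names() {
    tr -s ' \t' '\n' < "$1" | grep -E '^disp[0-9]+$' | sort -u
}

# Build a constructed sample tree reproducing the state from the thread:
# /etc/hosts replaced by a regular file, disp8251 in hosts.anondist-orig.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/lib/dbus"
    printf '127.0.0.1 localhost\n::1 localhost ip6-localhost ip6-loopback disp8251\n127.0.1.1 disp8251\n' \
        > "$d/etc/hosts.anondist-orig"
    cp "$d/etc/hosts.anondist-orig" "$d/etc/hosts"
    echo "constructed-sample-id" > "$d/etc/machine-id"   # constructed value, not a real ID
    cp "$d/etc/machine-id" "$d/var/lib/dbus/machine-id"
    echo "$d"
}

sample=$(make_sample)
echo "hosts link:  $(check_hosts_link "$sample")"
check_machine_id "$sample" && echo "machine-id:  matches dbus copy"
echo "leaked:      $(leaked_names "$sample/etc/hosts.anondist-orig")"
rm -rf "$sample"
```

Run inside the template, `check_hosts_link ""` reproduces the condition behind the warning, and `leaked_names /etc/hosts.anondist-orig` shows whether a per-VM hostname was written into the file.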