/var/cache/tb-binary unusual directory permissions chmod 775 instead of 755

Hi,

I notice that in Whonix Workstation 17 the directory /var/cache/tb-binary and its subdirectories all have 775 permissions (not 755).

What is the reason for not having them 755?
What problem may one face if one sets them to 755?

1 Like

True.

[workstation user ~]% stat -c '%a' /var
755
[workstation user ~]% stat -c '%a' /var/cache
755
[workstation user ~]% stat -c '%a' /var/cache/tb-binary
775

tb-updater/usr/libexec/tb-updater/tb-permission-fix at master · Kicksecure/tb-updater · GitHub

Folder /var/cache/tb-binary is owned by:

  • user: user
  • group: user

Giving the group the same permission as the user seems correct.

related:

I am not sure there would be any issues except perhaps when attempting to copy Tor Browser as a different user, user2, a member of group user, or in other complex cases. (That folder is mounted in the DispVM into the user home folder; this is then done as a user other than user user.)

It’s part of complex technical challenges, not caused by Whonix, documented here:
Tor Browser Update: Technical Details

So unless there’s any actual issue, not worth touching.

1 Like
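The stat checks above look at three directories by hand. As an added example (not from this thread and not tb-updater’s tb-permission-fix script), here is a small POSIX shell audit that lists the mode, owner and group of every directory in a tree and reports the ones that grant group write (the 775 case). The tree it builds is constructed here to stand in for /var/cache/tb-binary (the `.tb/tor-browser/Browser` layout and the `contrast-755` name are assumptions); set TREE to the real path on a Whonix/Qubes VM to audit it.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory tree for entries that
# grant group write (g+w), i.e. mode 775 where 755 might be expected.
# The sample tree below is constructed to resemble /var/cache/tb-binary; the
# directory names are assumptions, not tb-updater's actual layout.

set -eu

# Print "<octal mode> <owner> <group> <path>" for every directory in the tree,
# sorted by path. Same stat format the thread uses, plus owner and group.
list_dir_modes() {
    find "$1" -type d -exec stat -c '%a %U %G %n' {} + | sort -k4
}

# Print only the directories whose group write bit is set.
# "-perm -g=w" matches when g+w is set regardless of the other mode bits,
# so it catches 775, 770, 2775 and so on, but not 755.
group_writable_dirs() {
    find "$1" -type d -perm -g=w | sort
}

# Number of group-writable directories, for a quick yes/no check.
count_group_writable_dirs() {
    group_writable_dirs "$1" | wc -l | tr -d ' '
}

# Build the constructed stand-in tree: four directories at 775 (as observed
# for /var/cache/tb-binary) and one left at 755 for contrast.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tb-binary/.tb/tor-browser/Browser" "$root/tb-binary/contrast-755"
    chmod 775 "$root/tb-binary" "$root/tb-binary/.tb" \
              "$root/tb-binary/.tb/tor-browser" "$root/tb-binary/.tb/tor-browser/Browser"
    chmod 755 "$root/tb-binary/contrast-755"
    printf '%s\n' "$root"
}

TREE=$(make_sample_tree)
list_dir_modes "$TREE/tb-binary"
echo "group-writable directories: $(count_group_writable_dirs "$TREE/tb-binary")"
```

The audit only inspects mode bits, not POSIX ACLs; on a system with User Private Groups, where group user contains only user, a 775 directory grants nothing that 755 does not until a second account is added to that group.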

Giving the group the same permission as the user seems correct.

Correct in relation to what?
And why would it be incorrect to have it the traditional (755) way?
Why does the group “user” (which has only one user, named “user”) need write permission?

That folder is mounted in the DispVM into the user home folder; this is then done as a user other than user user.

I don’t see it in /proc/mounts.

What I do see is that /var/cache/tb-binary/* (its content) is copied to $HOME when running torbrowser.

It’s part of complex technical challenges, not caused by Whonix, documented here:
Tor Browser Update: Technical Details

I don’t see anything related to permissions on this link. Could you explain shortly what you mean?

1 Like

In relation to having both user and group with the same rights.

Consistent with UPGs (UserPrivateGroups - Debian Wiki). One could create user user2 and add it to group user. Not sure that is useful in this specific case but generally seems to be the correct choice as per UPGs.

mount | grep --fixed-strings ".tb"

In App Qubes, yes.

In DispVM, no. Then it’s mounted because that’s faster.
(Based on a suggestion by Marek in some ticket I don’t have handy after some users reported a bug that startup of Tor Browser in DispVMs takes too long.)

  1. There’s no Debian package for Tor Browser (TB). Which if there was, all of that complexity would not exist.
  2. Upstream supposes TB to be installed in the user home folder.
  3. In Qubes, TB should not be in the home folder. One reason for that is that the home folder won’t be inherited by App Qubes or Disposables. Also, TB should not be run in the Template, and there would be networking issues. Neither supports command-line based updates through the TB internal updater.
  4. Getting up-to-date TB in new App Qubes, Disposables is therefore challenging. TB needs to be in the root image (/var/cache/tb-binary) so it can be made available to App Qube or Disposable private image (/home/user/.tb).

While handling all of this, permissions need to be sorted out as well.

1 Like

Consistent with UPGs (UserPrivateGroups - Debian Wiki). One could create user user2 and add it to group user. Not sure that is useful in this specific case but generally seems to be the correct choice as per UPGs.

OK. Then the question is - considering there are no UPGs in Qubes OS, why do we need to have permissions as if there are?

  1. … 4.

How does the g+w dir permission help that process?

BTW, this thread might be interesting in the context of 1-4.

1 Like

UPGs are a Debian (and maybe other Linux distributions’) design which is inherited by and unmodified in Qubes Debian.

It is the correct implementation the Debian way (UPGs). And as I said:

So unless there’s any actual issue, not worth touching.

  • create a volume in some pool (e.g. pool00 or other)

Way too complex for this. Would require doing something in dom0 (or the storage domain). Not needed here.

1 Like

A post was split to a new topic: use symlink for Tor Browser User Profile Data Folder instead of Copying the Whole Tor Browser Folder