Whonixcheck keeps complaining about timezone after Debian update

I am an experienced Linux developer with some familiarity with Tor. I have tried an older version of Whonix in the past, but I am new to Qubes OS. Last week I installed Qubes OS 3.0 with Whonix templates. Things worked well until I installed security updates in all template VMs.

First whonixcheck alerted me to the fact that unwanted packages had been pulled in by the updates, namely [tt]ntpdate[/tt] and [tt]chrony[/tt]. So I purged them as recommended by whonixcheck. Bug report: This whonixcheck advice was not Qubes-aware, so it wrongly told me to remove these packages from the AppVM dom0 → Start Menu → ‘whonix’ → Konsole instead of the TemplateVMs whonix-ws and whonix-gw.

In order to avoid pulling in undesired packages, it might be wise to modify the [tt]apt[/tt] configuration as recommended by Zwiebelfreunde for Tor Exit servers <[url=https://www.torservers.net/wiki/setup/server]https://www.torservers.net/wiki/setup/server[/url]>:

[code]
# disable debian default that pulls in recommended packages:
cd /etc/apt/apt.conf.d
wget https://raw.githubusercontent.com/torservers/server-config-templates/master/06norecommends
[/code]

At the same time, whonixcheck complained about an unexpected timezone setting, and I am unable to correct it. Even after changing the contents of /etc/timezone from UTC to Etc/UTC in both template VMs, the old value is back after a reboot, and whonixcheck complains again.

Then I noticed that TorBrowser was gone. Whonix offered to re-install it using its TorBrowser-Updater. That was denied by AppArmor, so I disabled it. Now I can use TorBrowser, but whonixcheck keeps complaining about the timezone even after reboots.

It is possible that AppArmor plays a role in this mess. I had enabled it two days ago, and it generated DENIED entries in the kernel.log of whonix-gw for [tt]/usr/sbin/cpfpd[/tt] not being allowed to read from “/rw/usrlocal/lib/python2.7/dist-packages/”. I would paste the exact warning here, but copy & paste does not work (yes, I tried the three-step dance ctrl-shift-c ctrl-shift-v ctrl-v but the destination clipboard still contained an old value).

These are my package sources:

[code]
user@host~$ egrep -rv '^#|^$' /etc/apt/sources.list.d/
/etc/apt/sources.list.d/debian.list:deb http://security.debian.org jessie/updates main contrib non-free
/etc/apt/sources.list.d/debian.list:deb http://ftp.us.debian.org/debian jessie main contrib non-free
/etc/apt/sources.list.d/whonix.list:deb http://mirror.whonix.de/whonixdevelopermetafiles/internal/ testers main
/etc/apt/sources.list.d/torproject.list:deb http://deb.torproject.org/torproject.org jessie main
/etc/apt/sources.list.d/qubes-r3.list:deb [arch=amd64] http://deb.qubes-os.org/r3.0/vm jessie main
[/code]

PS: Tor-Browser was not really gone, but the menu (I am using XFCE) was looking in the wrong place: [tt]/home/user/.tb/[/tt]

After allowing Tor-Browser-Updater to do its work, I have three Tor-Browsers lying around: [tt]/usr/bin/torbrowser[/tt], [tt]/home/user/tor-browser_en-US/[/tt] and [tt]/home/user/.tb/tor-browser_en-US/[/tt]. Not ideal.

[quote]PS: Tor-Browser was not really gone, but the menu (I am using XFCE) was looking in the wrong place: [tt]/home/user/.tb/[/tt][/quote]
Not the wrong place. It's the new place. (https://phabricator.whonix.org/T338)

[quote]After allowing Tor-Browser-Updater to do its work, I have three Tor-Browsers lying around: [tt]/usr/bin/torbrowser[/tt], [tt]/home/user/tor-browser_en-US/[/tt] and [tt]/home/user/.tb/tor-browser_en-US/[/tt]. Not ideal.[/quote]
/usr/bin/torbrowser is a wrapper to start /home/user/.tb/... You can delete /home/user/tor-browser_en-US if applicable or move it to /home/user/.tb/tor-browser_en-US.

Thanks!

A lot of issues come from the testers repository. I just now updated that repository. Good you’re using http://mirror.whonix.de/whonixdevelopermetafiles/internal/ which is updated a bit faster. (More explanation: Whonix ™ APT Repository)

Please update your TemplateVMs, restart the VM, and see what still applies. In case it hasn’t been addressed yet, just copy and paste what you wrote before.

[quote=“digitalcourage, post:1, topic:1572”]In order to avoid pulling in undesired packages, it might be wise to modify the [tt]apt[/tt] configuration as recommended by Zwiebelfreunde for Tor Exit servers <[url=https://www.torservers.net/wiki/setup/server]https://www.torservers.net/wiki/setup/server[/url]>:

[code]
# disable debian default that pulls in recommended packages:
cd /etc/apt/apt.conf.d
wget https://raw.githubusercontent.com/torservers/server-config-templates/master/06norecommends
[/code][/quote]
This should be a separate discussion in the development forum:
Whonix Forum

I’m having this same time issue on testers/xfce, Qubes 3.0. Every time I do whonixcheck I get this:

[code]
ERROR: Check Timezone Result:
/etc/timezone settings different from Whonix defaults.
timezone_file_expected_content: Etc/UTC
timezone_file_actual_content: UTC
ERROR: Check Timezone Result:
Settings different from Whonix defaults. (See above!)
You could try to fix this.
dom0 -> Start Menu -> ServiceVM: whonix-WS-testers -> Konsole
sudo su
echo "Etc/UTC" > /etc/timezone
cp "/usr/share/zoneinfo/Etc/UTC" "/etc/localtime"
It is generally recommended to keep the default as per Whonix Design. [1] If you did not change timezone related settings, please report this Whonix bug.
If you know what you are doing, feel free to disable this check. Create a file /etc/whonix.d/50_whonixcheck_user and add:
whonixcheck_skip_functions+=" check_timezone "
[/code]

As digitalcourage wrote, following these steps doesn’t help and the problem persists after reboots.

Freshly updated packages as of posting.

I should also mention that I opted to not use AppArmor so we can rule that out.

Yes, whonixcheck is wrong. This has to be done in the TemplateVM.

[hr]

qu฿enix, did you apply this in your TemplateVM?

[hr]

Since when did this happen? What are the steps to reproduce this issue? Get Whonix 11 + update from testers repository?

[hr]

The contents of /etc/timezone really is UTC, not /etc/UTC?

cat /etc/timezone

[hr]

Please check the contents of /var/lib/dpkg/info/qubes-whonix.postinst by running the following command.

cat /var/lib/dpkg/info/qubes-whonix.postinst | grep -i utc

It should return nothing. I.e. qubes-whonix.postinst should no longer modify that file.

[hr]

What are the contents of /etc/qubes/protected-files.d/qubes-whonix.conf?

cat /etc/qubes/protected-files.d/qubes-whonix.conf

Should be:

## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Not calling this file simply qubes-whonix to avoid conflicts with the in
## earlier versions auto generated file with the same name. Also one day we
## might wish to only parse config files ending with '.conf'.

## anon-(gw|ws)-dns-conf
/etc/resolv.conf

## anon-base-files
/etc/hostname
/etc/hosts

## timezone-utc
/etc/localtime
/etc/timezone

Fixed after applying to TemplateVM. facepalm

For informational purposes here are the outputs you asked for:

user@host:~$ cat /etc/timezone
UTC
user@host:~$ cat /var/lib/dpkg/info/qubes-whonix.postinst | grep -i utc
user@host:~$ cat /etc/qubes/protected-files.d/qubes-whonix.conf
## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Not calling this file simply qubes-whonix to avoid conflicts with the in
## earlier versions auto generated file with the same name. Also one day we
## might wish to only parse config files ending with '.conf'.

## anon-(gw|ws)-dns-conf
/etc/resolv.conf

## anon-base-files
/etc/hostname
/etc/hosts

## timezone-utc
/etc/localtime
/etc/timezone
user@host:~$ sudo su
root@host:/home/user# echo "Etc/UTC" > /etc/timezone
root@host:/home/user# cp "/usr/share/zoneinfo/Etc/UTC" "/etc/localtime"
cp: overwrite ‘/etc/localtime’? y
root@host:/home/user# cat /etc/timezone /etc/localtime
Etc/UTC
TZif2UTCTZif2UTC
UTC0
root@host:/home/user# cat /usr/share/zoneinfo/Etc/UTC 
TZif2UTCTZif2UTC
UTC0
root@host:/home/user# exit
exit
user@host:~$ whonixcheck
[INFO] [whonixcheck] whonix-ws-testers-TEMPLATE | Whonix-Workstation | TemplateVM | Sun Nov  8 15:49:36 UTC 2015
[INFO] [whonixcheck] Connected to Tor.
[INFO] [whonixcheck] SocksPort Test: Testing Tor's SocksPort...
[INFO] [whonixcheck] SocksPort Test Result: Connected to Tor. IP: 209.133.66.214
[INFO] [whonixcheck] TransPort Test: Testing Tor's TransPort...
[INFO] [whonixcheck] TransPort Test Result: Connected to Tor. IP: 77.247.181.163
[INFO] [whonixcheck] Stream Isolation Test Result: Functional.
[INFO] [whonixcheck] Whonix News Download: Checking for Whonix news and updates...
x whonix_feature_blog.txt
x whonix_gateway_1.9-1_deb_news
x whonix_gateway_valid_build_versions
x whonix_gateway_valid_deb_versions
x whonix_important_blog.txt
x whonix_workstation_1.9-1_deb_news
x whonix_workstation_valid_build_versions
x whonix_workstation_valid_deb_versions
[INFO] [whonixcheck] Whonix News Result:
√ Up to date: whonix-workstation-packages-dependencies 2.8-1
√ Up to date: Whonix Build Version: 11.0.0.3.0
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-get... ( Documentation: https://www.whonix.org/wiki/Update )
[INFO] [whonixcheck] Debian Package Update Check Result: No updates found via apt-get.
[INFO] [whonixcheck] Whonix APT Repository: Enabled.
When the Whonix team releases TESTERS updates,
they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade)
along with updated packages from the Debian team. Please
read https://www.whonix.org/wiki/Trust to understand the risk.
If you want to change this, use:
    sudo whonix_repository
user@host:~$

Started about 5 days ago.

To reproduce I believe you can just install 11, set testers repo, upgrade, and run whonixcheck.

Thanks!

fixed output with advice in Qubes when incorrect timezone is being set
https://github.com/Whonix/whonixcheck/commit/26713b4737cb7d9fe87ffe39f741ebada7f352e9

Fix will come in whonixcheck 3.8.
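
The checks asked for in this thread, gathered into one shell function as an added example (not whonixcheck's or Qubes' own code). It uses the `Etc/UTC` default and the file paths quoted above; the `/run/qubes/this-is-templatevm` marker file and the `ROOT` argument for running against a constructed directory tree are assumptions of this example.

```sh
#!/bin/sh
# Added example: the thread's timezone checks as one function.
# check_timezone_state [ROOT] prints one finding per line; returns 0 when clean.
# ROOT (hypothetical parameter) lets the checks run against a constructed tree.
check_timezone_state() {
    root="${1:-}"
    expected="Etc/UTC"   # value whonixcheck reports as the expected content
    rc=0

    # 1. /etc/timezone must hold exactly the expected zone name.
    actual="$(cat "$root/etc/timezone" 2>/dev/null)" || actual=""
    if [ "$actual" != "$expected" ]; then
        echo "timezone: expected '$expected', found '$actual'"
        rc=1
    fi

    # 2. /etc/localtime must be byte-identical to the zoneinfo file.
    if ! cmp -s "$root/usr/share/zoneinfo/$expected" "$root/etc/localtime"; then
        echo "localtime: differs from /usr/share/zoneinfo/$expected"
        rc=1
    fi

    # 3. Both files should be listed in protected-files.d, as in the
    #    qubes-whonix.conf quoted in the thread.
    for f in /etc/localtime /etc/timezone; do
        if ! grep -qxF "$f" "$root"/etc/qubes/protected-files.d/*.conf 2>/dev/null; then
            echo "protected-files: $f is not listed"
            rc=1
        fi
    done

    # 4. qubes-whonix.postinst should no longer mention UTC.
    if grep -qi utc "$root/var/lib/dpkg/info/qubes-whonix.postinst" 2>/dev/null; then
        echo "postinst: qubes-whonix.postinst still references UTC"
        rc=1
    fi

    # 5. A fix only survives a reboot when made in the TemplateVM.
    #    Assumption: Qubes creates this marker file inside TemplateVMs.
    if [ "$rc" -ne 0 ] && [ ! -e "$root/run/qubes/this-is-templatevm" ]; then
        echo "note: this is not a TemplateVM; apply the fix in the TemplateVM"
    fi
    return "$rc"
}
```

Called with no argument inside a VM, `check_timezone_state` inspects the live files; a non-zero return means at least one of the four checks failed.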