On Fri, Jan 15, 2021 at 06:35:13PM -0600, Sven Semmler wrote:
> On 1/15/21 6:10 PM, unman wrote:
> > at the expense of security, since all AppVMs based on that template
> > will have a large number of applications/libraries which may be ripe
> > for exploit.
>
> Could you please elaborate? I am not sure I understand.
Many attacks rely on chaining exploits and loopholes in an assortment of
applications and libraries.
You see this very often in "capture the flag" contests, and in real
world attacks.
If you use a single template and load it with software (and therefore
associated libraries) you have significantly broadened the attack
surface: this is particularly so if you install "recommended and
suggested" packages.
By contrast, if you use a minimal template and install a single
application, the attack surface is smaller.
If you have a template loaded with file viewers, office applications and
drawing software, it will undoubtedly be extremely useful. But the
attack surface is large. If you use that template as the basis for your
mail reader, for example, then there is scope for an attack using a crafted
email attachment.
But if you use a minimal template with a good mail reader like mutt,
and open all the attachments in an offline disposable VM based on that
extensive template, the risk to your mail reader, and by extension
your Qubes system, is reduced. (Note, reduced but nor removed.)
In my system, almost *all* my working qubes are based on adapted minimal
templates, and most of them, including my mail qubes, are offline.
This may be why I have an unholy number of templates.
File storage qubes are exactly that - they store files. If I want to
view, or edit, I do it in an offline qube: I *have* to do it in another
qube, because the storage qubes don't have the capacity for anything
except plain text editing (and imagemagick, and some python and....).
Are there risks? Of course.
>
> > I'm not altogether clear on what you mean here.
>
> I understood
>
> 1) AppVM based on debian-10 and install gimp in AmpVM. The OP might or might
> not be aware of binds/persistence.
I didnt hear this in what OP wrote.