diff files across appvms


john.e...@gmail.com

Jan 22, 2019, 4:23:54 PM
to qubes-users
Is it possible to compare (diff) files across appvms? Or (and), is it possible to pass arguments to an appvm through a dom0 terminal?

Basically, I want to check if a Keepassxc file in my vault is different than a Keepassxc file in my appvm.

Thanks for any ideas.

John

unman

Jan 22, 2019, 8:18:48 PM
to qubes-users
You can do this using qvm-run-vm or by using qvm-run in dom0.
Look at the policy file in /etc/qubes-rpc/policy/qubes.VMShell and the
warning.

If all you want to do is see if the files differ, then you can just
generate hashes: from vault -
qvm-run-vm appvm 'md5sum db.kdbx'
Compare that with local hash.

I don't think you can diff the files themselves.

john.e...@gmail.com

Jan 23, 2019, 8:38:43 AM
to qubes-users
On Tuesday, January 22, 2019 at 8:18:48 PM UTC-5, unman wrote:

unman, I don't have qvm-run (perhaps that's for 3.2?), and running the hash command example you gave (modified to point to a file that exists in the appvm) produced no output. Specifically:

$ qvm-run vault 'md5sum file.kdbx'
Running 'md5sum file.kdbx' on vault

But no output. Any ideas?

Thanks.
John

unman

Jan 23, 2019, 9:54:50 AM
to qubes-users
In qubes, you should have qvm-run-vm tool. In dom0, qvm-run. The
capabilities (and controls) are different.

You are trying to run in dom0 - to get output there you need to use:
qvm-run -p vault 'md5sum file.kdbx'
The '-p' allows for stdio from the running program to be passed to dom0
- be aware of the potential risks. Otherwise the command is run (and
stdio kept) in the target qube.

In qubes, you use qvm-run-vm - you must have considered
/etc/qubes-rpc/policy/qubes.VMShell
So, from vault run "qvm-run-vm appvm 'md5sum file.kdbx'", and the output
of that command run on appvm will appear in vault, and you will be able
to make the comparison.

john.e...@gmail.com

Jan 23, 2019, 10:19:14 AM
to qubes-users

unman, thank you for this. I understand the difference now, and using qvm-run -p in dom0 works fine. I cannot get qvm-run-vm to work, because I'm presented with "Request refused". I don't understand the significance of /etc/qubes-rpc/policy/qubes.VMShell, but I don't actually have a directory called policy, so that file path is /etc/qubes-rpc/qubes.VMShell.

I can make this work using dom0, but I suspect (but don't know for sure) that that is unwise.

John

unman

Jan 23, 2019, 11:04:40 AM
to qubes-users
It's not ideal because you are parsing the output of an (unknown) command
run in a qube in dom0.

You are getting the "request refused" because you have not set a policy
rule allowing vault to run commands in appvm.
I don't have /etc/qubes-rpc/qubes.VMShell, and I do have
/etc/qubes-rpc/policy.
I've just checked this on a number of boxes, including a clean 4.0 image
and they all have the same.
It occurs to me that you are looking in the qube, and not in dom0 - can
you check this? You need to set the policy in dom0, and it will be
applied in individual qubes.
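
The hash comparison discussed in this thread, as an added shell example that no participant posted: it treats the reply from the other qube as untrusted text and accepts only a single well-formed digest line before comparing. It uses sha256sum where the thread uses md5sum, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical function names). Compares a local file's SHA-256
# with a digest line received from another qube, treating that line as
# untrusted text. In vault, with a dom0 policy rule allowing vault -> appvm:
#   remote=$(qvm-run-vm appvm 'sha256sum file.kdbx')
#   compare_with_remote file.kdbx "$remote"

NL='
'

# Print the digest from one "sha256sum"-style line; fail unless the line is
# exactly 64 lowercase hex characters, a space, and a non-empty remainder.
parse_digest_line() {
    line=$1
    # Refuse multi-line or oversized replies rather than interpreting them.
    case $line in *"$NL"*) return 1 ;; esac
    [ "${#line}" -le 512 ] || return 1
    digest=${line%% *}
    [ "${#digest}" -eq 64 ] || return 1
    case $digest in *[!0123456789abcdef]*) return 1 ;; esac
    case $line in "$digest "?*) ;; *) return 1 ;; esac
    printf '%s\n' "$digest"
}

# Exit status: 0 = same content, 1 = different, 2 = reply malformed or
# local file unreadable.
compare_with_remote() {
    remote_digest=$(parse_digest_line "$2") || return 2
    local_digest=$(sha256sum -- "$1") || return 2
    [ "${local_digest%% *}" = "$remote_digest" ]
}

# Constructed demo: a temporary file stands in for the local database and the
# "remote" replies are made up here, not fetched from another qube.
run_demo() {
    f=$(mktemp) || return 1
    printf 'constructed sample\n' > "$f"
    compare_with_remote "$f" "$(sha256sum -- "$f")" && r1=0 || r1=$?
    compare_with_remote "$f" "$(printf '%064d' 0)  file.kdbx" && r2=0 || r2=$?
    compare_with_remote "$f" "Request refused" && r3=0 || r3=$?
    rm -f -- "$f"
    printf '%s %s %s\n' "$r1" "$r2" "$r3"
}
run_demo
```

An exit status of 2 separates "the other qube did not return a digest" (for example the "Request refused" text) from "the files differ", so a refused or garbled reply is never mistaken for a mismatch.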


john.e...@gmail.com

Jan 23, 2019, 11:15:54 AM
to qubes-users

unman, thank you for being so generous with your time. I appreciate the education. Yes, I was looking in appvms. I'm starting to understand better what needs to be done. I'll see how far I get.

John

unman

Jan 24, 2019, 6:56:08 AM
to qubes-users
On Wed, Jan 23, 2019 at 08:15:53AM -0800, john.e...@gmail.com wrote:
>
> unman, thank you for being so generous with your time. I appreciate the education. Yes, I was looking in appvms. I'm starting to understand better what needs to be done. I'll see how far I get.
>
> John
>
No problem. Remember that at the moment all management is done in dom0,
so it is there that policy decisions are set.
If you hit any more problems don't hesitate to come back.

unman

John Goold

Jan 30, 2019, 11:06:19 AM
to qubes-users

Would it not be simpler, and safer, to create the hash in your vault VM and then copy it to the global clipboard? Then switch to your appVM, open gedit (or editor of your choice) and paste the hash there.

Finally create the hash in your appVM and compare the two.

That is the basic method I have been using to compare things across VMs. In particular, generate whatever you need in the more secure VM and pass the result to the less secure VM for the comparison step.

I avoid doing anything except VM management in dom0. I think that is the way one is supposed to use Qubes.

john.e...@gmail.com

Jan 30, 2019, 12:13:31 PM
to qubes-users
On Wednesday, January 30, 2019 at 11:06:19 AM UTC-5, John Goold wrote:
> On Tuesday, January 22, 2019 at 3:23:54 PM UTC-6, john.e...@gmail.com wrote:
> > Is it possible to compare (diff) files across appvms? Or (and), is it possible to pass arguments to an appvm through a dom0 terminal?
> >
> > Basically, I want to check if a Keepassxc file in my vault is different than a Keepassxc file in my appvm.
> >
> > Thanks for any ideas.
> >
> > John
>
> Would it not be simpler, and safer, to create the hash in your vault VM and then copy it to the global clipboard? Then switch to your appVM, open gedit (or editor of your choice) and paste the hash there.
>
> Finally create the hash in your appVM and compare the two.
>
> That is the basic method I have been using to compare things across VMs. In particular, generate whatever you need in the more secure VM and pass the result to the less secure VM for the comparison step.

Good advice, John. Thanks.
