On Tue, Feb 28, 2017 at 2:12 AM, Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
> On Tue, Feb 28, 2017 at 01:23:24AM +0300, Oleg Artemiev wrote:
>> Hello.
>>
>> From an anti-forensic point of view, an empty dir in some app-VM in
>> QubesIncoming (except dom0) leaks the fact of a VM's presence some
>> time ago.
>>
>> All we need is to add a command like "rm /home/user/QubesIncoming/*/* -p
>> --ignore-fail-on-non-empty" into the default VM startup script for all
>> Linux-based template VMs.
>
> This particular command looks dangerous - you probably meant rmdir
> instead.
yep
> And probably one '*' less. Or actually more ('**', after
> enabling 'starglob' shell option).
> Maybe something like this instead:
> find /home/user/QubesIncoming -type d -empty -delete
Also good. Linux rmdir always ignores non-empty directories and all files.
After reading your reply I changed my opinion - no '**' - only one
'*' or, if done with find, add maxdepth 1 to never touch
sub-dirs below the source VM name - the user may copy some hierarchy. Though
the user usually has no need to create the 1st level subdir in
QubesIncoming - this is made by the file copy utils.
> Anyway, I don't think it should be enabled by default - automatic
> removal (or in any other way altering) user files in home directory is
> not something we'd like to do. If anything, it should be disabled by
> default.
This is not _user_ content, at least from the moment the user has deleted
all content of a sub-directory under QubesIncoming and it is empty.
This _directory_ artefact is created by OS file handling tools on the user's
intent to copy a _file_ and is not needed anymore = is not properly
cleaned. Even more - having these empty dirs is somewhat of an attention
stealer - a few months later the user may probably spend time doing 'ls'
there - to be sure nothing is forgotten there.
> As for anti-forensic - I'd expect that there are much more places like
> this - like file manager cache/history,
Oops.. didn't think about this. Don't those expire? QubesIncoming
sub-dirs don't ever.
> shell history,
Only if data is copied in both directions.
> various application's caches etc.
Any cache should expire. Directories persist till removal.
> If you want non-persistence (of VM existence
> fact in this case), use DispVMs.
When I copy from some hidden_app_vm to some not-that-hidden-appvm and
want those files to be in not-that-hidden-appvm finally - dispVM
as proxy for copying will solve all. Though if that will be cleaned
up w/o my intervention it could be just better.
>> I could provide the simplest pull request if this change will be
>> accepted (good if you point me to a repo where it should go). Should
>> I?
intent not accepted. ok
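
An added example, not part of the original thread and not Qubes code: the `find` command quoted above next to the depth-limited variant discussed in the reply, run on a constructed tree. The function names and the source-VM names `work`, `personal` and `vault` are hypothetical.

```shell
#!/bin/sh
# Added illustration; sample tree and VM names are constructed.

# Depth-limited cleanup: remove only empty first-level directories
# (one per source VM) and never descend into what the user copied.
clean_incoming() {
    base=${1:-/home/user/QubesIncoming}
    [ -d "$base" ] || return 0
    find "$base" -mindepth 1 -maxdepth 1 -type d -empty -delete
}

# The command as quoted in the thread, kept for comparison.
# -delete implies depth-first order, so a hierarchy consisting only of
# empty directories is removed bottom-up; an empty $base would go too.
clean_incoming_unbounded() {
    base=${1:-/home/user/QubesIncoming}
    [ -d "$base" ] || return 0
    find "$base" -type d -empty -delete
}

# Build a constructed QubesIncoming-like tree and print its path.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/work"                 # empty leftover directory
    mkdir -p "$root/personal/docs/2017"   # copied hierarchy, no files yet
    mkdir -p "$root/vault"
    echo data > "$root/vault/report.txt"  # directory still holding a file
    printf '%s\n' "$root"
}

# Stand-alone demo: show what survives the depth-limited cleanup.
demo=$(make_sample)
clean_incoming "$demo"
find "$demo" -mindepth 1 | sort
rm -rf "$demo"
```

The depth-limited form removes `work` only, while the unbounded form also removes `personal` and everything under it.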