is it better to have just standaloneVMs?

[evo]

Hi!

i consider about the VM-strategy for the personal and other areas.
till now i have just AppVms for this purpose.

But isn't it better to have just standalone VMs, because of the
installed software on each VM?

For example i need openoffice on work-VM, but i don't need it on banking
or personal or whatever VM. Thunderbird i just need on my e-mailVM. If I
install everything on the template all software will be on every
AppVM.... so it's less secure.

How do you think about it?

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

You can (and probably should) have multiple TemplateVMs. You'll
probably want OpenOffice in more than one AppVM, even if you don't
want it in your banking VM. For this purpose, it would be more
suitable to have multiple TemplateVMs than multiple StandaloneVMs.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYx8byAAoJENtN07w5UDAwf18QAMjoTchqn69Bbt7khOfIoLy7
hsBZ8a9BxWp8PFT3tiqbim8jXJ4e013yaCXudrs9oSTZW9wEDKeKe0ujvhQSmflK
LncsuuGwpU/odZngORwHHxjRPdDgasRfy1mJ5zxkza+NjOkSpsH9Ml8jmT3Bgzoj
iGbmcLz9CvIglM+rh8t2lJeUNSTaOM8TQwljIQZ2BjkYr3HUciDksdoWus90oHuW
rCwqv2+QTc2EAiewf4LlVvZEP4I3bKYFaKJq84k6fwiQi4rTn8zWSZKNANyYmlwI
v34DMmjEIFjfyFWPH/zMYDct+/39jcXkOyAiq40h5ewmyNvw2LwQhn1Wo8s6p487
A1Rpzw/ukoWE0Sg7TYqpUmt4YpjO2g6m/jxLpfxI0GAsfjxWSRvnn0GXGk5aNGH+
thBbz6MOhXMufQEetLhoehxmA7o/PBCVf6qAPCFdMfrOzNsjnnRg8/4zJxbp6vry
4YE+FXVGqR7dwDPSbb3RDfpbTDPE7uIZv0WM5P/KIC6Qp76KODHimbKA3d4armHd
PYSEGHK8WxSvAY+JeM6GHT6Oc5wdm7XEmo6189U8kr1jOJreT7XdjEUwTdGklmBj
syPdb2dltIxO+K0iqNqr/c8XAyNWgAMQtngm+RIyNoJcDupsvGt1bXWMvbYEs2Wj
/09EDOkFOc27Ii7GRHWW
=+x7h
-----END PGP SIGNATURE-----

[Vít Šesták]

How much is a threat installed software you don't use?

* If the package install script is malicious, it is a threat.
* However, if you are concerned just about vulnerabilities, they are often not applicable if you don't use the software.

So, it depends on your threat model.

Regards,
Vít Šesták 'v6ak'

[Grzesiek Chodzicki]

It's less convenient (every StandaloneVM has to be manually updated instead of updating just the template) and it'll eat your drive space much faster.

[evo]

Am 14.03.2017 um 11:33 schrieb Andrew David Wong:
> On 2017-03-14 01:23, evo wrote:
>> Hi!
>
>> i consider about the VM-strategy for the personal and other areas.
>> till now i have just AppVms for this purpose.
>
>> But isn't it better to have just standalone VMs, because of the
>> installed software on each VM?
>
>> For example i need openoffice on work-VM, but i don't need it on
>> banking or personal or whatever VM. Thunderbird i just need on my
>> e-mailVM. If I install everything on the template all software will
>> be on every AppVM.... so it's less secure.
>
>> How do you think about it?
>
>
> You can (and probably should) have multiple TemplateVMs. You'll
> probably want OpenOffice in more than one AppVM, even if you don't
> want it in your banking VM. For this purpose, it would be more
> suitable to have multiple TemplateVMs than multiple StandaloneVMs.
>
>

ah, ok, this sounds better.
so i'll try to manage it this way.
thanks!

[evo]

hmm.. this is also a good point, thanks!
so if i do not use openoffice in my bankingVM, there is no practical
vulnerability in it.

[evo]

i thought about it, also as i thought about HVM... it costs much space,
very much space, if i think about 5-8 VMs. And as i understand it gives
me not so much better security.

[Chris Laprise]

On 03/14/2017 01:55 PM, evo wrote:
> hmm.. this is also a good point, thanks!
> so if i do not use openoffice in my bankingVM, there is no practical
> vulnerability in it.
>

Yes and no. Off the top of my head, there are two things to be concerned
about with the (regular, distro) software you install:

1. Does it cause an additional service to start accepting connections?

2. Does it have a MIMEtype or similar mapping, so that clicking on a
mislabeled file could cause it to open in an unwanted/risky app.
Unfortunately, nautilus doesn't seem to have a setting for always asking
before starting an app. But at least it defaults to double-click instead
of single-click.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett

[Unman]

3. Installing some programs, like libre/openoffice, brings with it numerous
libraries and attendant programs which may widen the attack surface of
your qube considerably.

[evo]

so its better to have such VMs as banking or email in standalone-mode.
The thing is... as i understood, stanalone-machines (if they are not
HVM) have all software from the template they use. So the only way is,
to install new iso on HVM, isn't it?

in that case, i don't really understand the sense of standalone AppVMs.

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2017-03-15 01:14, evo wrote:
> Am 15.03.2017 um 01:17 schrieb Unman:
>> On Tue, Mar 14, 2017 at 08:02:58PM -0400, Chris Laprise wrote:
>>> On 03/14/2017 01:55 PM, evo wrote:
>>>> hmm.. this is also a good point, thanks! so if i do not use
>>>> openoffice in my bankingVM, there is no practical
>>>> vulnerability in it.
>>>>
>>>
>>> Yes and no. Off the top of my head, there are two things to be
>>> concerned about with the (regular, distro) software you
>>> install:
>>>
>>> 1. Does it cause an additional service to start accepting
>>> connections?
>>>
>>> 2. Does it have a MIMEtype or similar mapping, so that clicking
>>> on a mislabeled file could cause it to open in an
>>> unwanted/risky app. Unfortunately, nautilus doesn't seem to
>>> have a setting for always asking before starting an app. But
>>> at least it defaults to double-click instead of single-click.
>>>
>>
>> 3. Installing some programs, like libre/openoffice, brings with
>> it numerous libraries and attendant programs which may widen the
>> attack surface of your qube considerably.
>>
>
> so its better to have such VMs as banking or email in
> standalone-mode.

No, that doesn't follow. See my previous message about having multiple
TemplateVMs.

> The thing is... as i understood, stanalone-machines (if they are
> not HVM) have all software from the template they use. So the only
> way is, to install new iso on HVM, isn't it?
>

This doesn't follow either. StandaloneVMs and HVMs are completely
independent of one another. It's possible that there is terminological
confusion here. Please consult the glossary:

https://www.qubes-os.org/doc/glossary/

> in that case, i don't really understand the sense of standalone
> AppVMs.
>

StandaloneVMs can be useful for many different things, but not every
user will have a need for them. For example, if you have a piece of
software that installs parts of itself in both the root fs and user dirs
(and you don't want to work around this with bind-dirs), and you need
the software in only one VM, then a StandaloneVM is probably a perfect
solution.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYycPeAAoJENtN07w5UDAwZD0P/3LtjWYp5sB0p/jKM/bOXYea
shPiimxeaRgaEF/e714aamWiWCWN9a8OgaWnHbMPd2cajTSHgEc2zY8E4gPJN62B
uvs1Y4958KxrNIdmT7p6ECivlwA7ZsaynzFICSM1d9QTviRCmkj7SY1+qPt6XjqO
OTQ7IRGh1WBssaxWS1Dc320MJth25n9+ipNhhL7XpJA9vgOEZm6lUgeIhit3DiJg
n1cjnKCoXhD8+i9bhVRcT9uurZdFdXJ3zNV13+m3l4nZKvgqXWOLkxE0/BtLQSks
NyNpB4onqKA7PoQZpBLnp5sRE0axnay5Ny1uST492gFUy77B0FYdEePPtjeBoMtZ
t+Y2Wav3ORW7/aXjAssHWQkZC8pgYO9inZ08PrGDa4p1ud93YoswjXj8MlM2OUOp
IWZFKW8eDdjWte7vJ3lMabPJJawteTxYUS4eMsxSmcFq7JKnQwIEau0GHXerAnQn
g3zwh9cyDyz6B0j51oyq8qMb1u+f6+d91hdAjpS9edjX1FAx6GGNXtaPXNxTVYDg
RZQdbd5vlbq9OXLs/duEb3Dlgm7DSNmHl6Gig0Y+aBfujoq6+xY+g5CkwkPHJ8zK
P+G+t82TFKKPN0QSS0J8dHLM0Z7ln4YX+gmPZTzJszEU/CX8slL311P2KlCcJ2sB
fGGn+tSmARuHCbd+Lx7Y
=meYj
-----END PGP SIGNATURE-----

[evo]

so is it better to have more template-VMs?
But why not standalone as a copy of the existing template-VM?
After that i can delete all software i dont need on it and have rather
clean VM with just the software i need.

the other thing is, on standalone-vm i can see existing updates just in
time... VM that works on general template dont show updates, for this
case i must start the template vm. So if i do not start template for a
long time, i will have insecure appvms. Or do i understand something wrong?

[Franz]

Evo, let me oversimplify it

so is it better to have more template-VMs?

yes

But why not standalone as a copy of the existing template-VM?

you do not need standalone VMs. StandaloneVMs are only for special cases/software, but since you do not mention any special case forget them as well as HVMs.
 

After that i can delete all software i dont need on it and have rather
clean VM with just the software i need.

you can do the same with templates

the other thing is, on standalone-vm i can see existing updates just in
time... VM that works on general template dont show updates, for this
case i must start the template vm. So if i do not start template for a
long time, i will have insecure appvms. Or do i understand something wrong?

Evo, just start the templates every time Qubes-manager show than an update is available, with the green downward arrow, that is every few days. Then reboot your computer. Updating only a couple of templates you'll automatically update and somehow clean all of yours VMs, that in my case are 38. You'll probably have only a few of them, but with time you'll learn how convenient it is to create template depending light VMs for special purposes. But imagine having a lot of standaloneVMs each one needing an independent update.

best

Fran

[Vít Šesták]

Sure, “not using the app” is somehow tricky condition. OTOH, there is usually some user cooperation. For educated users, it should be a potential way. But the line is not clear: For example, I used to have Adobe Flash on a separate VM, because I was not sure if I can manage to disable it by default in all cases.

On managing VM Templates: Actually, there is a mechanism that runs update checks and adds some notification to Qubes Manager. Well, it is not perfect in many ways. But you can always perform update checks from TemplateBasedVMs.

Well, you can even perform updates from TemplateBasedVMs, but the updates will be lost after reboot. Performing updates from TemplateBasedVMs can be useful if you don't want to reboot the VMs.

I don't see any significant disadvantage of TemplateVMs over StandaloneVMs. The signigicant advantage of TemplateVMs is manageability: You update all VMs at once. Those that are not running are updated immediately, those that are running are updated when rebooted. If you want o update some running VM immediately, you can. Maybe the description of update is a bit more complex for TemplateBasedVMs, but the execution is definitely easier. If you have dozens of VMs, some of which you run rarely, you would either have to take care of updates of those rarely-run VMs or you would get some VMs outdated (i.e. lacking of security updates), which is not good for security.

I have a rather clear line between VM templates and StandaloneVMs: Do I need to reuse it?

a. If yes, I create a TemplateVM.
b. If no, create a StandaloneVM.
c. If not sure, try to guess. ☺

Regards,
Vít Šesták 'v6ak'

[evo]

hmmm, ok
you won :)

i just thought, its crude to create 3 different template-VMs for vault,
e-mail and banking.

after using Qubes for some time, i understand the possibility to have 38 VMs

so the appVM (based on template) will show me also the green arrow of
update? i thought, it is just visible, if you start the template-VM.

[Franz]

No, because the appVM does not need an update. Only the template does need it.

i thought, it is just visible, if you start the template-VM.

No, the green arrow is visible on the side of the template even if the template is kept always closed

[evo]

Am 17.03.2017 um 21:55 schrieb Franz:
>
>
> On Fri, Mar 17, 2017 at 4:46 PM, evo <evol...@aliaks.de
> <mailto:evol...@aliaks.de>> wrote:
>
>
>
> Am 17.03.2017 um 20:12 schrieb Franz:

> >
> >
> > On Fri, Mar 17, 2017 at 5:07 AM, evo <evol...@aliaks.de <mailto:evol...@aliaks.de>
> > <mailto:evol...@aliaks.de <mailto:evol...@aliaks.de>>> wrote:
> >
> >
> >
> > Am 17.03.2017 um 01:19 schrieb Franz:
> > >
> > >
> > > On Thu, Mar 16, 2017 at 6:01 AM, evo <evol...@aliaks.de <mailto:evol...@aliaks.de>

> <mailto:evol...@aliaks.de <mailto:evol...@aliaks.de>>
> > > <mailto:evol...@aliaks.de <mailto:evol...@aliaks.de>

> > <https://www.qubes-os.org/doc/glossary/
> <https://www.qubes-os.org/doc/glossary/>>
> > > <https://www.qubes-os.org/doc/glossary/
> <https://www.qubes-os.org/doc/glossary/>

> ok... so if its closed, i see the green arrow then in menu, or where?
>
>
> in Qubes manager under column "state"
>
> Do not reply only to me, reply to everybody

i know that, but i can see something in "state" just im the VM is
running. I will see nothing, if the VM is not running.
So i must run template-Vm everytime on startup, isnt it?