Re: [qubes-users] handling of /home in TemplateVM vs TemplateBasedVM


Patrick Schleizer Jul 3, 2015 00:34
Sent to group: qubes-users
cprise:
> On 07/02/2015 06:05 PM, Marek Marczykowski-Górecki wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Thu, Jul 02, 2015 at 07:49:17PM +0000, Patrick Schleizer wrote:
>>> Hi,
>>>
>>> as far as I observed until now, anything in a TemplateVM's home folder is
>>> copied to a TemplateBasedVM home folder at creation time of the
>>> TemplateBasedVM.
>>>
>>> From then, any modification in TemplateVM's home folder won't affect
>>> existing TemplateBasedVMs based on that TemplateVM. New TemplateBasedVMs
>>> created based on that TemplateVM would get these changes, though.
>>>
>>> If my understanding is correct and this is currently undocumented, I
>>> would like to add this to documentation. What would be an appropriate
>>> place?
>>>
>>> https://www.qubes-os.org/doc/GettingStarted/#appvms-domains-and-templatevms
>>>
>>> ?
>>
>> Yes, probably somewhere there.
>>
>> But, we're actually thinking about removing that feature, so a new
>> template-based VM would get a clean home regardless of when it was created.
>> This would mean that one can no longer preconfigure user settings in the
>> template to have them propagated to new VMs, but overall I think this
>> would be more consistent. If one wants to have something configured the
>> same way on every VM (based on this particular template), it can be done
>> in /etc.
>>
>> What do you think?
>>
>> - --
>
> I currently rely on that feature to maintain a consistent environment
> (templates are carefully configured with certain presets in the CLI, UI
> options, browser, etc). I create appvms fairly regularly, sometimes with
> the intention of keeping them only for a few hours or days. Having to
> manually reconfigure them each time would be a significant burden.
>
> If it is to be changed at all, it would be better to have this as an
> option in the VM creation dialogue window. Even then, I would default it
> to the current behavior.
>
> A note on the nature of user presets in templates: These currently are
> necessary to improve general security of the VMs. Think of the thumbnail
> preview setting in Nautilus, or any number of options/extensions in
> Firefox, TBird, etc.
>
> So... Emphatic 'No'.
>
>

I agree with cprise on this.

The current way it's handled is also crucial for Whonix because we must
write some stuff into home.*

Cheers,
Patrick

* Surely it would be great if we would not need to, but this would
require significant help by upstreams, and that's not available.