
Anon-Connection-Wizard does not start in sys-whonix (whonix-gw 15)

Open 0brand opened this issue 5 years ago • 8 comments

When sys-whonix is started for the first time Anon-Connection-Wizard is supposed to automatically start, and walk users through Tor setup and configuration. However, unlike in previous Whonix versions {13,14}, when vm-boot-protect is configured in sys-whonix (whonix-gw-15) this does not happen.

A workaround is to either start Anon-Connection-Wizard manually or run whonixsetup to configure Tor and populate /var/lib/tor (with Tor State). This file is persistent across sys-whonix restarts.

This is not due to Whonix files having been removed from /rw. I should have explained that better here: https://github.com/tasket/Qubes-VM-hardening/issues/18#issuecomment-510007431

0brand avatar Jul 12 '19 17:07 0brand

Yes, I'm having trouble with it also on whonix 14. I'll have to research this further.

tasket avatar Jul 12 '19 19:07 tasket

/etc/xdg/autostart/whonix-setup-wizard.desktop starts /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start

What happens when starting /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start manually?

/usr/lib/whonix-setup-wizard/whonixsetup_check_for_start

qubes-whonix package file /usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf defines among others the following folder to be added to bind-dirs

/var/cache/whonix-setup-wizard

Clearing /rw might wipe these files also.


The qubes-whonix package also ships the following files:

ls -la var/cache/whonix-setup-wizard/status-files/
total 8
drwxrwxrwx 2 user user 4096 Jun 30 04:40 .
drwxrwxrwx 3 user user 4096 Sep 30  2015 ..
-rw-r--r-- 1 user user    0 Jun 30 04:40 disclaimer.skip
-rw-r--r-- 1 user user    0 Jun 30 04:40 finish_page.skip
-rw-r--r-- 1 user user    0 Jun 30 04:40 first_use_check.skip
-rw-r--r-- 1 user user    0 Jun 30 04:40 whonix_repository.skip

Wondering if that could be the cause. It wouldn't be hard to move these status skip files to a more appropriate folder which doesn't depend on bind-dirs.

adrelanos avatar Jul 12 '19 19:07 adrelanos
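Added diagnostic script (not from the original thread, nor part of Qubes-VM-hardening or whonix-setup-wizard) that checks the hypothesis raised above: whether the bind-dirs config still lists /var/cache/whonix-setup-wizard and whether the four shipped .skip markers survive in status-files after a boot with vm-boot-protect. The `binds+=( '...' )` line format is the documented qubes bind-dirs syntax and is assumed to be what 40_qubes-whonix.conf uses; run it inside sys-whonix as `sh check-skip-files.sh --check`.

```shell
#!/bin/sh
# Added diagnostic, not part of whonix-setup-wizard or Qubes-VM-hardening.
# Paths and the four .skip names are taken from the thread; the
# "binds+=( '/path' )" line format is the documented qubes bind-dirs
# syntax (assumed here for 40_qubes-whonix.conf).

STATUS_DIR="${STATUS_DIR:-/var/cache/whonix-setup-wizard/status-files}"
BIND_CONF="${BIND_CONF:-/usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf}"
BIND_PATH="/var/cache/whonix-setup-wizard"
SKIP_NAMES="disclaimer finish_page first_use_check whonix_repository"

# Does bind-dirs config $1 list path $2 as persisted?  Comment lines are
# dropped first so a commented-out entry does not count as present.
bind_dirs_lists() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -Fq "'$2'"
}

# Print, space-separated, the skip markers absent from directory $1
# (prints an empty line when all four are present).
missing_skip_files() {
    missing=""
    for n in $SKIP_NAMES; do
        [ -f "$1/$n.skip" ] || missing="$missing $n"
    done
    printf '%s\n' "${missing# }"
}

# Human-readable summary; returns 0 only if nothing is missing.
report() {
    ok=0
    if bind_dirs_lists "$BIND_CONF" "$BIND_PATH"; then
        echo "bind-dirs: $BIND_PATH is listed in $BIND_CONF"
    else
        echo "bind-dirs: $BIND_PATH NOT listed in $BIND_CONF"; ok=1
    fi
    m=$(missing_skip_files "$STATUS_DIR")
    if [ -z "$m" ]; then
        echo "status-files: all four .skip markers present in $STATUS_DIR"
    else
        echo "status-files: missing in $STATUS_DIR: $m"; ok=1
    fi
    return $ok
}

# Only run the summary when asked, so sourcing the file just defines functions.
if [ "${1:-}" = "--check" ]; then
    report
fi
```

A missing marker after a fresh boot points at the bind-dirs folder being wiped, while all four present means the autostart failure lies elsewhere in whonixsetup_check_for_start.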

What happens when starting /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start manually?

user@host:~$ sudo /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start
missing_disablenetwork_line
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
INFO: No page needs showing.

Anon-Connection-Wizard starts and Tor connects.

0brand avatar Jul 12 '19 21:07 0brand

0brand:

What happens when starting /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start manually?

user@host:~$ sudo /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start
missing_disablenetwork_line
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
INFO: No page needs showing.

Anon-Connection-Wizard starts and Tor connects.

This is at the very first start of the VM? (Or from "simulated first start" (if you reset the private image somehow)?)

If yes, then that's strange. Anon-Connection-Wizard (ACW) does not autostart but when you run /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start it works as intended?

adrelanos avatar Jul 13 '19 11:07 adrelanos

This is at the very first start of the VM? (Or from "simulated first start" (if you reset the private image somehow)?)

That was the simulated start. I confirmed by creating a fresh sys-whonix VM. Then,

[user@dom0 ~] qvm-run sys-whonix xfce4-terminal

Starts a terminal but Anon-Connection-Wizard does not start.

If yes, then that's strange. Anon-Connection-Wizard (ACW) does not auto-start but when you run /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start it works as intended?

Yes, very strange. Just tried again to be sure. Same result. Anon-Connection-Wizard does not auto-start, running simulated start does the trick.

0brand avatar Jul 14 '19 04:07 0brand

0brand:

This is at the very first start of the VM? (Or from "simulated first start" (if you reset the private image somehow)?)

That was the simulated start.

"simulated first start": I mean with a new private image. Just to make sure we talk about the same thing.

Running /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start manually is also somewhat simulated but let's call that manual start or something to avoid confusion.

I confirmed by creating a fresh sys-whonix VM. Then,

[user@dom0 ~] qvm-run sys-whonix xfce4-terminal

Starts a terminal but Anon-Connection-Wizard does not start.

If yes, then that's strange. Anon-Connection-Wizard (ACW) does not auto-start but when you run /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start it works as intended?

Yes, very strange. Just tried again to be sure. Same result. Anon-Connection-Wizard does not auto-start, running simulated start does the trick.

So the first autostarted run (if it autostarts, hopefully) and a subsequent manual start of /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start produce different results.

Therefore we need to look "inside" /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start to see what is happening. I've added some output to make debugging easier. In future versions the output of /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start will be prefixed with "/usr/lib/whonix-setup-wizard/whonixsetup_check_for_start:" to make searching the logs easier. The version you have does not have this usability feature yet and outputs only what it actually notices.

Luckily output of /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start (when auto started) will be stored in file:

~/.xsession-errors

Could you please have a look at /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start as you currently probably have?

https://github.com/Whonix/whonix-setup-wizard/blob/9a20891f82dc49fc7fb0f18e2522bc7e86421fd1/usr/lib/whonix-setup-wizard/whonixsetup_check_for_start

Check for any line that includes

print

These are the possible outputs by /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start ending up in ~/.xsession-errors

Alternatively post the whole ~/.xsession-errors here after a start of a new sys-whonix.

Also, does

whonixcheck --verbose

say something interesting?

Maybe some systemd unit is failing in this configuration?

sudo systemctl --failed list-units

(whonixcheck --verbose should cover this.)

If someone speaks python... Do you see something in function tor_status that could throw a python exception in this configuration?

https://github.com/Whonix/anon-connection-wizard/blob/master/usr/lib/python3/dist-packages/anon_connection_wizard/tor_status.py

adrelanos avatar Jul 15 '19 16:07 adrelanos

This is at the very first start of the VM? (Or from "simulated first start" (if you reset the private image somehow)?)

That was the simulated start. "simulated first start": I mean with a new private image. Just to make sure we talk about the same thing.

Yes I use a new private image for every test.

Running /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start manually is also somewhat simulated but let's call that manual start or something to avoid confusion.

OK manual start it is ;)

Could you please have a look at /usr/lib/whonix-setup-wizard/whonixsetup_check_for_start as you currently probably have? https://github.com/Whonix/whonix-setup-wizard/blob/9a20891f82dc49fc7fb0f18e2522bc7e86421fd1/usr/lib/whonix-setup-wizard/whonixsetup_check_for_start Check for any line that includes print

Nothing there with "print"

Alternatively post the whole ~/.xsession-errors here after a start of a new sys-whonix.

Maybe a systemd error? (warning: error sending to systemd:)

user@host:~$ cat ~/.xsession-errors

X.Org X Server 1.20.4
X Protocol Version 11, Revision 0
Build Operating System: Linux 4.9.0-8-amd64 x86_64 Debian
Current Operating System: Linux host 4.14.119-2.pvops.qubes.x86_64 #1 SMP Wed May 15 06:43:11 UTC 2019 x86_64
Kernel command line: root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 nopat
Build Date: 05 March 2019  08:11:12PM
xorg-server 2:1.20.4-1 (https://www.debian.org/support) 
Current version of pixman: 0.36.0
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/home/user/.local/share/xorg/Xorg.0.log", Time: Tue Jul 16 16:41:25 2019
(++) Using config file: "/etc/X11/xorg-qubes.conf"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
Xsession: X session started for user at Tue 16 Jul 2019 04:41:26 PM UTC
localuser:user being added to access control list
Warning:          Key <OUTP> not found in evdev+aliases(qwerty) keycodes
                  Symbols ignored
Warning:          Key <KITG> not found in evdev+aliases(qwerty) keycodes
                  Symbols ignored
Warning:          Key <KIDN> not found in evdev+aliases(qwerty) keycodes
                  Symbols ignored
Warning:          Key <KIUP> not found in evdev+aliases(qwerty) keycodes
                  Symbols ignored
Warning:          Key <RO> not found in evdev+aliases(qwerty) keycodes
                  Symbols ignored
Warning:          Key <I192> not found in evdev+aliases(qwerty) keycodes
                  Symbols ignored
Warning:          Key <I193> not found in evdev+aliases(qwerty) keycodes
                  Symbols ignored
Warning:          Key <I194> not found in evdev+aliases(qwerty) keycodes
                  Symbols ignored
Warning:          Key <I195> not found in evdev+aliases(qwerty) keycodes
                  Symbols ignored
Warning:          Key <I196> not found in evdev+aliases(qwerty) keycodes
                  Symbols ignored
Warning:          No symbols defined for <AB11> (keycode 97)
Warning:          No symbols defined for <JPCM> (keycode 103)
Warning:          No symbols defined for <I120> (keycode 120)
Warning:          No symbols defined for <AE13> (keycode 132)
Warning:          No symbols defined for <I149> (keycode 149)
Warning:          No symbols defined for <I154> (keycode 154)
Warning:          No symbols defined for <I168> (keycode 168)
Warning:          No symbols defined for <I178> (keycode 178)
Warning:          No symbols defined for <I183> (keycode 183)
Warning:          No symbols defined for <I184> (keycode 184)
Warning:          No symbols defined for <FK19> (keycode 197)
Warning:          No symbols defined for <FK24> (keycode 202)
Warning:          No symbols defined for <I217> (keycode 217)
Warning:          No symbols defined for <I219> (keycode 219)
Warning:          No symbols defined for <I221> (keycode 221)
Warning:          No symbols defined for <I222> (keycode 222)
Warning:          No symbols defined for <I230> (keycode 230)
Warning:          No symbols defined for <I247> (keycode 247)
Warning:          No symbols defined for <I248> (keycode 248)
Warning:          No symbols defined for <I249> (keycode 249)
Warning:          No symbols defined for <I250> (keycode 250)
Warning:          No symbols defined for <I251> (keycode 251)
Warning:          No symbols defined for <I252> (keycode 252)
Warning:          No symbols defined for <I253> (keycode 253)
dbus-update-activation-environment: setting USER=user
dbus-update-activation-environment: setting XDG_SESSION_TYPE=x11
dbus-update-activation-environment: setting BROWSER=/usr/lib/open_link_confirmation
dbus-update-activation-environment: setting HOME=/home/user
dbus-update-activation-environment: setting TOR_HIDE_BROWSER_LOGO=1
dbus-update-activation-environment: setting DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-TnYai9vpCS,guid=c4c3cb62cf987b684878cd625d2dfe36
dbus-update-activation-environment: setting LOGNAME=user
dbus-update-activation-environment: setting XDG_SESSION_CLASS=user
dbus-update-activation-environment: setting GNOME_DESKTOP_SESSION_ID=c3
dbus-update-activation-environment: setting QT_X11_NO_MITSHM=1
dbus-update-activation-environment: setting WINDOWPATH=7
dbus-update-activation-environment: setting PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
dbus-update-activation-environment: setting XDG_RUNTIME_DIR=/run/user/1000
dbus-update-activation-environment: setting DISPLAY=:0
dbus-update-activation-environment: setting LANG=en_US.UTF-8
dbus-update-activation-environment: setting SHELL=/bin/bash
dbus-update-activation-environment: setting GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1
dbus-update-activation-environment: setting PWD=/home/user
dbus-update-activation-environment: setting XDG_CONFIG_DIRS=/usr/share/security-misc/:/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg
dbus-update-activation-environment: setting XDG_DATA_DIRS=/usr/share/anon-apps-config/share/:/usr/local/share/:/usr/share/
dbus-update-activation-environment: setting WHONIX=1
dbus-update-activation-environment: setting TORSOCKS_LOG_LEVEL=1
dbus-update-activation-environment: warning: error sending to systemd: org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
syntax error: line 1 of stdin
last scanned symbol is: include
Errors encountered in stdin; not compiled.
missing_disablenetwork_line
sudo: a password is required
executed QUBESRPC qubes.VMShell dom0 pid 1099

Also, does whonixcheck --verbose say something interesting?

Just DisableNetwork 0 because anon-connection-wizard did not start.

user@host:~$ whonixcheck --verbose
[INFO] [whonixcheck] sys-whonix-hard-5 | Whonix-Gateway | whonix-gw-15-vm-harden TemplateBased ProxyVM | Tue 16 Jul 2019 04:53:48 PM UTC
[INFO] [whonixcheck] Input Detection: INPUT_AUTO=true CLI=true GUI=false
stdin connected to terminal. Using cli output. Not using gui output.
Alternatively, if want to run from command line, but still use the graphical user interface for input, you could add to command line: --gui
[INFO] [whonixcheck] Root Check Result: Ok, not running as root.
[INFO] [whonixcheck] Pin torproject.org certificate: disabled.
[INFO] [whonixcheck] whonix_build_version: 3:3.4-1
[INFO] [whonixcheck] whonix-gateway-packages-dependencies-cli: 11.9-1
[INFO] [whonixcheck] /etc/whonix_version: 15
[INFO] [whonixcheck] Spectre Meltdown Test: skipping since spectre_meltdown_check=false, ok.
If you wish to enable this test, run:

sudo spectre_meltdown_check=true whonixcheck
[INFO] [whonixcheck] Whonix firewall systemd unit check Result: Ok.
[WARNING] [whonixcheck] systemd journal check Result:
warnings:
########################################
Jul 16 16:41:25 host tor[873]: Jul 16 16:41:25.574 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 16 16:41:25 host tor[898]: Jul 16 16:41:25.627 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 16 16:41:25 host Tor[898]: Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 16 16:41:26 host sdwdate[968]: 2019-07-16 16:41:26 - sdwdate - WARNING - Tor is disabled. Please enable Tor using whonixsetup.
Jul 16 16:41:26 host qubes.VMShell-dom0[1116]: (xfce4-terminal:1120): dbind-WARNING **: 16:41:26.709: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: The name org.a11y.Bus was not provided by any .service files
########################################

errors:
########################################
Jul 16 16:42:20 host kernel: RAS: Correctable Errors collector initialized.
Jul 16 16:42:21 host kernel: Error: Driver 'pcspkr' is already registered, aborting...
Jul 16 16:42:27 host apparmor.systemd[457]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Jul 16 16:42:28 host xl[539]: libxl: error: libxl_utils.c:818:libxl_cpu_bitmap_alloc: failed to retrieve the maximum number of cpus
Jul 16 16:41:26 host qubes.VMShell-dom0[1116]: (xfce4-terminal:1120): dbind-WARNING **: 16:41:26.709: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: The name org.a11y.Bus was not provided by any .service files
########################################

denied:
########################################

########################################

ordering cycle:
########################################

########################################

To see this for yourself...
1. Open a terminal. (dom0 -> Start Menu -> ServiceVM: sys-whonix-hard-5 -> Terminal)
2. Run. sudo /bin/journalctl | grep -i warn
3. Run. sudo /bin/journalctl | grep -i error
4. Run. sudo /bin/journalctl | grep -i denied
5. Run. sudo /bin/journalctl | grep -i "ordering cycle"

If you know what you are doing, feel free to disable this check.
Create a file /etc/whonix.d/50_whonixcheck_user.conf and add:
whonixcheck_skip_functions+=" check_journal "
[INFO] [whonixcheck] Qubes qubes-db Test Result: Connection to local qubes-db daemon succeeded, ok.
[INFO] [whonixcheck] Qubes Settings Test Result: Ok. (GATEWAY_IP: 127.0.0.1)
[INFO] [whonixcheck] Qubes Settings Test Result: Ok, qubes_vm_type is ProxyVM.
[INFO] [whonixcheck] Check Kernel Messages Test Result: Found nothing remarkable, ok.
[INFO] [whonixcheck] check network interfaces Result: Ok.
[INFO] [whonixcheck] Check whonixsetup Result: done, ok.
[INFO] [whonixcheck] Check Package Manager Running Result: None running, ok.
[WARNING] [whonixcheck] Tor Check Result:
Tor is disabled. Therefore you most likely can not connect to the internet.
(Debugging information: Could not find DisableNetwork 0 in Tor config.)
Please close this window and enable Tor using Anon Connection Wizard!
    dom0 -> Start Menu -> ServiceVM: sys-whonix-hard-5 -> Anon Connection Wizard
    or in Terminal: sudo whonixsetup
or manually (If you know about the public Tor network!) and open /usr/local/etc/torrc.d/50_user.conf with root rights
(dom0 -> Start Menu -> ServiceVM: sys-whonix-hard-5 -> Tor User Config) and set:
DisableNetwork 0
Then run whonixcheck again.

0brand avatar Jul 16 '19 16:07 0brand

Sorry about that. I somehow managed to close the issue.

0brand avatar Jul 16 '19 17:07 0brand