Cannot restore backup due to weird files in /var/tmp, am I pwned?

I am trying to test restoring a backup file I’ve just created. Because of [the same] errors I had trying to do this earlier, I have fully shut down my laptop, then started it again. After this shutdown, I started my laptop at approximately 20:25 on Jan 2 local time (this may be relevant, see screenshot).

After starting up, I created a new backup file on a USB drive attached to my Vault VM. Then, I tried [again] to test restoring this backup file, and have hit the same strange error, which says something like:

unable to read the qubes backup file… Fatal error: Copying file vm4/private.img.405.enc: Error reading (error type: Input/output error)… Partially restored files left in /var/tmp/restore_*, investigate them

So I have investigated /var/tmp and cannot find any files in a /var/tmp/restore_* directory. However, there are several strange directories (almost all seemingly created right after I started my laptop). There are several /var/tmp/systemd-private-* directories, freshly created on dom0 (each time I start up my laptop!). They are also created in all of my AppVMs, including my Vault VM! These directories are also in this dispVM I am using exclusively to create this post. I have a persistent AppVM named private, but have not even started that VM after booting my laptop. All of these directories seem to be empty. For example, /var/tmp/systemd-private-...-rtkit-daemon.service-trTUr8/tmp is empty. Still, this seems very fishy. I’m beginning to get very concerned that my machine is compromised.

Incidentally, there is also a directory called /var/tmp/dnf-user-*, which only exists on dom0 as far as I can tell. This is also empty.

What steps should I take next? Can I start by safely deleting these directories from dom0 and trying all over?

Please see my screenshot, it has virtually all the above information:

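
For the systemd-private-* directories described in the post, here is an added check (not from the thread, and not a Qubes or Fedora tool) that maps each such directory back to the systemd unit it belongs to and, where systemctl is usable, confirms that the unit really has PrivateTmp=yes. It assumes the standard name layout systemd-private-<boot-id>-<unit>-<6 random chars>, which is what systemd creates under /tmp and /var/tmp for every unit that sets PrivateTmp=yes; because the boot id is part of the name, the directories are recreated on every boot. The sample directory names in the usage comment and test are constructed.

```sh
#!/bin/sh
# Added example, not from the original thread. Maps a /var/tmp/systemd-private-*
# directory back to the unit that owns it and looks up that unit's PrivateTmp setting.
# Assumed name layout: systemd-private-<boot-id>-<unit>-<6 random chars>, e.g.
#   systemd-private-0123456789abcdef0123456789abcdef-rtkit-daemon.service-trTUr8
# (the boot id is 32 hex characters with no dashes; the suffix comes from mkdtemp).

# private_tmp_unit PATH -> prints the unit name encoded in the directory name.
private_tmp_unit() {
    name=$(basename "$1")
    rest=${name#systemd-private-}   # drop the fixed prefix
    rest=${rest#*-}                 # drop the boot id (everything up to the first dash)
    printf '%s\n' "${rest%-*}"      # drop the trailing -XXXXXX suffix
}

# private_tmp_contents DIR -> "empty" or "non-empty" for the service's private tmp.
private_tmp_contents() {
    if [ -n "$(ls -A "$1/tmp" 2>/dev/null)" ]; then
        printf 'non-empty\n'
    else
        printf 'empty\n'
    fi
}

# unit_private_tmp UNIT -> the unit's PrivateTmp property ("yes"/"no"),
# "not-found" if systemd does not know the unit, or "n/a" when systemctl is
# missing or cannot reach systemd (e.g. inside a container).
unit_private_tmp() {
    command -v systemctl >/dev/null 2>&1 || { printf 'n/a\n'; return 0; }
    props=$(systemctl show "$1" -p LoadState -p PrivateTmp 2>/dev/null) || { printf 'n/a\n'; return 0; }
    case "$props" in
        *LoadState=loaded*) printf '%s\n' "$props" | sed -n 's/^PrivateTmp=//p' ;;
        *) printf 'not-found\n' ;;
    esac
}

# check_private_tmp_dirs [ROOT] -> one tab-separated line per directory:
#   <unit> <PrivateTmp> <empty|non-empty>
# Worth a closer look: a unit systemd does not know, a unit whose PrivateTmp
# is "no", or a directory that is not empty.
check_private_tmp_dirs() {
    root=${1:-/var/tmp}
    for d in "$root"/systemd-private-*; do
        [ -d "$d" ] || continue
        unit=$(private_tmp_unit "$d")
        printf '%s\t%s\t%s\n' "$unit" "$(unit_private_tmp "$unit")" "$(private_tmp_contents "$d")"
    done
}

# Run in dom0 and in each VM you are unsure about:
#   check_private_tmp_dirs /var/tmp
```

Run it once per VM rather than from dom0 only: each VM has its own systemd instance, so a directory in the vault VM has to be checked against the vault VM's units.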
Would somebody at least be willing to share with me the contents of their /var/tmp directory? This might help me validate what I’m seeing…

Do you have /var/tmp/systemd-private-* directories in all VMs (i.e., dom0 and other AppVMs)? Also, do you happen to have an AppVM named private, as I do? Perhaps this is coincidental in my case.

Can I get help from anybody here? Some validation on the systemd jobs observed in dom0 and random AppVMs could help me a lot.

FWIW, I’ve confirmed that restoring all my AppVMs except for private does work successfully. So obviously I need to rebuild my private AppVM. But I’m still concerned about a potential compromise.

Just for information, I have /var/tmp/systemd-private-* directories even on vanilla Fedora outside of Qubes. It is completely normal in Fedora, at least. It does not seem probable that it causes a problem with backup/restore.
“Input/output error” during restore sounds more like a problem with the file on your USB drive. Maybe there is a hardware problem.
You could try backup/restore directly on a file in a VM - even a disposable. If that works, then try copying the file elsewhere…

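
One way to carry out the check this reply suggests, as an added example that is not part of the thread and not a Qubes tool: read the backup file end to end from the USB drive, copy it to another location, then compare the SHA-256 of the copy with a fresh read of the source. A read that fails with an I/O error points at the drive or cable rather than at the backup; a copy whose digest differs from the source means the drive is returning inconsistent data. The paths in the usage comment and the sample payload in the test are placeholders and constructed data.

```sh
#!/bin/sh
# Added example, not from the original thread. Checks whether a backup file can
# be read cleanly off the drive it sits on, and whether a copy of it elsewhere
# matches byte for byte, before retrying the restore. All paths are placeholders.

# read_check FILE -> prints "readable" and returns 0 if every byte could be read,
# otherwise prints "read error" and returns 1 (a failing drive usually surfaces
# here as "Input/output error").
read_check() {
    if cat "$1" >/dev/null 2>&1; then
        printf 'readable\n'
        return 0
    fi
    printf 'read error\n'
    return 1
}

# file_digest FILE -> SHA-256 of the file, using whichever tool is installed.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_copies A B -> 0 if both files exist and have the same SHA-256, 1 otherwise.
compare_copies() {
    a=$(file_digest "$1") || return 1
    b=$(file_digest "$2") || return 1
    [ -n "$a" ] && [ -n "$b" ] || return 1
    [ "$a" = "$b" ]
}

# verify_backup SOURCE COPY -> copies SOURCE to COPY, then re-reads SOURCE for the
# digest comparison so that a drive returning different bytes on successive
# reads is caught. Returns 0 when COPY is safe to restore from.
verify_backup() {
    read_check "$1" >/dev/null || {
        printf '%s: read error from the drive; copy what you can and test the drive\n' "$1"
        return 1
    }
    cp "$1" "$2" || return 1
    if compare_copies "$1" "$2"; then
        printf 'copy matches source; retry the restore from %s\n' "$2"
        return 0
    fi
    printf 'copy differs from source: the drive is returning inconsistent data\n'
    return 1
}

# Run inside the VM the USB drive is attached to (the vault VM in the post), e.g.:
#   verify_backup /run/media/user/USB/qubes-backup /home/user/qubes-backup
# and, if it reports a match, point qvm-backup-restore at the copy instead of the drive.
```

The source is read three times (read_check, cp, and the digest), which is deliberate: a marginal drive often reads a file once and fails or returns different bytes the next time, and that is exactly the behaviour that shows up as an "Input/output error" in the middle of a restore.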
Thank you for the sanity check! Indeed, the problem was with my USB drive. This backup/restore works fine on another SSD drive.