I’ve been wondering for a while, how, if at all, it would be possible to create a “guest” login session — that is, a session within a qube running on an alternate virtual terminal, without any privileges or access to dom0. Note that this is distinct from what is put forward in Multi-user Qubes or Qubes OS for unprivileged users, as this use case does not require access to the functionality of Qubes OS’ compartmentalization and dom0, and instead explicitly avoids it.
Use cases:
- Demonstration or sharing of media on a personal device, without exposing the entire system
- Use as a “duress system” that looks and functions normally, without exposing use of Qubes with a cursory check
Any advice or help in achieving this would be greatly appreciated.
I would have to think about how to do this at all, but using it as a duress system would take extra thought. What happens when someone shuts down the qube, for instance? Would that expose the underlying Qubes install?
(it’s Hungarian, but your browser can translate it nowadays)
Where I have set up a completely new X11 session without any DE, or even a window manager. This way you can log in to that pre-defined custom session, with the defined user, and only the pre-defined application would be running in full screen.
If you shut down that application, then the x session is over, and you are back to the login screen.
But ofc it was not a Qubes machine, but a regular Ubuntu.
Also not sure if you can make it work in Qubes, but if you manage to start an HVM in full screen as an xsession - that would look like any normal desktop - until it’s stopped.
Using this as a duress system would not hold up to any thorough inspection, given the clear traces left by Qubes, and the small disk capacity. The hope is that the “guest” desktop would work through the use of a separate virtual terminal hosting the guest qube’s desktop in a full-screen X window, and thus no access to the underlying system would be gained.
Thank you for your suggestion. Unfortunately, it appears as though you use a “Kiosk mode” feature supplied by the flight simulator in your article, rather than a process which I can reproduce with other applications.
sys-gui basically does this via a VNC in dom0 to the GUIVM. IDK what would be necessary in order to use it like you want though, and more importantly, you are technically in dom0, with all the security asterisks that this implies.
That’s just an additional ‘safeguard’ - to not reconfigure the simulator itself. It has nothing to do with the way the application is actually running.
So it completely depends on - and is enforced by - the custom xsession I described in my blog post.
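
The custom X session described in the posts above (no desktop environment, no window manager, one application, back to the login screen when it exits) can be sketched as follows. This is an added example, not the code from the linked blog post and not Qubes-specific: the function name `install_kiosk_session`, the session name `guest-kiosk` and the application path are hypothetical, and it assumes a regular Linux system whose display manager lists sessions from `/usr/share/xsessions`.

```shell
#!/bin/sh
# Added example: all names here (install_kiosk_session, guest-kiosk,
# the application path) are hypothetical.

# install_kiosk_session PREFIX APP_COMMAND
#   PREFIX       root to install under ("" for the live system, needs root)
#   APP_COMMAND  the one application the session is allowed to run
install_kiosk_session() {
    prefix=$1
    app=$2
    if [ -z "$app" ]; then
        echo "usage: install_kiosk_session PREFIX APP_COMMAND" >&2
        return 2
    fi

    mkdir -p "$prefix/usr/share/xsessions" "$prefix/usr/local/bin" || return 1

    # Session entry offered on the login screen by the display manager.
    cat > "$prefix/usr/share/xsessions/guest-kiosk.desktop" <<EOF
[Desktop Entry]
Name=Guest kiosk
Comment=Single application, no desktop environment or window manager
Exec=/usr/local/bin/guest-kiosk-session
Type=Application
EOF

    # The session itself. No window manager is started, so there is no
    # panel, menu or shortcut handler that could launch anything else.
    # The application has to size itself to the screen (its own
    # full-screen option), because nothing else will do that for it.
    # 'exec' replaces the shell with the application: when it exits,
    # the X session ends and the login screen returns.
    cat > "$prefix/usr/local/bin/guest-kiosk-session" <<EOF
#!/bin/sh
exec $app
EOF
    chmod 755 "$prefix/usr/local/bin/guest-kiosk-session"
}

# Usage (as root, on the live system):
#   install_kiosk_session "" "/usr/bin/example-app --fullscreen"
```

The session only confines what is started inside X; switching virtual terminals and whatever the logged-in user account can otherwise do are outside its control.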