If I want to copy a file from dom0 to every template, I can:
qvm-copy-to-vm debian-10 /home/user/qubes_syslog.conf
qvm-run debian-10 “sudo mv /home/user/QubesIncoming/dom0/qubes_syslog.conf /etc/rsyslog.d/”
qvm-copy-to-vm debian-11 /home/user/qubes_syslog.conf
qvm-run debian-11 “sudo mv /home/user/QubesIncoming/dom0/qubes_syslog.conf /etc/rsyslog.d/”
(then fedora-32 and on doing it for each template, iterating through all the templates).
However, if the file is in a qube instead of dom0, I was wondering if there was a equally convenient way to copy it from one qube to all templates without copying it to dom0.
I read this thread and I still don’t know if it’s possible to automate copying file from one Qube to another.
Is there a way to run a series of commands in Dom0 to copy files and folders from one Qube to another without user intervention, and without copying files to Dom0?
Running qvm-copy in the source Qube requires inputting the destination Qube manually. Can this be fully automated and the destination pre-determined?
Unlikely as that would essentially make the qrexec policy redundant.
I generally pipe from a VM to dom0 and then to another VM from there using the “always allow execution from dom0” qrexec policy. That has the security risk of bugs in Linux pipes in dom0.
Modifying the policy has the risk of forgetting to turn it back or the VM misusing its new rights during the time of modification.
Of course.
qvm-copy-to-vm is indeed deprecated, but you can replace it’s
functionality in this case using a policy: qubes.Filecopy * SOURCE @anyvm allow target=TARGET
This policy will mean that any instance of qvm-copy will be allowed
and the files transferred to TARGET without user intervention.
Armed with that, you can then run qvm-run SOURCE 'cp DIRECTORY' from
dom0.
Remove the policy when done.
The risk here is that while this policy is in place any files may be
transferred from SOURCE - you should probably prune QubesIncoming/SOURCE
to make sure that nothing untoward has been transferred.
Alternatives are to use a shared folder - noted here - or a utility like
syncthing - packaged for Qubes here
Either of these will allow for transfers over qrexec, controlled by a
Qubes policy file, and are callable from dom0.
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
I created /etc/qubes-rpc/policy/qubes.Filecopy
The content of the file qubes.Filecopy is one line:
untrusted @anyvm allow target=debian-11
Then I ran the following - not cp but qvm-copy - in Dom0 terminal:
qvm-run untrusted 'qvm-copy file'
And it worked!
Also:
qvm-run untrusted 'qvm-copy folder'
Both file and folder were copied to debian-11. Now after I run this script in Dom0 terminal, I presume I just need to run the following in Dom0 terminal to delete the policy. Right?
I am having confusion about this topic as well. I want to be able to copy files from my dotfiles qube to all other qubes without qubesos asking for confirmation. I also want this to be “script-able”, meaning, no GUI-popup should occur during this process. Ideally, I should be able to use qvm-copy-to-vm media ~/.dotfiles.org command from inside dotfiles qube. But I see that qvm-copy-to-vm is symlink’ed to qvm-copy command, which greets me with an absolutely annoying pop-up asking me for the destination qube for copy command.
What am I to do? I want to be able to copy a file from one qube to the other with no questions asked. How do I set this up with rpc stuff (which itself is another can of confusing worms, with its policy files spread around multiple locations under /etc/qubes* directories in dom0)
You can write a script in dom0 that takes the dotfiles data from the qube to the requester destination, basically (the following command is simplified, not working) this would look like
You can open 30-user file there as well, or create a new file. Just make sure that the file name is staring with number lower than 90 so it’ll have higher priority than the default qubes.Filecopy policy in the 90-default.policy file.