Yes it is a problem in dom0. Qrexec is disabled through all of Qubes. No VM seems to have qrexec enabled:
sudo systemctl status qubes-qrexec.service
‘qubes-qrexec.service’ could not be found.
This goes for all VM terminals, same response…
Why do you think it should be qubes-qrexec.service?
It should be this one:
systemctl status qubes-qrexec-agent.service
1 Like
Try to install new template using Qubes Template Manager and check if qrexec will work there.
Run this command in dom0 terminal to show you logs in runtime:
sudo journalctl -f
And then try to use any qrexec that is not working for you. Maybe you’ll see some errors related to it.
Nope this did not work unfortunately.
Then it’s something you’ve changed in dom0.
Try to check the logs in dom0 for qrexec errors.
“qrexec.exc.ExecutionFailed: qrexec-client failed: [‘/usr/lib/qubes/qrexec-client’ .”
This is basically what it says everywhere i look (Not everywhere, I meant when I see an error - it is this one), when it comes to errors, but I also do get a lot of:
“dom0 qrexec [xxxxx] qubes.windowiconupdater+: Bitcoin_Node → @adminvm: allowed to dom0.”
Another " dom0 qrexec [xxxxx] qubes.windowiconupdater+: Sys-whonix → @adminvm: allowed to dom0." Which shows how qrexec is working.
It’s almost like my qrexec agent files are just tumbled around? Like “systemctl status qubes-qrexec-agent.service” is not working because the files are in different paths? What do you think?
Because I think qrexec is working. I have not had any issues directly to qrexec, I have just been talking to chatgpt about it since I was paranoid setting up certain things because it maybe would not go my way because I thought my qrexec was disabled. Maybe it is not. This is what ChatGPT has to say about the journal logs:
"Yes, definitely! Despite encountering some qrexec.exc.ExecutionFailed errors, the fact that you see successful entries indicating interactions between VMs (like window icon updates and inter-VM communication permissions) suggests that qrexec is still functional for certain operations within your Qubes OS environment.
The presence of errors doesn’t necessarily mean that qrexec as a whole is completely dysfunctional. It might encounter occasional issues due to various reasons such as misconfigured permissions, command syntax errors, or other factors specific to the executed commands or actions."
What do you think? Can I / should I address these errors or just try doing the setups that require qrexec first and then see if anything goes wrong from there?
I think that’s the most important part of your issue here. What exactly have you done and who are these “experts”?
I guess disable qrexec. I have tried looking around for the guide, it was here on qubes on how to strengthen security by disabling qrexec or something similar. I was a beginner though. I have only been on this for about 3 weeks, and this I think I did kind of mindlessly in the first days because I did stuff to improve security. So somehow using commands (that I remember) in dom0, I tried or have disabled qrexec in some way. But it could still be working technically considering it does allow some communication between vm’s where i look in the journals. If I type the journals here are you experienced enough to check them out? I would really seriously appreciate it. But what I said before is basically all I could see, so maybe its not so effective.
There is absolutely no need to disable qrexec. Qubes is already secure and configured out of the box, there is nothing more you can do other than optional hardening in templates. You need to at least check your dom0 history file (bash_history) or find the thread you followed to undo what you did.
I have looked in the history (grep “qrexec” ~/.bash_history) & (grep “sudo qrexec” ~/.bash_history) and just history in general.
And I have not found any commands whatsoever that have disabled qrexec or similar. Very interesting. For qubes-rpc.service which also looks like its disabled on my Qubes, I found nothing.
Will try to do something manual to see if qrexec works between vms.
Hey I did copy a file over from one VM to another now. Wow. Qrexec has been active this whole time I suppose. I do not know why it is showing those weird errors though, like service not found. I can still do basic things that only should be possible with qrexec??
What exactly is not found?
systemctl status qubes-qrexec-agent.service
For example. That gives me “Error: Unit qubes-qrexec-agent.service not found”
You know what I mean? But still it is supposedly working?
qubes-qrexec-agent runs in all qubes except dom0 (that’s the point of the agent). dom0 only has qubes-qrexec-policy-daemon.service.
If you run sudo ps aux | grep qrexec inside dom0, you should see a lot of qrexec-daemon and qrexec-client. If that’s the case, qrexec is working as expected.
Did you run it in template or in dom0 terminal?
If you shutdown all your qubes with blockchain nodes will you still see these errors?
In dom0. Maybe I should have done it in both? Why? I’ll do it once I use the qubes computer tomorrow again.
I have not checked. I don’t think so necessarily since the blockchain qube for example was running (I was installing bitcoin core) and it was allowed Qrexec access then and there. Why? I can check that as well.
