[qubes-users] Q: Installing additional software

Hi!

I have a question about installing additional software (e.g. GIMP in debian-10):
The options I see are:
1) Install it in some AppVM based on debian-10
2) Clone debian-10 template and install software there. Create some AppVM based on that template

I'd guess 1) needs less space, but for 2) I'm not sure what happens when updates are applied to both, the template and the AppVM.

Regards,
Ulrich

1. needs less space, but at the expense of security, since all AppVMs
based on that template will have a large number of
applications/libraries which may be ripe for exploit.

I'm not altogether clear on what you mean here. You then have two
templates which will need updating - unless you are using a caching
proxy instead of the standard tinyproxy, this is going to take time and
suck up bandwidth.
You can, naturally, update the AppVM separately from the template, as
usual, but updates will be lost on reboot. (I do this sometimes when I am
checking on updates/installs or configuration changes: one of the great
things about Qubes.)

> at the expense of security, since all AppVMs based on that template
> will have a large number of applications/libraries which may be ripe
> for exploit.

Could you please elaborate? I am not sure I understand.

> I'm not altogether clear on what you mean here.

I understood

1) AppVM based on debian-10 and install gimp in AppVM. The OP might or might not be aware of binds/persistence.

2) New template cloned from debian-10 which gimp is then installed into.
AppVM is based on that new template.

/Sven

>> at the expense of security, since all AppVMs based on that template
>> will have a large number of applications/libraries which may be ripe
>> for exploit.

> Could you please elaborate? I am not sure I understand.

Many attacks rely on chaining exploits and loopholes in an assortment of
applications and libraries.
You see this very often in "capture the flag" contests, and in real
world attacks.
If you use a single template and load it with software (and therefore
associated libraries) you have significantly broadened the attack
surface: this is particularly so if you install "recommended and
suggested" packages.
By contrast, if you use a minimal template and install a single
application, the attack surface is smaller.
If you have a template loaded with file viewers, office applications and
drawing software, it will undoubtedly be extremely useful. But the
attack surface is large. If you use that template as the basis for your
mail reader, for example, then there is scope for an attack using a crafted
email attachment.
But if you use a minimal template with a good mail reader like mutt,
and open all the attachments in an offline disposable VM based on that
extensive template, the risk to your mail reader, and by extension
your Qubes system, is reduced. (Note, reduced but not removed.)

In my system, almost *all* my working qubes are based on adapted minimal
templates, and most of them, including my mail qubes, are offline.
This may be why I have an unholy number of templates.
File storage qubes are exactly that - they store files. If I want to
view, or edit, I do it in an offline qube: I *have* to do it in another
qube, because the storage qubes don't have the capacity for anything
except plain text editing (and imagemagick, and some python and....).
Are there risks? Of course.

>> I'm not altogether clear on what you mean here.

> I understood
>
> 1) AppVM based on debian-10 and install gimp in AppVM. The OP might or might
> not be aware of binds/persistence.

I didn't hear this in what OP wrote.
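A way to put a number on the "recommended and suggested" point made above, as an added example that is not part of the thread: this script parses text in the shape of Debian's `apt-cache depends` output and computes how many packages a single application pulls into a template under Depends only, versus Depends plus Recommends (and Suggests). The dependency dump is constructed for illustration, not real gimp/debian-10 data; on a real template you would feed it the output of `apt-cache depends --recurse <package>` instead.

```python
# Added example (not from the thread): parse `apt-cache depends`-style output and
# count the packages one install drags into a template with Depends only versus
# Depends+Recommends(+Suggests). The dump is CONSTRUCTED, not real gimp data.
import re
from collections import defaultdict

SAMPLE_DEPENDS = """\
gimp
  Depends: libgimp2.0
  Depends: libc6
  Recommends: ghostscript
  Suggests: gimp-help-en
libgimp2.0
  Depends: libc6
  Depends: libgtk2.0-0
libgtk2.0-0
  Recommends: libgtk2.0-bin
ghostscript
  Depends: libgs9
  Recommends: fonts-droid-fallback
"""

LINE = re.compile(r"\s*\|?(\w+):\s*<?([^\s<>]+)>?")  # '|Depends:' alternatives, <virtual> pkgs

def parse_depends(text):
    """Return {package: {relation: set(targets)}} from apt-cache depends text."""
    graph = defaultdict(lambda: defaultdict(set))
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a new package block
            current = line.strip()
            graph[current]                 # register the node even if it lists no deps
        elif current and (m := LINE.match(line)):
            graph[current][m.group(1)].add(m.group(2))
    return graph

def closure(graph, root, relations=("Depends",)):
    """Set of packages that end up installed when `root` is installed following `relations`."""
    seen, stack = set(), [root]
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        for rel in relations:
            stack.extend(graph.get(pkg, {}).get(rel, ()))
    return seen
```

Comparing `len(closure(g, "gimp"))` with `len(closure(g, "gimp", ("Depends", "Recommends")))` shows the extra packages (and their libraries) that every AppVM sharing the template inherits when Recommends are installed.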

> If you use a single template and load it with software[...] By contrast, if you use a minimal template and install a single application, the attack surface is smaller.

Now I see.

> In my system, almost *all* my working qubes are based on adapted minimal templates, and most of them, including my mail qubes, are offline.

I do the same.

> This may be why I have an unholy number of templates.

Which is no issue thanks to apt-cacher-ng

> If I want to view, or edit, I do it in an offline qube: I *have* to
> do it in another qube,

Absolutely. Now it's clear. Thank you!

/Sven

...

> Many attacks rely on chaining exploits and loopholes in an assortment of
> applications and libraries.
> You see this very often in "capture the flag" contests, and in real
> world attacks.

...

> Are there risks? Of course.

Sorry for stealing this thread and jumping to a related topic:

If someone is going to attack my digital life I would like to
know about it.

What do you think about HIDS (host-based intrusion detection systems)?

For example Samhain (from Samhain Labs) is such a
system. While your point about broadening the attack surface will
certainly also apply to such additional software, it might on the other
hand help to get hints that you, or more specifically a certain qube of yours,
are currently being attacked.

Best regards (or in German: Liebe Grüße), Peter Funk

>> Hi!
>>
>> I have a question about installing additional software (e.g. GIMP in
>> debian-10):
>> The options I see are:
>> 1) Install it in some AppVM based on debian-10
>> 2) Clone debian-10 template and install software there. Create some AppVM
>> based on that template
>>
>> I'd guess 1) needs less space, but for 2) I'm not sure what happens when
>> updates are applied to both, the template and the AppVM.
>>
>> Regards,
>> Ulrich

> 1. needs less space, but at the expense of security, since all AppVMs
> based on that template will have a large number of
> applications/libraries which may be ripe for exploit.
>
> I'm not altogether clear on what you mean here. You then have two

Sorry for the late response: I mean if I install e.g. GIMP in an AppVM based on debian 10, what happens if I update the AppVM first (updating some parts of debian 10 and GIMP) and later I update the debian10 template: Couldn't there be conflicts between the updates in the AppVM and the template? If not, wouldn't that waste space by keeping some updates more than once?

> templates which will need updating - unless you are using a caching
> proxy instead of the standard tinyproxy, this is going to take time and
> suck up bandwidth.
> You can, naturally, update the AppVM separately from the template, as
> usual, but updates will be lost on reboot. (I do this sometimes when I am
> checking on updates/installs or configuration changes: one of the great
> things about Qubes.)

If the AppVM is not a disposable one, the updates are still lost? Wouldn't that mean any (e.g.) update for GIMP would be lost as well?

Regards,
Ulrich

>>> at the expense of security, since all AppVMs based on that template
>>> will have a large number of applications/libraries which may be ripe
>>> for exploit.
>>
>> Could you please elaborate? I am not sure I understand.

> Many attacks rely on chaining exploits and loopholes in an assortment of
> applications and libraries.
> You see this very often in "capture the flag" contests, and in real
> world attacks.
> If you use a single template and load it with software (and therefore
> associated libraries) you have significantly broadened the attack
> surface: this is particularly so if you install "recommended and
> suggested" packages.
> By contrast, if you use a minimal template and install a single
> application, the attack surface is smaller.
> If you have a template loaded with file viewers, office applications and
> drawing software, it will undoubtedly be extremely useful. But the
> attack surface is large. If you use that template as the basis for your
> mail reader, for example, then there is scope for an attack using a crafted
> email attachment.
> But if you use a minimal template with a good mail reader like mutt,
> and open all the attachments in an offline disposable VM based on that
> extensive template, the risk to your mail reader, and by extension
> your Qubes system, is reduced. (Note, reduced but not removed.)
>
> In my system, almost *all* my working qubes are based on adapted minimal
> templates, and most of them, including my mail qubes, are offline.
> This may be why I have an unholy number of templates.

So you don't base AppVMs on the minimal template, but have multiple "adjusted" almost-minimal templates? And you make AppVMs from those or disposable VMs?
I guess you have a special update cache also, as otherwise you spend hours with updating.
Can you explain a bit more?

> So you don't base AppVMs on the minimal template, but have multiple "adjusted" almost-minimal templates?

Unman is the actual maintainer of the debian templates
(see the Qubes OS team page).

My understanding of what he wrote is that he bases "almost *all*" of his
"working qubes" on "adapted minimal templates". Meaning on
debian-minimal plus specific packages for the specific purpose.

He might have also other qubes based on other distributions (e.g. kali,
parrot etc).

> I guess you have a special update cache also, as otherwise you spend hours with updating. Can you explain a bit more?

You might find his notes on apt-cacher-ng helpful:

I am sure unman will answer himself, but thought I might already give you a little preview as far as I can.

/Sven

Hi Ulrich,

I think all your questions get answered here:

/Sven