Setting minimal Templates for different purposes

Hey,

thanks for the support here!
I’m setting the minimal templates for some special purposes and need some help.

FirewallVM and NetVM work well. But…

  1. Now I want to make an emailVM with just thunderbird within.
    So I installed thunderbird, thunderbird-qubes, thunar, qubes-core-agent-thunar, but I cannot connect to the email servers. The same in the BankingVM: I installed the needed java, but I cannot connect to the server. The same in the "social"VM: there I cannot connect to the internet via firefox. So the minimal VMs all seem not to have some internet possibilities.

  2. sys-USB seems to work, but I cannot connect to the mounted USB device on the new minimal VMs. I get “not authorized to perform operation”. I suppose it has to do with the passwordless root. I don’t want to install passwordless root, but I think I MUST do it in the VMs which should get USB connections (because of the usability), isn’t it?

  3. Is it a security advantage NOT to install passwordless root, just to manage the VMs via dom0?

Best regards
qun

Regarding VMs that are not connecting (email, banking) did you also install qubes-core-agent-networking in the template?

Ah, this is just mentioned by the FirewallVM. So every VM which has a connection to the internet must have qubes-core-agent-networking. Thank you! It works!

So the point 1 is solved!

It’s a great thing with the minimal templates!!

Indeed I had to go through some trial and error before I figured out how to connect minimal VMs. You can also limit the firewall of the emailVM to use only IMAP and POP for the Internet, to increase (slightly) the security of that VM.

Re point #3 most Qubes experts say there’s not much advantage to passwordless root. It’s been discussed in this forum in several posts. I would recommend you still use it anyway if it’s not a hassle. You just need to remember the command in Dom0 to run xterm as root.

The firewall is almost limited and open just for the email server.
The bankingVM can only connect to the banking server.
VaultVM with password manager and documents without networking.

Several years ago I tried to restrict connections for the "social"VM (facebook and so on), but the usability of it sucks.

I think I don’t really need to sudo in the AppVMs. When everything is installed in the template (via dom0), what is needed in the appVMs. I don’t really need sudo. So I think, it’s not an advantage to have passwordless root in that case.

So the point 2 is also solved!

Is there any (usable) possibility to get USB mounted without installing passwordless root in the appVMs?

You can mount from dom0 or open a terminal as root - possibilities.
Whether you find them “usable” depends on you.

If you do this a lot, you could have a small script in dom0 to run the
mount for you.

Otherwise install something like usbmount to have USB devices
automagically mounted. You will have to build that for yourself, as it’s
not packaged for Debian.
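
The small dom0 script suggested above could look like this; it is an added example, not part of the original post. Assumptions: the device has already been attached to the qube and appears there as `/dev/xvdi` or later, `/mnt/usb` is the mount point, and the function names, the `QVM_RUN` override and the file name `usb-mount.sh` are made up for illustration.

```shell
#!/bin/sh
# Run in dom0. Mounts an already-attached block device inside a qube as
# root, so the qube itself does not need passwordless root.
# Assumptions (not from the thread): the device shows up in the qube as
# /dev/xvdi or later, and /mnt/usb is the mount point.

QVM_RUN=${QVM_RUN:-qvm-run}   # hypothetical override, used for dry runs
MNT=/mnt/usb

# Plain qube names only: no empty string, leading dash or shell characters.
valid_qube() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

# Only xvdi..xvdz with an optional partition digit. The name ends up in a
# root command line, and xvda..xvdd are the qube's own system volumes.
valid_dev() {
    case "$1" in
        xvd[i-z]|xvd[i-z][0-9]) return 0 ;;
    esac
    return 1
}

check_args() {
    valid_qube "$1" || { echo "bad qube name: $1" >&2; return 2; }
    valid_dev "$2" || { echo "bad device name: $2" >&2; return 2; }
}

# mount_in_qube QUBE [DEVICE]; nosuid,nodev limit what the stick can carry in.
mount_in_qube() {
    vm=$1 dev=${2:-xvdi}
    check_args "$vm" "$dev" || return 2
    "$QVM_RUN" -u root --pass-io "$vm" \
        "mkdir -p $MNT && mount -o nosuid,nodev /dev/$dev $MNT"
}

# umount_in_qube QUBE; run this before detaching the device.
umount_in_qube() {
    valid_qube "$1" || { echo "bad qube name: $1" >&2; return 2; }
    "$QVM_RUN" -u root --pass-io "$1" "umount $MNT"
}

# Script use (hypothetical file name): ./usb-mount.sh QUBE [DEVICE]
[ "$#" -eq 0 ] || mount_in_qube "$@"
```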

What about sound? I made a minimalVM for youtube and get no sound. I also cannot see the VM in the dom0 audioMixer. What do I need for that?

As it seems, pulseaudio is installed. So maybe there is no qubes-module for that?

#Edit: oh… sorry… pulseaudio-qubes is the thing that I need, isn’t it?

Read this

Yes, sorry, I somehow overlooked it.
Had a conflict with pipewire-pulseaudio and had to install pulseaudio-qubes --allowerasing, now it works!

Good to know you worked it out.
Thanks for feeding back. We should look at using that in the documentation,
if it’s an issue. In the meantime, people can find your help here.