Hi,
on installing the 4.1 rc I have the choice to make sys-net disposable. What is the benefit / downside of this feature?
The benefit, as when using any disposable sys-vm, is that if the vm was compromised, a simple restart should solve the issue, and if you happen to restart often, then any hypothetical compromise should be short lived.
The only downside I've seen for sys-net is that network config won't persist. This may not be an issue if you're using ethernet only, but for wifi it can be troublesome, so you will need to persist wifi details in /rw and restore the config using rc.local / bind-dirs.
As I get it, a "truly disposable" VM always uses defaults and has no persistence even on the private volume?
You're right @arkenoi, /rw will get wiped on restart as well, so you'd need to make a custom disposable VM template just for sys-net (as you don't want wifi credentials being readable by other sys-vms) and add your wifi info there.
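The two posts above describe the same workaround: stage the wifi connection in the disposable template that sys-net is based on, keep it under /rw with bind-dirs, and it is then present in every disposable sys-net started from that template. The script below is an added example, not code from the thread or from the Qubes project. It assumes a Fedora-style template with NetworkManager keyfiles in /etc/NetworkManager/system-connections and the Qubes bind-dirs hook directory /rw/config/qubes-bind-dirs.d/; the ROOT argument is mine, so the functions can be exercised against a scratch directory instead of the real filesystem.

```shell
#!/bin/sh
# Added example (not from the forum thread): stage one Wi-Fi connection inside
# the disposable template used for sys-net, so every disposable sys-net starts
# with that network already known while the VM itself stays disposable.
# Assumptions (mine, not stated on the page): NetworkManager keyfiles under
# /etc/NetworkManager/system-connections, Qubes bind-dirs config under
# /rw/config/qubes-bind-dirs.d/. ROOT is a scratch prefix for testing.

set -eu

# Make /etc/NetworkManager/system-connections live on /rw via bind-dirs, so the
# keyfile is part of the template's private volume rather than its root image.
write_bind_dirs() {
    root="$1"
    dir="$root/rw/config/qubes-bind-dirs.d"
    mkdir -p "$dir"
    printf "binds+=( '/etc/NetworkManager/system-connections' )\n" > "$dir/50_user.conf"
}

# Write a NetworkManager keyfile for a WPA-PSK network and print its path.
# Usage: write_wifi_keyfile ROOT SSID PSK   (PSK is expanded, so avoid '$')
write_wifi_keyfile() {
    root="$1"; ssid="$2"; psk="$3"
    dir="$root/etc/NetworkManager/system-connections"
    mkdir -p "$dir"
    file="$dir/$ssid.nmconnection"
    umask 077   # the keyfile holds the PSK; NM ignores keyfiles readable by others
    cat > "$file" <<EOF
[connection]
id=$ssid
type=wifi
autoconnect=true

[wifi]
mode=infrastructure
ssid=$ssid

[wifi-security]
key-mgmt=wpa-psk
psk=$psk

[ipv4]
method=auto

[ipv6]
method=auto
EOF
    chmod 600 "$file"
    printf '%s\n' "$file"
}

# Verify the staging: keyfile present, owner-only permissions (NM requires
# this), PSK line present, and the bind-dirs entry in place. Returns 0/1.
check_staging() {
    root="$1"; ssid="$2"
    file="$root/etc/NetworkManager/system-connections/$ssid.nmconnection"
    [ -f "$file" ] || return 1
    [ "$(ls -ld "$file" | cut -c1-10)" = "-rw-------" ] || return 1
    grep -q '^psk=' "$file" || return 1
    grep -q 'system-connections' "$root/rw/config/qubes-bind-dirs.d/50_user.conf" || return 1
    return 0
}
```

Run it with ROOT=/ inside the disposable template (not inside a running disposable sys-net, where /rw is discarded), then shut the template down; the keyfile is readable only by root, which is why the earlier post advises a template dedicated to sys-net rather than one shared with other sys-vms.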
elaborate?
There's still some trace; it might not be noticeable since most of them are logs, but there's still some data left.
Basically, the network configuration isn't stored when sys-net is shut down.
sys-net, your wifi antenna doesn't scream SSIDs (and potentially passwords) you've previously connected to, which, depending on your circumstances, can be beneficial. (If someone is listening, they won't hear "STARBUCKS WIFI? STARBUCKS WIFI? WHERE ARE YOU? IT'S ME! MAC ADDRESS XX:XX:XX:XX:XX:XX! REMEMBER ME? I'M BACK!")
sys-net, it's gone with a simple reboot of sys-net (at least, that's the plan).
sys-net. Some people consider this an inconvenience.
ssh into a completely different machine with the same IP address as one you've connected to before [listed in ~/.ssh/known_hosts], it's similar to that...), causing the access point to potentially refuse to talk to you. (Unlikely, though...)
Your choice whether you think this will benefit you. It all depends on your circumstances.
Sorry, I mistakenly thought it was an AppVM and not a DispVM.
If I'm not mistaken, I can switch sys-net between disposable and not in the sys-net settings / advanced / other → disposable template [x].
Or do I have to keep the choice I made during the installation?
That's possibly sufficient for most of us. In theory though, something can still persist by reflashing any firmware on the network cards attached to sys-net, and making the VM disposable does not help with a threat of that level of sophistication.
That's not a theory. That's exactly how onboard device firmware upgrades work.
Definitely a valid point, @yann, and needs to be taken into consideration. Know your machine!
You can do this after you installed a Qubes system. If you installed Qubes with sys-net "from fedora-xx-template" you just have to do some commands in the dom0 terminal to change your current sys-net from templateVM to disposableVM.
I did this today and it worked fine, but note the cons some people have written above.
And yes! You can always switch back to the old state if you run into problems, IF you don't delete the old sys-net, which becomes a "copy" in your Qubes list in the Qubes Manager.
For those using minimal VMs (advanced users) it is possible to put passwords for the most frequent wi-fi APs in the disposableVM template.
I think that reduces the annoyance of entering the password each time for every reboot.
But you need the one template just for that, otherwise you introduce security risks. (I think)
Not possible even for minimal templates, as equbes wrote:
So if you're an advanced user, you can try to persist the passwords in the mentioned files.
Would you mind sharing the commands?
I like to be able to switch back in case I change my mind.
Can't I enter only my home WIFI password into the disposable sys-net template so I get the best of both worlds: no persistence after reboot, but it does remember the one or two most frequently used networks? Or would that defeat the purpose?
Commands are as follows and can be read here.
Cons for using a sys-net from a disp template:
Cons for using sys-usb from a disp template:
I have two questions about sys-net disposable. And excuse my lack of knowledge. The answer could have been already in this thread, but I need to verify.
I currently have wifi set to "disable" on boot (via a command in /rw/config/rc.local). How can I replicate that when I have a disposable? I mostly use an ethernet connection.
I currently have MAC address randomization in sys-net. How is that implemented in a disposable sys-net?
Thanks in advance for your answers and time.
You can do this the same way as you did, in /rw/config/rc.local in the disposable, but you don't need this anymore in a disposable VM. Whenever sys-net starts, it forgets the Wifi password/key, so you always need to insert it again (and again on every new bootup). So without inserting the password the wifi can't connect to any wifi network.
Same with the MAC randomisation: you always have to set it up anew on every new bootup (sys-net start) or enable the switch under /rw/config/rc.local...
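The two questions above (wifi off at boot, MAC randomization) both have the same answer for a disposable sys-net: put the setting into the disposable template, since the template's /rw/config/rc.local and its configuration files are what every disposable started from it inherits. The script below is an added example, not code from the thread or the Qubes project. It assumes NetworkManager reads drop-in files from /etc/NetworkManager/conf.d/ and that nmcli is available; the ROOT argument is mine, for running the functions against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the forum thread): configure MAC randomization and
# "Wi-Fi radio off at boot" inside the disposable template used for sys-net,
# so each disposable sys-net starts with both without re-doing it by hand.
# Assumptions (mine): NetworkManager drop-ins in /etc/NetworkManager/conf.d/,
# nmcli present, Qubes' /rw/config/rc.local hook. ROOT is a test prefix.

set -eu

# NetworkManager drop-in: random MAC while scanning, and a fresh random MAC
# for every connection on both Wi-Fi and Ethernet. The weaker default
# (stable MAC, "no" randomization) is what lets an AP recognise you later.
write_mac_randomization() {
    root="$1"
    dir="$root/etc/NetworkManager/conf.d"
    mkdir -p "$dir"
    cat > "$dir/00-macrandomize.conf" <<'EOF'
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
EOF
}

# rc.local runs at every VM start; in the disposable template it therefore
# runs in every disposable made from it. Keep the radio off unless switched on
# by hand (Ethernet is unaffected).
write_rc_local() {
    root="$1"
    dir="$root/rw/config"
    mkdir -p "$dir"
    cat > "$dir/rc.local" <<'EOF'
#!/bin/sh
nmcli radio wifi off
EOF
    chmod 755 "$dir/rc.local"
}

# Verify both pieces: the randomization keys are set, rc.local is executable
# and carries the nmcli rule. Returns 0 on success, 1 otherwise.
check_setup() {
    root="$1"
    conf="$root/etc/NetworkManager/conf.d/00-macrandomize.conf"
    rc="$root/rw/config/rc.local"
    [ -f "$conf" ] || return 1
    grep -q '^wifi.scan-rand-mac-address=yes$' "$conf" || return 1
    grep -q '^wifi.cloned-mac-address=random$' "$conf" || return 1
    grep -q '^ethernet.cloned-mac-address=random$' "$conf" || return 1
    [ -x "$rc" ] || return 1
    grep -q '^nmcli radio wifi off$' "$rc" || return 1
    return 0
}
```

After running both functions with ROOT=/ in the template and shutting it down, a new disposable sys-net comes up with the radio off; `nmcli radio wifi on` in that sys-net turns it back on for the session only, which matches the "no persistence after reboot" goal of the thread.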
I have my Wifi password in my vault and when I need my WLAN I just copy it. It's not a big bother for me.