[Whonix-devel] [qubes-users] Guide: Monero wallet/daemon isolation w/qubes+whonix
Patrick Schleizer
patrick-mailinglists at whonix.org
Thu Aug 16 07:05:00 CEST 2018
https://getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html
is missing how to actually use it.
I guess it is simply: run `monero-wallet-cli` or monero gui in
monero-wallet-ws."
0xB44EFD8751077F97:
> Patrick Schleizer:
>> I didn't notice this thread until now.
>>
>> Interesting!
>>
>> Now reference here:
>> https://www.whonix.org/wiki/Monero
>>
>>
>> I am wondering how to save users from as many manual steps as possible.
>>
>>
>> To save users from having to edit /rw/config/rc.local...
>>
>>> socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm
>> monerod-ws user.monerod"
>>
>> Could maybe replaced by file:
>>
>> /etc/anon-ws-disable-stacked-tor.d/40_monero.conf
>>
>> content:
>>
>> $pre_command socat TCP-LISTEN:18081,fork,bind=127.0.0.1
>> EXEC:"qrexec-client-vm monerod-ws user.monerod"
>>
>> Should work after reboot (or after "sudo systemctl restart
>> anon-ws-disable-stacked-tor").
>>
>> Untested.
>>
>> Reference:
>> https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf
>>
> 
> Tested, works on Whonix 14/Qubes 4.0.
> 
> Would you consider shipping this as a default Whonix file, or maybe part
> of a package?
In package https://github.com/Whonix/qubes-whonix when using socket
activation, yes.
Similar to:
-
https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_port_9050.socket
-
https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_port_9050.service
File name should not contain "anon-ws-disable-stacked-tor" / "autogen".
File names...?
/lib/systemd/system/qubes-whonix-monerod.socket
/lib/systemd/system/qubes-whonix-monerod.service
Replace "ExecStart=/lib/systemd/systemd-socket-proxyd 10.152.152.10:9050"
with:
socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm
monerod-ws user.monerod"
Untested. Does that work?
Would this break monerod for users not using this Monero wallet/daemon
isolation? I mean, does monerod use local port 18081 by default? In that
case we'd need to change that port.
> If not, the user will have to put this on the TemplateVM
> or config bind-dirs; which are both additional steps.
>>
>>
>> /etc/qubes-rpc/policy/user.monerod could maybe become:
>> /etc/qubes-rpc/policy/whonix.monerod
>>
>> To have users from manually creating it, could be dropped here:
>>
>> https://github.com/QubesOS/qubes-core-admin-addon-whonix/tree/master/qubes-rpc-policy
>>
>> If you like, create a pull request and see what Marek thinks.
>>
> 
> This would be useful. It's on my radar.
> 
>>
>>
>> /home/user/monerod.service would be better in /rw so only root can write
>> to it. Even better perhaps systemd user services?
>>
>> https://www.brendanlong.com/systemd-user-services-are-amazing.html
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820111
>>
>>
> 
> Interesting, I didn't know about this. I don't see how moving the file
> from /home/user/ to /home/user/.config/systemd/user is more secure,
> though.
> I think moving it to /rw may be slightly better, but
> passwordless sudo kind of negates that.
Indeed only useful for users of these:
- https://www.qubes-os.org/doc/vm-sudo/
- https://github.com/tasket/Qubes-VM-hardening
Qubes-VM-hardening will be easily available one day probably.
https://github.com/QubesOS/qubes-issues/issues/2748
I guess password protected sudo will get more and more easy in Qubes so
very much worth going for proper access rights.
> The best would be to put it on the TemplateVM in /lib/systemd/system/,
> but, again, this is more steps for the user.
> 
> In regards to monero being in stretch-backports now, I think it might be
> an equal number of steps or more than there is now, and more confusing
> for the user, to add stretch-backports to the TemplateVM's sources and
> install via apt. If it were in stretch this would be no question.
> 
And only monerod is in Debian. monero gui is not.
More information about the Whonix-devel
mailing list