
qubes-whonix handling of /etc/timezone and /etc/localtime
Closed, Resolved (Public)

Description

https://github.com/nrgaway/qubes-whonix/commit/51ec5194008e71bcfdd9b8e82aa9f76dc2077dc3

# Set timezone to UTC and make files immutable
timezone='UTC'
cp -p /usr/share/zoneinfo/${timezone} /etc/localtime
cp -p /usr/share/zoneinfo/${timezone} /etc/localtime.anondist
echo "${timezone}" > /etc/timezone
echo "${timezone}" > /etc/timezone.anondist
chattr +i /etc/localtime
chattr +i /etc/timezone

What's this good for? Anything wrong with the timezone-utc package?

Issues:

  • chattr +i is problematic, because in a later upgrade, echo "${timezone}" > /etc/timezone will fail and the postinst script will abort.
  • There is no file /etc/timezone.anondist.
  • It robs the user of the ability to choose a custom setting. It would be re-applied on upgrade of the qubes-whonix package.
  • Doesn't belong in that package?

Details

Impact
Needs Triage

Event Timeline

Patrick created this task. Feb 15 2015, 11:02 AM
Patrick updated the task description.
Patrick raised the priority of this task from to Normal.
Patrick added a project: Qubes.
Patrick added subscribers: Patrick, nrgaway, WhonixQubes.

Qubes resets the timezone on start and syncs it to dom0.
https://github.com/nrgaway/core-agent-linux/blob/master/vm-systemd/qubes-sysinit.sh#L78

# Read the timezone that dom0 published for this VM
timezone=`$QDB_READ /qubes-timezone 2> /dev/null`
if [ -n "$timezone" ]; then
    cp -p /usr/share/zoneinfo/$timezone /etc/localtime
    if [ -e /etc/debian_version ]; then
        echo "$timezone" > /etc/timezone
    else
        echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
        echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
    fi
fi

The chattr +i is to prevent the timezone from being changed, as that is part of the overall security. An update to the Qubes package could trigger a timezone change.

The /etc/timezone.anondist is created in the post init script. An update could handle the error by either testing for chattr first, disabling it, or trapping the error à la || true. The init scripts also make sure it's properly in place as well.

We could always add a utility to change the behaviour in an update.

Can you think of another way to secure the timezone? I don't believe it should just be left as-is.

I just went to add 'chattr -i' and noticed I already had that in place: https://github.com/nrgaway/qubes-whonix/blob/9.6-1/debian/qubes-whonix.postinst#L209. I wonder if you need to pull changes?

Currently both my master and 9.6-1 branch should be in sync.

I have a simpler solution in mind.

feature request against core-agent-linux that basically says:
"If setting Y is set in X (.d style folder preferred), then omit syncing vm timezone to dom0, because ... anonymity distributions ..."

What do you think?

In the long term, implement that feature. In the short term, add a comment that references that ticket.

Yes, it would be best handled in Qubes. In the meantime we keep it as is, since I do have the code to prevent failure to write on an update and I would assume anything else writing to a configuration file that is not its own would have a graceful way of failing.

nrgaway claimed this task. Feb 22 2015, 10:01 PM
nrgaway lowered the priority of this task from Normal to Low. Jun 6 2015, 6:19 PM
Patrick set Impact to Needs Triage.

Actually there is a very elegant solution to this that requires no changes in Qubes.

/etc/qubes/protected-files.d/30_qubes-whonix:

/etc/timezone
/etc/localtime
/etc/hostname
/etc/hosts
/etc/resolv.conf

I am just wondering in which package it fits best: anon-base-files, anon-gw-dns-conf and anon-ws-dns-conf, or just qubes-whonix 12. Ideally, the qubes-whonix 12 package could be made obsolete one day? Or be reduced to a bare minimum? It's a code style question: having all the Qubes-specific tweaks for various things within one package (qubes-whonix 12) versus having those added in "upstream packages".

Patrick claimed this task. Aug 14 2015, 9:10 PM
Patrick raised the priority of this task from Low to Normal. Aug 14 2015, 9:39 PM

State of /usr/lib/qubes-whonix/init/qubes-whonix-sysinit at time of writing:
https://github.com/Whonix/qubes-whonix/blob/df04392a60c6c0c9edc0fe0909610f9711b31d4c/usr/lib/qubes-whonix/init/qubes-whonix-sysinit

Currently you are creating the protected files list dynamically. I think this can be avoided as commented above by dropping config files into /etc/qubes/protected-files.d/.

Now,

  • since we are no longer using chattr +i
  • since the qubes-whonix package is installed in chroot during build, therefore no Qubes services are started that could modify any of the protected files
  • since the /etc/qubes/protected-files.d/ mechanism prevents qubes-core-agent from modifying the protected files...

I think the whole code block could be removed. Marked here:
https://github.com/Whonix/qubes-whonix/blob/df04392a60c6c0c9edc0fe0909610f9711b31d4c/usr/lib/qubes-whonix/init/qubes-whonix-sysinit#L27-L48

Also the following could be removed:
https://github.com/Whonix/qubes-whonix/blob/df04392a60c6c0c9edc0fe0909610f9711b31d4c/usr/lib/qubes-whonix/init/qubes-whonix-sysinit#L62-L63

I am planning to do this.

Does anything speak against this? @nrgaway

Go nuts at it ;)

Now you can do actual testing, changes like this are acceptable to me.

I think you should be housing the master qubes-whonix and template-whonix now also so you are better able to integrate into Whonix code base.

Alright! :)

abolished hack to write to /etc/localtime and /etc/timezone because now using Qubes protected files mechanism:
https://github.com/Whonix/qubes-whonix/commit/d11e42836f027c00e321c2660e332bbd47bd2670

Patrick closed this task as Resolved. Sep 8 2015, 5:53 PM
In T162#1975, @Patrick wrote:

I have a simpler solution in mind.

feature request against core-agent-linux that basically says:
"If setting Y is set in X (.d style folder preferred), then omit syncing vm timezone to dom0, because ... anonymity distributions ..."

This is now implemented by the Qubes protected files mechanism:
https://github.com/marmarek/qubes-core-agent-linux/blob/master/vm-systemd/qubes-sysinit.sh
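
The protected-files approach the thread settles on, as an added example (not code from Qubes, Whonix or any participant in this task): the timezone sync quoted earlier, gated on a list under /etc/qubes/protected-files.d/. The function names and the ROOT argument are assumptions so that it runs unprivileged against a constructed directory tree.

```sh
#!/bin/sh
# Added illustration, not Qubes or Whonix code. Function names are hypothetical;
# paths are relative to a caller-supplied root so it runs on a constructed tree.

# is_protected ROOT PATH: succeeds when PATH appears as an exact, whole line
# in any list file under ROOT/etc/qubes/protected-files.d/.
is_protected() {
    dir="$1/etc/qubes/protected-files.d"
    [ -d "$dir" ] || return 1
    for list in "$dir"/*; do
        [ -f "$list" ] || continue
        grep -Fxq -- "$2" "$list" && return 0
    done
    return 1
}

# sync_timezone ROOT ZONE: the dom0 timezone sync from the thread, except that
# each target is left alone when it is listed as protected.
sync_timezone() {
    src="$1/usr/share/zoneinfo/$2"
    [ -f "$src" ] || { echo "unknown zone: $2" >&2; return 2; }
    if is_protected "$1" /etc/localtime; then
        echo "skipped /etc/localtime"
    else
        cp -p "$src" "$1/etc/localtime" && echo "written /etc/localtime"
    fi
    if is_protected "$1" /etc/timezone; then
        echo "skipped /etc/timezone"
    else
        echo "$2" > "$1/etc/timezone" && echo "written /etc/timezone"
    fi
}

# make_root: constructed tree with placeholder zone files (not real tzdata),
# a UTC baseline and a protected list naming only /etc/timezone.
make_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/qubes/protected-files.d" "$r/usr/share/zoneinfo/Europe"
    echo "placeholder-UTC" > "$r/usr/share/zoneinfo/UTC"
    echo "placeholder-Berlin" > "$r/usr/share/zoneinfo/Europe/Berlin"
    cp "$r/usr/share/zoneinfo/UTC" "$r/etc/localtime"
    echo "UTC" > "$r/etc/timezone"
    echo "/etc/timezone" > "$r/etc/qubes/protected-files.d/30_qubes-whonix"
    echo "$r"
}

root=$(make_root)
sync_timezone "$root" Europe/Berlin
rm -rf "$root"
```

Because the constructed list names only /etc/timezone, the run reports /etc/localtime as written and /etc/timezone as skipped, leaving the two files disagreeing; listing both paths, as the 30_qubes-whonix file in the thread does, keeps both at the UTC baseline.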