TemplateVM "NetVM for DispVM" option easily confused with setting DispVM Template's NetVM #2379
Comments
|
@qbs100 |
andrewdavidwong
changed the title
|
@unman, the issue concerns the "NetVM for DispVM" setting on the
Agreed? |
|
@andrewdavidwong I don't think you're right. |
|
@unman: My correction of your description of the "NetVM for DispVM" setting on the TemplateVM's Advanced tab still stands. It governs what happens when a DispVM is launched from that TemplateVM, not what happens when a DispVM is launched from another DispVM. If you still think this is wrong, please state exactly why.
The (mis)understanding can go in both directions. If someone understands how the "NetVM for DispVM" setting works, they won't mistakenly think that setting it on |
|
@andrewdavidwong Let's not argue. Yours is correct and can be generalised to any VM, not just a Template. Mine is correct and addressed the actual problem raised:setting the netvm for DispVMs. If you check, I specifically refer to the settings tabs for the saved dvm, because that addresses the issue that op raised. |
|
@unman: No problem. My intention was not to argue for argument's sake, but rather to determine whether our apparent difference in perception was due to some deeper issue here, which might have gone otherwise unnoticed. :) |
|
If I understand correctly this issue is not perceived as urgent. For what its worth, I think it is. I was just about to report to issues: The first about this setting having no effect. Even if I change it for the DispVM's TempVM and TempVM-dvm and run Both are due to my misunderstanding the UX. But I believe the second one is potentially compromising. Say I want to open an e-mail attachment in a DispVM using sys-whonix as its NetVM to prevent my IP address from becoming know to an adversary. But I have saved the file in a AppVM that uses sys-net as its NetVM. If I then run |
|
@ubestemt I'm not clear on what you're saying, but then I dont see an issue here. It reads to me as if you still misunderstand the GUI. If the problem is that you want a disposableVM to be spawned sometimes torified and sometimes not, then you can either define a keyboard shortcut to change the I'm sorry if I've misunderstood- perhaps you could make it clearer what you think the issue is, and (since this issue hasn't been touched for some time) what you think a resolution would look like. |
|
@unman The issue is that it is not clear that a VM's "NetVM for DispVM" setting applies (only) to DispVMs spawned from that VM, and the setting is somewhat hidden in the GUI. A user could reasonably expect all DispVMs to use the same NetVM regardless of the VM they are spawned from. Thus the following could happen: Say I want to open an e-mail attachment in a DispVM that uses sys-whonix as its NetVM to prevent my IP address from becoming know to an adversary. But I have saved the file (the attachment) in a VM that uses sys-net as its NetVM. If I then run qvm-open-in-dvm in that VM, the file is opened in a DispVM that is not torified. If one understands the GUI, this can easily be avoided, but as it is now it is easy to misunderstand. The resolution would be to make it clear
Also, the "NetVM for DispVM" setting for the DispVM's $TemplateVM and $TemplateVM-dvm has no direct effect on the default NetVM for the DispVM, only for any DispVM spawned directly from those VMs. (A TempVM's setting is of course still inherited by new AppVMs.) |
|
Both of the things you refer to are explicitly covered in the docs - https://www.qubes-os.org/doc/dispvm/
What change can we make to make it clearer? If you want to set the default netVM for disposableVMs you set the netvm for the $TemplateVM-dvm. |
Attempt to describe more clearly what determines which NetVM a DispVM uses; see QubesOS/qubes-issues#2379 Also edited the first paragraph a bit.
|
It's been a long time since I last read that document. And I guess we are allowed to expect new users to read the docs. I have tried to improve the relevant paragraphs: QubesOS/qubes-doc#374 To make it clearer in Whonix VM Manager I would propose to add a red * (asterisk) behind the setting as has been done for the "Name & Label" and "Template" settings in the "Basic" tab. Then the footnote would say something like: "Sets NetVM (only) for DispVMs started from this VM. Does not affect DispVMs launched from the Start Menu." If someone points me to the code for the "Basic" and "Advanced" tabs I will attempt to implement this change -- assuming we reach an agreement on the implementation and the phrasing. |
Another good candidate for #2211. |
|
I think an explicit warning (e.g. a footnote) would be appropriate because of possible security implications of the option is misunderstood. This warning could be given as a footnote to the NetVM option (in the "Basic" tab; not in the "Advanced" tab as I proposed above). Then a tooltip for the option in the "Advanced" tab would be enough. |
|
In R4, it's made - I hope - much simpler, because there's no longer 'NetVM for DispVM' setting in the Advanced tab. Now the user can just change the DispVM to be used by a given VM. I'm going to add tooltips in R3.2 and close this one. |
Added an explanatory tooltip for NetVM for DispVM field in Settings GUI. fixes QubesOS/qubes-issues#2379
|
Automated announcement from builder-github The package |
|
Automated announcement from builder-github The package Or update dom0 via Qubes Manager. |
Qubes OS version (e.g.,
R3.1):3.2
Affected TemplateVMs (e.g.,
fedora-23, if applicable):fedora-23
Expected behavior:
Starting disposable VM should use the NetVM I specified in the "Advanced" tab of of the fedora-23 templateVM.
Actual behavior:
Starting disposable VM uses sys-firewall NetVM ignoring the "advanced" tab setting of the templateVM.
Steps to reproduce the behavior:
General notes:
This issue persists after rebooting.
Related issues:
The text was updated successfully, but these errors were encountered: