[Whonix-devel] [qubes-users] Guide: Monero wallet/daemon isolation w/qubes+whonix

Patrick Schleizer patrick-mailinglists at whonix.org
Thu Aug 16 07:05:00 CEST 2018


https://getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html
is missing how to actually use it.

I guess it is simply: run `monero-wallet-cli` or monero gui in
monero-wallet-ws.

0xB44EFD8751077F97:
> Patrick Schleizer:
>> I didn't notice this thread until now.
>>
>> Interesting!
>>
>> Now reference here:
>> https://www.whonix.org/wiki/Monero
>>
>>
>> I am wondering how to save users from as many manual steps as possible.
>>
>>
>> To save users from having to edit /rw/config/rc.local...
>>
>>> socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm
>> monerod-ws user.monerod"
>>
>> Could maybe replaced by file:
>>
>> /etc/anon-ws-disable-stacked-tor.d/40_monero.conf
>>
>> content:
>>
>> $pre_command socat TCP-LISTEN:18081,fork,bind=127.0.0.1
>> EXEC:"qrexec-client-vm monerod-ws user.monerod"
>>
>> Should work after reboot (or after "sudo systemctl restart
>> anon-ws-disable-stacked-tor").
>>
>> Untested.
>>
>> Reference:
>> https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf
>>
> 
> Tested, works on Whonix 14/Qubes 4.0.
> 
> Would you consider shipping this as a default Whonix file, or maybe part
> of a package?

In package https://github.com/Whonix/qubes-whonix when using socket
activation, yes.

Similar to:

- https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_port_9050.socket

- https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_port_9050.service

File name should not contain "anon-ws-disable-stacked-tor" / "autogen".

File names...?

/lib/systemd/system/qubes-whonix-monerod.socket
/lib/systemd/system/qubes-whonix-monerod.service

Replace "ExecStart=/lib/systemd/systemd-socket-proxyd 10.152.152.10:9050"

with:

socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm
monerod-ws user.monerod"

Untested. Does that work?

Would this break monerod for users not using this Monero wallet/daemon
isolation? I mean, does monerod use local port 18081 by default? In that
case we'd need to change that port.

> If not, the user will have to put this on the TemplateVM
> or config bind-dirs; which are both additional steps.
>>
>>
>> /etc/qubes-rpc/policy/user.monerod could maybe become:
>> /etc/qubes-rpc/policy/whonix.monerod
>>
>> To save users from manually creating it, it could be dropped here:
>>
>> https://github.com/QubesOS/qubes-core-admin-addon-whonix/tree/master/qubes-rpc-policy
>>
>> If you like, create a pull request and see what Marek thinks.
>>
> 
> This would be useful. It's on my radar.
> 
>>
>>
>> /home/user/monerod.service would be better in /rw so only root can write
>> to it. Even better perhaps systemd user services?
>>
>> https://www.brendanlong.com/systemd-user-services-are-amazing.html
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820111
>>
>>
> 
> Interesting, I didn't know about this. I don't see how moving the file
> from /home/user/ to /home/user/.config/systemd/user is more secure,
> though.

> I think moving it to /rw may be slightly better, but
> passwordless sudo kind of negates that.

Indeed only useful for users of these:

- https://www.qubes-os.org/doc/vm-sudo/
- https://github.com/tasket/Qubes-VM-hardening

Qubes-VM-hardening will be easily available one day probably.

https://github.com/QubesOS/qubes-issues/issues/2748

I guess password protected sudo will get easier and easier in Qubes, so
it is very much worth going for proper access rights.

> The best would be to put it on the TemplateVM in /lib/systemd/system/,
> but, again, this is more steps for the user.
> 
> In regards to monero being in stretch-backports now, I think it might be
> an equal number of steps or more than there is now, and more confusing
> for the user, to add stretch-backports to the TemplateVM's sources and
> install via apt. If it were in stretch this would be no question.
> 

And only monerod is in Debian. monero gui is not.
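
Below is an added example, not code from this thread, from the qubes-whonix package or from the getmonero guide, of what the proposed qubes-whonix-monerod socket/service pair could look like, written as an install script for the wallet qube. It goes one step beyond the thread: instead of replacing the systemd-socket-proxyd ExecStart with socat, the socket uses Accept=yes, so systemd hands each accepted connection to the service on stdin/stdout, which is the interface qrexec-client-vm already speaks; no socat is needed. Accept=yes requires the service to be a template, so the file becomes qubes-whonix-monerod@.service rather than qubes-whonix-monerod.service. monerod's default RPC port is 18081, so the script refuses to install a listener when something already binds that port (the collision the thread asks about for qubes that run their own monerod). Assumed: qrexec-client-vm at /usr/bin/qrexec-client-vm, the RPC name user.monerod and the qube names monero-wallet-ws and monerod-ws from the thread, and /lib/systemd/system as the unit directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from the qubes-whonix package.
# Installs a socket-activated unit pair in the wallet qube so that a local
# connection to 127.0.0.1:18081 is handed straight to qrexec-client-vm, which
# relays it to the monerod-ws qube. With Accept=yes systemd passes each accepted
# connection on stdin/stdout, so the socat wrapper from the thread is not needed.
# Assumptions: qrexec-client-vm lives at /usr/bin/qrexec-client-vm, the RPC
# name stays user.monerod, and the units go under /lib/systemd/system.
set -eu

DESTDIR="${DESTDIR:-}"         # set to a scratch directory to dry-run unprivileged
DAEMON_QUBE="monerod-ws"       # qube running monerod (name from the thread)
WALLET_QUBE="monero-wallet-ws" # qube running the wallet (name from the thread)
RPC_NAME="user.monerod"        # qrexec RPC service name (from the thread)
PORT=18081                     # monerod's default RPC port

# Succeed only if nothing already listens on TCP port $1. A monerod running in
# this same qube binds 18081 itself, so the check refuses to add a second
# listener that would collide with it.
port_is_free() {
    if command -v ss >/dev/null 2>&1; then
        listeners="$(ss -ltn 2>/dev/null | awk 'NR>1 {print $4}')"
    elif command -v netstat >/dev/null 2>&1; then
        listeners="$(netstat -ltn 2>/dev/null | awk '{print $4}')"
    else
        listeners=""
    fi
    ! printf '%s\n' "$listeners" | grep -q ":$1\$"
}

# Print the dom0 policy line that allows the wallet qube to call the RPC.
policy_line() {
    printf '%s %s allow\n' "$WALLET_QUBE" "$DAEMON_QUBE"
}

# Write the listening socket and the per-connection service template.
write_units() {
    unitdir="$DESTDIR/lib/systemd/system"
    mkdir -p "$unitdir"
    cat > "$unitdir/qubes-whonix-monerod.socket" <<EOF
[Unit]
Description=Relay 127.0.0.1:$PORT to monerod in $DAEMON_QUBE via qrexec
# Keeps the unit inert outside Qubes (assumed path of qrexec-client-vm).
ConditionPathExists=/usr/bin/qrexec-client-vm

[Socket]
ListenStream=127.0.0.1:$PORT
# One qubes-whonix-monerod@<n>.service per connection, connection on stdin/stdout.
Accept=yes

[Install]
WantedBy=sockets.target
EOF
    cat > "$unitdir/qubes-whonix-monerod@.service" <<EOF
[Unit]
Description=One monerod RPC connection relayed to $DAEMON_QUBE via qrexec

[Service]
ExecStart=/usr/bin/qrexec-client-vm $DAEMON_QUBE $RPC_NAME
StandardInput=socket
StandardOutput=socket
# qrexec-client-vm does not need root; the rc.local variant ran socat as root.
User=user
EOF
}

# Real install: run as root in the TemplateVM with the "install" argument.
# Without it (or with DESTDIR pointing elsewhere) the live system is untouched.
if [ "${1:-}" = "install" ]; then
    port_is_free "$PORT" || { echo "TCP port $PORT already has a listener; aborting" >&2; exit 1; }
    write_units
    systemctl daemon-reload
    systemctl enable --now qubes-whonix-monerod.socket
    echo "Add this line to /etc/qubes-rpc/policy/$RPC_NAME in dom0:"
    policy_line
fi
```

The wallet side alone is not enough: dom0 still needs the policy line in /etc/qubes-rpc/policy/user.monerod, and the monerod-ws qube still needs its user.monerod qrexec handler that connects the relayed stdin/stdout to the local monerod RPC port, as set up in the getmonero guide linked at the top of the thread. After `systemctl enable --now`, `ss -ltn` in the wallet qube should show 127.0.0.1:18081 owned by systemd, and `monero-wallet-cli --daemon-address 127.0.0.1:18081` reaches the daemon through qrexec.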

