Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qrexec no longer supports non-executable files in /etc/qubes-rpc #5686

Closed
marmarek opened this issue Feb 24, 2020 · 3 comments
Closed

qrexec no longer supports non-executable files in /etc/qubes-rpc #5686

marmarek opened this issue Feb 24, 2020 · 3 comments
Labels
C: doc P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. r4.1-bullseye-cur-test r4.1-buster-cur-test r4.1-centos7-cur-test r4.1-dom0-cur-test r4.1-fc29-cur-test r4.1-fc30-cur-test r4.1-fc31-cur-test r4.1-stretch-cur-test release notes This issue should be mentioned in the release notes.
Milestone
Release 4.1

Comments

@marmarek
Copy link
Member

For a long time, files in /etc/qubes-rpc could be either a scripts (with executable bit set), or a (non-executable) file with a name of a target script. In practice the later syntax was also interpreted as a script (called with /bin/sh). This indirection costs extra shell load and is undesirable. It is also confusing when one place a script without executable bit set and it works anyway.

Drop this legacy feature and recommend using symlinks instead in case of desired indirection. Or place the script directly in /etc/qubes-rpc and make it executable.

Most qubes-native services have executable bit set for a long time already.

The change is already made in QubesOS/qubes-core-qrexec#24, this issue serve as a tracking for related changes in documentation, release notes and generally to give it more visibility.
@marmarek marmarek added T: enhancement release notes This issue should be mentioned in the release notes. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Feb 24, 2020
@marmarek marmarek added this to the Release 4.1 milestone Feb 24, 2020
marmarek added a commit to marmarek/qubes-gui-agent-linux that referenced this issue Feb 24, 2020
@marmarek
Replace non-executable qubes.SetMonitorLayout file with a symlink
fe262aa 
Qrexec now enforces executable bit on service files. Instead of adding
one here, avoid one indirection by using a symlink instead.

QubesOS/qubes-issues#5686
marmarek added a commit to marmarek/qubes-app-linux-split-gpg that referenced this issue Feb 24, 2020
@marmarek
rpm: do not drop executable bit from qubes.GpgImportKey service
145ee4c 
QubesOS/qubes-issues#5686
marmarek added a commit to marmarek/qubes-gui-daemon that referenced this issue Feb 24, 2020
@marmarek
Make files in qubes-rpc executable
8faeeee 
QubesOS/qubes-issues#5686
marmarek added a commit to marmarek/qubes-gui-daemon that referenced this issue Feb 24, 2020
@marmarek
Make qubes.WindowIconUpdater a proper script
697f679 
QubesOS/qubes-issues#5686
marmarek added a commit to marmarek/qubes-app-linux-split-gpg that referenced this issue Feb 24, 2020
@marmarek
Make qubes.GpgImportKey service a proper script
fbdce20 
QubesOS/qubes-issues#5686
marmarek added a commit to QubesOS/qubes-app-linux-input-proxy that referenced this issue Feb 24, 2020
@marmarek
Make files in /etc/qubes-rpc a proper scripts
83428f5 
QubesOS/qubes-issues#5686
marmarek added a commit to marmarek/qubes-core-admin-linux that referenced this issue Feb 24, 2020
@marmarek
Replace /etc/qubes-rpc/qubes.ReceiveUpdates with a symlink
e59c6b8 
Avoid pointless indirection with a script

QubesOS/qubes-issues#5686
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Feb 24, 2020
@marmarek
Make /etc/qubes-rpc/qubes.ConnectTCP executable
b874aa1 
QubesOS/qubes-issues#5686
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Feb 24, 2020
@marmarek
Make /etc/qubes-rpc/qubes.ConnectTCP executable
437367b 
QubesOS/qubes-issues#5686
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Feb 24, 2020
@marmarek
Make /etc/qubes-rpc/qubes.ConnectTCP executable
2af2d24 
QubesOS/qubes-issues#5686
This was referenced Feb 25, 2020
Closed
Closed
Closed
Closed
Closed
@92VV3M42d3v8 92VV3M42d3v8 mentioned this issue Feb 26, 2020
Closed
@qubesos-bot qubesos-bot mentioned this issue Mar 1, 2020
Closed
marmarek added a commit to QubesOS/qubes-app-linux-pdf-converter that referenced this issue Mar 1, 2020
@marmarek
Replace /etc/qubes-rpc/qubes.PdfConvert with a symlink
31f1659 
Avoid useless indirection via extra shell script - symlink directly.
This is especially important as new qrexec won't support non-executable
service "scripts" in /etc/qubes-rpc.

QubesOS/qubes-issues#5686
This was referenced Mar 1, 2020
Closed
Closed
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 10, 2020
@marmarek
Make /etc/qubes-rpc/qubes.ConnectTCP executable
27e8d9e 
QubesOS/qubes-issues#5686
This was referenced Mar 15, 2020
Closed
Closed
@qubesos-bot qubesos-bot mentioned this issue Mar 15, 2020
Closed
@qubesos-bot qubesos-bot mentioned this issue Mar 15, 2020
Closed
@qubesos-bot qubesos-bot mentioned this issue Mar 25, 2020
Closed
@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-core-qrexec_4.1.4-1 has been pushed to the r4.1 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package core-qrexec has been pushed to the r4.1 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.1-current-testing

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-core-qrexec-4.1.5-1.fc31 has been pushed to the r4.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

marmarek added a commit to QubesOS/qubes-gui-agent-linux that referenced this issue Apr 18, 2020
@marmarek
Replace non-executable qubes.SetMonitorLayout file with a symlink
db11553 
Qrexec now enforces executable bit on service files. Instead of adding
one here, avoid one indirection by using a symlink instead.

QubesOS/qubes-issues#5686

(cherry picked from commit fe262aa)
marmarek added a commit to QubesOS/qubes-core-admin that referenced this issue Apr 18, 2020
@marmarek
Make /etc/qubes-rpc/qubes.ConnectTCP executable
529807d 
QubesOS/qubes-issues#5686

(cherry picked from commit 27e8d9e)
marmarek added a commit to QubesOS/qubes-core-admin that referenced this issue Apr 18, 2020
@marmarek
Make /etc/qubes-rpc/qubes.ConnectTCP executable
18ad0d4 
QubesOS/qubes-issues#5686

(cherry picked from commit 27e8d9e)
This was referenced Apr 18, 2020
Closed
Closed
Closed
marmarek added a commit to marmarek/qubes-gui-daemon that referenced this issue May 17, 2020
@marmarek
Make files in qubes-rpc executable
a14b921 
QubesOS/qubes-issues#5686

(cherry picked from commit 8faeeee)
marmarek added a commit to marmarek/qubes-gui-daemon that referenced this issue May 17, 2020
@marmarek
Make qubes.WindowIconUpdater a proper script
6db5575 
QubesOS/qubes-issues#5686

(cherry picked from commit 697f679)
@qubesos-bot qubesos-bot mentioned this issue May 17, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: doc P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. r4.1-bullseye-cur-test r4.1-buster-cur-test r4.1-centos7-cur-test r4.1-dom0-cur-test r4.1-fc29-cur-test r4.1-fc30-cur-test r4.1-fc31-cur-test r4.1-stretch-cur-test release notes This issue should be mentioned in the release notes.
Projects
None yet
Milestone
Release 4.1
Development

No branches or pull requests
3 participants
@marmarek @andrewdavidwong @qubesos-bot