Install Additional Software Safely

From Kicksecure
Revision as of 10:15, 6 December 2021 by Nurmagoz (talk | contribs)

Easy

Introduction

Qubes users need to install and update persistent software in the Kicksecure Template(s) (kicksecure-17).


Using APT in a Kicksecure App Qube (commonly named kicksecure) only installs software for the current session; the changes are lost when the VM is shut down. See Install Software in an App Qube.

A primary Kicksecure goal is to greatly reduce the risk posed by (additional) software installations that are not exclusively designed to work with Tor.

Users can install any software inside Kicksecure using APT, since it is based on Debian. This is not, however, a recommendation to install additional software. Also, Kicksecure is currently the most secure platform for running Tor-unsafe applications like the former Adobe Flash plugin (now deprecated); see the operating system comparison.

The Kicksecure software page lists:

  • pre-installed Kicksecure applications which are available for different tasks
  • recommended software for different user activities
  • safety advice
  • installation instructions

Install from Debian stable

To install a package from Debian stable, follow the steps below. Replace package-name with the name of the software to be installed.

Install package(s) package-name following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the package-name package(s).

Using the apt command line option --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends package-name

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down the Template and restart the App Qubes based on it, as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) package-name is complete.

There are numerous examples of this procedure in the Software chapter and throughout the wiki.

Best Practices

Table: Best Software Installation Practices

Domain Advice
Always Verify Signatures
  • For greater system security, it is strongly recommended to avoid installing unsigned software. Always make sure that signing keys and signatures are correct and/or use mechanisms that heavily simplify and automate this process, like APT upgrades.
  • Note: digital signatures are not a magic bullet. While they increase the certainty that no backdoor was introduced by a third party during transit, this does not mean the software is absolutely "backdoor-free". Learn more about this process and what digital signatures prove.
Avoid Manual Software Installation
  • Generally avoid the manual installation of packages, even trusted ones. In practice that means software should only be installed with apt, unless special circumstances exist. [1]
  • Other risks: foreign packages are often unsigned, and users may forget to regularly update the software.
Avoid Third Party Package Managers
  • There are many third party package managers besides APT, but many lack the security safeguards that are standard in Debian. Popular examples are pip (Python) and npm (Node.js).
  • The security concern with third party options is that they do not verify that the code comes from the author. When used, these package managers pull untrusted code from the Internet and, when run with sudo for a system-wide install, execute it with root privileges.
  • If a trusted Workstation VM is required for sensitive use cases such as a Bitcoin wallet, then completely avoid this option. [2] [3]
Prefer APT
  • The safest option is to stick with Debian's official package manager APT. This is referenced throughout the wiki whenever the user runs apt.
  • APT is a secure package manager which passes the TUF threat model, since it features metadata verification and expiration detection. [4] [5]
Prefer Packages from Debian Stable Repository
  • Considering the risks, it is safest to install new software from Debian's stable repository, rather than the testing / unstable or third party repositories -- the Debian FAQ provides a strong rationale for using the stable repository; see footnote. [6]
  • Only advanced users should attempt to mix packages from Debian testing or Debian unstable. The reason is it can lead to a dependency hell, making it very difficult to resolve the breakage of APT package management.
  • To use newer package versions, see chapter Install Newer Software Versions.

--no-install-recommends

Debian's installation default is --install-recommends. Debian packages have various metadata fields such as:

  • Depends: dependencies or dependency packages
  • Recommends: "recommended" packages
  • Suggests: "suggested" packages

When installing a package using apt, dependencies (Depends:) are always installed. The Debian default is for recommended packages (Recommends:) to also be installed alongside the primary package (unless installed previously). To avoid that outcome, it is possible to use the apt command line parameter --no-install-recommends; this is in most cases optional.

Debian's default for suggested packages (Suggests:) is --no-install-suggests, i.e. not to install suggested packages. Users can optionally use --install-suggests, but there are no known cases where this would be useful at the time of writing. A host of other command line options are also available.

If a package is installed using apt --no-install-recommends install package-name, then re-running apt install without any parameters, or even with --install-recommends, will not install the recommended packages. To accomplish a "late" installation of recommended packages, the simplest method is first uninstalling the package and installing it again with the default options. Alternatively, the list of Recommends: can be viewed using apt show package-name or by checking the package on https://packages.debian.org, and the wanted packages can then be installed by name.
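As an added example (not code from the Kicksecure project), the following POSIX shell function parses one relationship field of a Debian control stanza, such as the output of apt show package-name, and prints the bare package names. This is the manual step behind a "late" installation of Recommends: for an already installed package. The stanza embedded below is constructed for the demonstration and is not real package metadata.

```shell
#!/bin/sh
# Added example, not code from the Kicksecure project: list the package names in
# one relationship field (Depends, Recommends or Suggests) of a Debian control
# stanza such as the output of `apt show package-name`. This is the manual step
# behind a "late" installation of Recommends: for an already installed package.
set -eu

# Print the package names in field $1 of the stanza read from stdin, one per line.
# Version constraints "(>= 1.0)", architecture lists "[amd64]" and multiarch
# qualifiers ":any" are dropped; alternatives "a | b" are listed separately.
# Continuation lines (starting with whitespace) belong to the preceding field.
field_packages() {  # $1 = field name, e.g. Recommends
  awk -v f="$1:" '
    /^[^ \t]/ { grab = ($1 == f) }                  # a new field starts: is it the wanted one?
    grab {
      line = $0
      if ($1 == f) sub(/^[^:]*:[ \t]*/, "", line)   # strip the "Field:" prefix on the first line
      buf = buf line " "
    }
    END {
      n = split(buf, rel, /[,|]/)
      for (i = 1; i <= n; i++) {
        p = rel[i]
        sub(/\(.*\)/, "", p)                        # version constraint
        sub(/\[.*\]/, "", p)                        # architecture restriction
        sub(/^[ \t]+/, "", p); sub(/[ \t]+$/, "", p)
        sub(/:.*/, "", p)                           # :any / :arch qualifier
        if (p != "") print p
      }
    }'
}

# Constructed control stanza (not real package metadata) for the demonstration.
SAMPLE_STANZA='Package: example-tool
Version: 1.2.3-1
Depends: perl:any (>= 5.20), libc6 (>= 2.34), apt | apt-transport-https
Recommends: fakeroot, gpg [amd64],
 uidmap
Suggests: qemu-user-static
Description: constructed stanza for the example'

# Review the Recommends: of the sample before deciding which of them to install.
printf '%s\n' "$SAMPLE_STANZA" | field_packages Recommends
```

On a real system apt show package-name prints one stanza per available version; take only the first with sed '/^$/q' before piping it into field_packages, then install the wanted names explicitly with sudo apt install --no-install-recommends package-name wanted-package. The same function applied to Depends: shows what cannot be omitted.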

A brief Q&A regarding the potential impacts of the "recommended" field is outlined below.

Table: --no-install-recommends Impacts

Question Answer
Can using --no-install-recommends lead to security issues? No. [7]
Can using --no-install-recommends lead to missing or broken functionalities? Yes. For example, mmdebstrap declares many of its optional dependencies, each enabling additional functionality, as Recommends: and Suggests:.
Can omitting --no-install-recommends lead to security issues? In corner cases, yes. Consider for example a host operating system without a Host Firewall. [8] Omitting --no-install-recommends means Debian's default --install-recommends applies, and the recommended packages pulled in may include services that open listening ports, which can significantly increase attack surface.
Should --no-install-recommends be used? The answer depends on the specific package. Advanced users who know exactly which packages are needed can use --no-install-recommends and afterwards manually add any wanted/additional packages [9] to the apt installation command. Otherwise, there might be corner cases of missing optional dependencies or limited functionality.
Should Kicksecure set the default to --no-install-recommends? [10] This is a good question. It is a big change and could lead to a lot of broken functionality for user-installed packages. At the moment, Kicksecure user support is manageable because redirection to the Free Support Principle is possible. If --no-install-recommends was the Kicksecure default, then a lot of functionality might work out of the box in Debian but not in Kicksecure, therefore invalidating the Free Support Principle.

For these reasons, such suggestions should first be raised at Debian's issue tracker after first searching for existing discussions on Debian mailing lists. Search the Debian APT issue tracker for "recommend" first to avoid duplicate issues. For this change to be implemented, it would probably require a lot of research, good examples and a very well written feature request. [11]

Kicksecure documentation uses --no-install-recommends whenever appropriate. In general, whether users should use --no-install-recommends for package installation is unspecific to Kicksecure and should be resolved as per Free Support Principle.

More Security

General Advice

Kicksecure users are free to install their favorite software packages, but should be aware that additional software increases the attack surface of the platform. Almost any application can be installed, with a few exceptions for programs that are impossible to torify. In addition, Kicksecure provides:

Users are responsible for trying to prevent any other protocol leaks using the "Torify: How-to" guide, but most of those are mitigated by Kicksecure.

APT Meta-data

When updating with apt, information will leak about which software packages and versions have been installed, unless Tor onion repositories have been configured. [12] This meta-data cannot be directly linked to any other activity like web browsing, because the Kicksecure apt uwt wrapper forces it to pass through its own circuit. Despite this isolation, it is still possible for updates to be correlated with the same pseudonym. [13] [14]

Recommendations

For greater security when updating:

  • Follow the guidelines below.
  • Be especially careful when adding custom repositories, particularly Personal Package Archives (PPAs).[15] Compared to main distribution repositories, solo developers are more susceptible to influence and theoretically might have malicious intent.
  • Read the protocol leak and fingerprinting protection entry first. It highlights useful information, like the fact that DNS and IP-related leaks do not apply to Kicksecure.
  • Refer to the Tor Project's Torify: How-to, which discusses various protocol leaks and how to mitigate them.
  • Review the Tor Project's Transparent Proxy Leaks documentation, which is particularly relevant for Microsoft Windows.

How-to: Install or Update with Utmost Caution

  1. Stop all activities and shutdown any open applications like Tor Browser.
  2. Change the Tor circuit -- this step may not apply if the user is running an onion service. [16]
  3. Update using apt after a random delay. By default, a new Tor circuit is generated after 10 seconds.
  4. Change the Tor circuit again.
  5. Continue user activities after another random period has elapsed.

Kicksecure is Firewalled

Info Note: This section is relevant to server software or other advanced / uncommon applications.

The Kicksecure firewall [17] has several effects upon Kicksecure.

Table: Kicksecure Firewall Effects

Category Notes
Additional Firewall Restrictions The firewall on Kicksecure is very restrictive. It can be made even more restrictive by activating options within the firewall script. [18] It is possible to limit which outgoing ports are redirected to Tor's TransPort. Depending on user intentions, it could also be useful to remove all SocksPorts.
DNS Requests Standard DNS requests on UDP port 53 are redirected to Tor's DnsPort. [19]
Incoming Connections
  • Incoming connections are not supported.
  • Replies to connections that programs initiate are accepted, which is what web browsing, IRC and similar applications need.
  • Server ports ("open ports") are blocked.
  • Unless explicitly configured, listening ports such as the Ident Protocol port or a web server port are not reachable.
IPv6 Tor only partially supports IPv6, although full implementation is likely in the near term. [20] This is not a Kicksecure-specific issue. [21]
Server Services Onion Services and/or Location Hidden Services can be hosted.
Tor Routing Refer to the footnotes for further information.
UDP Tor does not support UDP. This is not a Kicksecure-specific issue.

Related topics:

Advanced

Install Newer Software Versions

Info Prerequisite knowledge: refer to the Frozen Packages entry in the Operating System Software and Updates chapter.

It is sometimes possible to install newer versions of software applications, either via available backports or by manual installation. When intending to use newer versions of certain applications like Electrum or Monero it is best to approach the process as an application installation, rather than an application update.

In oversimplified terms, a Debian package is just a vehicle to place files into a location. For example, the binaries-freedom Debian package in Kicksecure ships Electrum. It comes with the appimage file (/usr/share/binaries-freedom/electrum-appimage/electrum-4.0.7-x86_64.AppImage) and a start menu entry (/usr/share/applications/electrum-appimage.desktop). The presence of these files does not impose limitations; it is still possible to customize the system and install newer software versions.

These files can also be ignored; for example it is not necessary to use the electrum-appimage start menu entry. The binaries-freedom package is intended to improve usability and it was never designed to limit customization, nor does it have that side effect. As per Kicksecure policy there are No Intentional User Freedom Restrictions. [22]

As an illustration, a newer version of Electrum would require:

  1. uninstalling binaries-freedom (electrum appimage)
  2. installing Electrum appimage

To install other custom software, it is suggested to follow the recommendations throughout this chapter for better security. Specific instructions for custom software installations will vary for each application. This process is mostly unspecific to Kicksecure and therefore the Free Support Principle applies to installation steps. The same is true for Qubes users -- first consider how this process would be achieved in a Debian-based Qubes template.

Enable Debian Backports Repository

Operating System Specific Notes:

  • Kicksecure VM users: Should skip this step! The Debian APT backports repository is already default in Kicksecure version 16 and above.
  • Debian: The following instructions are for Debian host operating system or Debian VM users.

1. Boot the virtual machine. (Qubes: debian-12 Template).

2. Add the current Debian stable backports codename bookworm-backports to Debian apt sources.

Notes:

  • This applies to Debian 12 (bookworm). Later Debian versions will use a codename different to bookworm.
  • Advanced users note: Instructions for torification of the clearnet repository or the onion repository can be found in the following footnote.

Run. [23]

sudo su -c "echo -e 'deb https://deb.debian.org/debian bookworm-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Done.

The procedure of enabling Debian backports repository has been completed.

4. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian bookworm to trixie. [24] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list

Enable Debian Fasttrack Repository

Operating System Specific Notes:

  • Kicksecure VM users: Should skip this step! The Debian APT fasttrack repository is already default in Kicksecure version 16 and above.
  • Debian: The following instructions are for Debian host operating system or Debian VM users.

1. Boot the Debian VM. (Qubes: debian-12 Template).

2. Install the fasttrack-archive-keyring package.

Install package(s) fasttrack-archive-keyring following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the fasttrack-archive-keyring package(s).

Using the apt command line option --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends fasttrack-archive-keyring

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down the Template and restart the App Qubes based on it, as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) fasttrack-archive-keyring is complete.

3. Add the current Debian fasttrack APT repository.

Notes:

  • This applies to Debian 12 (bookworm). Later Debian versions will use a codename different to bookworm.
  • Advanced users note: Instructions for torification of the fasttrack clearnet repository or the fasttrack onion repository can be found in the following footnote.

Run. [25]

sudo su -c "echo -e 'deb https://fasttrack.debian.net/debian/ bookworm-fasttrack main contrib non-free' > /etc/apt/sources.list.d/fasttrack.list"

4. Done.

The procedure of enabling Debian fasttrack repository has been completed.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian bookworm to trixie. [26] To proceed, run.

sudo rm /etc/apt/sources.list.d/fasttrack.list

Backports

Debian Backports:

Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable.

This is a far safer alternative than the Debian testing or unstable repositories. However, Debian backports should be used conservatively.

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

Info Replace package-name below with the package you actually want to install.

package-name can be installed from Debian backports. This is non-ideal, see footnote. [27]

1. Boot Kicksecure (kicksecure-17) Template.

2. Add the current Debian stable backports codename bookworm-backports to Debian apt sources.

Note: this applies to Kicksecure 17.2.8.5. Later Kicksecure versions may use a codename different to bookworm.

In Kicksecure (kicksecure-17) Template, run.

sudo su -c "echo -e 'deb tor+https://deb.debian.org/debian bookworm-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

Alternatively, users who like Onionizing Repositories can set the .onion mirror.

sudo su -c "echo -e 'deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Update the package lists.

sudo apt update

4. Install the select software.

sudo apt -t bookworm-backports install package-name

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian bookworm to trixie. [28] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list

Fasttrack

Debian Fasttrack:

Debian Fast Track is a repository that allows making “backports” of packages available to users of the stable distribution, if those packages cannot be maintained in testing and backported in the usual way.

This is a far safer alternative than the Debian testing or unstable repositories. However, Debian fasttrack should be used conservatively, similarly to Backports.

Like backports, fasttrack packages cannot be tested as extensively as Debian stable, and they are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

Info Replace package-name below with the package you actually want to install.

package-name can be installed from Debian fasttrack. This is non-ideal.

1. Update the package lists.

sudo apt update

2. Install the select software.

sudo apt -t bookworm-fasttrack install package-name

3. Done.

The procedure of installing the package from fasttrack is now complete.

Install from Debian Testing

Warnings

Info Mixing packages from Debian stable with those from a later release like testing can destabilize the system due to associated software dependencies required for full functionality.

Before completing steps in this section, first read Prefer Packages from Debian Stable Repository. Carefully check how packages will change before proceeding -- a host of upgrades is usually safe, but no Kicksecure packages should be removed as part of the process; see Kicksecure Debian Packages. Be aware that problems are still possible; see here for an example.

It is recommended to complete this process in a separate Kicksecure (kicksecure-17-debian-testing-mix) due to the risks. Ask for advice in the forums on a case-by-case basis.

Procedure

1. Boot the Kicksecure (kicksecure-17-debian-testing-mix) Template.

2. Add the current Debian testing codename trixie to sources.list.d.

Note: this applies to Kicksecure 17. Later Kicksecure versions may use a codename different to trixie.

Caveat: unlike the Install from Debian Unstable procedure below, this step does not set APT::Default-Release. Without a default release, apt gives the stable and testing versions of every package the same priority and treats the newer testing version as the upgrade candidate, so a later apt full-upgrade would pull the whole system towards testing. Either set APT::Default-Release "bookworm"; in /etc/apt/apt.conf.d/ as described in that procedure, or review the output of apt full-upgrade -s before every upgrade.

In the Kicksecure (kicksecure-17-debian-testing-mix) Template, run.

sudo su -c "echo -e 'deb http://http.debian.net/debian trixie main' > /etc/apt/sources.list.d/testing.list"

Or alternatively use the .onion mirror.

sudo su -c "echo -e 'deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian trixie main' > /etc/apt/sources.list.d/testing.list"

3. Update the package lists.

sudo apt update

4. Install the select software.

sudo apt -t trixie install packagename

  • Replace packagename with the package you actually want to install.

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian bookworm to trixie. [29] To proceed, run.

sudo rm /etc/apt/sources.list.d/testing.list

Install from Debian Unstable

Warnings

Managing security updates for the "stable" distribution remains the highest priority for the Debian security team. This means security fixes for Debian "unstable" are managed by the contributors themselves and not by the Debian security team. Therefore, "unstable" does not receive security updates in a timely manner. [30] [31]

Before completing steps in this section, first read Prefer Packages from Debian Stable Repository.

Mixing packages from Debian stable with those from a later release like unstable can destabilize the system due to associated software dependencies required for full functionality. First carefully check how packages will change before proceeding. [32]

A host of upgrades is usually safe, but no Kicksecure packages should be removed as part of the process; see Kicksecure Debian Packages. It is recommended to complete this process in a separate Kicksecure (kicksecure-17-debian-unstable-mix) due to the risk. Ask for advice in the forums on a case-by-case basis.
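The warning above, and the matching one in the Install from Debian Testing section, ask to check how packages will change before installing from a foreign suite. As an added example that is not part of the Kicksecure documentation, the following POSIX shell script turns that check into an automated gate: it runs apt-get in simulation mode and refuses to install when any package matching a protected name pattern would be removed. The two apt-get transcripts embedded below are constructed for the demonstration, and the kicksecure-* name pattern is an assumption to be extended from the Kicksecure Debian Packages list.

```shell
#!/bin/sh
# Added example, not part of the Kicksecure documentation: gate an install from a
# foreign suite (testing, unstable, backports) on an apt-get simulation, refusing
# when any package whose name matches a protected pattern would be removed.
set -eu

# Print the packages listed under "The following packages will be REMOVED:" in
# `apt-get -s ...` output read from stdin, one per line, without the purge marker "*".
removed_packages() {
  awk '
    /^The following packages will be REMOVED:/ { grab = 1; next }
    grab && /^[ \t]/ { for (i = 1; i <= NF; i++) { p = $i; sub(/\*$/, "", p); print p }; next }
    grab { grab = 0 }                               # first unindented line ends the list
  '
}

# Return 0 when no removed package matches the extended regex in $1 (plan on stdin).
plan_is_safe() {  # $1 = protected-name regex
  if removed_packages | grep -Eq "$1"; then return 1; fi
  return 0
}

# Real use: simulate first (-s changes nothing and needs no root), install only
# when the simulation passes the check. -t selects the suite as in the procedures above.
guarded_install() {  # $1 = suite, $2 = package, $3 = protected-name regex
  plan=$(apt-get -s -t "$1" install "$2") || return 1   # the simulation itself failed
  if printf '%s\n' "$plan" | plan_is_safe "$3"; then
    sudo apt-get -t "$1" install "$2"
  else
    echo "refusing: installing $2 from $1 would remove a protected package" >&2
    return 1
  fi
}

# Assumption: every package whose name starts with kicksecure- is protected;
# extend the pattern with the names from the Kicksecure Debian Packages list.
PROTECTED='^kicksecure-'

# Two constructed apt-get -s transcripts (not real runs) for the demonstration.
SAMPLE_PLAN_SAFE='Reading package lists...
The following additional packages will be installed:
  libexample1
The following NEW packages will be installed:
  example-app libexample1
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.'

SAMPLE_PLAN_UNSAFE='Reading package lists...
The following packages will be REMOVED:
  kicksecure-example-meta* example-old*
  kicksecure-example-shortcuts*
The following NEW packages will be installed:
  example-app
0 upgraded, 1 newly installed, 3 to remove and 0 not upgraded.'

for plan in "$SAMPLE_PLAN_SAFE" "$SAMPLE_PLAN_UNSAFE"; do
  if printf '%s\n' "$plan" | plan_is_safe "$PROTECTED"; then
    echo "plan ok"
  else
    echo "plan would remove protected packages:"; printf '%s\n' "$plan" | removed_packages
  fi
done
```

guarded_install trixie package-name "$PROTECTED" replaces the plain install step of the testing procedure (use sid for unstable). The simulation also lists the dependencies apt would pull from the foreign suite, which is the information the warning asks to review.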

Procedure

Prior to installing package-name from Debian unstable read Install software from Debian unstable to understand the risks involved and circumvention options. Mixing packages from Debian stable with later release packages like Debian unstable can lead to instability. [33]

1. Open a terminal.

If you are using Kicksecure inside Qubes, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Kicksecure App Qube (commonly named kicksecure) → Xfce Terminal

If you are using a graphical Kicksecure with Xfce, run.

Start Menu → Xfce Terminal

2. In the Kicksecure terminal (Qubes: the kicksecure-17 Template), set the Debian stable codename bookworm as the apt default release. The value must be quoted, as apt.conf requires for strings.

sudo su -c "echo -e 'APT::Default-Release \"bookworm\";' > /etc/apt/apt.conf.d/70defaultrelease"

3. Add the current Debian unstable codename sid to sources.list.d.

sudo su -c "echo -e 'deb https://deb.debian.org/debian sid main' > /etc/apt/sources.list.d/unstable.list"

Or alternatively use the .onion mirror.

sudo su -c "echo -e 'deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian sid main' > /etc/apt/sources.list.d/unstable.list"

4. Update the package lists.

sudo apt update

5. Install package-name from the current Debian unstable codename sid repository.

sudo apt install -t sid package-name

6. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian bookworm to trixie. [34] To proceed, run.

Delete the Debian unstable repository list.

sudo rm /etc/apt/sources.list.d/unstable.list

Delete apt Default-Release configuration.

sudo rm /etc/apt/apt.conf.d/70defaultrelease

Package Reinstallation

As per the free support principle, package reinstallation utilizes normal Debian processes.

The example below shows how the thunderbird package would be reinstalled. It is possible to substitute thunderbird with many other packages, so long as they do not have too many dependencies. These instructions are not suitable for any packages needed for connectivity such as tor, because the reinstallation would be very difficult and is currently unsupported.

Even in the thunderbird package example, dependency complications emerge. In the example below the qubes-whonix-workstation-packages-recommended package also depends on thunderbird. Further, the qubes-whonix-workstation package depends on qubes-whonix-workstation-packages-recommended.

1. Update the package lists and upgrade.

See Updates for instructions.

2. Purge the package you want to reinstall.

sudo apt purge thunderbird

The output will show something like the following.

The following packages will be REMOVED:
  qubes-thunderbird* qubes-whonix-workstation*
  qubes-whonix-workstation-packages-recommended* thunderbird*
0 upgraded, 0 newly installed, 4 to remove and 0 not upgraded.
After this operation, 192 MB disk space will be freed.
Do you want to continue? [Y/n] 
(Reading database ... 64719 files and directories currently installed.)
Removing qubes-whonix-workstation (3:21.5-1) ...
Removing qubes-whonix-workstation-packages-recommended (1:16.5-1) ...
Removing qubes-thunderbird (2.0.6-1+deb10u1) ...
Removing thunderbird (1:78.14.0-1~deb10u1) ...
Processing triggers for mime-support (3.62) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for qubes-core-agent (4.0.62-1+deb10u1) ...
Processing triggers for desktop-file-utils (0.23-4) ...
(Reading database ... 64597 files and directories currently installed.)
Purging configuration files for thunderbird (1:78.14.0-1~deb10u1) ...

The packages qubes-whonix-workstation-packages-recommended and qubes-whonix-workstation have been inadvertently uninstalled due to technical limitations. [35] These packages are reinstalled at a later step.

3. Delete the user configuration folder if that is desired.

In this thunderbird example, the user configuration folder is specified below (it changes depending on the package).

rm -r ~/.thunderbird

4. Reinstall the thunderbird package and the additional packages that were purged.

The --no-install-recommends parameter below is optional.

sudo apt install --no-install-recommends thunderbird qubes-whonix-workstation-packages-recommended qubes-whonix-workstation

Related to: Kicksecure Debian Packages.

Install Software in an App Qube

Info Qubes only! Custom scripting is recommended, which is beyond the scope of this entry. Use a search engine to locate free articles and instructions on this process.

There is no reason to avoid installing software in App Qubes, although installed software will not persist across reboots. A custom script can automate the re-installation, which minimizes the time spent on it.

Advantages

This software installation method means a single VM assumes many of the positive characteristics found in both App Qubes and Standalones.

  • Centralized Updates: App Qubes are based on a Template. This means the App Qube's root filesystem is based on the corresponding template's root filesystem. Any updates to the Template will be reflected in the App Qube's root filesystem upon restart. [36]
  • Minimal Disk Usage: App Qubes require much less disk space than Standalones, since the App Qube's root filesystem is based on the corresponding template. The App Qube only needs enough disk space to hold user files in the /home directory.
  • Semi-persistent Storage: User data stored in /home, /rw and /usr/local survives reboot. Many applications like Signal and Wire store user data in the /home folder. Since the custom script installs the software seamlessly with little or no user interaction, the App Qube has "quasi-full persistence", not unlike a Standalone's full persistence.

App Qube Preparation

1. Create an App Qube based on kicksecure-17.

2. Pre-install any necessary dependencies.

Dependencies are available from packages.debian.org and can be pre-installed in the Template to speed up the repetitive software installation process. This means only packages or software missing from packages.debian.org will be repeatedly installed in the App Qube.

3. Create a custom script that runs at VM boot.

The purpose of this script is to automate software installation that would otherwise require manual user steps. Note that script functionality is variable, dependent on the software packages being installed and the experience of the user.

Scripting is useful for common tasks like:

  • adding specific software repositories
  • importing verified signing keys
  • updating the package list with apt update, after the repository and signing key are imported
  • finally running apt install to install the relevant software package(s)
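As an added example (not a script from the Kicksecure or Qubes projects), the following POSIX shell fragment implements the four scripting tasks above for a Qubes App Qube. It is meant to be appended to /rw/config/rc.local, which Qubes runs at every VM boot from the persistent /rw volume. The repository URL, suite, package name and key fingerprint are hypothetical placeholders; the signing key is assumed to have been fetched and its fingerprint verified manually once, then stored under /rw/config, so the boot script never downloads key material.

```shell
#!/bin/sh
# Added example, not a script from the Kicksecure or Qubes projects: a fragment
# for /rw/config/rc.local that re-installs one third-party package at every boot
# of a Qubes App Qube whose root filesystem is reset from its Template.
# Repository, suite, package and fingerprint are hypothetical placeholders.
set -eu

REPO_URL="https://repo.example.org/debian"            # hypothetical repository
REPO_SUITE="bookworm"
REPO_COMPONENT="main"
PKG="example-app"                                     # hypothetical package name
# Full fingerprint of the repository signing key (hypothetical). The key itself
# was fetched and its fingerprint verified by hand once, then stored in the
# persistent /rw volume; the boot script never downloads key material.
KEY_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
PERSISTENT_KEY="/rw/config/example-archive-keyring.gpg"
KEYRING="/etc/apt/keyrings/example-archive-keyring.gpg"
SOURCES="/etc/apt/sources.list.d/example.list"

# One-line sources entry bound to the keyring with signed-by, so apt accepts
# Release files for this repository only when signed by that key, and the key
# gains no authority over Debian's own suites.
sources_line() {  # $1 = keyring path, $2 = URL, $3 = suite, $4 = component
  printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Accept only a 40-digit upper-case hex fingerprint, the form gpg prints, so a
# truncated or mistyped KEY_FPR cannot match anything by accident.
fpr_well_formed() {  # $1 = fingerprint
  printf '%s' "$1" | grep -Eqx '[0-9A-F]{40}'
}

# Return 0 when the (binary or armored) keyring file carries a key whose
# fingerprint is exactly $2.
keyring_has_fpr() {  # $1 = keyring file, $2 = expected fingerprint
  fpr_well_formed "$2" || return 1
  gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$2"
}

# Return 0 when dpkg already considers the package installed, e.g. because it
# was pre-installed in the Template, so a boot does not touch the network for nothing.
pkg_installed() {  # $1 = package
  [ "$(dpkg-query -W -f='${db:Status-Status}' "$1" 2>/dev/null)" = "installed" ]
}

install_at_boot() {
  pkg_installed "$PKG" && return 0
  keyring_has_fpr "$PERSISTENT_KEY" "$KEY_FPR" || {
    echo "rc.local: $PERSISTENT_KEY does not carry key $KEY_FPR, not adding repository" >&2
    return 1
  }
  install -d -m 0755 /etc/apt/keyrings
  install -m 0644 "$PERSISTENT_KEY" "$KEYRING"
  sources_line "$KEYRING" "$REPO_URL" "$REPO_SUITE" "$REPO_COMPONENT" > "$SOURCES"
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends "$PKG"
}

# Act only inside a Qubes VM (persistent /rw present) and as root; elsewhere the
# functions are merely defined, which keeps the file safe to source for testing.
if [ -d /rw/config ] && [ "$(id -u)" = 0 ]; then
  install_at_boot
fi
```

Append the fragment to /rw/config/rc.local and make that file executable (chmod +x). Dependencies available from packages.debian.org should still be pre-installed in the Template as in step 2, so the boot-time run installs only the foreign package.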

App Qube Use

The App Qube's root filesystem does not provide a strong non-persistent security feature. The persistence of the /home, /rw, and /usr/local filesystems means malware can be specifically written to target Qubes-based App Qubes, inserting hooks inside the files in these directories. [37] [38]

Once user preparation is complete and the App Qube has started, it will automatically start the script to begin installing software. When the process finishes, the App Qube can be used like any other. However when the App Qube is shutdown, all data outside of the persistent /home folder will be lost, including the newly installed software packages. Following reboot, the VM will again install the software packages automatically.

Using bind-dirs Selective Persistence

Using selective bind-dirs persistence is currently a difficult problem and undocumented. Further research is required to ascertain which files require persistence across VM reboots.

Add Application Launcher to Start Menu

1. Create folder ~/.local/share/applications.

mkdir -p ~/.local/share/applications

2. Create a new file ~/.local/share/applications/program-name.desktop using an editor.

mousepad ~/.local/share/applications/program-name.desktop

3. Paste the following contents.

[Desktop Entry]
Type=Application
Exec=/path/to/program
Name=program-name
Categories=Other

4. Save the file.

5. Done.

The procedure is now complete.

6. Start using the launcher.

The launcher can be found here:

Start Menu → Other → program-name

snap

General forum discussion about snap: Snap Store / snaps / snapd / snapcraft.io - a new software source?

Kicksecure-Qubes issues:

Flatpak

Introduction

Flatpak is: [40]

...a utility for software deployment and package management for Linux. It is advertised as offering a sandbox environment in which users can run application software in isolation from the rest of the system. ...

Applications using Flatpak need permissions to have access to resources such as Bluetooth, sound (with PulseAudio), network, and files. These permissions are defined by the maintainer of the Flatpak and can be added or removed by users on their system.

Another key feature of Flatpak is that it allows application developers to directly provide updates to users without going through distributions, and without having to package and test the application separately for each distribution.

There are several advantages of utilizing Flatpak: [41] [42] [43]

  • Packages are easily added via Flathub, which is a repository located at flathub.org; for a Kicksecure example, see here.
  • Numerous Linux distributions are either supported out-of-the-box or after the flatpak package is installed; Debian is a supported platform (which Kicksecure is based upon).
  • Desktop applications are sandboxed and have limited access to the host environment. [44]
  • Flatpak bundles are a single-file format which contains the application or runtime. [45]
  • Any Flatpak breakage will not lead to destabilization of the host OS.
  • Elevated privileges (root) are not required to install Flatpak packages.
  • Only changed files are downloaded for updates.
  • Libraries and files used by multiple applications are de-duplicated to save space.

For further information, refer to the Flatpak FAQ and Flatpak documentation.

Flatpak Package Manager Security

This entry compares Flatpak security features (such as signed metadata) against Debian's APT package manager. [46] With one caveat, Flatpak package manager security is comparable to Debian's APT package manager: Flatpak currently does not defend against indefinite freeze attacks.

A definition of indefinite freeze attacks is provided by the TUF (The Update Framework) Threat Model:

An attacker continues to present files to a software update system files that the client has already seen. As a result, the client is kept unaware of new files.

For many adversaries this attack is difficult because it requires breaking TLS. While Flatpak package version information is not protected by a valid-until field, it is fetched over TLS. Adversaries capable of breaking TLS face an obstacle when dealing with torified connections (like those in Whonix®) -- an indefinite freeze attack cannot target a specific user, but will affect all Tor users. This increases the chances of being caught unless they also have the ability to break Tor. Even then the attack chain would be very complex:

  • Break Tor → Target specific user(s) → Break TLS → Mount an indefinite freeze attack → Exploit a vulnerability caused by an outdated software version.

To safeguard against this possibility, it is recommended to perform manual checks of version numbers for Flatpak-installed applications -- they should match those available from the flathub repository. Every flathub application has a corresponding website page with an Additional information section that lists Updated and Version information. For example, at the time of writing for Chromium:

Researching version information on the flathub website with a browser is equally vulnerable to indefinite freeze attacks because it also relies upon TLS. It is therefore recommended to use Whonix® or Tor Browser for this purpose. [47]

Sometimes APT software versions are quite old, which can lead to less functionality or even exposure to known vulnerabilities that are being exploited in the wild (see footnote). [48] Conversely, Flatpak usually offers more recent software versions and/or deploys security fixes in a more timely manner.

In summary, Flatpak advantages are considered to outweigh the potential risks of an indefinite freeze attack because the attack chain is complex. Also, Flatpak is sometimes the only trustworthy, easy-to-use software source that provides newer versions than those available in Debian stable (with Frozen Packages) or newer.

Forum discussion:

Flatpak Sandbox Security

Flatpak's sandbox is imperfect. Despite Flatpak sandbox issues, it is safe to use in the software installation context. By comparison, Debian's default package manager APT does not attempt to sandbox applications it is running at all.

Flatpak is a victim of imperfect marketing. Since the Flatpak sandbox is a built-in feature, any reported security issues reflect negatively on Flatpak's reputation. Frequently, non-technical users are unable to properly contextualize or assess its impact through threat modeling. Building a "perfect" sandbox -- containing arbitrary, ever-changing applications running on an ever-changing operating system -- is a much harder task than creating a package manager. The latter is essentially a file delivery mechanism and is therefore comparatively simpler to develop.

Flatpak sandboxing abilities are irrelevant so long as the sandboxing is not worse than software that is manually installed. Whatever Flatpak's sandbox is doing, it should not break an application’s own sandboxing. [49]

Flatpak's own sandboxing capabilities interfere with other sandboxing initiatives like Sandboxed Application Launcher and Firejail: [50]

Is Flatpak compatible with other desktop isolation frameworks? In general unprivileged container systems can’t stack, because anything running inside the sandbox does not have the necessary privileges to set up a sandbox, nor does it have the ability to raise its privileges in any way. For instance, Firejail can never work inside Flatpak, because it is setuid. That being said, using multiple sandboxing frameworks at once does not really make anything more secure, so there is little point in trying to nest things like that.

In the case of Sandboxed Application Launcher it is not used much at the time of writing anyhow, but that is not a reason against using it. Flatpak's own sandboxing and Sandboxed Application Launcher can be co-installed without issues, but the latter will be unable to sandbox applications installed through Flatpak. [51]

Qubes OS Specific

At the time of writing, applications installed using Flatpak do not present in the Qubes start menu. [52]
Workaround: navigate to Qube settings → applications tab → press "Refresh Applications".

Foreign Sources

For most use cases the extensive software range available from the official Debian repositories should be sufficient. A selection of nearly 60,000 programs [53] can be installed within a couple of steps. These packages are constantly maintained for bug/security fixes and are tightly integrated to provide a stable distribution.

To guarantee stability, no new versions are uploaded to Debian stable archives to avoid breaking the system. This makes Debian stable a dependable distribution and an excellent base for downstream distributions. However, the Linux software scene is very dynamic and sometimes users will want software that is not yet packaged in Debian. In this case it may be necessary to install software from separate sources; either from third party repositories, as a stand-alone precompiled .deb binary, or directly compiled source packages. [54]

Risks

Foreign sources should be used infrequently because they can cause problems. Note this is simply a warning about the worst case scenario and not a predetermined outcome of installing third party software.

Security Issues

Foreign sources pose important security implications for the affected system. Installing software is tantamount to granting root privileges to the developers. Software originating from dubious sources could replace important system components with malicious versions that allow backdoors or Trojan horses to be installed on the system.

In general, the installation of software is a matter of trust. The fact is every installed software source must be trusted. This trust is two-fold: firstly that the developers have integrity, and secondly that the community will notice any suspicious code, which might indicate compromise of the developers' machines. [55]

Dependency Hell

Manually installed packages can contain library versions that are unavailable in the standard repositories. This causes problems with dependency resolution when installing additional software from the official repository. Individual applications are less critical in this context, but when important system libraries in the third-party software are considered, complications are inevitable.

Depending on the severity of the complications, upgrades to the next version of the operating system might fail, or the system may become unbootable or generally unstable.

Mitigation

To reduce security risks and eliminate the risk of making the workstation unusable, utilize Multiple Kicksecure.

Kicksecure-Qubes users: For installation inside Qubes Templates, the risk can only be minimized by using Multiple Kicksecure-Qubes Templates.

GUI Applications with Root Rights

Moved to Safely Use Root Commands: Graphical Applications with Root Rights.

Footnotes

  1. Such as desirable software versions that are not yet bundled in the official repositories.
  2. https://web.archive.org/web/20170919173146/https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
  3. The pip developers refused to implement any kind of proper GPG signature verification, opting to support server HTTPS instead, which is a lot weaker. While the TUF secure updater project has implemented a safe version of pip, it is not clear how widely it has been adopted and whether it will become popular.
  4. https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md and http://www.webcitation.org/6F7Io2ncN
  5. https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html
  6. If security or stability are at all important for you: install stable. period. This is the most preferred way.

    ... Since there is typically over 1 year between releases you might find that stable contains old versions of packages. However, they have been tested in and out. One can confidently say that the packages do not have any known severe bugs, security holes etc., in them. The packages in stable integrate seamlessly with other stable packages. These characteristics are very important for production servers which have to work 24 hours a day, 7 days a week. ... Stable is rock solid. It does not break and has full security support. But it might not have support for the latest hardware.

    On the other hand, packages in testing or unstable can have hidden bugs, security holes etc. Moreover, some packages in testing and unstable might not be working as intended.

  7. There are no known examples at the time of writing.
  8. Most people nowadays are behind a NAT router which blocks unsolicited incoming connections by default. While that protects from outside Internet-based attacks, it does not protect against attacks launched from inside the local area network (LAN) (devices that use the same router). This is specifically dangerous when using shared WiFi hotspots.
  9. Perhaps including some recommended packages.
  10. See: set apt --no-install-recommends by default
  11. This wiki chapter has been authored so it may be a useful resource in the future.
  12. See software updaters for more information on this topic.
  13. Consider the following example. A user announces online that software X is being utilized, and another specific application set x, y, and z is installed. If this information becomes available to an adversary and the circuit-isolated apt passes through any Tor exit relays, mirrors or ISPs under their control, then they may guess it is associated with the same pseudonym. In that case, the adversary has a list of the user's installed packages, and can attempt a stale mirror attack (if the user has a custom Ubuntu build), or try other attacks against apt.
  14. As per the previous footnote, this threat equally applies to users who run an onion service with a specific set of server software, for example apache, mediawiki, phpbb, and others.
  15. Using PPA in Ubuntu Linux (Complete Guide):

    PPA stands for Personal Package Archive. The PPA allows application developers and Linux users to create their own repositories to distribute software. With PPA, you can easily get newer software version or software that are not available via the official Ubuntu repositories.

  16. One option is using Arm: Navigate to Kicksecure (Kicksecure-Qubes: kicksecure) → Select Arm - Tor Controller → Press "n" for a New Identity.
    Alternatively: Press "m" for the menu → Scroll down to "New Identity" → Press "Enter".
  17. The firewall is found on Kicksecure: /usr/bin/kicksecure_firewall
  18.
    ## Optionally restrict TransPort.
    ## Replace above rule with a more restrictive one, e.g.:
    #$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"

  19. If the DNS server is changed in Kicksecure /etc/resolv.conf, this will likely have no effect. The reason is the firewall on Kicksecure will redirect all those requests to Tor's DnsPort. The working exception to this rule is when users tunnel / encrypt DNS requests (DNSCrypt, httpsdnsd), as per the secondary DNS resolver instructions.
  20. The only missing elements at the time of writing were automatic client connections and inter-relay connections via IPv6. Bridges are fully supported. See also: IPv6 roadmap.
  21. https://phabricator.whonix.org/T509
  22. In simple terms, Kicksecure modifications can be ignored.
  23. Alternatively, users who like to torify over clearnet can add tor+.
    sudo su -c "echo -e 'deb tor+https://deb.debian.org/debian bookworm-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"
    Alternatively, users who like Onionizing Repositories can use the onion instead.
    sudo su -c "echo -e 'deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"
  24. Most often this step applies before attempting major Kicksecure upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
  25. Alternatively, users who like to torify the clearnet repository can add tor+.
    sudo su -c "echo -e 'deb tor+https://fasttrack.debian.net/debian/ bookworm-fasttrack main contrib non-free' > /etc/apt/sources.list.d/fasttrack.list"
    It is not yet possible to set an .onion mirror for fasttrack.
  26. Most often this step applies before attempting major Kicksecure upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
  27. Users should Prefer Packages from Debian Stable Repository, but using backports is better than manual software installation or using third party package managers since this prefers APT. To contain the risk,
  28. Most often this step applies before attempting major Kicksecure upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
  29. Most often this step applies before attempting major Kicksecure upgrades; upgrade instructions are also made available at that time (see Follow Kicksecure Developments).
  30. https://www.debian.org/releases/sid/
  31. https://www.debian.org/security/faq#unstable
  32. See: https://wiki.debian.org/DebianUnstable#What_are_some_best_practices_for_testing.2Fsid_users.3F
  33. It is recommended to create Multiple Kicksecure to install the package due to these risks.
  34. Most often this step applies before attempting major Kicksecure upgrades; upgrade instructions are also made available at that time (see stay tuned).
  35. Debian_Packages#Technical_Information
  36. How to install software
  37. https://www.qubes-os.org/doc/templates/#note-on-treating-app-qubes-root-filesystem-non-persistence-as-a-security-feature
  38. Obvious hook targets include .bashrc, the Firefox profile directory (which contains extensions), or PDF or DOC documents that are likely to be opened by the user.
  39. APT works because of Qubes' qrexec-based updates proxy.
  40. https://en.wikipedia.org/wiki/Flatpak
  41. https://en.wikipedia.org/wiki/Flatpak#Features
  42. https://en.wikipedia.org/wiki/Flatpak#Support
  43. https://docs.flatpak.org/en/latest/introduction.html
  44. Although Firejail cannot be run in conjunction with Flatpak.
  45. Runtimes are basic dependencies that are used by packages.
  46. Note that source code is not considered in this comparison.
  47. In theory some adversaries are capable of mounting an indefinite freeze attack against all visitors arriving from the Tor network. This is considered unlikely because the threat of eventual detection is too high. Such an attack would be widely publicized and might lead to major improvements in how Internet encrypted/authenticated connections are established.
  48. Chromium exploitation example.
  49. https://github.com/flatpak/flatpak/issues/4032
  50. https://flatpak.org/faq/
  51. FlatPak as a Software Source / flathub as a source of software.
  52. flatpak installed applications do not show up in Qubes start menu
  53. https://www.debian.org/intro/why_debian
  54. https://www.debian.org/doc/manuals/debian-faq/ch-pkg_basics.en.html
  55. With reproducible package builds on the horizon, the security risk from the second factor will be minimal in the future.
