[Whonix-devel] [qubes-users] Guide: Monero wallet/daemon isolation w/qubes+whonix
patrick-mailinglists at whonix.org
Thu Aug 16 07:05:00 CEST 2018
is missing how to actually use it.
I guess it is simply: run `monero-wallet-cli` or monero gui in
> Patrick Schleizer:
>> I didn't notice this thread until now.
>> Now reference here:
>> I am wondering how to save users from as many manual steps as possible.
>> To save users from having to edit /rw/config/rc.local...
>>> socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
>> Could maybe be replaced by file:
>> $pre_command socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
>> Should work after reboot (or after "sudo systemctl restart
> Tested, works on Whonix 14/Qubes 4.0.
> Would you consider shipping this as a default Whonix file, or maybe part
> of a package?
In package https://github.com/Whonix/qubes-whonix when using socket
File name should not contain "anon-ws-disable-stacked-tor" / "autogen".
Replace "ExecStart=/lib/systemd/systemd-socket-proxyd 10.152.152.10:9050"
socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm
Untested. Does that work?
Would this break monerod for users not using this Monero wallet/daemon
isolation? I mean, does monerod use local port 18081 by default? In that
case we'd need to change that port.
> If not, the user will have to put this on the TemplateVM
> or config bind-dirs; which are both additional steps.
>> /etc/qubes-rpc/policy/user.monerod could maybe become:
>> To save users from manually creating it, could be dropped here:
>> If you like, create a pull request and see what Marek thinks.
> This would be useful. It's on my radar.
>> /home/user/monerod.service would be better in /rw so only root can write
>> to it. Even better perhaps systemd user services?
> Interesting, I didn't know about this. I don't see how moving the file
> from /home/user/ to /home/user/.config/systemd/user is more secure,
> I think moving it to /rw may be slightly better, but
> passwordless sudo kind of negates that.
Indeed only useful for users of these:
Qubes-VM-hardening will be easily available one day probably.
I guess password protected sudo will get more and more easy in Qubes so
very much worth going for proper access rights.
> The best would be to put it on the TemplateVM in /lib/systemd/system/,
> but, again, this is more steps for the user.
> In regards to monero being in stretch-backports now, I think it might be
> an equal number of steps or more than there is now, and more confusing
> for the user, to add stretch-backports to the TemplateVM's sources and
> install via apt. If it were in stretch this would be no question.
And only monerod is in Debian. monero gui is not.
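
The point raised above about keeping monerod.service where only root can write to it depends on every directory above the file as well as on the file itself: whoever can write to a parent directory can replace the unit. The following Python check is an added example, not part of the original thread or of any Whonix/Qubes package; the function name `audit_write_access` and the temporary `units/monerod.service` layout are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_write_access(path, trusted_uids=frozenset({0}), stop="/"):
    """Return [(component, reason)] for each path component, from `path`
    up to `stop`, that an account outside `trusted_uids` could modify."""
    findings = []
    current = os.path.realpath(path)
    stop = os.path.realpath(stop)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, "owned by uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.append((current, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            break
        current = parent
    return findings


def demo():
    """Audit a constructed unit file before and after loosening its directory."""
    # The current uid stands in for root so the demo runs unprivileged.
    me = frozenset({os.getuid()})
    with tempfile.TemporaryDirectory() as base:
        unit_dir = os.path.join(base, "units")
        os.mkdir(unit_dir)
        os.chmod(unit_dir, 0o755)
        unit = os.path.join(unit_dir, "monerod.service")
        with open(unit, "w") as f:
            f.write("[Service]\n")
        os.chmod(unit, 0o644)
        tight = audit_write_access(unit, me, stop=unit_dir)
        # The file keeps mode 0644, but its directory is now open to anyone.
        os.chmod(unit_dir, 0o777)
        loose = audit_write_access(unit, me, stop=unit_dir)
    return tight, loose


if __name__ == "__main__":
    for label, result in zip(("tight", "loose"), demo()):
        print(label, result)
```

Called with the defaults (`trusted_uids` of root only, `stop="/"`) on a real unit path, it reports every component a non-root account could change.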