From 04d898ffad34eb2b71d26f22f72beaec3ab89180 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Wed, 14 Mar 2018 08:16:04 +0100 Subject: [PATCH] Update incoming directory to QubesIncoming Five years ago, commit https://github.com/QubesOS/qubes-core-agent-linux/commit/a9bd7120c4252b0b7f1a93f9fe874c2cb0140ff3 changed the target directory of qfile-unpacker from /home/user/incoming to /home/user/QubesIncoming. Update the documentation accordingly. --- services/qfilecopy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/qfilecopy.md b/services/qfilecopy.md index 033bd104..7022b5f7 100644 --- a/services/qfilecopy.md +++ b/services/qfilecopy.md 
@@ -27,4 +27,4 @@ In Qubes Beta1, we have reimplemented interVM file copy using qrexec, which addr The rpc action for regular file copy is *qubes.Filecopy*, the rpc client is named *qfile-agent*, the rpc server is named *qfile-unpacker*. For DispVM copy, the rpc action is *qubes.OpenInVM*, the rpc client is named *qopen-in-vm*, rpc server is named *vm-file-editor*. Note that the qubes.OpenInVM action can be done on a normal AppVM, too. -Being a rpc server, *qfile-unpacker* must be coded securely, as it processes potentially untrusted data format. Particularly, we do not want to use external tar or cpio and be prone to all vulnerabilities in them; we want a simplified, small utility, that handles only directory/file/symlink file type, permissions, mtime/atime, and assume user/user ownership. In the current implementation, the code that actually parses the data from srcVM has ca 100 lines of code and executes chrooted to the destination directory. The latter is hardcoded to `~user/incoming/srcVM`; because of chroot, there is no possibility to alter files outside of this directory. +Being a rpc server, *qfile-unpacker* must be coded securely, as it processes potentially untrusted data format. Particularly, we do not want to use external tar or cpio and be prone to all vulnerabilities in them; we want a simplified, small utility, that handles only directory/file/symlink file type, permissions, mtime/atime, and assume user/user ownership. In the current implementation, the code that actually parses the data from srcVM has ca 100 lines of code and executes chrooted to the destination directory. The latter is hardcoded to `~user/QubesIncoming/srcVM`; because of chroot, there is no possibility to alter files outside of this directory.
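Review bot: On the changed `+` line only the path is updated, but the same sentence still describes "the current implementation" as having "ca 100 lines of code" and executing chrooted to the destination directory. Since the commit message says the path had been stale for five years, please confirm those two claims against the present qfile-unpacker source in the same change, or reword them so they do not read as current fact. The closing statement that "there is no possibility to alter files outside of this directory" rests entirely on the chroot claim, so it is the part a reader relying on this page for a security property most needs to be accurate. Minor style points while the line is being touched: "Being a rpc server" should read "Being an RPC server", and "assume user/user ownership" should be "assumes".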