TODO: come up with the title

Qubes can have a steep learning curve. This means that when you are setting up a system for someone else to use, that explaining qubes in full to them can be difficult.

Here we try to create restricted sys-guis, where they only need to see the parts that pertain to them. Basically a administrative gui login (dom0), and a restricted user sys-gui login.

The restricted user gui login serves the following: - Cut down the user interface to just the necessary interface to tasks that they need to do
- example: Scrolling through a list of 63 AppVMs to find the correct one is a bit cumbersome for me, and could be confusing to new users.
While the 'find' option is there, that would require explaining, and for them to know the name of the appvm they want and/or the command they want. (I.E. they cannot use process of eliminiation of the available options to figure out which one they want) - example: They may not need to see that sys-firewall type qubes connect to sys-net. Instead some users may be better off just knowing about a sys-internet (renamed from sys-firewall for them), and sys-vpn-to-work, and may be better off not even knowing about sys-net on day one.

Please note that this procedure has not gone through any qubes-os security review

Step 1: set up the basic sys-gui:

You can set up a sys-gui qube by doing:

qvm-prefs default-mgmt-dvm template fedora-38
(Note: fedora-40-xfce is another option, but sometimes gives a "no such module" salt.{something}.six} error### (also, dont use debian)

sudo qubesctl top.enable qvm.sys-gui
sudo qubesctl top.enable qvm.sys-gui pillar=True
sudo qubesctl --all state.highstate

if everything worked, you can then: 

sudo qubesctl top.disable qvm.sys-gui

Then finally create a qube called work-sys-gui and then do: 

qvm-prefs  work-sys-gui guivm sys-gui

Then you can logout, then change the upper right corner option on the login screen to "sys-gui" then login again.

You should now be logged into sys-gui. (sys-gui now seems to have a blue hamster as the desktop background). Great. Now quick, log out and log back into dom0 before the screen lock triggers!

(Should we give pointers to documentation on using sys-gui here?)

Should we give something here at this point to give people some sys-gui stuff to explore before moving on to a restricted user? Give me your thoughts.

From basic sys-gui to a restricted user

Give yourself a way to unlock the screen when logged into sys-gui:

Before anything else, lets create a way for you to unlock the screen when you are running sys-gui: 

sudo /bin/sh -c "sudo grep '^user:' /etc/shadow | sed 's/^user:\([^:]*\):.*/sys-gui:\1/' >  /etc/qubes-sys-gui-user-passwords"
sudo chmod 600 /etc/qubes-sys-gui-user-passwords
now create a file in dom0 called /usr/local/bin/fix-guivm-password.sh, that contains:

NEW_PASSWORD_HASH=`sudo grep "^$1:" /etc/qubes-sys-gui-user-passwords | sed 's/^[^:]*://'`

ESCAPED_PASSWORD_HASH="${NEW_PASSWORD_HASH//\//\\\/}"

qvm-run --pass-io --no-gui --user=root $1 "sed -i 's/^user:[^:]*:/user:$ESCAPED_PASSWORD_HASH:/' /etc/shadow"
then do: 
chmod a+x /usr/local/fix-guivm-password.sh

Then, make a backup of /usr/bin/qubes-guivm-session , and replace it with:

#!/usr/bin/bash -e

USER=`whoami`
if [ $USER = 'user' ]; then
    VM='sys-gui';
else
    VM="sys-gui-$USER";
fi

echo "Throwing away parameter $1 and running $VM as our sys-gui domain instead"

print_usage() {
cat >&2 <<USAGE
Usage: $0 vmname
Starts given VM and runs its associated GUI daemon. Used as X session for the
GUI domain.
USAGE
}

if [ $# -lt 1 ] ; then
    print_usage
    exit 1
fi

# Start VM, gui-daemon and audio
qvm-start --skip-if-running "$VM"
qvm-start-daemon --watch "$VM" &

/usr/local/bin/fix-guivm-password.sh $VM

# Run the inner session (Xephyr) and wait until it exits
exec qvm-run -p --no-gui --service "$VM" qubes.GuiVMSession

Now you should be able to logout of dom0, change the upper right corner option on the login screen to "sys-gui" then login again.

This time when the screen locks, it should be the same password as "user" in dom0 (hopefully)

add a second sys-gui:

Create a file called "add-new-sys-gui-user.sh" that contains:

sudo qubes-dom0-update mkpasswd

NEWUSER=$1
NEWSYSGUI=sys-gui-$NEWUSER

echo "DEBUG: adding new user $NEWUSER and new qube $NEWSYSGUI"


sudo adduser $NEWUSER --groups qubes,tty
#passwd $NEWUSER

echo enter the password for the new $NEWUSER user
NEW_PASSWORD_HASH=`mkpasswd`
ESCAPED_PASSWORD_HASH="${NEW_PASSWORD_HASH//\//\\\/}"

###todo: if a password for that sys-gui-user vm  is already in there it will create 2.  add a check for that
sudo /bin/sh -c "echo '$NEWSYSGUI:$NEW_PASSWORD_HASH' >> /etc/qubes-sys-gui-user-passwords"
sudo sed -i "s/^$NEWUSER:[^:]*:/$NEWUSER:$ESCAPED_PASSWORD_HASH:/" /etc/shadow
echo password added

sudo /bin/sh -c "sed 's/user/$NEWUSER/' /etc/sudoers.d/qubes-input-trigger > /etc/sudoers.d/qubes-input-trigger-$NEWUSER"

##create the new sys-gui qube
sudo qvm-clone sys-gui $NEWSYSGUI

echo "now create the qubes that this user should have access to and do 'qvm-prefs guivm {new qube} $NEWSYSGUI' for each one"

then do: 

chmod a+x add-new-sys-gui-user.sh;

Then doing:

./add-new-sys-gui-user.sh bob

will ask for a password for bob, then add a new dom0 user login called "bob", create a sys-gui-bob, and set up some basic policies for it. Once that is done, then just like before, pick a color and do something like:

qvm-create bob-work --label orange 
qvm-prefs bob-work guivm sys-gui-bob
qvm-create bob-personal --label orange 
qvm-prefs bob-personal guivm sys-gui-bob
in order to give bob some VM's. Then log out of dom0, select "bob" as the login person, select "sys-gui" from the upper right session list, then type bobs password and you should see a new sys-gui the blue "qubes domains" cube icon in the system tray should acknowledge the existence of the qubes you set sys-gui-bob as the guivm for.

You can confirm you are in bobs sys-gui-bob by right clicking on the desktop, selecting terminal and seeing the hostname of sys-gui-bob.

Notes:

echo also check the policy files to make sure no admin permissions have been given to this qube

echo 'hit enter to see what permissions this new sys-gui-user instance has out of the box (that you may want to disable):' read

grep -ir $NEWSYSGUI /etc/qubes/policy.d/ | less

sudo /bin/sh -c "sed 's/sys-gui/$NEWSYSGUI/g' /etc/qubes/policy.d/50-gui-sys-gui.policy > /etc/qubes/policy.d/50-gui-$NEWSYSGUI.policy"

echo 'Note there are more sys-gui policies in /etc/qubes/policy.d/50-gui-sys-gui.policy/include that need to be assessed too'

##### OPTIONAL echo 'optionally, you can give the vm "readonly admin" rights. if you want to, see the last 2 lines of this file. exiting' exit sudo /bin/sh -c "grep 'sys-gui[^-]' /etc/qubes/policy.d/include/admin-local-rwx | sed 's/sys-gui([^-])/$NEWSYSGUI\1/g' >> /etc/qubes/policy.d/include/admin-local-ro" sudo /bin/sh -c "grep 'sys-gui[^-]' /etc/qubes/policy.d/include/admin-global-rwx | sed 's/sys-gui([^-])/$NEWSYSGUI\1/g' >> /etc/qubes/policy.d/include/admin-global-ro"

If you look at the qubes available, it's just the work-sys-gui qube. Now, you can load the settings for the work-sys-gui qube, and you can run things in work-sys-gui with your default network. You can also change the network from sys-firewall (or whatever your default network was) to "none", and network access will no longer be available. perfect.

However, you are not allowed to change network access back from "none" to sys-firewall (or whatever your default network was). This looks like a policy issue! But we have 2 problems now. #1. Every time we want to change the policies, we need to log out and log back in as dom0. And #2 dom0 gets the notifications of what policy was denied when we tried to enable sys-firewall. This takes forever and is not condusive to trial and error.

We will fix those parts now by installing a "useless sys-gui-vnc" that does not have network access (and cant be reached remotely).