freedomofpress/dangerzone

Confusion on installing dangerzone on whonix-workstation in virtualbox

Closed this issue · 3 comments

Whonix-workstation is based on kicksecure, which is a hardened version of debian bookworm.

I installed dangerzone in whonix workstation. It says, "Dangerzone Requires Docker Desktop. Docker is installed but isn't running. Open Docker and make sure it's running in the background." This confuses me. https://github.com/freedomofpress/dangerzone/blob/main/INSTALL.md#linux says that "On Linux, Dangerzone uses Podman instead of Docker Desktop for creating an isolated environment. It will be installed automatically when installing Dangerzone."

Why is it asking me for docker? And what do I need to do to get it to work? Thank you.

Sigh, we really have to fix #212 ...

Sorry for the confusion, Podman is indeed used on Linux environments. For a more accurate error, can you please run dangerzone-cli? It's the CLI flavor of the Dangerzone GUI that you are using, and it prints some messages to your terminal.

My guess is that Podman somehow fails to load the container image, which is located in /usr/share/dangerzone/container.tar.gz. If you can share some logs from the Dangerzone CLI, it would help.

Thank you. Here is terminal output.

[workstation user ~]% dangerzone-cli
Usage: dangerzone-cli [OPTIONS] FILENAMES...
Try 'dangerzone-cli --help' for help.

Error: Missing argument 'FILENAMES...'.
zsh: exit 2     dangerzone-cli
[workstation user ~]% dangerzone    
[DEBUG] Inferred system color scheme as OSColorMode.LIGHT
[ERROR] Docker is not running
[DEBUG] Setting up Dangerzone updater
[DEBUG] Consulting updater settings before checking for updates
[DEBUG] Checking platform type
[DEBUG] Running on Linux, disabling updates
[DEBUG] Will not check for updates, based on updater settings
zsh: exit 2     dangerzone
[workstation user ~]% dangerzone-cli --help
Usage: dangerzone-cli [OPTIONS] FILENAMES...

Options:
  --output-filename TEXT  Default is filename ending with -safe.pdf
  --ocr-lang TEXT         Language to OCR, defaults to none
  --archive               Archives the unsafe version in a subdirectory named
                          'unsafe'
  --version               Show the version and exit.
  --help                  Show this message and exit.
[workstation user ~]% dangerzone-cli --version
0.7.0
[workstation user ~]% touch testfile.txt
[workstation user ~]% dangerzone-cli testfile.txt
╭──────────────────────────╮
│           ▄██▄           │
│          ██████          │
│         ███▀▀▀██         │
│        ███   ████        │
│       ███   ██████       │
│      ███   ▀▀▀▀████      │
│     ███████  ▄██████     │
│    ███████ ▄█████████    │
│   ████████████████████   │
│    ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀    │
│                          │
│    Dangerzone v0.7.0     │
│ https://dangerzone.rocks │
╰──────────────────────────╯
Assigning ID 'f3mBqd' to doc '/home/user/testfile.txt'
ERRO[0000] running `/usr/bin/newuidmap 7682 0 1000 1 1 100000 65536`:  
Error: cannot set up namespace using "/usr/bin/newuidmap": should have setuid or have filecaps setuid: fork/exec /usr/bin/newuidmap: permission denied
Traceback (most recent call last):
  File "/usr/bin/dangerzone-cli", line 33, in <module>
    sys.exit(load_entry_point('dangerzone==0.7.0', 'console_scripts', 'dangerzone-cli')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dangerzone/errors.py", line 103, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dangerzone/cli.py", line 87, in cli_main
    dangerzone.isolation_provider.install()
  File "/usr/lib/python3/dist-packages/dangerzone/isolation_provider/container.py", line 155, in install
    if Container.is_container_installed():
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dangerzone/isolation_provider/container.py", line 197, in is_container_installed
    found_image_id = subprocess.check_output(
                     ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 466, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['/usr/bin/podman', 'image', 'list', '--format', '{{.ID}}', 'dangerzone.rocks/dangerzone']' returned non-zero exit status 125.
zsh: exit 1     dangerzone-cli testfile.txt
[workstation user ~]% 

Great, thanks for the error log. So, here's the culprit:

Error: cannot set up namespace using "/usr/bin/newuidmap": should have setuid or have filecaps setuid: fork/exec /usr/bin/newuidmap: permission denied

The issue here is that the newuidmap binary, provided by your system, does not have the necessary file permissions to work. Here's some reading material that can help you understand this error:

Kicksecure offers a way to re-enable these capabilities (see https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-enable_Specific_SUID_Binaries). You can try these instructions on the newuidmap / newgidmap binaries, and see if Dangerzone works. Then, you can persist these changes with some instructions that are mentioned later on in this page.

Hopefully this will resolve your problem. In the meantime, I'm closing this issue since the error here is not caused by Dangerzone, and it involves an operating system that we don't provide support for yet.
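The newuidmap failure in the log above, as an added diagnostic example (not Dangerzone's or Kicksecure's code): it parses the `ERRO` line into the uid-map triples rootless Podman asked newuidmap to write, checks them against an /etc/subuid file, and tests for the setuid bit or cap_setuid file capability the error message names. The subuid content in the test is constructed, and the `check_binary` helper's use of `getcap` for a live system is an assumption about the host having libcap tools installed.

```python
"""Diagnose why rootless Podman could not set up its user namespace via newuidmap."""
import os
import re
import stat
import subprocess

# Matches: running `/usr/bin/newuidmap PID inner outer count [inner outer count ...]`
ERRO_RE = re.compile(r"running `(\S+/newuidmap) (\d+)((?: \d+ \d+ \d+)+)`")


def parse_newuidmap_cmd(line):
    """Return (binary, pid, [(inner_uid, outer_uid, count), ...]) from a Podman ERRO line."""
    m = ERRO_RE.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.group(3).split()]
    triples = [tuple(nums[i:i + 3]) for i in range(0, len(nums), 3)]
    return m.group(1), int(m.group(2)), triples


def subuid_covers(subuid_text, user, triples):
    """Return the triples that fall outside the user's /etc/subuid ranges (empty means all covered)."""
    ranges = []
    for raw in subuid_text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            start, count = int(parts[1]), int(parts[2])
            ranges.append((start, start + count))
    missing = []
    for inner, outer, count in triples:
        if inner == 0 and count == 1:
            continue  # the caller's own uid mapped to root in the namespace needs no subuid entry
        if not any(lo <= outer and outer + count <= hi for lo, hi in ranges):
            missing.append((inner, outer, count))
    return missing


def has_privilege(mode, getcap_output):
    """newuidmap writes other users' uids into /proc/PID/uid_map, so it needs setuid or cap_setuid."""
    return bool(mode & stat.S_ISUID) or "cap_setuid" in getcap_output


def check_binary(path):
    """Live check on this host (assumes getcap from libcap is installed; falls back to mode only)."""
    mode = os.stat(path).st_mode
    try:
        caps = subprocess.run(["getcap", path], capture_output=True, text=True).stdout
    except FileNotFoundError:
        caps = ""
    return has_privilege(mode, caps)


if __name__ == "__main__":
    for binary in ("/usr/bin/newuidmap", "/usr/bin/newgidmap"):
        print(binary, "privileged" if check_binary(binary) else "NOT privileged (namespace setup will fail)")
```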