From 3eaf344d6f521584232cd447a838e450930c52c1 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 14 Feb 2023 23:21:35 -0800 Subject: [PATCH] Move content from qubes-doc (QubesOS/qubes-doc#1296) --- ...cing-passwordless-root-with-dom0-prompt.md | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 docs/security/replacing-passwordless-root-with-dom0-prompt.md diff --git a/docs/security/replacing-passwordless-root-with-dom0-prompt.md b/docs/security/replacing-passwordless-root-with-dom0-prompt.md new file mode 100644 index 0000000..dd1d6ed --- /dev/null +++ b/docs/security/replacing-passwordless-root-with-dom0-prompt.md @@ -0,0 +1,82 @@ +# Replacing passwordless root with a dom0 prompt + +For context, please see [passwordless root](https://www.qubes-os.org/doc/passwordless-root/). + +While ITL supports the statement above, some Qubes users may wish to enable user/root isolation in VMs anyway. +We do not support it in any of our packages, but of course nothing is preventing the user from modifying his or her own system. +A list of steps to do so is provided here **without any guarantee of safety, accuracy, or completeness. +Proceed at your own risk. +Do not rely on this for extra security.** + +1. Adding Dom0 "VMAuth" service: + + ``` + [root@dom0 /]# echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth + [root@dom0 /]# echo "@anyvm dom0 ask,default_target=dom0" \ + >/etc/qubes-rpc/policy/qubes.VMAuth + [root@dom0 /]# chmod +x /etc/qubes-rpc/qubes.VMAuth + ``` + + (Note: any VMs you would like still to have passwordless root access (e.g. Templates) can be specified in the second file with "\ dom0 allow") + +2. Configuring Fedora template to prompt Dom0 for any authorization request: + - In `/etc/pam.d/system-auth`, replace all lines beginning with "auth" with these lines: + + ``` + auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$ + auth requisite pam_deny.so + auth required pam_permit.so + ``` + + - Require authentication for sudo. + Replace the first line of `/etc/sudoers.d/qubes` with: + + ``` + user ALL=(ALL) ALL + ``` + + - Disable PolKit's default-allow behavior: + + ``` + [root@fedora-20-x64]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules + [root@fedora-20-x64]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla + ``` + +3. Configuring Debian/Whonix template to prompt Dom0 for any authorization request: + - In `/etc/pam.d/common-auth`, replace all lines beginning with "auth" with these lines: + + ``` + auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$ + auth requisite pam_deny.so + auth required pam_permit.so + ``` + + - Require authentication for sudo. + Replace the first line of `/etc/sudoers.d/qubes` with: + + ``` + user ALL=(ALL) ALL + ``` + + - Disable PolKit's default-allow behavior: + + ``` + [root@debian-8]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules + [root@debian-8]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla + ``` + + - In `/etc/pam.d/su.qubes`, comment out this line near the bottom of the file: + + ``` + auth sufficient pam_permit.so + ``` + + - For Whonix, if prompts appear during boot, create `/etc/sudoers.d/zz99` and add these lines: + + ``` + ALL ALL=NOPASSWD: /usr/sbin/virt-what + ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck restart + ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck start + ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck stop + ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck status + ```