mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-23 22:39:27 -05:00
Move specifics of passwordless root implementation to developer docs.
Closes PR #1296
This commit is contained in:
parent
75102ad8ad
commit
0d34d104d9
50
developer/system/vm-sudo.md
Normal file
50
developer/system/vm-sudo.md
Normal file
@ -0,0 +1,50 @@
|
||||
---
|
||||
lang: en
|
||||
layout: doc
|
||||
permalink: /doc/vm-sudo-implementation/
|
||||
redirect_from:
|
||||
- /en/doc/vm-sudo-implementation/
|
||||
- /doc/VMSudo-implementation/
|
||||
ref: 341
|
||||
title: Passwordless root access in qubes
|
||||
---
|
||||
|
||||
The rationale behind passwordless root in qubes is set out [here](/doc/vm-sudo). Implementation is by the qubes-core-agent-passwordless-root package.
|
||||
|
||||
This page sets out the configuration changes made, with (not necessary complete) list of mechanisms depending on each of them:
|
||||
|
||||
1. sudo (`/etc/sudoers.d/qubes`):
|
||||
|
||||
```
|
||||
Defaults !requiretty
|
||||
%qubes ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t NOPASSWD: ALL
|
||||
|
||||
(...)
|
||||
```
|
||||
|
||||
- Easy user -> root access (main option for the user).
|
||||
- `qvm-usb` (not really working, as of R2).
|
||||
|
||||
2. PolicyKit (`/etc/polkit-1/rules.d/00-qubes-allow-all.rules`):
|
||||
|
||||
```
|
||||
//allow any action, detailed reasoning in sudoers.d/qubes
|
||||
polkit.addRule(function(action,subject) { if (subject.isInGroup("qubes")) return polkit.Result.YES; });
|
||||
|
||||
```
|
||||
|
||||
PAM (`/etc/pam.d/su.qubes` or `/usr/share/pam-configs/su.qubes`)
|
||||
```
|
||||
auth sufficient pam_succeed_if.so use_uid user ingroup qubes
|
||||
```
|
||||
|
||||
- NetworkManager configuration from normal user (`nm-applet`).
|
||||
- Updates installation (`gpk-update-viewer`).
|
||||
- User can use pkexec just like sudo Note: above is needed mostly because Qubes user GUI session isn't treated by PolicyKit/logind as "local" session because of the way in which X server and session is started.
|
||||
Perhaps we will address this issue in the future, but this is really low priority.
|
||||
Patches welcomed anyway.
|
||||
|
||||
3. Empty root password:
|
||||
- Used for access to 'root' account from text console (`qvm-console-dispvm`) - the only way to access the VM when GUI isn't working.
|
||||
- Can be used for easy 'su -' from user to root.
|
||||
|
Loading…
Reference in New Issue
Block a user