diff --git a/developer/system/vm-sudo.md b/developer/system/vm-sudo.md new file mode 100644 index 00000000..2ed578d0 --- /dev/null +++ b/developer/system/vm-sudo.md @@ -0,0 +1,50 @@ +--- +lang: en +layout: doc +permalink: /doc/vm-sudo-implementation/ +redirect_from: +- /en/doc/vm-sudo-implementation/ +- /doc/VMSudo-implementation/ +ref: 341 +title: Passwordless root access in qubes +--- + +The rationale behind passwordless root in qubes is set out [here](/doc/vm-sudo). Implementation is by the qubes-core-agent-passwordless-root package. + +This page sets out the configuration changes made, with (not necessary complete) list of mechanisms depending on each of them: + +1. sudo (`/etc/sudoers.d/qubes`): + + ``` + Defaults !requiretty + %qubes ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t NOPASSWD: ALL + + (...) + ``` + + - Easy user -> root access (main option for the user). + - `qvm-usb` (not really working, as of R2). + +2. PolicyKit (`/etc/polkit-1/rules.d/00-qubes-allow-all.rules`): + + ``` + //allow any action, detailed reasoning in sudoers.d/qubes + polkit.addRule(function(action,subject) { if (subject.isInGroup("qubes")) return polkit.Result.YES; }); + + ``` + + PAM (`/etc/pam.d/su.qubes` or `/usr/share/pam-configs/su.qubes`) + ``` + auth sufficient pam_succeed_if.so use_uid user ingroup qubes + ``` + + - NetworkManager configuration from normal user (`nm-applet`). + - Updates installation (`gpk-update-viewer`). + - User can use pkexec just like sudo Note: above is needed mostly because Qubes user GUI session isn't treated by PolicyKit/logind as "local" session because of the way in which X server and session is started. + Perhaps we will address this issue in the future, but this is really low priority. + Patches welcomed anyway. + +3. Empty root password: + - Used for access to 'root' account from text console (`qvm-console-dispvm`) - the only way to access the VM when GUI isn't working. + - Can be used for easy 'su -' from user to root. +