From 7390bef3a78979a0110b7751ae00f43fadd8c5ec Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 30 Jul 2023 12:03:38 -0400 Subject: [PATCH] Update vm-sudo.md remove part that was moved to Qubes community fixes https://github.com/QubesOS/qubes-issues/issues/8375 --- user/security-in-qubes/vm-sudo.md | 76 +------------------------------ 1 file changed, 2 insertions(+), 74 deletions(-) diff --git a/user/security-in-qubes/vm-sudo.md b/user/security-in-qubes/vm-sudo.md index 7a840ab9..79902835 100644 --- a/user/security-in-qubes/vm-sudo.md +++ b/user/security-in-qubes/vm-sudo.md @@ -105,83 +105,11 @@ Replacing passwordless root access with Dom0 user prompt While the Qubes developers support the statement above, some Qubes users may wish to enable user/root isolation in VMs anyway. We do not support it in any of our packages, but of course nothing is preventing the user from modifying his or her own system. -A list of steps to do so is provided here **without any guarantee of safety, accuracy, or completeness. +A list of steps to do so is provided at [Qubes community, Replacing passwordless root with a dom0 prompt +](https://github.com/Qubes-Community/Contents/blob/master/docs/security/replacing-passwordless-root-with-dom0-prompt.md) **without any guarantee of safety, accuracy, or completeness. Proceed at your own risk. Do not rely on this for extra security.** -1. Adding Dom0 "VMAuth" service: - - ``` - [root@dom0 /]# echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth - [root@dom0 /]# echo "@anyvm dom0 ask,default_target=dom0" \ - >/etc/qubes-rpc/policy/qubes.VMAuth - [root@dom0 /]# chmod +x /etc/qubes-rpc/qubes.VMAuth - ``` - - (Note: any VMs you would like still to have passwordless root access (e.g. Templates) can be specified in the second file with "\ dom0 allow") - -2. Configuring Fedora template to prompt Dom0 for any authorization request: - - In `/etc/pam.d/system-auth`, replace all lines beginning with "auth" with these lines: - - ``` - auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$ - auth requisite pam_deny.so - auth required pam_permit.so - ``` - - - Require authentication for sudo. - Replace the first line of `/etc/sudoers.d/qubes` with: - - ``` - user ALL=(ALL) ALL - ``` - - - Disable PolKit's default-allow behavior: - - ``` - [root@fedora-20-x64]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules - [root@fedora-20-x64]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla - ``` - -3. Configuring Debian/Whonix template to prompt Dom0 for any authorization request: - - In `/etc/pam.d/common-auth`, replace all lines beginning with "auth" with these lines: - - ``` - auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$ - auth requisite pam_deny.so - auth required pam_permit.so - ``` - - - Require authentication for sudo. - Replace the first line of `/etc/sudoers.d/qubes` with: - - ``` - user ALL=(ALL) ALL - ``` - - - Disable PolKit's default-allow behavior: - - ``` - [root@debian-8]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules - [root@debian-8]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla - ``` - - - In `/etc/pam.d/su.qubes`, comment out this line near the bottom of the file: - - ``` - auth sufficient pam_permit.so - ``` - - - For Whonix, if prompts appear during boot, create `/etc/sudoers.d/zz99` and add these lines: - - ``` - ALL ALL=NOPASSWD: /usr/sbin/virt-what - ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck restart - ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck start - ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck stop - ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck status - ``` - Dom0 passwordless root access -----------------------------