mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-24 23:09:29 -05:00
Update passwordless root page
- Choose more descriptive permalink - Add redirect for old permalink - Adjust title to more accurately describe page content - Add intro - Update heading syntax - Update background description for accuracy - Create new section for configuration changes - Move section on replacing passwordless root with a dom0 prompt to community documentation - Improve grammar and style See the discussion on #1295 for background.
This commit is contained in:
parent
14593deb24
commit
cbe8c50d70
@ -1,16 +1,21 @@
|
|||||||
---
|
---
|
||||||
lang: en
|
lang: en
|
||||||
layout: doc
|
layout: doc
|
||||||
permalink: /doc/vm-sudo/
|
permalink: /doc/passwordless-root/
|
||||||
redirect_from:
|
redirect_from:
|
||||||
|
- /doc/vm-sudo/
|
||||||
- /en/doc/vm-sudo/
|
- /en/doc/vm-sudo/
|
||||||
- /doc/VMSudo/
|
- /doc/VMSudo/
|
||||||
- /wiki/VMSudo/
|
- /wiki/VMSudo/
|
||||||
ref: 165
|
ref: 165
|
||||||
title: Passwordless root access in qubes
|
title: Passwordless root
|
||||||
---
|
---
|
||||||
|
|
||||||
Background (`/etc/sudoers.d/qubes` in VM):
|
In certain parts of Qubes OS, root access (such as the use of the `sudo` command) can be obtained without having to provide a password. This is an intentional design decision. This page explains the rationale for that decision, as well as technical aspects associated with it.
|
||||||
|
|
||||||
|
## Background
|
||||||
|
|
||||||
|
Historically, there was a file called `/etc/sudoers.d/qubes` in Qubes VMs with the following content:
|
||||||
|
|
||||||
```
|
```
|
||||||
user ALL=(ALL) NOPASSWD: ALL
|
user ALL=(ALL) NOPASSWD: ALL
|
||||||
@ -60,7 +65,9 @@ user ALL=(ALL) NOPASSWD: ALL
|
|||||||
# joanna.
|
# joanna.
|
||||||
```
|
```
|
||||||
|
|
||||||
Below is a complete list of configuration made according to the above statement, with (not necessary complete) list of mechanisms depending on each of them:
|
## Configuration changes
|
||||||
|
|
||||||
|
Below is a complete list of configuration changes made according to the above statement, with a (not necessarily complete) list of mechanisms depending on each of them:
|
||||||
|
|
||||||
1. sudo (`/etc/sudoers.d/qubes`):
|
1. sudo (`/etc/sudoers.d/qubes`):
|
||||||
|
|
||||||
@ -100,90 +107,12 @@ Below is a complete list of configuration made according to the above statement,
|
|||||||
- Used for access to 'root' account from text console (`qvm-console-dispvm`) - the only way to access the VM when GUI isn't working.
|
- Used for access to 'root' account from text console (`qvm-console-dispvm`) - the only way to access the VM when GUI isn't working.
|
||||||
- Can be used for easy 'su -' from user to root.
|
- Can be used for easy 'su -' from user to root.
|
||||||
|
|
||||||
Replacing passwordless root access with Dom0 user prompt
|
|
||||||
--------------------------------------------------------
|
|
||||||
|
|
||||||
While ITL supports the statement above, some Qubes users may wish to enable user/root isolation in VMs anyway.
|
## Replacing passwordless root with a dom0 prompt
|
||||||
We do not support it in any of our packages, but of course nothing is preventing the user from modifying his or her own system.
|
|
||||||
A list of steps to do so is provided here **without any guarantee of safety, accuracy, or completeness.
|
|
||||||
Proceed at your own risk.
|
|
||||||
Do not rely on this for extra security.**
|
|
||||||
|
|
||||||
1. Adding Dom0 "VMAuth" service:
|
See [here](https://github.com/Qubes-Community/Contents/blob/master/docs/security/replacing-passwordless-root-with-dom0-prompt.md).
|
||||||
|
|
||||||
```
|
|
||||||
[root@dom0 /]# echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
|
|
||||||
[root@dom0 /]# echo "@anyvm dom0 ask,default_target=dom0" \
|
|
||||||
>/etc/qubes-rpc/policy/qubes.VMAuth
|
|
||||||
[root@dom0 /]# chmod +x /etc/qubes-rpc/qubes.VMAuth
|
|
||||||
```
|
|
||||||
|
|
||||||
(Note: any VMs you would like still to have passwordless root access (e.g. Templates) can be specified in the second file with "\<vmname\> dom0 allow")
|
## Passwordless root in dom0
|
||||||
|
|
||||||
2. Configuring Fedora template to prompt Dom0 for any authorization request:
|
There is also passwordless root access in dom0. As explained in the comment in dom0's sudo configuration (in `/etc/sudoers.d/qubes`, which is different from the one in domUs), there is really no point to having user/root separation in dom0, because all the user data (and VM management interface) is already accessible from the user level in dom0, so there is nothing more to be obtained from gaining root access in dom0.
|
||||||
- In `/etc/pam.d/system-auth`, replace all lines beginning with "auth" with these lines:
|
|
||||||
|
|
||||||
```
|
|
||||||
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
|
||||||
auth requisite pam_deny.so
|
|
||||||
auth required pam_permit.so
|
|
||||||
```
|
|
||||||
|
|
||||||
- Require authentication for sudo.
|
|
||||||
Replace the first line of `/etc/sudoers.d/qubes` with:
|
|
||||||
|
|
||||||
```
|
|
||||||
user ALL=(ALL) ALL
|
|
||||||
```
|
|
||||||
|
|
||||||
- Disable PolKit's default-allow behavior:
|
|
||||||
|
|
||||||
```
|
|
||||||
[root@fedora-20-x64]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules
|
|
||||||
[root@fedora-20-x64]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
|
|
||||||
```
|
|
||||||
|
|
||||||
3. Configuring Debian/Whonix template to prompt Dom0 for any authorization request:
|
|
||||||
- In `/etc/pam.d/common-auth`, replace all lines beginning with "auth" with these lines:
|
|
||||||
|
|
||||||
```
|
|
||||||
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
|
||||||
auth requisite pam_deny.so
|
|
||||||
auth required pam_permit.so
|
|
||||||
```
|
|
||||||
|
|
||||||
- Require authentication for sudo.
|
|
||||||
Replace the first line of `/etc/sudoers.d/qubes` with:
|
|
||||||
|
|
||||||
```
|
|
||||||
user ALL=(ALL) ALL
|
|
||||||
```
|
|
||||||
|
|
||||||
- Disable PolKit's default-allow behavior:
|
|
||||||
|
|
||||||
```
|
|
||||||
[root@debian-8]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules
|
|
||||||
[root@debian-8]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
|
|
||||||
```
|
|
||||||
|
|
||||||
- In `/etc/pam.d/su.qubes`, comment out this line near the bottom of the file:
|
|
||||||
|
|
||||||
```
|
|
||||||
auth sufficient pam_permit.so
|
|
||||||
```
|
|
||||||
|
|
||||||
- For Whonix, if prompts appear during boot, create `/etc/sudoers.d/zz99` and add these lines:
|
|
||||||
|
|
||||||
```
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/virt-what
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck restart
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck start
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck stop
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck status
|
|
||||||
```
|
|
||||||
|
|
||||||
Dom0 passwordless root access
|
|
||||||
-----------------------------
|
|
||||||
|
|
||||||
There is also passwordless user->root access in dom0.
|
|
||||||
As stated in comment in sudo configuration there (different one than VMs one), there is really no point in user/root isolation, because all the user data (and VM management interface) is already accessible from dom0 user level, so there is nothing more to get from dom0 root account.
|
|
||||||
|
Loading…
Reference in New Issue
Block a user