Git-Mirrors
/
qubes-doc
mirror of https://github.com/QubesOS/qubes-doc.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update page on passwordless root. 

Confirm that Joanna's statement continues to reflect the views of the developers.
Provide details on replacing passwordless root.
Implementation details are moved to developer docs.
This commit is contained in:
unman 2024-02-19 00:32:00 +00:00
parent 0d34d104d9
commit fdcb21e178
No known key found for this signature in database
GPG Key ID: BB52274595B71262
1 changed files with 14 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
user/security-in-qubes/vm-sudo.md
View File

@ -10,7 +10,7 @@ ref: 165
title: Passwordless root access in qubes
---
Background (`/etc/sudoers.d/qubes` in VM):
The background to passswordless root access is summarised in this statement, that used to be found at `/etc/sudoers.d/qubes` in each qube:
```
user ALL=(ALL) NOPASSWD: ALL
@ -59,59 +59,31 @@ user ALL=(ALL) NOPASSWD: ALL
#
# joanna.
```
The core of this statement continues to reflect the views of the Qubes developers.
Below is a complete list of configuration made according to the above statement, with (not necessary complete) list of mechanisms depending on each of them:
Passwordless root is provided by the `qubes-core-agent-passwordless-root package`.
Details of the implementation are [here](/doc/vm-sudo-implementation)
1. sudo (`/etc/sudoers.d/qubes`):
[Minimal templates](/doc/templates/minimal/), which are intended for use by advanced users, do not have this package installed by default.
```
user ALL=(ALL) NOPASSWD: ALL
(...)
```
Replacing passwordless root access
----------------------------------
- Easy user -> root access (main option for the user).
- `qvm-usb` (not really working, as of R2).
Some users may wish to modify their system by enabling user/root isolation in qubes.
We do not support this in any packages, but users are free to remove the qubes-core-agent-passwordless-root package if they wish, using standard packaging tools.
2. PolicyKit (`/etc/polkit-1/rules.d/00-qubes-allow-all.rules`):
```
//allow any action, detailed reasoning in sudoers.d/qubes
polkit.addRule(function(action,subject) { return polkit.Result.YES; });
```
and `/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla`:
```
[Qubes allow all]
Identity=*
Action=*
ResultAny=yes
ResultInactive=yes
ResultActive=yes
```
- NetworkManager configuration from normal user (`nm-applet`).
- Updates installation (`gpk-update-viewer`).
- User can use pkexec just like sudo Note: above is needed mostly because Qubes user GUI session isn't treated by PolicyKit/logind as "local" session because of the way in which X server and session is started.
Perhaps we will address this issue in the future, but this is really low priority.
Patches welcomed anyway.
3. Empty root password:
- Used for access to 'root' account from text console (`qvm-console-dispvm`) - the only way to access the VM when GUI isn't working.
- Can be used for easy 'su -' from user to root.
Root access can then be gained from dom0 by (e.g) `qvm-run -u root QUBE qubes-run-terminal`, or `qvm-console-dispvm QUBE`.
Replacing passwordless root access with Dom0 user prompt
--------------------------------------------------------
While the Qubes developers support the statement above, some Qubes users may wish to enable user/root isolation in VMs anyway.
We do not support this in any of our packages, but of course nothing is preventing a user from modifying his or her own system.
A list of steps to do so is provided in the [Qubes community guide, Replacing passwordless root with a dom0 prompt
](https://forum.qubes-os.org/t/replacing-passwordless-root-with-a-dom0-prompt/19074) **without any guarantee of safety, accuracy, or completeness.
An alternative approach is to enable user/root isolation by using a dom0 generated prompt.
A list of steps to do so is provided in the [Qubes community guide, Replacing passwordless root with a dom0 prompt](https://forum.qubes-os.org/t/replacing-passwordless-root-with-a-dom0-prompt/19074) **without any guarantee of safety, accuracy, or completeness.
Proceed at your own risk.
Do not rely on this for extra security.**
Dom0 passwordless root access
-----------------------------
There is also passwordless user->root access in dom0.
As stated in the comment in sudo configuration there (which is different from the one in individual qubes), there is really no point in user/root isolation, because all the user data (and VM management interface) is already accessible from dom0 user level, so there is nothing more to get from dom0 root account.
There is also passwordless user->root access in dom0.
As stated in the comment in `/etc/sudoers.d/qubes` there is really no point in user/root isolation in dom0, because all user data (and the whole Qubes management interface) is already accessible to the user, so there is nothing more to be gained from the dom0 root account.