Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-12-26 12:54:55 -05:00
Code Issues Projects Releases Packages Wiki Activity
qubes-doc/developer/system/vm-sudo.rst
parulin 3c50a11385
Clean some orphaned pages 
* `split-gpg-2` is not orphaned anymore
* Add `developer/system/vm-sudo` to the index
* Change title of `developer/system/vm-sudo` to avoid duplicates
* Update link to `download-mirrors` in the index
* Minor improvements on `download-mirrors`
* Remove `firewall_4.1`: it is not useful anymore
2025-12-16 09:17:10 -05:00

53 lines
1.8 KiB
ReStructuredText
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

=======================================
Passwordless root access implementation
=======================================
The rationale behind passwordless root in qubes is set out :doc:`here </user/security-in-qubes/vm-sudo>`. Implementation is by the qubes-core-agent-passwordless-root package.
This page sets out the configuration changes made, with (not necessary complete) list of mechanisms depending on each of them:
1. sudo (``/etc/sudoers.d/qubes``):
.. code:: text
Defaults !requiretty
%qubes ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t NOPASSWD: ALL
(...)
- Easy user -> root access (main option for the user).
- ``qvm-usb`` (not really working, as of R2).
2. PolicyKit (``/etc/polkit-1/rules.d/00-qubes-allow-all.rules``):
.. code:: text
//allow any action, detailed reasoning in sudoers.d/qubes
polkit.addRule(function(action,subject) { if (subject.isInGroup("qubes")) return polkit.Result.YES; });
PAM (``/etc/pam.d/su.qubes`` or ``/usr/share/pam-configs/su.qubes``) ``auth sufficient pam_succeed_if.so use_uid user ingroup qubes``
- NetworkManager configuration from normal user (``nm-applet``).
- Updates installation (``gpk-update-viewer``).
- User can use pkexec just like sudo **Note:** above is needed mostly because Qubes user GUI session isnt treated by PolicyKit/logind as “local” session because of the way in which X server and session is started. Perhaps we will address this issue in the future, but this is really low priority. Patches welcomed anyway.
3. Empty root password:
- Used for access to root account from text console (``qvm-console-dispvm``) - the only way to access the VM when GUI isnt working.
- Can be used for easy su - from user to root.
Reference in a new issue View git blame Copy permalink