qubes-doc/developer/system/vm-sudo.md

---
lang: en
layout: doc
permalink: /doc/vm-sudo-implementation/
redirect_from:
- /en/doc/vm-sudo-implementation/
- /doc/VMSudo-implementation/
ref: 341
title: Passwordless root access in qubes
---

The rationale behind passwordless root in qubes is set out [here](/doc/vm-sudo).  Implementation is by the qubes-core-agent-passwordless-root package.

This page sets out the configuration changes made, with (not necessary complete) list of mechanisms depending on each of them:

1. sudo (`/etc/sudoers.d/qubes`):

    ```
    Defaults !requiretty
    %qubes ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t NOPASSWD: ALL

    (...)
    ```

    - Easy user -> root access (main option for the user).
    - `qvm-usb` (not really working, as of R2).

2. PolicyKit (`/etc/polkit-1/rules.d/00-qubes-allow-all.rules`):

    ```
    //allow any action, detailed reasoning in sudoers.d/qubes
    polkit.addRule(function(action,subject) { if (subject.isInGroup("qubes")) return polkit.Result.YES; });

    ```

    PAM (`/etc/pam.d/su.qubes` or `/usr/share/pam-configs/su.qubes`)
    ```
    auth    	sufficient	pam_succeed_if.so use_uid user ingroup qubes
    ```

    - NetworkManager configuration from normal user (`nm-applet`).
    - Updates installation (`gpk-update-viewer`).
    - User can use pkexec just like sudo Note: above is needed mostly because Qubes user GUI session isn't treated by PolicyKit/logind as "local" session because of the way in which X server and session is started.
      Perhaps we will address this issue in the future, but this is really low priority.
      Patches welcomed anyway.

3. Empty root password:
    - Used for access to 'root' account from text console (`qvm-console-dispvm`) - the only way to access the VM when GUI isn't working.
    - Can be used for easy 'su -' from user to root.