Whonix comes preconfigured so root isn’t really needed for the average user for anything other than customization or debugging.
apt-get-update-plus has a sudoers exception for that.
There’s no need to use sudo for that anyway. Unprivileged users can still run /sbin/reboot. The only issue is that /sbin isn’t part of $PATH by default (an alias can be added for reboot if needed).
Best option seems to be using str_replace on the openssh config file. It’s a bit hacky but better than just replacing the entire file.
I don’t use ssh much so I don’t know if there’s any better option.
Or, just not include it in security-misc since Whonix doesn’t have ssh anyway. We can leave configuring specific applications to be the user’s job.
We can add a warning to sudo mode and inform the user of the consequences of what they’re doing.
Restricting sudo is a security advantage. The only problem is if the user messes it up themselves which isn’t really on us.
wouldn’t improve security too much. At least wouldn’t help much for users who install some custom package every now and then. (They need to use sudo for that.) Let alone add custom (third party) APT sources list. (Requires root to edit sources.list.d.)
Mostly would help users who do follow Prevent Malware from Sniffing the Root Password.
(But these would not even want addgroup user sudo.)
Not sure it’s even worth it to implement boot modes nosudo=1 / sudo=1?
(Just called nosudo=1 / sudo=1 for discussion. Would be presented to user in better terminology.)
Comparison with Tails:
Tails boots always fresh, malware clean. Considered non-compromised.
(Just assuming it for sake of discussion not considering firmware trojans etc. When boot from read-only media boot.)
Tails boots by default without root access. Setting a root password is an opt-in. Tails an edge here.
There are kinda two paths there.
[1] Allowing more and more things (apt dist-upgrade, install packages from packages.debian.org) without need to gain root / entering sudo password. Android does that. Users can do a lot things there without root. For example, setting up VPNs.
[2] Make users boot into user admin.
These two are not really exclusive. [1] will always be limited. A lot effort to implement. Might never get there.
I typed too little. I meant, after users just run “sudo apt-get dist-upgrade” or “upgrade-nonroot” they can no longer use “sudo”. Kinda unexpected, breaking usability change. Considered unstable by users most likely.
That would mean “boot into user admin” is an OK solution too?
Sounds good.
Yes. However, it’s on us to provide easy, secure work flows. I think “boot into user admin” is a nice clear way to separate things. Will describe more clearly soon.
An alternative solution would be to add removing the sudo group to the hardening guides instead of making boot modes.
I don’t like the sound of that too much. Android is really different from Debian. If we allow unprivileged users to install packages, an attacker can install whatever they want from the repos to add attack surface.
e.g. 1: attacker installs package with setuid binary → exploits vulnerability → gains priv esc.
e.g. 2: attacker installs kernel module from the repos which adds kernel attack surface → exploits vulnerability in new module.
Meanwhile android apps cannot add any new kernel attack surface or increase the chances of priv esc. All apps are fully sandboxed, running as different users with strict SELinux policies and seccomp filters. It isn’t really comparable.
The admin user is better but not the best. An attacker can still login as the admin user too.
Btw by “boot” do you mean “login” (as a user called “admin” with sudo privileges) or are you talking about a boot mode? I assume you meant “login”.
No (good) password for user user required. (Except, if SSH login is permitted.)
Good password only required for user admin.
Boot into “sudo mode” meaning:
If users choose “sudo mode” in grub boot menu, the system would boot and login the user into user admin rather than user user. User admin would have root. After users are done, these are advised to reboot to continue using user user.
(And those who don’t like it could continue using user admin (bad) or sudo addgroup user sudo (slightly less bad).) [1])
Not sure the cumbersomeness usability wise is acceptable. Could poll about that. Could also poll about various alternatives.
How? An attacker (let’s say some compromised user account) cannot use su since not member of group sudo. Well, could try to bruteforce the password of user admin? That may be possible until we can port to wayland.
Bruteforcing the password is what I had in mind. Unless we set strong password requirements (see pam_cracklib), an attacker can attempt to login to the admin account and bruteforce the password.
No strong password required fortunately for linux user login. Bruteforcing into linux user accounts is already severely limited. Elsewhere. Summary written here just now:
Could we even go for autologin in X andvirtual console for user user when booting into user-only (non-root) mode?
In this mode, user admin stays password locked by default.
Could we even go for autologin in X and virtual console for user admin when booting into superuser mode?
In this mode, user user stays password locked by default.
Could we even go for passwordless sudo for user admin when booting into superuser mode?
All passwords locked by default.
No more default passwords for user user and no default password for user admin.
Still no root login.
implementation goals: secure auto login + secure passwordless sudo + uncrackable user passwords
By using locked passwords by default, there wouldn’t be any passwords that adversaries could crack.
Could the use of autologin be abused by non-autologin, limited user accounts such as user web? Could for example a compromised linux user account web take advantage of user user being autologin? I wouldn’t know. Maybe different for graphical applications running under a different user account? But then probably X is too broken to consider this anyhow.
Would an auto logged in virtual console offer any attack surface for compromised non-user user accounts such as user web?
Users will always be able to configure what they want. (Such as the current behavior of only user user and ability to use sudo.) In this post I am trying to find a design for the default which works good enough for most users.
Also wondering what the right package (or package name) for this would be. It interacts with grub-live, maybe apparmor-profile-everything (superroot) and is Kicksecure / Whonix specific (?).
Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)
Boot modes considered too unimportant to be added to grub default boot menu:
LIVE mode ADMIN
LIVE mode SUPERADMIN
Recovery LIVE mode SUPERADMIN
I don’t see good use cases for these. But could be convinced otherwise with user feedback.
If anyone cares about these, there could be files in /etc/grub.d/ folder that add such entries but these files could be non-executable by default. Thereby update-grub would ignore them. To opt-in into such modes, users could just run sudo chmod +x /etc/grub.d/somenumber_name-of-boot-mode.
Also users who really want something special/custom would be able to add whatever they want to /etc/grub.d/ folder / grub boot menu.
Also by using grub boot menu editing (key e) at grub boot menu, kernel parameters can be adjusted and any combination would be possible.
Use cases for the different modes:
PERSISTENT mode USER (For daily activities.): Useful for browsing, e-mail, chat, etc. or just letting an already set up and installed server run. Even upgrading through upgrade-nonroot.
LIVE mode USER (For daily activities.): Same as above but without persistence.
PERSISTENT mode ADMIN (For software installation.): users could run sudo apt install whatever-software-package, then reboot into USER. Editing /etc/apt/sources.list.damong many other things prohibited for better security.
PERSISTENT mode SUPERADMIN (Be very cautious!): users could add foreign sources to /etc/apt/sources.list.d or do anything (full freedom), then (optional but advisable) reboot to ADMIN mode, install packages from third party repositories.
Recovery PERSISTENT mode SUPERADMIN (Be very cautious!): The usual recovery mode.
Anti-opposition / “I want the old Whonix back”:
Users who don’t like (any, multiple or all) of the new options…
and who want “the old Whonix” “with unrestricted sudo” (PERSISTENT mode SUPERADMIN) back, who don’t want to see any of the new options [A], [B], [C]… These could just make these /etc/grub.d folder / grub menu entries gone by running sudo chmod -x /etc/grub.d/somenumber_name-of-boot-mode. (There could be a script to simplify that.)
/etc/grub.d/10_linux PERSISTENT mode USER
/etc/grub.d/11_linux_live LIVE mode USER
/etc/grub.d/12_linux_admin PERSISTENT mode ADMIN
/etc/grub.d/13_linux_admin_live LIVE mode ADMIN
/etc/grub.d/14_linux_superadmin PERSISTENT mode SUPERADMIN
/etc/grub.d/15_linux_superadmin_live LIVE mode SUPERADMIN
/etc/grub.d/16_linux_recovery_mode PERSISTENT mode SUPERADMIN
/etc/grub.d/17_linux_recovery_mode_live Recovery LIVE mode SUPERADMIN
Should stay below /etc/grub.d/20_ because that is already used by an existing script.
Note: some files will not be created in the first iteration (and not sure ever) - those listed in chapter Boot modes considered too unimportant to be added to grub default boot menu: in my post above.
I will add a safety feature. Copy /boot/grub/grub.cfg to a temporary location, then use /usr/bin/grub-script-check to check the temporary file is valid before actually installing it to real location /boot/grub/grub.cfg.
“boot into user”, “boot into admin” and “boot into superadmin” should probably be all separate users. (user, admin, superadmin)
Also need to get the terminology right superadmin vs superroot. I guess when booting it will be user superadmin which is a limited user which can use unrestricted sudo which we will then call superroot.
I am wondering if when booting into admin or superadmin mode, if as few services as possible should be load. That is because when for example a compromised web server is running under a limited user, user admin or superadmin is more in danger as if no such services were started. Ideally no malware running under limited user accounts would be running during maintenance, admin and superadmin mode. That could be too difficult. Can be future work. Might be hard to whitelist which services should run (Tor, debian-tor, …) vs which ones should not. Also when booting into admin mode to install lets say a web server then the admin might want to fully set it up which wouldn’t work if service starting was restricted. Perhaps it is possible to use no-autostart at boot but regular autostart after package installation.