[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Qubes sudo / su / root Hardening - Development Discussion

Too bad, that Qubes-Whonix users do not fully benefit much from the recent user/root/misc hardening by Whonix by default such as for example:

Preventing malware from gaining root is vital to prevent malware from breaking out of a VM, spreading to dom0 or other VMs. Many attacks aren’t possible with root and/or kernel level compromise.
(More meaningful separation of root and kernel is being worked on.)

This is currently really bad in Qubes Debian templates. Any compromised user (not only user user) can use su without a password and gain root. (bug reported here)

Just learned that qubes-template-debian-10-minimal comes without passwordless root by default. This is documented here:
https://www.qubes-os.org/doc/templates/minimal/#passwordless-root
Quote:

It is an intentional design choice for Passwordless Root Access in VMs to be optional in Minimal TemplateVMs. Since the Minimal TemplateVMs are minimal , they are not configured for passwordless root by default. To update or install packages, execute the following command in dom0 (where X is your distro and version number):

[user@dom0 ~]$ qvm-run -u root X-minimal xterm

This opens a root terminal in the Minimal TemplateVM, from which you can use execute root commands without sudo . You will have to do this every time if you choose not to enable passwordless root.

If you want to be able to use sudo inside a Minimal TemplateVM (or TemplateBasedVMs based on a Minimal TemplateVM), open a root terminal as just instructed, then install the qubes-core-agent-passwordless-root package.

Optionally, verify that passwordless root now works by opening a normal (non-root) xterm window in the Minimal TemplateVM, then issue the command sudo -l . This should give you output that includes the NOPASSWD keyword.

In Qubes Debian minimal templates user user is also by default not a member of group sudo.

This is an excellent basis for Qubes-Whonix.
(Which is already based on Qubes Debian minimal templates.)

Qubes-Whonix package qubes-whonix-shared-packages-recommended currently Depends: on qubes-core-agent-passwordless-root. This dependency could be dropped.

The question is, how users could easily gain root then. In dom0 command line:

qvm-run -u root X-minimal xterm

Or

qvm-run -u root X-minimal xfce4-terminal

Usability issue. Which may be fixable. More on that below.

Security issue? Better than the default we have now. However, I am not sure if that is non-ideal security wise. Running a GUI application as root? Maybe a better default would be if a user admin would be a member of group sudo by default? Then open a terminal as user admin and allow admin to use sudo without a password?

Usability. Somehow add a Qubes start menu entry. Not sure that is yet supported by Qubes to run something as a different user from Qubes start menu.

Example:

dom0

cat .local/share/qubes-appmenus/debian-10/apps.templates/xfce4-terminal.desktop

[Desktop Entry]

Exec=qvm-run -q -a --service – %VMNAME% qubes.StartApp+xfce4-terminal

We’d have to use qvm-run -u admin. That may require Qubes dom0 enhancements.

If these aren’t coming / too late, maybe we could work around that limitation somehow. Perhaps an /etc/sudoers.d exception. Maybe a dom0 yes/no prompt using qrexec.

1 Like

Why not make sudo require a password and allow it to be used in VMs just like in non-Qubes-Whonix?

Then a user can do

qvm-run X-minimal xfce4-terminal
sudo command
1 Like

That might work.

But maybe in Qubes we can do better than that. Thanks to dom0 / qrexec we could have a safer implementation.

This is related to the ideas of a safer implementation in Non-Qubes-Whonix, possible using multiple boot modes in grub boot menu:

In Qubes we may or may not have access to different boot modes using Qubes start menu.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]