It might be difficult to make progress with this.
At time of writing, Passwordless root access in qubes | Qubes OS is still stating:
> WTF?! Have you lost your mind?!
> In Qubes VMs there is no point in isolating the root account from
> the user account. This is because
I am disagreeing with this. My pull request remove outdated write-up against sudo passwords by adrelanos · Pull Request #1365 · QubesOS/qubes-doc · GitHub was rejected. I’ve attempted to discuss this further in Qubes vm-sudo documentation write-up against sudo passwords inside App Qubes outdated · Issue #8823 · QubesOS/qubes-issues · GitHub but that also stalled.
Replies are often:
- “but it’s not the default yet” → “true, but it’s still a worthwhile security feature to set as a goal”
- “but there are other ways for malware to gain root” → “true, but then these issues need to be fixed too”
But I am still not even getting my point across in saying that the documentation should not state “no point”.
But since Automate vm sudo authorization setup · Issue #2695 · QubesOS/qubes-issues · GitHub is still open, there is hope. This just means this probably cannot be implemented in Qubes-Whonix until Qubes makes progress with this.