Qubes sudo / su / root Hardening - Development Discussion

The issue is that setup-wizard-dist (which starts ACW) cannot start because passwordless sudo was disabled. Since ACW didn’t autostart and since the user didn’t enable Tor, sdwdate didn’t proceed because it cannot without Tor being enabled.

I added a comment on how to accomplish autostart of setup-wizard-dist but I won’t enable it by default since that would be counter to the user original goals, which is sudo hardening.

Additionally there better error handling in case of sudo issues has been implemented:
setup-wizard-dist/usr/libexec/setup-wizard-dist/setup-wizard-dist at master · Kicksecure/setup-wizard-dist · GitHub

There will now be an error popup.

sudo --non-interactive --set-home /usr/bin/setup-wizard-dist

This might be due to the user using sudo hardening.

The error message will probably be improved.

1 Like

This by itself is quite possibly insufficient. The user might need to follow the complete Qubes documentation here:

1 Like

A more up to date version - might - be this one:

This is a bit confusing. Created a ticket for it:
vm-sudo documentation outdated · Issue #8375 · QubesOS/qubes-issues · GitHub

Proper support by Qubes for this would require implementation of this Qubes feature request:

1 Like

There will now also be a better error message in case sdwdate-log-viewer cannot be started from sdwdate-gui due to sudo hardening:

1 Like

Quote Passwordless root access in qubes | Qubes OS

While the Qubes developers support the statement above, some Qubes users may wish to enable user/root isolation in VMs anyway. We do not support it in any of our packages, but of course nothing is preventing the user from modifying his or her own system. A list of steps to do so is provided here without any guarantee of safety, accuracy, or completeness. Proceed at your own risk. Do not rely on this for extra security.

flatpak issue: