Qubes sudo / su / root Hardening - Development Discussion

Patrick · July 29, 2023, 11:37am

The issue is that setup-wizard-dist (which starts ACW) cannot start because passwordless sudo was disabled. Since ACW didn’t autostart and since the user didn’t enable Tor, sdwdate didn’t proceed because it cannot without Tor being enabled.

I added a comment on how to accomplish autostart of setup-wizard-dist but I won’t enable it by default since that would be counter to the user original goals, which is sudo hardening.

Additionally there better error handling in case of sudo issues has been implemented:
setup-wizard-dist/usr/libexec/setup-wizard-dist/setup-wizard-dist at master · Kicksecure/setup-wizard-dist · GitHub

There will now be an error popup.

command:
sudo --non-interactive --set-home /usr/bin/setup-wizard-dist
failed.

This might be due to the user using sudo hardening.

The error message will probably be improved.

Patrick · July 29, 2023, 11:56am

This by itself is quite possibly insufficient. The user might need to follow the complete Qubes documentation here:

Patrick · July 29, 2023, 12:04pm

A more up to date version - might - be this one:
https://github.com/Qubes-Community/Contents/blob/master/docs/security/replacing-passwordless-root-with-dom0-prompt.md

This is a bit confusing. Created a ticket for it:
vm-sudo documentation outdated · Issue #8375 · QubesOS/qubes-issues · GitHub

Proper support by Qubes for this would require implementation of this Qubes feature request:

github.com/QubesOS/qubes-issues

Automate vm sudo authorization setup

opened 02:28AM - 12 Mar 17 UTC

tasket

T: enhancement C: core P: major

#### Qubes OS version (e.g., `R3.2`): R3.2 #### Affected TemplateVMs (e.g., …`fedora-23`, if applicable): All Linux --- ### General notes: Users wishing to enable dom0 prompts for domU sudo authorization must edit several config files according to doc/vm-sudo... https://www.qubes-os.org/doc/vm-sudo/ Since this configuration has worked well for many months with only one (fixable) sticking point, I figured the setup could be automated with a script provided by Qubes. This would allow the user to choose the sudo mode without being mired in the technical configuration process. --- #### Related issues: #2693

Patrick · July 29, 2023, 12:09pm

There will now also be a better error message in case sdwdate-log-viewer cannot be started from sdwdate-gui due to sudo hardening:
https://github.com/Kicksecure/sdwdate-gui/blob/master/usr/libexec/sdwdate-gui/log-viewer

Patrick · July 30, 2023, 4:04pm

Patrick · July 30, 2023, 4:05pm

Quote Passwordless root access in qubes | Qubes OS

While the Qubes developers support the statement above, some Qubes users may wish to enable user/root isolation in VMs anyway. We do not support it in any of our packages, but of course nothing is preventing the user from modifying his or her own system. A list of steps to do so is provided here without any guarantee of safety, accuracy, or completeness. Proceed at your own risk. Do not rely on this for extra security.

Patrick · February 9, 2024, 1:31pm

flatpak issue:

Permission Denied with Flatpak (/sys/block)

Qubes specific: If user removed qubes-core-agent-passwordless-root he will get this issue.

so to correctly address the issues here:

Issue (1)
bwrap: Can't find source path /sys/block: Permission denied