My thought is more that the root account should be disabled by default, similar to the standard implementations of Debian and Ubuntu if sudo is used. Generally use of an unlocked root account and sudo are considered to be mutually exclusive, since sudo has better logging for which users access root by invoking sudo. It also allows for restricting which users can gain access to root.
Although I am also not sure if user account separation is worth it anyhow, see:
https://www.whonix.org/wiki/Dev/Permissions
However, advocating “we ship passwordless by default, because user separation is …”, is likely to generate lots of confusion, clarification requests, FUD, etc. Therefore I am not daring to go that route yet.
I completely agree with Joanna here – and she’s right about permissions being irrelevant for sophisticated attackers (which includes the Whonix threat model). Passwordless, in my opinion, still feels too wrong, so I keep the comfort of having a password. But I understand it’s nothing more than a psychological benefit, not a practical security benefit. You’d likely have a mutiny on your hands if you did that, but who knows… Joanna made a good case and users who aren’t comfortable with it can always override it manually and require a password for sudo…
But, I think there’s a significant differentiation that needs to be made between Whonix via VirtualBox and Whonix+Qubes. As far as I see it, permissions are more important for Whonix via VirtualBox since it’s a shared system (workstation), and less important for Whonix+Qubes since it’s heavily isolated by VMs. At least that’s my “belief” due to the isolation between VMs in Qubes. Since Whonix (at least the Workstation) is a mostly shared system (not a collection of isolated VMs), one must rely on extremely strict separation of modes of anonymity and only use Whonix for 100% anon operations if that’s the case. And this model would require multiple instances of Whonix Workstations for each mode. Perhaps that’s intentional. Otherwise malware would be “game over” for anonymity. The difference of the Qubes+Whonix model is that modes of anonymity can be on a per-VM basis.
I’m sure you already know and have considered all of this far more than I can contribute, but at least my opinion would be:
- lock the root account by default
- use sudo (only) with password by default
That, I believe, would be better than having both root and sudo accessible. I understand it’s less than perfect – nothing is perfect.
My main concern is that I don’t see the benefit of having an unlocked root account, but I do see benefits of locking it.
Thanks for the reply and the discussion, and I greatly appreciate your work!
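
An audit for the two defaults proposed in the post above (root locked, sudo always asking for a password), as an added example that is not part of the original thread or of Whonix itself. The function names and sample files are hypothetical and constructed; it assumes a root password field starting with `!` or `*` counts as locked, and it does not follow sudoers include directives.

```shell
#!/bin/sh
# Added example: checks copies in shadow(5) / sudoers(5) format, so no root access is needed.

# root_pw_state FILE -> prints "locked", "empty", "set" or "missing" for the root entry.
root_pw_state() {
    awk -F: '$1 == "root" {
        if ($2 == "")          print "empty"    # no password required at all
        else if ($2 ~ /^[!*]/) print "locked"   # "!" is added by passwd -l, "*" matches no password
        else                   print "set"      # a usable password hash
        found = 1
    } END { if (!found) print "missing" }' "$1"
}

# sudo_nopasswd_rules FILE -> prints every active (non-comment) rule carrying the NOPASSWD tag.
sudo_nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD[[:space:]]*:'
}

# audit SHADOW SUDOERS -> returns 0 only when root is locked and no rule skips the password.
audit() {
    rc=0
    state=$(root_pw_state "$1")
    [ "$state" = "locked" ] || { echo "FAIL root password state: $state"; rc=1; }
    if sudo_nopasswd_rules "$2" >/dev/null; then
        echo "FAIL passwordless sudo rule present"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not taken from any real system).
demo=$(mktemp -d)
printf '%s\n' 'root:!:19000:0:99999:7:::' \
    'user:$6$constructedsalt$constructedhash:19000:0:99999:7:::' > "$demo/shadow.locked"
printf '%s\n' 'root:$6$constructedsalt$constructedhash:19000:0:99999:7:::' > "$demo/shadow.unlocked"
printf '%s\n' '# user ALL=(ALL) NOPASSWD: ALL' '%sudo ALL=(ALL:ALL) ALL' > "$demo/sudoers.password"
printf '%s\n' 'user ALL=(ALL:ALL) NOPASSWD: ALL' > "$demo/sudoers.nopasswd"

audit "$demo/shadow.locked" "$demo/sudoers.password" && echo "OK proposed defaults hold"
audit "$demo/shadow.unlocked" "$demo/sudoers.nopasswd" || echo "second sample fails both checks"
```

On a live system the same functions can be pointed at root-readable copies of `/etc/shadow` and `/etc/sudoers`.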