Replace sudo with doas

Patrick · November 12, 2024, 1:43pm

Deleted.

arraybolt3 · November 20, 2024, 3:14am

OK, so to begin with, I was wrong about doas only allowing environment variables to be preserved on a per-command basis. (I.e., I thought you could only say "preserve vars X, Y, and Z for each command, and that you couldn’t say “preserve these environment variables regardless of what command I run”. This was due to me misreading OpenBSD’s doas.conf manpage (doas.conf(5) - OpenBSD manual pages). The Arch Wiki page for doas at doas - ArchWiki corrected my understanding here, the syntax to use for enabling an environment variable to be passed through on a per-user or per-group (rather than per-command) basis is apparently:

permit setenv { VAR1 VAR2 } :group

I’ll amend my original post to reflect this.

To follow up on my previous review of doas porting feasibility, I’ve taken a look at both Kicksecure and Whonix running under Qubes OS. Here are the results. Just like before, a checkmark means “looks like it can be ported” or “isn’t necessary”, while no checkmark means it’s likely to be problematic.

/etc/sudoers.d/qt_x11_no_mitshm

Specifies an environment variable to be preserved that affects all utilities on the system that leverage Qt. Depending on how exactly this rule is used, this could be trivial to translate, or it could be slightly tricky.
- Defaults env_keep += "QT_X11_NO_MITSHM"
- translates to (roughly):
- permit setenv { QT_X11_NO_MITSHM } :sudo

/etc/sudoers.d/qubes

This looks like a generic account-wide nopasswd exception for the qubes group. There’s some SELinux stuff going on with it that can’t be ported, but since Kicksecure is based on Debian I don’t expect this to be a problem (I don’t believe SELinux is even used in Whonix or other Debian-based Qubes).

/etc/sudoers.d/qubes-input-trigger

Contains several NOPASSWD exceptions for starting various Qubes input-related services as root. There are four sets of nine services each, each set is handled by one line of sudoers config, which covers all nine services with the help of a regex match. We don’t get regex matching in doas, so this would have to be replaced with 36 lines of doas configuration. Not great, but not horrible.
- user ALL=(root) NOPASSWD:/bin/systemctl --no-block start qubes-input-sender-keyboard@event[0-9].service
- translates to
- permit nopass user as root cmd /bin/systemctl args --no-block start qubes-input-sender-keyboard@event0.service, plus eight more lines with event1.service, event2.service, etc.

/etc/sudoers.d/umask

Trouble. This one changes umask settings for sudo commands in general. doas handles umask configuration entirely on its own and does not allow the end-user to configure it. Thus this cannot be translated. Depending on what doas’s umask settings are and how vital this configuration is, this may or may not be a blocker.

edit: somehow the O in “OK” got replaced by a smiling emoji, fixed it

arraybolt3 · November 20, 2024, 3:25am

One question that does come to mind is, the Qubes-specific config is coming from Qubes OS, not from Whonix or Kicksecure. Porting things to doas means that some of Qubes OS’s software will need to be ported to be doas-compatible also, which may or may not be something they’re interested in. In the worst case, we’d end up having to maintain sudoers support for Qubes, and only providing doas support for non-Qubes. Maintaining both sounds like it could be difficult. Might be worth filing a feature request in Qubes OS?

Patrick · November 20, 2024, 2:03pm

dpkg -S /etc/sudoers.d/umask

qubes-core-agent: /etc/sudoers.d/umask

Will need to open a ticket at Qubes.

Restrict umask to 027 except for sudo/root broken

opened 02:09PM - 06 Jan 24 UTC

adrelanos

Currently umask is set to `027` (read, write for owner and group only). (Group …is OK because Debian uses `usergroups` by default, [`UPG`](https://wiki.debian.org/UserPrivateGroups) (UserPrivateGroups)). This however should not be the case for files created by root as this is super confusing, causing issues when creating files in `/etc` (or `/usr`) as these won't be readable by applications normally suppose to be able to read these running as non-root. That part is broken. Therefore unfortunately this feature has to be reverted until this can be fixed. This was discussed before here: * https://github.com/Kicksecure/security-misc/pull/18 The following unfortunately has to be removed. [`/usr/share/pam-configs/umask-security-misc`](https://github.com/Kicksecure/security-misc/blob/master/usr/share/pam-configs/umask-security-misc) ``` Name: Restrict umask to 027 (by package security-misc) Default: yes Priority: 100 Session-Type: Additional Session-Interactive-Only: yes Session: [success=1 default=ignore] pam_succeed_if.so uid eq 0 optional pam_umask.so umask=027 ``` I cannot even just out-comment it to make it easier to tinker as folder `/usr/share/pam-configs` does not support comments. Populating `/etc/pam.d` from `/usr/share/pam-configs` is a Debian / Ubunut feature. * https://unix.stackexchange.com/questions/337808/where-is-the-official-documentation-for-the-files-in-usr-share-pam-configs-in * https://wiki.ubuntu.com/PAMConfigFrameworkSpec ---- Command for testing: touch a && ls -la a && rm a I tried various stuff to fix it: * delete `Session-Interactive-Only: yes` * ``` [success=2 default=ignore] pam_succeed_if.so debug uid eq 0 [success=1 default=ignore] pam_succeed_if.so debug use_uid uid eq 0 optional pam_umask.so debug umask=027 ``` ---- This issue is only happening in non-Qubes. Not reproducible in Qubes Debian. This might be because Qubes login session work differently. This is probably also why I did not spot this issue beforehand. ---- Contributing: I don't necessarily need the config snippet for `/usr/share/pam-configs` as I might be able to figure that out but the config snipped required for `/etc/pam.d` would very useful.

Will also need a ticket.

Yes.

Yes, please.

arraybolt3 · November 21, 2024, 10:30pm

I just did a quick test, and it appears that processes launched via doas simply inherit the umask of the caller.

[user ~]% umask
022
[user ~]% doas bash
root@localhost:/home/user# umask
0022
root@localhost:/home/user# exit
exit
[user ~]% umask 077
[user ~]% doas bash
root@localhost:/home/user# umask
0077
root@localhost:/home/user# exit
exit
[user ~]% umask 000
[user ~]% doas bash
root@localhost:/home/user# umask
0000
root@localhost:/home/user# exit
exit

Similar behavior is observed when using doas zsh rather than doas bash. This may be sufficient to work around the inability to configure umask in doas.

Patrick · November 22, 2024, 9:39am

github.com/QubesOS/qubes-issues

Support Qubes that use doas rather than sudo

opened 04:05AM - 22 Nov 24 UTC

ArrayBolt3

T: enhancement P: default

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) #…## The problem you're addressing (if any) All official Qubes OS templates currently use `sudo` as a privilege escalation framework. This is mandatory, as Qubes OS ships some `sudoers` configuration files, which obviously won't be usable without `sudo`. Not all distros and users necessarily want to use `sudo`, however - it's big and complicated, thus potentially more vulnerable than a simpler privilege escalation framework. Whonix in particular is currently looking into the possibility of porting over our existing `sudoers` configuration to `doas`, allowing us to replace `sudo` with `doas`. In the event we do attempt to migrate to `doas`, we do not want to have both `sudo` and `doas` installed in the Whonix VMs since that results in an increase of attack surface rather than a decrease. Since Qubes OS is a top-priority platform for Whonix, we cannot port from `sudo` to `doas` without there being `doas` configuration that replaces Qubes OS's existing `sudoers` config present within individual Qubes. ### The solution you'd like Ideally, there would be `doas` configuration snippets that would be able to replace the `sudoers` config shipped by Qubes OS packages. That way, any Qubes that used `doas` could simply use a `qubes-doas-config` package rather than whatever package ships the `sudoers` config. (If the `sudoers` config is currently bundled into a package, obviously it would have to be split out for this to work.) Additionally, any parts of Qubes OS that currently use `sudo` to elevate privileges within a Qube would have to be adjusted to use `doas` when appropriate, and documentation that instructs the user to use `sudo` would have to be adjusted to mention `doas` if that documentation was applicable to any official Qubes that used `doas`. ### The value to a user, and who that user might be Any users who are using a defense-in-depth strategy by disabling passwordless sudo within individual Qubes would potentially benefit from this. The only valid reason to disable passwordless sudo within a Qube is to make it harder for an attacker to attempt any attacks against Xen or dom0, by requiring them to bypass the in-Qube privilege restrictions first. It is theoretically easier to bypass the in-Qube restrictions if `sudo` is in use than if `doas` is in use, due to `sudo`'s much larger size and much more powerful (and easy to mess up with) configuration file format. In contrast, `doas` is many times smaller than `sudo`, and features a much less powerful configuration file format that is harder to make mistakes with. Thus for users who are bothering with disabling passwordless sudo, using `doas` in place of `sudo` in at least some Qubes should result in an even harder-to-breach first line of defense. For obvious reasons, users who are leaving passwordless sudo enabled on all of their Qubes will not see any significant security benefit from this change. ### Completion criteria checklist (This section is for developer use only. Please do not modify it.)

Patrick · November 30, 2024, 9:58am

upstream feature discussion: 'Investigating adding functionality to doas' thread - MARC

Patrick · December 8, 2024, 4:23pm

Late, but better late then never… How about run0?

Advantages:

Speak for itself on its homepage.

Disadvantages:

Increases dependency on systemd, but moving away from Debian (systemd based) is not very likely anyhow (Requesting a Port to a Different Base Operating System) as well as for reasoning documented on systemd.
No credential caching yet. (run0: persistent authentication feature (if possible, probably not) · Issue #33366 · systemd/systemd · GitHub)

arraybolt3 · December 8, 2024, 5:50pm

I don’t really think we should go with run0:

We won’t be able to migrate to run0 until the release of Trixie, at least. run0 was added in systemd 256, Bookworm is using systemd 252.
It doesn’t appear possible to configure run0 to run commands without requiring a password. That’s a dealbreaker, we have too much stuff that needs to be run as root without a password. (I mean, I guess we could try to migrate everything that needs to run as root passwordless to systemd, but that sounds difficult or potentially impossible.)
It’s unclear how to configure it at all - it’s configured “by polkit”, but polkit is a generic authorization framework, it doesn’t allow you to specify specific commands and arguments the way sudoers or doas config does. pkexec works by using an “annotation” in polkit whereby you basically tack on extra info to a polkit action so that pkexec knows how to authenticate what, but run0 doesn’t use that. How would one configure certain environment variables to be allowed to pass through while denying others? No idea, it might not even be possible.
It’s larger than doas. Way larger. run0 (really systemd-run) is 2642 lines long (including newlines and whatnot), and is heavily tied into the systemd codebase, which is about 1.3 million lines of C code. It’s unclear how much of that could be used to exploit run0, but some of it quite possibly can. doas on the other hand is relatively isolated (the only library it uses beyond the C standard library is PAM), and is only 1,850 lines long. Ergo, less attack surface.

There’s a few other issues or at least concerns (for instance you can pass through arbitrary environment variables using the --setenv argment, the only reason this isn’t a security vulnerability that I can see is that you can’t configure run0 to run a command without a password), but I don’t think it’s practical or advisable for Kicksecure or Whonix to use run0. I think we’ll be in much better shape if we stick with doas. Thanks to doas’s isolation, we can probably audit it easier too if we choose to do that.

Patrick · December 8, 2024, 5:55pm

Excellent points on run0, thank you! So if anything, let’s stick with doas.

Actually, I was just considering, a “sudoless” design. It might be possible. Development notes are here:

In that case, neither a port to doas would be required (nor a run0 port would be required).

arraybolt3 · December 9, 2024, 6:03am

Hmm, sudoless comes with its own unique set of challenges as well, though it looks hopeful. Some notable hurdles from an initial quick skim:

The following things in Kicksecure and Whonix will probably break if sudo isn’t usable by the end-user. These aren’t just things where the user can just boot into admin mode when needed, these are things that will break the user-mode user experience.
- bootclockrandomization
- sdwdate
- setup-dist (in particular the easyorca feature, but it looks bitrotten?)
- tb-starter (this one in particular will break badly)
- tb-updater (this also may break pretty badly)
- Various things in usability-misc
- (maybe?) anon-gw-anonymizer-config

(I have a more detailed list of stuff here, but it’s not polished enough for me to publish yet, some of the more complicated packages I didn’t audit fully.)

Many of the features here cannot be implemented by using systemd services or other background things. We will still need some way to run certain commands as root, even in user mode (this will be important for doing things like enabling Tor Browser to be launched even when /home is mounted noexec). I have an idea for this that would be written in Python and would avoid any use of setuid executables, but we will need something along these lines for things to be practical.
How will Qubes OS VMs handle this? Will they just run as admin automatically and not use user mode at all?

Patrick · December 9, 2024, 4:34pm

How so? It has no sudoers exception.

This one we can say “boot into admin mode”.

Needs re-design.

We’ll just break the functionality as long as doas isn’t installed. As long as Tor Browser is unavailable as a Debian package [1] and thereby properly installed into the system and keeping out executable of the /home folder, Whonix probably should not enable noexec [1] for /home by default.

Qubes has a separate ticket. → Qubes sudo / su / root Hardening - Development Discussion

Qubes default is to install qubes-core-agent-passwordless-root. The plan for Kicksecure, Whonix is to no longer install qubes-core-agent-passwordless-root by default. Users will then be advised to open a Qubes Root Console instead.

[1] Would stable Tor Browser deb package help or burden whonix devs?
[2] Enhanced Security via Mount Options and Compiler Restrictions

arraybolt3 · December 9, 2024, 7:59pm

True (I believe, working off memory and didn’t double-check), however there’s a GUI script for it that doesn’t seem like something that can be used in admin mode (it only applies to each specific boot). I guess it is a privileged operation though, so it probably is something we’ll just live without.

hmm, I guess it won’t be that much of a problem based on the research I’ve done so far. We will lose the ability to restart, stop, or even view the logs of sdwdate though, is that acceptable?

Patrick · December 10, 2024, 5:53pm

If worse comes to worse, yes. sdwdate-gui could show restart/stop actions only if started as admin.

As for logs, a sdwdate-logs.service systemd unit, doing something like the following would likely work (simplified):

journalctl --boot --output=cat -u sdwdate > /run/sdwdate/sdwdate-log.txt

In practice, sdwdate-log-viewer would need to be adjusted to do that. (Or something similar to sdwdate-log-viewer.)

Patrick · March 29, 2025, 10:42am

We ended up not using doas. Instead, GitHub - Kicksecure/privleap: Limited Privilege Escalation Framework has been invented thanks to @arraybolt3. privleap has been written in memory-safe language Python. privleap does not have SUID attack surface because it has been implemented without SUID.

All uses of sudo by account user in Kicksecure, Whonix source code have been ported to to privleap. past notes: sudo / doas / sudoless / privleap

No Access to Privilege Escalation Tools (such as sudo or pkexec) for Limited Accounts (such as for account user) has been implemented as part of:

With user-sysmaint-split installed, there is no sudo SUID attack surface even if account user gets compromised. This is because account user can no longer use sudo by default. [1]

Example sudo command.

sudo nano

Example error message.

zsh: permission denied: sudo
zsh: exit 126 sudo nano

User documentation:

This has been available at least since 17.3.5.3 and above. (Unreleased at time of writing.)

Written about this also here:
Why passwordless sudo by default? - #5 by Patrick - Support - Kicksecure Forums

[1] opt-out: Unrestricted Admin Mode