I just use whonix ws as example here. First I noticed all qubes vm allow passwordless root access. I like Qubes OS, but to be honest I think passwordless root access is not a very good idea. I know the qubes dev talked why they enable passwordless root here https://www.qubes-os.org/doc/vm-sudo/, but every script or program can easily gain root access just made me very uncomfortable. I also doubt the solution provided by this page(which is dom0 prompt for root access) is a good method.
The Linux system has a mature password way of authentication. Can I just use the traditional Unix authentication? I know many people will say this mechanism is buggy and will not stop any attacker, but I still believe lock the root access behind a password has some advantages. A lot of kernel defense and harden mechanism require this password auth mechanism, because everything is meaningless when a program can easily gain root access. I believe a properly configured kernel and access control system is capable to fend off most attackers at the very beginning. Even an attacker failed to compromise Xen, the attacker is still able to collect a lot of information about the user with a root access VM.
The whonix workstation and gateway in virtualbox environment works in password way, is it possible to migrate this mechanism to qubes OS platform? Thanks for your help.