@DVM
The quoted part of the documentation is your answer.
Then, I guess, I don’t understand it.
Whether root is active and password protected or not, user data is still accessible to any attacker with user-level access to the qube.
Why is that a sufficient reason to make all data accessible at all times for all use cases?
If I may provide an analog: If you give your car keys to a friend for a weekend drive, you don’t also give him the key to your home and your bank account password.
Example: Is it not possible to have malware which relies on passwordless root to modify a system crypto library, resulting in the decryption of some or all user traffic? Then the malware can even delete itself and upon qube reboot the crypto library will be restored, thus leaving no trace. Integrity and availability of data are not affected but confidentiality is. That would not happen if the library would not be modifiable (regular restricted root).
Even if you restrict /rw access with the root account, you can still create malware persistence in the /home directory in various ways that will be executed every time the qube is started.
How exactly?
I know all this, I never said otherwise.
You call it “extreme” security. I still don’t know why. Why not call the passwordless root “extreme unsecurity” instead, as it is the actual deviation from the normal? Extreme security is, for example, to disable root login completely.
Understand that we’re not talking about a single system here. Of course, securing the root user is necessary in a classic *nix system scenario, but on Qubes OS it would be too much work. Imagine forcing non-advanced users to get a root password for every single qube they create (no password reuse since it’s not security oriented, right?), it will be painful for them and human error will obviously occur.
To run a command as root in a VM, we execute qvm-run --user root VMNAME command
in dom0. We don’t type (or need to remember) any passwords, right? So, this:
# At the same time allowing for easy user-to-root escalation in a VM
# is simply convenient for users, especially for update installation.
adds no value to it. Template updates are controlled by dom0 and it does not need passwordless sudo to run a root process in any VM. If there would be any root password, that would be just one - for dom0. However, I don’t see a practical use of it, except probably protecting the user from easily breaking one’s own system. That (and not the current opposite) may actually be helpful to beginners.
To put it differently, the alternative to passwordless root, as I see it, would be restricted but still passwordless root, just accessed through qvm-run
explicitly.
Everyone has a different threat model, if yours is to have a root password inside your qubes then do so, what’s stopping you from doing it on your system without making it the default for everyone?
The question is not what is stopping me from customizing things. As explained in the OP, I have read many times the answers which explain “you can disable/change/customize/harden it, etc.” That is clear. I am not discussing choice and I am not saying the current default is wrong (or right).
What I am trying to understand here is the logic of the security experts who obviously know much more than me, as I may be on a wrong track. Peri-phrased for clarity:
What is the logic of deliberately reducing security for convenience which, as shown, seems unnecessary (as it already exists even without passwordless sudo)?
Why is all that justified with, as it seems, contradictory reasons?