Qubes OS for unprivileged users

Hi,

I wonder if it is possible to configure and use Qubes OS with a specific setup. I would need to configure a Qubes OS workstation and give it to an employee, but that person should not be allowed to make a few changes like:

  • modify VPN
  • modify firewall
  • have admin access to the qubes
  • being able to make changes to the system

I know Qubes OS is meant to be used by a single user with administrator access at all levels, but I wonder Qubes OS could be used in cybersecurity environments with strict policies.

1 Like

Maybe it is possible to achieve with a dedicated login in sys-gui, and only give them the qubes they need by configuring the guivm of each qube, and setup a root password on each.

However, they will still be able to configure the qubes, I guess a policy could be modified to prevent sys-gui to modify attributes of a qube.

Just for completeness:
Is Qubes a multi-user system?

Design for a Guest qube also comes to mind. Theoretically a disposable full-screen untrusted qube with minimal privileges without having access to qvm-copy/move… and proper policies to reject access to global clipboard and other critical resources. Disallowing user to exit the full-screen mode of the guest qube without powering it off. Upon exit should return to the login screen.

1 Like