Real threat of installing software in dom0?

Hey,

What’s the real threat of installing software in dom0?

I get that in QubesOS it should be avoided if possible because there is no easy rollback like in template VMs and everything will be compromised.

But is it really that bad to install a few packages like picom?

Are Qubes users more at risk than standard Fedora users because we are using an old repo and somebody could hijack the repo and serve a malicious update?

I kinda don’t get why it’s so strongly discouraged.

I read the docs and threads in the forum.

It’s OK to install software in dom0. In fact, the first thing that one should do after Qubes OS installation is to install terminal completion to make fewer mistakes in the future:

$ sudo qubes-dom0-update bash-completion

A lot of other things are also OK in my opinion, like:

  • mc (file manager),
  • bc (can be used in scripts),
  • devilspie2 (because xfce is not good without third-party stuff),
  • mousepad (simple text editor that supports highlighting),
    etc.

But what one should strongly avoid is installing in dom0 anything that allows connections, e.g. bluetooth stuff because it is an obvious hole in the security and logic of Qubes OS.

Because dom0 is ultimately trusted and has complete control over the rest of the system. If it were ever compromised, the entire system would be compromised. Ultimately, it’s your system and your decision, but we want users to be fully informed about this.

4 Likes

All that is true, but too general words. What is the threat model after all?
That somebody will use their name to push some package to the official Fedora repository (old one) that targets Qubes OS users who do not have this package installed by default at all?

If it ever happens, it will be a package that already exists in dom0, one of around 1000 packages already shipped and automatically updated inside dom0 in Qubes OS out of the box.

People may be “OK” with that, but: No, it is not “OK”.

Definitively NOT.

Still NOT, a big NO.

Installing ANYTHING in dom0 is an obvious hole in the security and against logic of Qubes OS.

Yes, that's the real question.

NO, packages in dom0 ARE NOT AUTOMATICALLY UPDATED.
That's the reason why dom0 is based on an EOL (end of life) version of Fedora.
Even if it was (or will be) based on a non-EOL Fedora version, the packages will
not be updated for obvious security reasons.
Only packages provided (and reviewed) by the Qubes team will be updated.

If you're serious about security, do not install anything in dom0.
For now, you need to trust Xen and Qubes team.
If you install X in dom0, the trust and security of your whole system is now transferred to X,
BEFORE Xen and Qubes team.

Please, do not give bad advice to people (Especially to beginners / non-tech users).

The target of Qubes OS is mostly non-tech users, therefore, all of your advice is bad.
No offense, but when you reply, you must think of future readers, especially those who will
not read the docs because of lack of knowledge or time. Thank you.

As mentioned by @adw, it is your computer.
Adjust according to your threat model (and knowledge).

3 Likes

Just out of curiosity, why would you want to? And I’m not saying there is no good reason - but you can simply create a new Qube and do whatever you want with it.

That said, if you’re just looking for “permission”, it’s yours. You can do whatever you want with it.

Bottom line, you don’t need anyone’s permission to risk compromising the security of your own installation.

I did install one piece of software in dom0. It’s a text editor I myself wrote. There may be a vulnerability but I know there’s no malware in it.

Unfortunately I had to compile it in a VM, and port the executable to dom0…because there’s no compiler on dom0. So it throws messages about a library version not being available every time I run it.

1 Like

Good to know - data is good, thanks!

Will packages that I install in dom0 like picom or feh be automatically updated in the future? And can’t I just pin them? What about the other packages that are already installed, are they just pinned?

And what about packages that are listed in the Qubes docs? Like i3 (which is the whole reason I am downloading software in dom0; I want to customize that). And what about the Qubes Contrib repo?

I am serious about security; if you tell me that I fucked up and my system is now compromised, I will nuke this install. (I installed around 20 packages and in total around 50 dependencies.)

Could you explain what’s different between software that is already in dom0 and software that I install from the Fedora repo?

1 Like

What exactly is problematic about installing software (just that somebody planted malware targeted for QubesOS three years ago???)

I took a good look in the Qubes Docs but nowhere is written what packages in dom0 are updated.

I mean obviously, Qubes maintains its own repo, but where can I see what’s safe to install and what’s not?
Why are the Fedora repos not disabled by default???

Is it only safe to install software that is in Qubes OS Project · GitHub ?

1 Like

I would say that the difference is time and effort. If you’re willing to put in the time and effort testing every aspect of whatever it is you want to put in there, then do it. Even if you aren’t willing to invest such resources, I’d say do it anyway if you want. Nobody will stop you. There is no argument here. None whatsoever.

Now…if, for instance…when gamers start demanding or trying to shame or otherwise pressure the developers into including their pet resources, services and software in the actual distribution, that would be a whole other conversation. But, still, you’d get no argument from me because I’d be gone.

Not my intention at all. If what I am doing is stupid, I will just stop and just use what the developers recommend. I am extremely grateful for QubesOS. I love it and have been using it for years. I just wanted to install i3 and have some questions about the security of it.

2 Likes

Have I said something unreasonable?

1 Like

Not at all. I actually went a bit off topic…sorry. I do that sometimes…

1 Like

Why not? Can you elaborate?
This package was missed from original Fedora almost certainly by mistake.
So I do not understand your resolute and capitalized NOT.

And authors of ~1000 packages from Fedora. If somebody targets Qubes OS they can modify the package in advance, the modification will be used in dom0 eventually. Can’t they?


You still did not explain the threat model that you are so afraid of.
The threat model that should prevent you from installing bash completion or bc.

But you are probably OK with installation of hundreds of KDE packages or i3 packages that are provided in documentation, right? It is suddenly “OK”, isn’t it?


Good point. I think the logic of @szz9pza about using an outdated Fedora version in dom0 to avoid updates is not correct.
It’s probably because it is hard for a reasonably small Team to test everything before release and support updated versions of Fedora, because it has too short a release cycle, unlike Ubuntu LTS releases with 5-10 years of support. We see that with templates, which become unsupported too fast. So fast that the Team is almost not in time to prepare fedora-templates replacements.

1 Like

Maybe, and you probably want to err on the side of caution.

Dom0 is both an adminVM and sys-gui, which isn’t ideal; in the future sys-gui will be separated from the adminVM/dom0. There is some software that, if you want to use it, you have to install in dom0, e.g. if you want to change the compositor.

The downside is that you are installing it in the adminVM which has full access to the system, and changes to dom0 can impact security, performance, and stability.

You shouldn’t be using dom0, so you shouldn’t need to install any software in dom0. Most of the time when someone wants to install software in dom0, it’s because they are not using Qubes OS as it’s intended to be used, and think of Dom0 as Linux.

2 Likes

The capitalized NOT is because you advise everyone to install it.
bash-completion is quite small, so you can review the code; unless you do it,
I would not advise installing it.

To some extent, yes, some parts of the Fedora project must be trusted for dom0.
I include those parts in the Qubes team; even if they can’t review everything,
I guess they have some unit-test to make sure the code in dom0 is reasonably secure.

And obviously, Fedora and/or Debian are also in the chain of trust for the templates.

That's why the less code there is in dom0, the better.
We are trusting Qubes team to do the right thing and to not include those packages into dom0.

When I give advice, to the best of my knowledge, I assume the highest threat model.
Some have installed Qubes OS as enthusiasts, that may not be the case for others.

For KDE, maybe, as it was previously the default in Qubes OS.
I still do not recommend it, especially for a high threat model (neither KDE nor i3 nor anything else).

My point is quite simple:
Do not install anything in dom0 unless you reviewed the code (yourself or by a trusted person).

It sums up the situation pretty well.

As we all pointed out, it depends on your threat model, as always.
But even for a low threat model, I do not recommend installing anything in dom0, and never will.

At the end of the day, you decide the chain of trust of your installation.

1 Like

Totally valid points. But could you please elaborate on these points?:

What exactly is problematic about installing software (just that somebody planted malware targeted for QubesOS three years ago???)

I took a good look in the Qubes Docs but nowhere is written what packages in dom0 are updated.

I mean obviously, Qubes maintains its own repo, but where can I see what’s safe to install and what’s not?
Why are the Fedora repos not disabled by default???

Is it only safe to install software that is in Qubes OS Project · GitHub ?

1 Like

Your system is ‘probably’ not compromised. But now, there is a ‘probably’, ‘potentially’, etc.
You have changed the chain of trust of Qubes OS.
Now, Xen/Qubes team are no longer the first.

There is a list in Qubes Global Settings > version information.
But I guess that anything in dom0 can be updated if the Qubes team decides to.

It should be reasonably safe. That depends.
For example, i3 (window manager) is not developed by the Qubes project (neither is KDE).
But as it is in the official part of the documentation, I guess it has been reviewed (probably not everything).


I made my point, I think. I will let other people make theirs.
Would like to have @unman's point of view. And correct if mistakes were said.

1 Like

OK, I see. No, i3 and KDE have millions of lines, and I am sure your guess about Qubes OS Team being able to review 1000 fedora packages included in dom0 is wrong. And I doubt they have some unit-test for 1000 third-party packages included in dom0, too.

Also I am sure that nobody from the Team had time nor ability to review tons and tons of software that is considered to be OK to install in dom0 according to the official documentation. And it is fine, it is OK, because you still use Fedora in dom0 with 1000 packages that were also not reviewed that way.

Your assumption that installation of mc or bc or bash completion makes system less secure than installation of huge Desktop Environment cannot be true, obviously.

One should understand what one is doing and how the system works, and then blindly following some basic recommendations will not be necessary.