Tails OS deliberately disables root access by default to increase security. Removing root privileges makes privilege escalation attacks such as zero‑click exploits much harder because malicious code cannot obtain administrator rights. While this reduces the attack surface, vulnerabilities in regular privilege applications can still be exploited, allowing an attacker to operate within those limits. Privilege escalation remains possible if there are bugs that permit code execution with higher privileges. Therefore, removing root does not eliminate all risk. Since Tails removes root to gain this security benefit, why doesn’t Qubes OS optionally use the same approach for its AppVMs or disposable templates when performing particularly sensitive operations?
Do Qubes developers consider this a worthwhile hardening measure?
Is it a valid security enhancement?
I tested the root_annihilator script to strip root access in AppVMs and Disposable VMs using the procedure below:
What improvements could be made to the script so that it matches or exceeds the “no‑root” mode used by Tails?
Any suggestions would be appreciated.
Procedure I Followed
In the target AppVM or Disposable Template, clone the VM to create a backup.
Edit /rw/config/rc.local inside the VM:
sudo nano /rw/config/rc.local
Copy and paste the contents of the script located at:
Save the file and reboot the system.
On each boot, /rw/config/rc.local runs the root_annihilator script.
Result
Root can no longer be used to run arbitrary scripts or perform privileged tasks, but it is still possible to execute updates with sudo, for example:
sudo apt update
sudo apt upgrade
Is it possible to completely eliminate this capability? Or is it safe enough to leave it as is?
Why I Back Up the VM
Modifying /rw/config/rc.local becomes impossible once the VM boots without root, because the script disables root. To edit the file again, I would need to mount the VM’s disk partition from another environment and manually change the script, something that is far more cumbersome than simply restoring the cloned backup.
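As an added illustration of the procedure above (my own example, not the root_annihilator script from the post and not Qubes' own code), here is a minimal /rw/config/rc.local body for a Debian-based AppVM that removes the in-VM routes to root on every boot. It has to run at each boot because an AppVM's root filesystem is taken from the template and discarded at shutdown; only /rw persists, and qubes-core-agent runs rc.local as root before the user session starts. The paths of the sudoers drop-in and the polkit rule, and the list of setuid binaries, are assumptions to check against your template before relying on them. The functions take a directory prefix so the filesystem part can be exercised against a scratch directory; the root account is only locked when the prefix is the live root.

```sh
#!/bin/sh
# Example /rw/config/rc.local body (added example, not the post's script).
#
# Assumed file locations (verify in your template):
#   /etc/sudoers.d/qubes                           - NOPASSWD rule from qubes-core-agent-passwordless-root
#   /etc/polkit-1/rules.d/00-qubes-allow-all.rules - polkit allow-all rule assumed to ship with it
#
# Root commands sent from dom0 with `qvm-run -u root` keep working: they go
# through qrexec-agent, which already runs as root and never touches sudo.

# Files that grant the unprivileged user passwordless root.
ROOT_GRANT_FILES="
/etc/sudoers.d/qubes
/etc/polkit-1/rules.d/00-qubes-allow-all.rules
"

# Setuid binaries that can hand out root; their setuid bit is dropped.
SETUID_BINARIES="
/usr/bin/sudo
/usr/bin/su
/usr/bin/pkexec
"

# strip_root [PREFIX]: remove the grant files and setuid bits under PREFIX
# ("" or omitted = the running system). Locks root only on the live system.
strip_root() {
    prefix=${1:-}
    for f in $ROOT_GRANT_FILES; do
        rm -f "$prefix$f"
    done
    for b in $SETUID_BINARIES; do
        if [ -e "$prefix$b" ]; then
            chmod u-s "$prefix$b"
        fi
    done
    if [ -z "$prefix" ]; then
        # Lock the root password so `su` fails as well.
        passwd -l root >/dev/null 2>&1 || true
    fi
}

# root_reachable [PREFIX]: returns 0 when no in-VM route to root remains,
# 1 when a grant file or a setuid binary is still present.
root_reachable() {
    prefix=${1:-}
    for f in $ROOT_GRANT_FILES; do
        if [ -e "$prefix$f" ]; then
            return 1
        fi
    done
    for b in $SETUID_BINARIES; do
        if [ -u "$prefix$b" ]; then
            return 1
        fi
    done
    return 0
}

# Act on the live system only when run as rc.local, not when sourced.
if [ "${0##*/}" = "rc.local" ]; then
    strip_root ""
    root_reachable "" || echo "rc.local: some route to root survived" >&2
fi
```

After this runs, `sudo apt update` in the VM fails because sudo is no longer setuid and the NOPASSWD rule is gone; updates then have to be driven from dom0 (for example `qvm-run -u root -p <vm> 'apt-get update'`), and so does any later edit of /rw/config/rc.local, which is why keeping a clone of the VM, as the post does, is the easy way back.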
Why should Qubes OS remove root access, and where?
Inside AppVMs it makes no sense, because you cannot alter the system in any way.
Inside templates, how should an attacker get access if the template has no network at all?
Qubes OS uses a completely different approach to hardening than (for example) Tails. On the contrary, in Qubes OS AppVMs passwordless root is the default (and makes sense).
You can read the explanation from Joanna (one of the founders of this OS) in every qube under
/etc/sudoers.d/qubes
You can remove the passwordless-root package from any template you like; then you don’t have root access at all (because root has an unknown random password). Then you can only execute commands that require root access from dom0 in that VM or template (as Whonix does).
Scenario A: A random user without technical knowledge could install a repository or run a bash script that contains malicious code, and then this code could give an attacker the ability to reach the internet. His post is about removing root from AppVMs and DispVMs; his idea is really amazing, I like it!
Scenario B: A random user without technical knowledge about how Qubes works could think that, to update his template and install software, he must connect the template to sys-firewall.
Scenario B happened to me the first time I installed Qubes: I thought I had to link my template to sys-firewall. I think the Qubes OS developers must create a warning that appears after the first installation about that.
You could say “People must read the doc before doing anything”, but today people are too lazy to read anything. So yeah, his post is really interesting, thanks @leandroibov
But an AppVM or DisposableVM, if it is compromised through an existing vulnerability via zero‑click, zero‑day attacks, malicious links, etc., and the attacker needs root privileges to complete the intrusion—considering that these compromises require root access—then, because root exists, the attacker will be able to control the AppVM and obtain data or cause damage to the AppVM or DisposableVM while it is running. During that time the attack could cause harm, steal data, etc. In both cases, the presence of root allowed the intrusion and enabled various damages, even though with a DisposableVM the damage is only temporary. If root access were not available, such attacks could be prevented, since the intrusions required root. Therefore, an AppVM or DisposableVM without root would block this kind of root‑level intrusion and prevent the resulting damage. So don’t we gain additional security this way? A supply‑chain attack on a Debian or Fedora repository used for the templates, which also requires root access, might be stopped if root were disabled in the AppVM or DisposableVM, saving the victim from having data stolen. Would eliminating root, as Tails does, be beneficial? The root_annihilator script works on a regular Linux system, but in Qubes it works only partially, likely because each Qube has its own configuration under /etc/sudoers.d/qubes.
@leandroibov, I really don’t understand what you are trying to achieve here, like with your previous script. The docs could answer some if not all your questions:
I suggest that you take a look at the Qubes OS architecture, to understand the goals of this OS (very different from Tails OS). Whonix and Kicksecure wikis might also be useful.
As @murdock pointed out, there is already a very convenient way to remove root access. Instead, you are providing a script that should be downloaded from the internet and executed as root to prevent users from using scripts that should be downloaded from the internet and executed as root. That’s a bit ironic, don’t you think?
You don’t get the point of his script at all… and I don’t understand why you are talking about the goal of Tails? He’s trying to make Qubes more secure and safe, which is… the goal of Qubes?
You’re right, but some users are using the “full” template instead of the minimal one because they’re scared to deal with potential issues or they don’t have the technical knowledge, so again his post is really useful for those users.
You don’t fully understand the Qubes architecture. And foolish new users who install scripts in templates or in dom0 (where the network settings for templates are) will not use Qubes OS (such newcomers use Linux Mint and Ubuntu). Tails remains a far less secure system because it is a monolithic OS with no isolation at all, and their task is to somehow solve this problem. If you want to use an AppVM and DVM without sudo‑root, just use Whonix and Kicksecure AppVMs.
But your guide will also be useful for those who want maximum user isolation, if this way really works in Debian/Fedora AppVMs.