Why Use Minimal Templates?

Continuing the discussion from "Now You're Thinking with Qubes":

one primary point of using minimals is to minimize attack surface in critical VMs like firewall and sys-net, etc

Moved this into its own topic as I believe this deserved its own conversation, as it is an often misunderstood advanced topic.

See also:

1 Like

Also: If you have many templates that are used for one specific use case (read: need only one specific software) you save storage.

saving storage is to use a single (default) template.
anything other is using MORE storage… :wink:

The real - and number one - reason for me:
If fewer packages are installed → much less frequent updates → less interruption for the given VM.

and you can also customize the template for your minimal services here.
and you can create separate ‘minimal services’ backups as well.

But it is still using more disk space at the end of the day.

2 Likes

It would be less attack surface actually, means more security…

the less attack surface is really questionable…
How is it an attack surface if an application is installed, but not even started, not even used?
(assume it is coming from the same repo, that you trust anyway)

After initial RCE you have many more options for privilege escalation.

1 Like

Only if you are not using the default passwordless sudo, right?

So - for me - it is not an additional attack surface at all.

But even with more strict settings, a compromised user account very likely can download any further exploits they want - unless you restrict the net access by a firewall VM (or by not assigning any netvm). But that’s another topic, and surely not related to a minimal template.

So in the end, this is a very weak and questionable benefit - that’s how I see it.

1 Like

Agree.

Tho I am very hesitant to install every software I ever want in one template and use that for anything, but I have multiple.

After 4.1 stable, I only use 1 minimal template for each distro and install everything there.
Using dispvm all the time, and configuring the firewall for each use. For me it’s enough.

I really don’t like having too many templates for each app, decreasing effectiveness.

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

And this is only a benign thing that “trusted” apps can do…

… and we don’t need apps, but malicious “trusted” open source packages only, needed just to start the template…

It doesn’t matter if an application is started, or used.
Most packages bring in libraries and associated packages, any one of
which might provide a foothold for an attacker. That’s how the attack
surface increases, not just by bugs in running applications.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
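
The point above about packages pulling in libraries, as an added example that is not part of the original thread: it parses dpkg `status`-format stanzas and lists which installed packages exist only because of one application. The sample data and package names are constructed, and virtual packages (`Provides`) are ignored as a simplification.

```python
import re

# Constructed sample in dpkg "status" stanza format; package names are made up.
SAMPLE_STATUS = """\
Package: mediaplayer
Status: install ok installed
Depends: libcodec1 (>= 1:2.0), libgui3 | libgui2, libc6

Package: libcodec1
Status: install ok installed
Depends: libparse0, libc6

Package: libparse0
Status: install ok installed
Pre-Depends: libc6

Package: libgui3
Status: install ok installed
Depends: libfont1:any, libc6

Package: libfont1
Status: install ok installed

Package: libc6
Status: install ok installed

Package: oldtool
Status: deinstall ok config-files
Depends: libc6
"""

def parse_status(text):
    """Map each fully installed package to its dependency groups (lists of alternatives)."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        f = dict(re.findall(r"^([\w-]+):[ \t]*(.*)$", stanza, re.M))
        if not f.get("Status", "").endswith(" installed"):
            continue  # skip removed / config-files-only entries
        raw = ",".join(f.get(k, "") for k in ("Pre-Depends", "Depends"))
        # Drop version constraints "(>= 2.0)" and arch qualifiers ":any".
        pkgs[f["Package"]] = [[re.sub(r"\s*\(.*?\)|:\w+", "", a).strip() for a in g.split("|")]
                              for g in raw.split(",") if g.strip()]
    return pkgs

def closure(pkgs, root):
    """Installed packages reachable from root (virtual packages/Provides are ignored)."""
    seen, stack = set(), [root]
    while stack:
        name = stack.pop()
        if name not in seen and name in pkgs:
            seen.add(name)
            stack.extend(next((a for a in g if a in pkgs), g[0]) for g in pkgs[name])
    return seen

def added_by(pkgs, root, baseline):
    """Packages present only because of root, beyond what the baseline already needs."""
    base = set().union(*(closure(pkgs, b) for b in baseline))
    return sorted(closure(pkgs, root) - base)
```

On a Debian-based template the same functions can be run over the contents of `/var/lib/dpkg/status`, with the baseline set to the packages the qube's role actually requires.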

Even though minimal templates are, ceteris paribus, more secure, I contend that most novice users shouldn’t try to use them. Why not? Because many novice users end up tying themselves in knots, breaking their own installations, and probably decreasing their own security through excessive tinkering. These users should first focus on learning the basics.

For some reason, minimal templates seem to be fetishized. That is, the amount of attention they receive, and the fervor with which users (especially novice users) pursue them, seems disproportionate to their value. This isn’t to denigrate their value. Like any tool, they are precisely as useful as they are. As a matter of perception, however, many novice users seem to think they’re far more important than they are, often to the point of conceiving of them as mandatory.

I see many new users jump immediately from installing Qubes to wanting to do advanced things that they think are mandatory for their privacy and security but that almost never really are. (If those things were truly mandatory, they would probably be included in the base installation by now.) These users often exhibit the attitude, “If I can’t do this advanced thing, then I might as well not use Qubes at all.” Of course, this is precisely backward. The bulk of the benefit comes from using Qubes at all, even in its default configuration. Everything after that is of comparatively minor benefit. In terms of the 80/20 principle, this would be like saying, “If I can’t have the remaining 20%, then I might as well not have the first 80%.” This is exactly what it means to make the perfect the enemy of the good.

There are always more things you can do for incremental increases in security. That doesn’t mean the juice is always worth the squeeze. After a certain point, it’s probably not, especially when excessive tinkering out of your depth jeopardizes prior fundamental security gains. Prioritizing security is, by its very nature, a conservative approach that’s generally at odds with the more popular “move fast and break things” ethos. Neither one is inherently superior. Each has its place. But attempting to combine them in a single endeavor courts self-contradiction.

7 Likes

I feel somewhat guilty in having often advertised the advantages of debian-minimal without sufficiently pointing out that most of what I value can be done with the stock debian templates as well:

  • stable environment is a property of Debian
  • less frequent updates is a property of Debian
  • less frequent EOL is a property of Debian
  • one qube per app can be done with stock Debian too

Or in other words, if there wouldn’t be a debian-minimal I’d use debian proper instead of e.g. fedora-minimal. Qubes OS R4.1 makes it trivial now to choose Debian templates by default at installation time.

1 Like

Well, I found that when I changed the firewall and network templates from full fat (and it had got fat) Debian to minimal it stopped a lot of errors on my slow (I/O) installation, when VMs would sometimes hang on startup. Plus the updates were a lot quicker.

This is of course all true, but I did not have the impression that novice users are pushed to use minimal templates. But it’s a good thing to emphasize that their advantages are much smaller than using Qubes vs a conventional OS. It’s mentioned in the docs, but perhaps it could also link to more info (this post of yours?).

1 Like

+1

Not being pushed, but often pushing themselves (or so it seems to me).

Sure:

3 Likes