Continuing the discussion from "Now You're Thinking with Qubes":
one primary point of using minimals is to minimize attack surface in critical VMs like firewall and sys-net, etc
Moved this into its own topic as I believe this deserved its own conversation, as it is an often misunderstood advanced topic.
See also:
Also: If you have many templates that are used for one specific use case (read: need only one specific software) you save storage.
saving storage is to use a single (default) template.
anything other is using MORE storage…
The real - and number one - reason for me:
If less packages installed → much less frequent updates → less interruption for the given VM.
and you can also customize the template for your minimal services here.
and you can create separate "minimal services" backups as well.
But it is still using more disk space at the end of the day.
It would be less attack surface actually, means more security…
the less attack surface is really questionable…
How it is an attack surface if an application installed, but not even started, not even used?
(assume it is coming from the same repo, that you trust anyway)
After initial RCE you have many more options for privilege escalation.
only if you are not using the default passwordless sudo, right?
So - for me - it is not an additional attack surface at all.
but even with more strict settings, a compromised user account very likely can download any further exploits they want - unless you restrict the net access by a firewall vm (or by not assigning any netvm). But that's another topic, and surely not related to a minimal template.
so at the end, this is a very weak and questionable benefit. - that's how I see it.
Agree.
Tho i am very hesitant to install every software i ever want in one template and use that for anything, but i have multiple.
After 4.1 stable, i only use 1 minimal template for each distro and install everything there.
using dispvm all time, and configure firewall for each use. for me it's enough.
I really don't like having too many templates for each app, decreasing effectivity.
And this is only benign thing what "trusted" apps can do…
… and we don't need apps, but malicious "trusted" open source packages only, needed just to start the template…
It doesn't matter if an application is started, or used.
Most packages bring in libraries and associated packages, any one of
which might provide a foothold for an attacker. That's how the attack
surface increases, not just by bugs in running applications.
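Added example, not part of the original post: a sketch of how one installed application widens the set of code present in a template through its dependency closure, parsed from dpkg status stanzas. The stanza text and the package names `viewer-app`, `old-tool` and `libxml2-compat` are constructed for illustration, and only `Depends` is followed (not `Pre-Depends` or `Recommends`).

```python
import re

# Constructed sample in dpkg "status" stanza format (not from a real template).
SAMPLE_STATUS = """\
Package: libc6
Status: install ok installed

Package: zlib1g
Status: install ok installed
Depends: libc6

Package: libxml2
Status: install ok installed
Depends: libc6 (>= 2.34), zlib1g (>= 1:1.2.11)

Package: viewer-app
Status: install ok installed
Depends: libxml2 (>= 2.9) | libxml2-compat, zlib1g:any

Package: old-tool
Status: deinstall ok config-files
"""

def parse_status(text):
    """Return {package: [dependency names]} for installed packages only."""
    deps = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Status", "").endswith(" installed"):
            # Strip version constraints and arch qualifiers; keep every alternative.
            deps[fields["Package"]] = [
                re.split(r"[\s(:]", alt.strip(), maxsplit=1)[0]
                for clause in fields.get("Depends", "").split(",") if clause.strip()
                for alt in clause.split("|")]
    return deps

def closure(deps, root):
    """All installed packages reachable from root through Depends, root included."""
    seen, stack = set(), [root]
    while stack:
        pkg = stack.pop()
        if pkg in deps and pkg not in seen:
            seen.add(pkg)
            stack.extend(deps[pkg])
    return seen

def added_surface(deps, root, baseline):
    """Packages on disk because of root that a baseline template does not have."""
    return sorted(closure(deps, root) - set(baseline))
```

On a Debian-based template the same functions can be fed the contents of `/var/lib/dpkg/status`, with the baseline taken from the package list of the minimal template.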
Why Use Minimal Templates?
Even though minimal templates are, ceteris paribus, more secure, I contend that most novice users shouldn't try to use them. Why not? Because many novice users end up tying themselves in knots, breaking their own installations, and probably decreasing their own security through excessive tinkering. These users should first focus on learning the basics.
For some reason, minimal templates seem to be fetishized. That is, the amount of attention they receive, and the fervor with which users (especially novice users) pursue them, seems disproportionate to their value. This isn't to denigrate their value. Like any tool, they are precisely as useful as they are. As a matter of perception, however, many novice users seem to think they're far more important than they are, often to the point of conceiving of them as mandatory.
I see many new users jump immediately from installing Qubes to wanting to do advanced things that they think are mandatory for their privacy and security but that almost never really are. (If those things were truly mandatory, they would probably be included in the base installation by now.) These users often exhibit the attitude, "If I can't do this advanced thing, then I might as well not use Qubes at all." Of course, this is precisely backward. The bulk of the benefit comes from using Qubes at all, even in its default configuration. Everything after that is of comparatively minor benefit. In terms of the 80/20 principle, this would be like saying, "If I can't have the remaining 20%, then I might as well not have the first 80%." This is exactly what it means to make the perfect the enemy of the good.
There are always more things you can do for incremental increases in security. That doesn't mean the juice is always worth the squeeze. After a certain point, it's probably not, especially when excessive tinkering out of your depth jeopardizes prior fundamental security gains. Prioritizing security is, by its very nature, a conservative approach that's generally at odds with the more popular "move fast and break things" ethos. Neither one is inherently superior. Each has its place. But attempting to combine them in a single endeavor courts self-contradiction.
I feel somewhat guilty in having often advertised the advantages of debian-minimal without sufficiently pointing out that most of what I value can be done with the stock debian templates as well:
Or in other words, if there wouldn't be a debian-minimal I'd use debian proper instead of e.g. fedora-minimal. Qubes OS R4.1 makes it trivial now to choose Debian templates by default at installation time.
Well, I found that when I changed the firewall and network templates from full fat (and it had got fat) Debian to minimal it stopped a lot of errors on my slow (I/O) installation, when VMs would sometimes hang on startup. Plus the updates were a lot quicker.
This is of course all true, but I did not have the impression that novice users are pushed to use minimal templates. But it's a good thing to emphasize their advantages are much smaller than using Qubes vs a conventional OS. It's mentioned in the docs, but perhaps it could also link to more info (this post of yours?).
+1
Not being pushed, but often pushing themselves (or so it seems to me).
Sure: