So you think that a real attacker (or any malware) will use su, or sudo to get root?
What you would get with that prompt is that you can "control" your own activity only, which leads to a false sense of security…
Did you read Automate vm sudo authorization setup · Issue #2695 · QubesOS/qubes-issues · GitHub and the following comments? From my interpretation of it…
Joanna, founder of Qubes got convinced that it is a good idea:
Automate vm sudo authorization setup · Issue #2695 · QubesOS/qubes-issues · GitHub
Solar Designer, security researcher is also convinced it helps.
@marmarek, Qubes lead developer, wants to implement it. The ticket is still open. I am interpreting this as Qubes would be interested in getting this implemented. It would be done faster if contributions were provided.
This is so far an argument from authority but hopefully valid in this case. But then when I look at the actual arguments made in the ticket, it makes sense to me.
Non-root enforcement is a long standing standard security feature of Android and iPhone. This is only a prerequisite or supporting feature of other features on top of it. References what inspires my viewpoint:
(Non-root enforcement can be and is abused as a user freedom restriction, but whether it's a security feature or a freedom restriction is a policy decision, not an inherent issue.)
Well Joanna was clear (at least to me) that root isolation would serve to protect Xen.
While undoubtedly Xen is the most critical point of Qubes, the whole idea is not about protecting Qubes. Otherwise tomorrow, hardening Whonix by Qubes developers (for example) could also be considered as "protecting Qubes". And the day after, hardening Windows by themselves again.
As I see it, it should be Xen and other distro developers to protect their OSs.
As Joanna wrote too, "most, or perhaps all of the XSAs that affected Qubes required root in the VM".
What this could tell us is that for the one who plans to attack Xen, he/she first has to realize how to attack and gain root. And the one who is able to attack Xen is for sure able to gain root.
I'm not advocating either option, I'm just noticing. Maybe it's better to spare energy and resources for further Qubes OS development itself.
Told ya! But most of the people here told me nah, the passwordless root is fine.
Well, let's think about a solution: how about a policy that asks if you want to do sudo in a certain VM?
I think you forgot to add "/s".
If you were being serious then I think you should reread the thread, since you seem to have missed key points.
Passwordless root is a convenience, and part of a trade-off between usability and security.
Attacks on Xen may require root. The point is that someone who has a Xen exploit will undoubtedly have a root escalation.
I remember Joanna's comment, and I have reread it since. I think it's a misinterpretation to think that she changed her mind. That comment is obviously her thinking through the options, not reaching conclusions.
Some years ago, there was a thread on this subject - Flogging a Dead Horse. I don't think the debate has moved on since.
If you don't like passwordless root, remove that package. That's all. Why people get so exercised about the issue is beyond me.
That's what is recommended instead.
I agree with Joanna. Some people are concerned that if a VM gets remotely hacked or runs malware, like through JavaScript, it could deanonymize the user. Remember Murphy's law: if something can happen, it will happen. We have also seen bugs that provide privilege escalation to give root access to malware. Even though they are fixed later with a patch, we have no way of knowing about zero-day vulnerabilities that provide privilege escalation to later gain root access. So there is no point in having a password.
Can somebody report how well the password prompt works (currently and in the future)?
https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt
This is exactly why I don't use "IF"s when computers are, but "WHEN"s instead. It heals…
Also I think removing the password makes things simpler. Simplicity is better than security.
Wait, isn't the main point of passwordful sudo to protect against physical attacks? If your user is remotely compromised, the attacker might keylog (or just wait for an opportunity indefinitely (assuming that they managed to survive shutdown, or you're unaware that you are compromised and get consistently compromised by the same mechanism))…
It works fine.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
No point in having a sudo password due to sudo password sniffing, there is however a Rationale for Protecting the Root Account / Strong Linux User Account Isolation.
The idea is to "break the exploit chain". User / root isolation is just one component building block among others. The concept of "break the exploit chain" is being elaborated here: