qubes.sudoers 2.3 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546
  1. user ALL=(ALL) NOPASSWD: ALL
  2. # WTF?! Have you lost your mind?!
  3. #
  4. # In Qubes VMs there is no point in isolating the root account from
  5. # the user account. This is because all the user data are already
  6. # accessible from the user account, so there is no direct benefit for
  7. # the attacker if she could escalate to root (there is even no benefit
  8. # in trying to install some persistent rootkits, as the VM's root
  9. # filesystem modifications are lost upon each start of a VM).
  10. #
  11. # One might argue that some hypothetical attacks against the
  12. # hypervisor or the few daemons/backends in Dom0 (so VM escape
  13. # attacks) most likely would require root access in the VM to trigger
  14. # the attack.
  15. #
  16. # That's true, but mere existence of such a bug in the hypervisor or
  17. # Dom0 that could be exploited by a malicious VM, no matter whether
  18. # requiring user, root, or even kernel access in the VM, would be
  19. # FATAL. In such situation (if there was such a bug in Xen) there
  20. # really is no comforting that: "oh, but the mitigating factor was
  21. # that the attacker needed root in VM!" We're not M$, and we're not
  22. # gonna BS our users that there are mitigating factors in that case,
  23. # and for sure, root/user isolation is not a mitigating factor.
  24. #
  25. # Because, really, if somebody could find and exploit a bug in the Xen
  26. # hypervisor -- so far there have been only one (!) publicly disclosed
  27. # exploitable bug in the Xen hypervisor from a VM, found in 2008,
  28. # incidentally by one of the Qubes developers (RW) -- then it would be
  29. # highly unlikely if that person couldn't also found a user-to-root
  30. # escalation in VM (which as we know from history of UNIX/Linux
  31. # happens all the time).
  32. #
  33. # At the same time allowing for easy user-to-root escalation in a VM
  34. # is simply convenient for users, especially for update installation.
  35. #
  36. # Currently this still doesn't work as expected, because some idotic
  37. # piece of software called PolKit uses own set of policies. We're
  38. # planning to address this in Beta 2. (Why PolKit is an idiocy? Do a
  39. # simple experiment: start 'xinput test' in one xterm, running as
  40. # user, then open some app that uses PolKit and asks for root
  41. # password, e.g. gpk-update-viewer -- observe how all the keystrokes
  42. # with root password you enter into the "secure" PolKit dialog box can
  43. # be seen by the xinput program...)
  44. #
  45. # joanna.