Home Explore Help
Sign In
Qubes
/
core-agent-linux
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
core-agent-linu...
/
passwordless-root
/
qubes.sudoers

qubes.sudoers 2.3 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748 
  1. Defaults !requiretty
    2. 

  2. %qubes ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t NOPASSWD: ALL
    3. 

  3. 

  4. # WTF?! Have you lost your mind?!
    5. 

  5. #
    6. 

  6. # In Qubes VMs there is no point in isolating the root account from
    7. 

  7. # the user account. This is because all the user data are already
    8. 

  8. # accessible from the user account, so there is no direct benefit for
    9. 

  9. # the attacker if she could escalate to root (there is even no benefit
    10. 

  10. # in trying to install some persistent rootkits, as the VM's root
    11. 

  11. # filesystem modifications are lost upon each start of a VM).
    12. 

  12. #
    13. 

  13. # One might argue that some hypothetical attacks against the
    14. 

  14. # hypervisor or the few daemons/backends in Dom0 (so VM escape
    15. 

  15. # attacks) most likely would require root access in the VM to trigger
    16. 

  16. # the attack.
    17. 

  17. #
    18. 

  18. # That's true, but mere existence of such a bug in the hypervisor or
    19. 

  19. # Dom0 that could be exploited by a malicious VM, no matter whether
    20. 

  20. # requiring user, root, or even kernel access in the VM, would be
    21. 

  21. # FATAL. In such situation (if there was such a bug in Xen) there
    22. 

  22. # really is no comforting that: "oh, but the mitigating factor was
    23. 

  23. # that the attacker needed root in VM!" We're not M$, and we're not
    24. 

  24. # gonna BS our users that there are mitigating factors in that case,
    25. 

  25. # and for sure, root/user isolation is not a mitigating factor.
    26. 

  26. #
    27. 

  27. # Because, really, if somebody could find and exploit a bug in the Xen
    28. 

  28. # hypervisor -- as of 2016, there have been only three publicly disclosed
    29. 

  29. # exploitable bugs in the Xen hypervisor from a VM -- then it would be
    30. 

  30. # highly unlikely that that person couldn't also find a user-to-root
    31. 

  31. # escalation in the VM (which as we know from history of UNIX/Linux
    32. 

  32. # happens all the time).
    33. 

  33. #
    34. 

  34. # At the same time allowing for easy user-to-root escalation in a VM
    35. 

  35. # is simply convenient for users, especially for update installation.
    36. 

  36. #
    37. 

  37. # Currently this still doesn't work as expected, because some idotic
    38. 

  38. # piece of software called PolKit uses own set of policies. We're
    39. 

  39. # planning to address this in Beta 2. (Why PolKit is an idiocy? Do a
    40. 

  40. # simple experiment: start 'xinput test' in one xterm, running as
    41. 

  41. # user, then open some app that uses PolKit and asks for root
    42. 

  42. # password, e.g.  gpk-update-viewer -- observe how all the keystrokes
    43. 

  43. # with root password you enter into the "secure" PolKit dialog box can
    44. 

  44. # be seen by the xinput program...)
    45. 

  45. #
    46. 

  46. # joanna.
    47. 

  47. 

  48. # vim: ft=sudoers
    49.