On Mon, Feb 19, 2024 at 10:47:45PM +0100, PeakUnshift wrote:
> Hello,
>
> When using a GuiVM, several issues appear regarding permission errors. I
> created a topic on the forum and opened an issue:
> - https://forum.qubes-os.org/t/grant-full-admin-privileges-to-sys-gui-sys-gui-gpu/24368
> - https://github.com/QubesOS/qubes-issues/issues/8934
>
> My message here is more general about what privileges a GuiVM should have.
> Currently:
> - dom0 is not accessible from sys-gui, but we can CTRL+ALT+F2 to access a tty
>   or log back in to XFCE's dom0 session.
> - there is no way to access dom0 from sys-gui-gpu because the GPU is not
>   attached to it.
>
> Then, we need a way to get full admin privileges from the GuiVM:
> - Should we grant full admin privileges to the GuiVM?
> - Should we grant full admin privileges to a dedicated AdminVM?
> - Should we create multiple adminVMs for different tasks, but all together,
>   give full privileges?
> - Is it just a question of policies or is there other development needed in
>   order to execute dom0 commands from a domU?
>
> I'm aware that the GuiVM is still highly experimental; I'm trying to gather
> information in order to clarify the correct path to follow and thus help
> future contributions.
Generally, the goal is to have specific qrexec services for everything that
needs dom0 action, and then grant access to those based on some sensible
policy (in the default GuiVM case, the user controlling the GuiVM is fully in
control, but there can be a case where there is a separate management VM for
some tasks). It shouldn't be necessary to access the dom0 shell at all.

In the current implementation, several of those services are missing. We
collect them in this project:
https://github.com/orgs/QubesOS/projects/15/views/1

So, any missing part should get a ticket that we can add to the project above.

In the meantime, some access to the dom0 shell is likely useful - for sys-gui
you found it already, but for sys-gui-gpu probably the easiest way is to set
up something like qubes.VMShell. But remember it gives sys-gui-gpu unlimited
access to dom0 - be careful what you install in the template for that qube and
in the qube itself.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/Zda-gQMVJG9S69nY%40mail-itl.
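As an added example (not part of this thread and not Qubes' own tooling), a small policy audit that flags the kind of rule Marek warns about: a shell-equivalent service such as qubes.VMShell allowed from a qube into dom0, including rules redirected there with a `target=` parameter. The policy text, the list of shell-equivalent services and the 4.1-style column layout it parses are constructed assumptions for illustration.

```python
"""Audit a qrexec policy text for rules that hand a qube an unrestricted dom0 shell.

Constructed example: the policy text and the service list are illustrative,
not Qubes' own classification. Assumes the Qubes 4.1+ policy layout:
    service argument source target action [param=value ...]
"""
from collections import namedtuple

Rule = namedtuple("Rule", "lineno service argument source target action params")

# Services that amount to arbitrary command execution on the target (assumption).
SHELL_SERVICES = {"qubes.VMShell", "qubes.VMRootShell", "qubes.VMExec"}
ADMINVM_TARGETS = {"dom0", "@adminvm"}

SAMPLE_POLICY = """\
# /etc/qubes/policy.d/30-user.policy (constructed sample)
!include include/admin-global-ro
qubes.VMShell      *  sys-gui-gpu  dom0      allow
qubes.VMExec       *  sys-gui      @default  allow target=@adminvm
qubes.SetDateTime  *  sys-net      dom0      allow
qubes.FileCopy     *  @anyvm       @anyvm    ask
qubes.VMShell      *  @anyvm       dom0      deny
"""

def parse_policy(text):
    """Return the rules in a policy text; comments and '!' directives are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {n}: malformed rule {raw!r}")
        params = dict(p.split("=", 1) for p in fields[5:] if "=" in p)
        rules.append(Rule(n, *fields[:5], params))
    return rules

def effective_target(rule):
    """'allow target=X' overrides the target column, so audit the redirected one."""
    return rule.params.get("target", rule.target)

def find_shell_grants(text):
    """Rules that allow a shell-equivalent service to reach dom0 or @adminvm."""
    return [r for r in parse_policy(text)
            if r.action == "allow" and r.service in SHELL_SERVICES
            and effective_target(r) in ADMINVM_TARGETS]

if __name__ == "__main__":
    for r in find_shell_grants(SAMPLE_POLICY):
        print(f"line {r.lineno}: {r.source} gets unrestricted dom0 access via {r.service}")
```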