On Fri, Mar 10, 2017 at 05:01:32PM -0800, andres...@gmail.com wrote:
> Hello!
> 
> The "open" root behavior seems a little strange to me too. But, thinking 
> coldly, what would change in your scenario if root was protected?
> 
> The attacker would not be able to modify /usr/bin/audacious, or install 
> muhbackdoorz to system. But she/he could still delete all your home data, or 
> send it through web, or install something inside home and add it to .bashrc, 
> or ...
> 
> Considering all important data in a DomU is owned by one user, and neither 
> root nor the non-root user can leave DomU, the damage caused by any of them 
> seems almost the same.
> 
> More info:
> https://www.qubes-os.org/doc/vm-sudo/
> 
> 
> Regards!
> 

Many people find this a strange aspect of Qubes - but this is right.
What exactly does an attacker gain by being able to su root? All the
qubes data is already accessible.

OP should fill in the detail in explaining how the absence of a root
password makes their scenario "more trivial to perform and more
dangerous".

In fact, correct use of mail qubes makes compromise extremely unlikely -
e.g. configuring mailcaps to open files in disposableVMs, using limited
or text-only mail readers, actually reading the mail in a network
isolated qube, using separate qubes for different mail activities and
personas, using custom mini templates; all these can be simply done.

Of course, "unlikely" doesn't mean "impossible". But the point is that
implementing qubes isolation means that the effects of compromise can be
restricted and contained. So yes, in a very real sense, it doesn't matter
to me if the qube where I collect mail (which isn't the qube where I
read it) is compromised in some way.

Incidentally, it's possible to run a tool like Tripwire against the
template and run it during extended sessions for individual qubes, and
to run it against /rw also, should you wish.

One final point OP - it isn't clear to me that you understand how
TemplateBased qubes work: apologies if you do. There are very limited
parts of the file system which aren't rewritten on every boot. And in
fact if you make substantial use of disposableVMs then the whole of the
file system is indeed rebuilt every time it is needed.

Oh, and, of course, if you really want to use a password to get to root,
the mechanism for implementing that is set out on the page in the docs.

unman
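As an added example, not from this thread and not the Qubes project's own code: a shell function that writes the kind of mailcap unman refers to, handing every attachment to a DisposableVM via qvm-open-in-dvm (the command available inside Qubes AppVMs), plus a check that no entry opens a file in the mail qube itself. The MIME types listed are my assumption; extend them to whatever your mail reader would otherwise open in place.

```shell
#!/bin/sh
# Write a mailcap that dispatches attachments to a DisposableVM rather than
# opening them in the mail qube. Inside a Qubes AppVM, qvm-open-in-dvm copies
# the file to a fresh DisposableVM, opens it there, and copies it back if
# it was edited. The MIME type list below is an illustrative assumption.
write_dvm_mailcap() {
    target="$1"
    cat > "$target" <<'EOF'
# mailcap entry format: type/subtype; command
# %s is replaced by the path of the saved attachment.
# Specific types first; the mail reader uses the first matching entry.
application/pdf;          qvm-open-in-dvm %s
application/msword;       qvm-open-in-dvm %s
application/zip;          qvm-open-in-dvm %s
application/octet-stream; qvm-open-in-dvm %s
text/html;                qvm-open-in-dvm %s
image/*;                  qvm-open-in-dvm %s
# Catch-all so a new application/* type never falls through to a local viewer.
application/*;            qvm-open-in-dvm %s
EOF
}

# Return 0 if every non-comment, non-blank entry in the mailcap dispatches to
# qvm-open-in-dvm, 1 if any entry would open the attachment in place.
check_dvm_mailcap() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -vq 'qvm-open-in-dvm' && return 1
    return 0
}

# Usage (in the mail qube, or better in its template so it persists):
#   write_dvm_mailcap "$HOME/.mailcap" && check_dvm_mailcap "$HOME/.mailcap"
```

mutt reads ~/.mailcap by default; other readers may need their mailcap path pointed at the file.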

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170311025506.GB19792%40thirdeyesecurity.org.