Security benefits of rootless template VMs
72 views
Skip to first unread message
Alex Lu
Jul 10, 2020, 4:18:30 AM7/10/20
to qubes...@googlegroups.com
I've been thinking about splitting my templateVMs into a bunch of
smaller ones with no root access where I don't need it. Is having like 5
templateVMs 4 of which have no root is better than having 1 templateVM
which have root and in charge of every appVM? Or there is no security
benefits considered I never do anything in templateVMs, besides
installing packages, all of which are from official repos?
Alex
smaller ones with no root access where I don't need it. Is having like 5
templateVMs 4 of which have no root is better than having 1 templateVM
which have root and in charge of every appVM? Or there is no security
benefits considered I never do anything in templateVMs, besides
installing packages, all of which are from official repos?
Alex
unman
Jul 12, 2020, 8:35:59 AM7/12/20
to qubes...@googlegroups.com
will be more difficult for the attacker to use root commands.
The Qubes position is that this benefit is illusory, in that if an
attacker is able to compromise your qube in the first place they will be
able to get root, even if `su` is not available.
Take a look at /etc/sudoers.d/qubes.
That said, there is a clear benefit in using multiple templates, in that
you reduce the attack surface of each qube. Base your templates off
minimal templates and only install the packages you need for qubes that
will use that template.
unman
dmoe...@gmail.com
Jul 12, 2020, 12:36:20 PM7/12/20
to qubes-users
On Friday, July 10, 2020 at 4:18:30 AM UTC-4, Alex Lu wrote:
Is having like 5 templateVMs 4 of which have no root is better than having 1 templateVM
which have root and in charge of every appVM?
There is one potential disadvantage to this setup: Will you actually bother to keep all those templates updated? Especially if some of them have no root, some have sudo prompts, and some have sudo access without prompts, it starts to become a real pain. You have to keep in mind the human cost to managing this kind of complexity, even with nice new tools like Qubes Update.
799
Jul 13, 2020, 2:23:07 AM7/13/20
to dmoe...@gmail.com, qubes-users
Hello,
The problem having to update several templates can easily be solved by invoking a script in dom0.
It will update the template even if sudo is not installed because of the option --user=root within the command line.
Try it out:
---- 8< ----- snip ------ ------
| #!/bin/bash |
| # update-all.sh - Update all Template-VMs |
| # Update dom0 |
| sudo qubes-dom0-update |
| # Update all Fedora templates |
| echo "[ Updating Fedora Templates ]" |
| for i in `qvm-ls | grep Template | grep t-fedora | gawk '{ print $1 }'`; |
| do |
| echo |
| echo "Updating $i ..." |
| qvm-run --auto --user root --pass-io $i 'dnf -y update'; |
| qvm-shutdown $i; |
| echo "... done." |
| done |
| # Update all Debian Templates |
| echo "[ Updating Debian Templates ]" |
| for i in `qvm-ls | grep Template | grep t-debian | gawk '{ print $1 }'`; |
| do |
| echo |
| echo "Updatung $i ..." |
| qvm-run --auto --user root --pass-io $i 'apt-get update && apt-get -y upgrade'; |
| qvm-shutdown $i; |
| echo "... done." |
| done |
| # Update Whonix Templates |
| echo "[ Updating Whonix Templates ]" |
| for i in `qvm-ls | grep Template | grep whonix | gawk '{ print $1 }'`; |
| do |
| echo |
| echo "Updatung $i ..." |
| qvm-run --auto --user root --pass-io $i 'apt-get update && apt-get -y upgrade'; |
| qvm-shutdown $i; |
| echo "... done." |
---- 8< ----- snip ------ ------
Regards
799
Reply all
Reply to author
Forward
0 new messages