Disable root password on fedora-25-minimal (Qubes 4.0rc3)

51 views
Skip to first unread message

Fabrizio Romano Genovese

unread,
Jan 2, 2018, 12:26:27 PM1/2/18
to qubes-users
As in https://github.com/QubesOS/qubes-issues/issues/3157, by default the fedora minimal template will ask for a password while trying to perform any action as root. The rationale behind this is that the "ask/don't ask for root" policy should be customizable by the user.

...But how? I tried editing the /etc/shadow file to remove the root password, with no success whatsoever. I basically would like my minimal template to behave like any other, that is, to have a passwordless root. Any help would be greatly appreciated!

Thanks for your Time,
Fab

Tom Zander

unread,
Jan 2, 2018, 2:16:56 PM1/2/18
to qubes...@googlegroups.com, Fabrizio Romano Genovese
On Tuesday, 2 January 2018 18:26:27 CET Fabrizio Romano Genovese wrote:
> ...But how?

The naming is confusing as the root password is not really removed at all.
What happens is that a service called 'sudo' is configured to allow you to
do anything without a password.

Make sure you have this content at /etc/sudoers.d/qubes)

https://www.qubes-os.org/doc/vm-sudo/

also I suggest double checking that sudo is actually installed.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel

Unman

unread,
Jan 2, 2018, 3:10:15 PM1/2/18
to 'Tom Zander' via qubes-users, Fabrizio Romano Genovese
On Tue, Jan 02, 2018 at 08:16:49PM +0100, 'Tom Zander' via qubes-users wrote:
> On Tuesday, 2 January 2018 18:26:27 CET Fabrizio Romano Genovese wrote:
> > ...But how?
>
> The naming is confusing as the root password is not really removed at all.
> What happens is that a service called 'sudo' is configured to allow you to
> do anything without a password.
>
> Make sure you have this content at /etc/sudoers.d/qubes)
>
> https://www.qubes-os.org/doc/vm-sudo/
>
> also I suggest double checking that sudo is actually installed.
>

To install sudo you will, of course need root.

You can either use the method Marek details on that page, or use 'sudo xl
console <qube>'from dom0 to get root access.

Fabrizio Romano Genovese

unread,
Jan 2, 2018, 3:51:53 PM1/2/18
to qubes-users
Hello all,

Thanks for the replies! I have already installed sudo just doing

qvm-run -u root fedora-25-minimal xterm

as Marek suggested, and then installing sudo as I usually do via dnf. The problem is that now sudo asks for the root password anyway. If for instance I give

sudo dnf update

on a "standard" terminal shell, I will be prompted for a password.

I already checked at

https://www.qubes-os.org/doc/vm-sudo/

What I don't have there is the file and /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla. Should I add it?

Cheers,
Fab

Unman

unread,
Jan 2, 2018, 5:38:16 PM1/2/18
to Fabrizio Romano Genovese, qubes-users
Yes, if you want to maintain your minimal status you can manually
add/edit those files.

unman

Fabrizio Romano Genovese

unread,
Jan 3, 2018, 11:20:08 AM1/3/18
to qubes-users
Ok, so for future reference (I found the instructions in https://www.qubes-os.org/doc/vm-sudo/ to be not completely clear):

The files mentioned in the first part of https://www.qubes-os.org/doc/vm-sudo/, namely:

/etc/sudoers.d/qubes
/etc/polkit-1/rules.d/00-qubes-allow-all.rules
/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla

are to be created/edited in the VM, not in Dom0. This effectively solves the problem.

Reply all
Reply to author
Forward
0 new messages