Whonix-gw: trouble after disabling passwordless root access


fiftyfour...@gmail.com

Aug 4, 2020, 2:29:46 PM
to qubes-users
Hi all,

Sorry for the recent spam--I've been spending a lot more time with Qubes and coming across issues that I haven't seen mentioned here yet. 

Here's another one:

If you disable passwordless root access in whonix-gw, tor control panel (accessed by right clicking the sw-date tray icon) stops working entirely, and whonix-ws will cause whonix-gw to continually spam you with dom0 sudo prompts if you enabled that. Ignoring them and dragging them off to another workspace hasn't caused any issues, but it's still annoying to deal with. 

Has anyone else had this experience or have any suggestions?

Qubes

Aug 4, 2020, 5:29:49 PM
to qubes...@googlegroups.com
Leave passwordless root enabled on whonix-gw?

fiftyfour...@gmail.com

Aug 4, 2020, 10:21:33 PM
to qubes-users
I had a feeling someone would give that answer, but let's assume that's not an option. 

fiftyfour...@gmail.com

Aug 5, 2020, 12:12:28 PM
to qubes-users
Problem seems to have gone away after using configure-sudo-prompt from tasket's qubes-vm-hardening on a fresh installation of qubes-template-whonix-gw-15

Qubes

Aug 5, 2020, 12:37:08 PM
to qubes...@googlegroups.com
What risk(s) are you mitigating by disabling passwordless root?

fiftyfour...@gmail.com

Aug 5, 2020, 11:48:41 PM
to qubes-users
On Thursday, 6 August 2020 00:37:08 UTC+8, Qubes wrote:
> What risk(s) are you mitigating by disabling passwordless root?

You should look at this the other way around--what do I stand to lose by keeping passwordless root? If I can take a low-cost step that would dramatically raise the cost for would-be attackers, wouldn't it be a prudent step to take? Besides, even Joanna herself backtracked on her claim that passwordless root is the best option (forgot where I read it, but I definitely did).

Chris Laprise

Aug 6, 2020, 5:36:05 AM
to fiftyfour...@gmail.com, qubes-users
IIRC she gave some indication that guest VMs shouldn't be defenseless
internally.

My own philosophy (which prompted me to create Qubes-VM-hardening) is
that if we're going to have these VMs running regular OSes, they should
at least have their normal security or some equivalent intact. And also
that the combination of normal security and Qubes security should yield
extra benefits, which I think Qubes-VM-hardening does.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

fiftyfour...@gmail.com

Aug 6, 2020, 10:24:38 AM
to qubes-users


On Thursday, 6 August 2020 17:36:05 UTC+8, Chris Laprise wrote:
> IIRC she gave some indication that guest VMs shouldn't be defenseless
> internally.


Found it!

> There might be potential attacks against the hypervisor or daemons/backends in dom0 that require root access. Qubes founder Joanna Rutkowska initially assessed there was limited benefit from isolating the root account from the user account, because all user data is already accessible from the latter [archive]. However, she later changed her opinion on the matter; see here [archive].



The Whonix documentation for Qubes is actually generally applicable beyond Whonix--I highly recommend anyone interested in securing their computers look around the Whonix wiki (i.e. basically everyone reading this). The page I linked is a good starting point. Kudos to the Whonix Wiki maintainer.


> My own philosophy (which prompted me to create Qubes-VM-hardening) is
> that if we're going to have these VMs running regular OSes, they should
> at least have their normal security or some equivalent intact. And also
> that the combination of normal security and Qubes security should yield
> extra benefits, which I think Qubes-VM-hardening does.

This is what baffles me about some people's mindsets--if they prize security so much that they take the time and trouble to install and learn Qubes--no small feat for most of us--why not go a bit further and batten down the hatches of their VMs? It's usually a one-time investment that requires little to no maintenance with a huge payoff with regard to their goal (which I presume is secure computing). Kudos to you for making this process a heck of a lot easier for non-technical people, like me.

fiftyfour...@gmail.com

Aug 7, 2020, 7:57:44 AM
to qubes-users
On Thursday, 6 August 2020 22:24:38 UTC+8, 54th Parallel wrote:

> There might be potential attacks against the hypervisor or daemons/backends in dom0 that require root access. Qubes founder Joanna Rutkowska initially assessed there was limited benefit from isolating the root account from the user account, because all user data is already accessible from the latter [archive]. However, she later changed her opinion on the matter; see here [archive].


Upon reading that more carefully, I realized that it's explicitly about dom0, but I think the general concept applies to other VMs as well. 