Qubes service attack surface considerations with Whonix's sysmaint mode


Aaron Rainbolt

Oct 29, 2025, 12:25:34 AM (3 days ago) Oct 29
to qubes...@googlegroups.com
For a while now, Whonix has had a feature called "user-sysmaint-split",
which attempts to reduce the attack surface present during typical
system use by making it impossible to run `sudo` or `pkexec` when
logged in using an account other than `sysmaint` (or `root`, of
course). To access `sudo` and `pkexec`, one has to reboot into a
special "sysmaint mode". Whonix 17 had this feature, but in Qubes OS
R4.2 it mostly just required that users install software by launching a
root terminal in the appropriate qube using either a dispvm console or
qvm-run. No one ever actually booted into sysmaint mode under R4.2.

In R4.3, we now have the boot modes feature that allows users to boot
into either user or sysmaint modes as they see fit, with Whonix AppVMs
defaulting to user mode and Whonix templates defaulting to sysmaint
mode. One of the features of sysmaint mode is that services that aren't
considered essential for administering the system are intentionally not
started when booted in sysmaint mode. (This way services like `nginx`,
for instance, can't become compromised and then attempt to elevate their
permissions to root by compromising an application running under the
sysmaint user account, which could be a possibility since some
applications, including X11, open ports or UNIX sockets that are
world-writable.) Only whitelisted services are allowed to start.

This brought up a question: are there *any* services shipped as part of
Qubes OS's template "additions" that should not be run during a
sysmaint session? Right now only a few are whitelisted, but from
looking at what services aren't running in a sysmaint session, it seems
a lot of the Qubes services that are getting skipped now
(qubes-firewall.service, qubes-network-uplink.service,
qubes-rootfs-resize.service, maybe qubes-sync-time.service and
qubes-update-check.timer) really should be getting run. Rather than
going through these on a case-by-case basis, would it be better to just
say "if the service is shipped by a Qubes package and is enabled, run
it even in sysmaint mode"? Or are there some services that might
provide some level of attack surface that could reasonably be kept off
in sysmaint mode? I suspect all services should always be enabled.

--
Aaron
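The message above proposes the rule "if the service is shipped by a Qubes package and is enabled, run it even in sysmaint mode". The script below, an added example that is not part of the original post or of Qubes OS or Whonix, enumerates the set of units that rule would select on a Debian-based (e.g. Whonix) template: it lists enabled service and timer units, resolves each to its owning package with `dpkg -S`, and keeps those owned by a package whose name starts with `qubes-`. The package names in the usage comment and in the test data are constructed; the script itself only relies on `systemctl` and `dpkg`.

```shell
#!/bin/sh
# Added example (not from the original post or from Qubes OS/Whonix): list
# enabled systemd units shipped by Qubes packages in a Debian-based template.
# Assumes dpkg and systemctl are available; the "qubes-" package prefix is
# an assumption about Qubes package naming used as the selection criterion.

# Keep only "unit<TAB>package" lines whose package name starts with "qubes-".
# Reads such lines on stdin and writes the matching unit names to stdout.
filter_qubes_units() {
    awk -F'\t' '$2 ~ /^qubes-/ { print $1 }'
}

# Resolve every enabled service/timer unit to its owning Debian package and
# emit "unit<TAB>package" lines. Units no package owns (e.g. a locally created
# unit under /etc/systemd/system) get "-" as their package so the filter above
# leaves them out.
enabled_units_with_owner() {
    systemctl list-unit-files --state=enabled --no-legend --type=service,timer \
    | awk '{ print $1 }' \
    | while IFS= read -r unit; do
        path=$(systemctl show -p FragmentPath --value "$unit")
        pkg=$(dpkg -S "$path" 2>/dev/null | head -n 1 | cut -d: -f1)
        # On merged-/usr systems dpkg may have recorded /lib/... rather than
        # /usr/lib/...; retry with the /usr prefix stripped before giving up.
        if [ -z "$pkg" ] && [ "${path#/usr/}" != "$path" ]; then
            pkg=$(dpkg -S "/${path#/usr/}" 2>/dev/null | head -n 1 | cut -d: -f1)
        fi
        printf '%s\t%s\n' "$unit" "${pkg:--}"
    done
}

# Usage (inside a template): sh list-qubes-units.sh --scan
# Expected shape of the output (constructed illustration, real names vary):
#   qubes-firewall.service
#   qubes-update-check.timer
if [ "$1" = "--scan" ]; then
    enabled_units_with_owner | filter_qubes_units
fi
```

Running this in a template booted normally and comparing the result with `systemctl list-units --state=running` from a sysmaint session is a quick way to see exactly which Qubes-shipped units the current whitelist is skipping; the `--scan` guard keeps the system calls out of the way when the file is only sourced for its functions.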