Qubes does not pretend to be a multi-user system.
We originally discussed some possibilities of creating unprivileged
(multi) user account(s) in Dom0, so that e.g. user Alice didn't have
access to user's Bob's AppVMs. But Rafal immediately came up with a
dozen on of potential attack vectors from such unprivileged user
accounts to system admin (root), that we decided to give up on this. The
biggest problem here is that the Xen infrastructure, e.g. the Xen Daemon
(xend)'s management interface, has not been designed to allow for secure
control of Xen by an unprivileged user. So, there doesn't seem to be a
secure way to e.g. allow user Alice to talk to Xend in order to control
her VMs, but at the same time to not introduce huge attack surface that
might let her escalate to root.
Plus, there are many other avenues for a user that has physical access
to the machine to escalate themselves to root. E.g. they can boot system
in single user mode (this will be in the future prevented as a side
effect of using Intel TXT trusted boot). Or the user might insert a
Firewire/PCCARD and again gain full control over the system (this will
be in the future prevented via more fine-grained VT-d permissions and
isolated storage domain).
So, for the above reasons, we currently do not plan to implement support
for multi-users for Qubes. We just know it cannot be done securely in
We currently try to protect the user from various threats, rather than
protect the system from the user.
Obviously other OSes, like Windows or Mac, are not any better in terms
of multi-user security.
I'm not saying they're not solvable, but are currently not planning on
investing our efforts into this directions, as I think there are more
important things to do first.
But of course, if you have an idea of how to lock down xend, so that we
could grant securely access to it (and only to some operations) to an
unpriviliged user, we would most likely be willing to incorporate your
is there a way to connect to appvm console directly from qubes login screen? The reason for doing this is to give access to internet to other user while not giving him possibility to access anything else, he will be locked in virtual machine, neither usb copying will be allowed.
What is your opinion on this? What about security issues?
thanx for advice.