For a while now, Whonix has had a feature called "user-sysmaint-split", which attempts to reduce the attack surface present during typical system use by making it impossible to run `sudo` or `pkexec` when logged in using an account other than `sysmaint` (or `root`, of course). To access `sudo` and `pkexec`, one has to reboot into a special "sysmaint mode". Whonix 17 had this feature, but in Qubes OS R4.2 it mostly just required that users install software by launching a root terminal in the appropriate qube using either a dispvm console or qvm-run. No one ever actually booted into sysmaint mode under R4.2.
In R4.3, we now have the boot modes feature that allows users to boot into either user or sysmaint modes as they see fit, with Whonix AppVMs defaulting to user mode and Whonix templates defaulting to sysmaint mode. One of the features of sysmaint mode is that services that aren't considered essential for administering the system are intentionally not started when booted in sysmaint mode. (This way services like `nginx` for instance can't become compromised and then attempt to elevate their permissions to root by compromising an application running under the sysmaint user account, which could be a possibility since some applications, including X11, open ports or UNIX sockets that are world-writable). Only whitelisted services are allowed to start.

This brought up a question: are there *any* services shipped as part of Qubes OS's template "additions" that should not be run during a sysmaint session? Right now only a few are whitelisted, but from looking at what services aren't running in a sysmaint session, it seems a lot of the Qubes services that are getting skipped now (qubes-firewall.service, qubes-network-uplink.service, qubes-rootfs-resize.service, maybe qubes-sync-time.service and qubes-update-check.timer) really should be getting run. Rather than going through these on a case-by-case basis, would it be better to just say "if the service is shipped by a Qubes package and is enabled, run it even in sysmaint mode"? Or are there some services that might provide some level of attack surface that could reasonably be kept off in sysmaint mode? I suspect all services should always be enabled.

-- Aaron

To view this discussion visit https://groups.google.com/d/msgid/qubes-devel/20251028232506.23946525%40kf-m2g5.
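As an added illustration of the rule proposed in the message above (not code from Whonix or Qubes OS), the script below applies "enabled and shipped by a Qubes package means run it in sysmaint mode" to a constructed unit list and reports which units a current allow-list would skip. The unit list, the package ownership map and the allow-list are all constructed stand-ins for `systemctl list-unit-files`, `dpkg -S` and Whonix's real allow-list, and the `qubes-` package-name prefix is used as an assumed heuristic for "shipped by a Qubes package".

```shell
#!/bin/bash
# Audit sketch: which enabled units would the proposed rule start or keep off
# in sysmaint mode? All inputs below are constructed; nothing is read from a live qube.

# Stand-in for `systemctl list-unit-files --state=enabled --no-legend | awk '{print $1}'`
# (unit names from the thread, plus two non-Qubes services for contrast).
ENABLED_UNITS='qubes-firewall.service
qubes-network-uplink.service
qubes-rootfs-resize.service
qubes-sync-time.service
qubes-update-check.timer
nginx.service
ssh.service'

# Stand-in for `dpkg -S` on each unit file, "unit package" (package names are assumptions).
UNIT_OWNERS='qubes-firewall.service qubes-core-agent-networking
qubes-network-uplink.service qubes-core-agent-networking
qubes-rootfs-resize.service qubes-core-agent
qubes-sync-time.service qubes-core-agent
qubes-update-check.timer qubes-core-agent
nginx.service nginx-common
ssh.service openssh-server'

# Hypothetical current sysmaint allow-list; the real one lives in Whonix's packaging.
SYSMAINT_ALLOWLIST='qubes-sync-time.service'

owner_of() {  # print the owning package for a unit, "unknown" if unmapped
    local pkg
    pkg=$(printf '%s\n' "$UNIT_OWNERS" | awk -v u="$1" '$1 == u { print $2 }')
    printf '%s\n' "${pkg:-unknown}"
}

is_allowlisted() { printf '%s\n' "$SYSMAINT_ALLOWLIST" | grep -qx -- "$1"; }

# One line per enabled unit: "<verdict> <unit> <package>", where verdict is
#   ALREADY   allow-listed today
#   START     Qubes-shipped (assumed: package name starts with qubes-) but skipped today
#   KEEP_OFF  not Qubes-shipped; stays off in sysmaint mode under the rule
classify_units() {
    printf '%s\n' "$ENABLED_UNITS" | while IFS= read -r unit; do
        pkg=$(owner_of "$unit")
        if is_allowlisted "$unit"; then verdict=ALREADY
        elif [ "${pkg#qubes-}" != "$pkg" ]; then verdict=START
        else verdict=KEEP_OFF
        fi
        printf '%s %s %s\n' "$verdict" "$unit" "$pkg"
    done
}

classify_units
```

On a real template the three constructed variables would be replaced by the live `systemctl` and `dpkg -S` output, and the START lines are the candidates to review before adding them to the allow-list.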
