On 04/17/2018 12:25 AM, none wrote:
> Is there some official opinion on this from whoever the Qubes
> developers are?

This is the closest to an official opinion I guess:
https://github.com/QubesOS/qubes-issues/issues/2748
Patrick/adrelanos (also on the Qubes team) has expressed positive
interest: https://github.com/tasket/Qubes-VM-hardening/issues/2

> Looks like it's a bit non-trivial, and interacts with dom0; hence I'm
> likely to break Q4.0 trying to 'harden' it :)
> I was thinking I could clone the Deb-9 Template, and all would be OK, if
> I failed however .......

It's pretty benign to the OS itself. The dom0 commands should be
identical to the related Qubes doc about enabling sudo prompts:
https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt
You can skip the sudo prompt configuration and use the alternative for
restoring internal VM security: Just remove the
qubes-core-agent-passwordless-root package from the template.
The main risk with the vm-boot-protect-root service is that any settings
or scripts that are subsequently added to VMs in /rw/config,
/rw/usrlocal, and /rw/bind-dirs may be deleted (although the first time
it backs up those dirs and those copies are kept indefinitely).

> Am a bit curious who is officially a dev on here, I have a few guesses,
> besides Marek, but maybe it's folks with the PGP sigs, shrug.....

Just having a PGP sig doesn't indicate status with the project. The
Qubes core team is listed here:
https://www.qubes-os.org/team/
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886