Re: [qubes-users] Re: Security benefits of rootless template VMs

2020-07-13 Thread 799
Hello,

 wrote on Sun, 12 July 2020, 18:36:

> On Friday, July 10, 2020 at 4:18:30 AM UTC-4, Alex Lu wrote:
>>
>> Is having like 5 templateVMs, 4 of which have no root, better than
>> having 1 templateVM
>> which has root and is in charge of every appVM?
>>
>
> There is one potential disadvantage to this setup: Will you actually
> bother to keep all those templates updated? Especially if some of them have
> no root, some have sudo prompts, and some have sudo access without prompts,
> it starts to become a real pain. You have to keep in mind the human cost to
> managing this kind of complexity, even with nice new tools like Qubes
> Update.
>

The problem of having to update several templates can easily be solved by
invoking a script in dom0.
It will update the template even if sudo is not installed because of the
option --user=root within the command line.

Try it out:
https://github.com/one7two99/my-qubes/blob/master/dom0-scripts/update-all.sh

 8< - snip -- --
#!/bin/bash
# update-all.sh - Update dom0 and all Template-VMs (run in dom0)

# Update dom0
sudo qubes-dom0-update

# Update all Fedora templates (selected by the t-fedora name prefix)
echo "[ Updating Fedora Templates ]"
for i in $(qvm-ls | grep Template | grep t-fedora | gawk '{ print $1 }')
do
  echo
  echo "Updating $i ..."
  # --user root runs the command as root, so sudo is not needed in the template
  qvm-run --auto --user root --pass-io "$i" 'dnf -y update'
  qvm-shutdown "$i"
  echo "... done."
done

# Update all Debian templates (selected by the t-debian name prefix)
echo "[ Updating Debian Templates ]"
for i in $(qvm-ls | grep Template | grep t-debian | gawk '{ print $1 }')
do
  echo
  echo "Updating $i ..."
  qvm-run --auto --user root --pass-io "$i" 'apt-get update && apt-get -y upgrade'
  qvm-shutdown "$i"
  echo "... done."
done

# Update all Whonix templates
echo "[ Updating Whonix Templates ]"
for i in $(qvm-ls | grep Template | grep whonix | gawk '{ print $1 }')
do
  echo
  echo "Updating $i ..."
  qvm-run --auto --user root --pass-io "$i" 'apt-get update && apt-get -y upgrade'
  qvm-shutdown "$i"
  echo "... done."
done
 8< - snip -- --

Regards

799

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vXyNSYqa53VfSUZ6d7pTyGh4ETbK2ijDgsHW-5bSAqHA%40mail.gmail.com.


[qubes-users] Re: Security benefits of rootless template VMs

2020-07-12 Thread dmoerner
On Friday, July 10, 2020 at 4:18:30 AM UTC-4, Alex Lu wrote:
>
> Is having like 5 templateVMs, 4 of which have no root, better than having 
> 1 templateVM 
> which has root and is in charge of every appVM?
>

There is one potential disadvantage to this setup: Will you actually bother 
to keep all those templates updated? Especially if some of them have no 
root, some have sudo prompts, and some have sudo access without prompts, it 
starts to become a real pain. You have to keep in mind the human cost to 
managing this kind of complexity, even with nice new tools like Qubes 
Update.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6123a05b-8a8a-44a5-aad7-79d8c07fdd0do%40googlegroups.com.