Lesspipe should be disabled in dom0 for security reasons #1014

Closed
v6ak opened this Issue May 28, 2015 · 6 comments

@v6ak
v6ak commented May 28, 2015

Lesspipe in dom0 adds some extra attack surface (e.g. when inspecting some logs) and should be disabled by default.

Related discussion: https://groups.google.com/forum/#!topic/qubes-users/kR2fMpZFtV8

@marmarek marmarek added this to the Release 3.0 milestone May 31, 2015
@marmarek marmarek closed this Jul 8, 2015
@jpouellet
Contributor

Should we disable this in templates also?

I've always found it more surprising than useful, and sometimes find myself piping through cat -v or hexdump first just to see what is really going on.

Relevant to #830 (or any similar situation where one wants to read untrusted things in an AppVM and not be unpleasantly surprised by insecure defaults)

@v6ak
v6ak commented Nov 14, 2016

Maybe. I see some differences between dom0 and AppVMs, though:

  • In dom0, security is more critical. (OTOH, there might be a smaller attack surface.)
  • In dom0, we should assume that the software (except some security-critical parts like the kernel and Xen) is outdated. It used to be the case for months (from Fedora 20 EOL to Qubes 3.2 release) and it might be the case again. Unless we want to add various format parsers (including ARJ, ImageMagick and so on) to the small set of security-critical software in dom0 (I hope nobody wants it), we should disable lesspipe. In an AppVM, I assume that the admin usually installs security updates and having lesspipe enabled might be a reasonable tradeoff of security and convenience.
  • This one is a matter of Qubes philosophy: The fact that dom0 is based on Fedora is rather implementational. In AppVMs, I believe that Qubes tries to rather respect the distro culture where possible.

Despite these three points, I am slightly in favour of disabling lesspipe in AppVMs, provided that the admin can re-enable it in an easy way. While this is a change to the original distro, it is not huge. For a security-oriented distro like Qubes, I believe it is acceptable.
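
As an added illustration (not part of the thread and not Qubes' own code), these shell functions check whether less will run an input preprocessor and turn it off for the session. They rely on the LESSOPEN/LESSCLOSE variables and the -L option documented in less(1); the function names and the /etc/profile.d scan location are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue thread. less(1) runs the command named in
# $LESSOPEN on every file it opens; lesspipe is active whenever that variable
# is set, which distributions usually do from a login profile script.

# Report whether less would preprocess input for LESSOPEN value $1
# (default: the value in the current environment).
less_preprocessor_status() {
    val="${1-${LESSOPEN-}}"
    if [ -n "$val" ]; then
        printf 'enabled: %s\n' "$val"
    else
        printf 'disabled\n'
    fi
}

# List files in directory $1 that assign LESSOPEN or LESSCLOSE on a
# non-comment line (sh "LESSOPEN=..." and csh "setenv LESSOPEN ..." forms).
# Assumption: static scan only; indirect forms such as eval "$(lesspipe)"
# are not detected.
find_lessopen_setters() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" |
           grep -Eq '(^|[^$A-Za-z_])LESS(OPEN|CLOSE)=|setenv[[:space:]]+LESS(OPEN|CLOSE)'; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Turn the preprocessor off for the current shell and its children.
# For a single invocation, "less -L file" (--no-lessopen) has the same effect.
disable_lesspipe() {
    unset LESSOPEN LESSCLOSE
}

# Audit the running session and the system-wide profile directory.
less_preprocessor_status
find_lessopen_setters /etc/profile.d
```

Removing or overriding the profile script that the scan reports makes the change persistent; disable_lesspipe only affects the shell it is run in.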

@jpouellet
Contributor

> In AppVMs, I believe that Qubes tries to rather respect the distro culture where possible.

@marmarek is this true? I haven't seen such a policy stated anywhere in Qubes docs. (Not saying it should or shouldn't be - just asking)

@marmarek
Member

On Mon, Nov 14, 2016 at 09:44:10AM -0800, Jean-Philippe Ouellet wrote:

> > In AppVMs, I believe that Qubes tries to rather respect the distro culture where possible.
>
> @marmarek is this true? I haven't seen such a policy stated anywhere in Qubes docs. (Not saying it should or shouldn't be - just asking)

Yes. And indeed we haven't written it anywhere.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

@andrewdavidwong andrewdavidwong added a commit to QubesOS/qubes-doc that referenced this issue Nov 15, 2016
@andrewdavidwong andrewdavidwong Add FAQ entry on respecting distros' culture
See discussion on QubesOS/qubes-issues#1014.
732ba93
@andrewdavidwong
Member

Added an entry to the dev FAQ about it. (It's not frequently asked, but there isn't really a better place for it.)
