Lesspipe should be disabled in dom0 for security reasons #1014
marmarek added the enhancement, C: core and P: minor labels May 31, 2015
marmarek added this to the Release 3.0 milestone May 31, 2015
Fixed here QubesOS/qubes-core-admin-linux@8acd409
marmarek closed this Jul 8, 2015
jpouellet (Contributor) commented Nov 14, 2016
Should we disable this in templates also?
I've always found it more surprising than useful, and sometimes find myself piping through cat -v or hexdump first just to see what is really going on.
Relevant to #830 (or any similar situation where one wants to read untrusted things in an AppVM and not be unpleasantly surprised by insecure defaults)
v6ak commented Nov 14, 2016
Maybe. I see some differences between dom0 and AppVMs, though:
- In dom0, security is more critical. (OTOH, there might be smaller attack surface.)
- In dom0, we should assume that the software (except some security-critical parts like kernel and Xen) is outdated. It used to be the case for months (from Fedora 20 EOL to Qubes 3.2 release) and it might be the case again. Unless we want to add various format parsers (including ARJ, ImageMagick and so on) to the small set of security-critical software in dom0 (I hope nobody wants it), we should disable lesspipe. In AppVM, I assume that admin usually installs security updates and having lesspipe enabled might be some reasonable tradeoff of security and convenience.
- This one is a matter of Qubes philosophy: The fact that dom0 is based on Fedora is rather an implementation detail. In AppVMs, I believe that Qubes tries to rather respect the distro culture where possible.
Despite my three points, I am slightly in favour of disabling lesspipe in AppVMs provided that the admin can re-enable it in an easy way. While this is some change to the original distro, it is not huge. For a security-oriented distro like Qubes, I believe it is acceptable.
jpouellet (Contributor) commented Nov 14, 2016
> In AppVMs, I believe that Qubes tries to rather respect the distro culture where possible.
@marmarek is this true? I haven't seen such a policy stated anywhere in Qubes docs. (Not saying it should or shouldn't be - just asking)
marmarek (Member) commented Nov 14, 2016
On Mon, Nov 14, 2016 at 09:44:10AM -0800, Jean-Philippe Ouellet wrote:
> > In AppVMs, I believe that Qubes tries to rather respect the distro culture where possible.
> @marmarek is this true? I haven't seen such a policy stated anywhere in Qubes docs. (Not saying it should or shouldn't be - just asking)
Yes. And indeed we don't have it written anywhere.
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
added a commit to QubesOS/qubes-doc that referenced this issue Nov 15, 2016
andrewdavidwong (Member) commented Nov 15, 2016
Added an entry to the dev FAQ about it. (It's not frequently asked, but there isn't really a better place for it.)
v6ak commented May 28, 2015
Lesspipe in dom0 adds some extra attack surface (e.g. when inspecting some logs) and should be disabled by default.
Related discussion: https://groups.google.com/forum/#!topic/qubes-users/kR2fMpZFtV8
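
An added example, not part of the issue thread and not the change made in the referenced commit: a small audit of whether `less` is configured to run an input preprocessor such as lesspipe. It relies on the documented `LESSOPEN`/`LESSCLOSE` environment variables; the default paths scanned are assumptions and vary by distribution.

```shell
#!/bin/sh
# Added example: find where less(1) is told to run an input preprocessor.
# less runs the command in $LESSOPEN on every file it opens, and the command
# in $LESSCLOSE afterwards; lesspipe is installed through these variables.

# Matches a non-comment line giving either variable a non-empty value
# (sh: VAR=value, csh: setenv VAR value).
HOOK_RE="^[^#]*(LESS(OPEN|CLOSE)=[\"']?[^\"'[:space:]]|setenv[[:space:]]+LESS(OPEN|CLOSE)[[:space:]]+[\"']?[^\"'[:space:]])"

# Print file:line:text for each hook definition under the given paths.
# Returns 0 if at least one was found, 1 otherwise.
scan_less_hooks() {
    rc=1
    for path in "$@"; do
        [ -e "$path" ] || continue
        if grep -rHnE "$HOOK_RE" "$path" 2>/dev/null; then rc=0; fi
    done
    return "$rc"
}

# Report hooks active in the current environment. Same return convention.
env_less_hooks() {
    rc=1
    if [ -n "${LESSOPEN:-}" ]; then echo "env: LESSOPEN=$LESSOPEN"; rc=0; fi
    if [ -n "${LESSCLOSE:-}" ]; then echo "env: LESSCLOSE=$LESSCLOSE"; rc=0; fi
    return "$rc"
}

# Stand-alone use: audit the paths given as arguments, or some common
# login-shell locations (assumed defaults) when none are given.
[ "$#" -gt 0 ] || set -- /etc/profile /etc/profile.d /etc/bashrc /etc/environment
hooks=0
if scan_less_hooks "$@"; then hooks=1; fi
if env_less_hooks; then hooks=1; fi
if [ "$hooks" -eq 1 ]; then
    echo "less will run a preprocessor on opened files"
else
    echo "no LESSOPEN/LESSCLOSE hooks found"
fi
```

For a single invocation, `less -L` (`--no-lessopen`) ignores `LESSOPEN` regardless of what the audit finds.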