Lesspipe should be disabled in dom0 for security reasons #1014

Closed
v6ak opened this Issue May 28, 2015 · 6 comments


v6ak commented May 28, 2015

Lesspipe in dom0 adds some extra attack surface (e.g. when inspecting some logs) and should be disabled by default.

Related discussion: https://groups.google.com/forum/#!topic/qubes-users/kR2fMpZFtV8
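A check for whether a `less` input preprocessor is active, as an added example that is not part of the original thread or of Qubes' own code. It classifies a `LESSOPEN` value by the prefix rules documented in less(1) and lists scripts in a directory that assign it; the directory argument (for instance `/etc/profile.d`) is an assumption, since the thread does not say where the variable is set.

```shell
#!/bin/sh
# Added example (not from the thread): audit the less input preprocessor.

# Classify a LESSOPEN value as documented in less(1).
# Prints one word: disabled | pipe | file
lessopen_mode() {
    case "$1" in
        "")   echo disabled ;;  # unset or empty: less reads files directly
        "|"*) echo pipe ;;      # "|cmd" / "||cmd": preprocessor output is piped into less
        *)    echo file ;;      # "cmd %s": preprocessor prints a replacement file name
    esac
}

# Print every regular file in directory $1 that assigns LESSOPEN
# (sh-style "LESSOPEN=" or csh-style "setenv LESSOPEN"), ignoring comment lines.
# Only literal assignments are found; indirect ones such as eval are not.
find_lessopen_setters() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" |
           grep -qE '(^|[^A-Za-z0-9_])LESSOPEN=|setenv[[:space:]]+LESSOPEN'; then
            echo "$f"
        fi
    done
}

# Report the state of the current environment.
# Returns 0 when no preprocessor is configured, 1 otherwise.
audit_lessopen() {
    mode=$(lessopen_mode "${LESSOPEN-}")
    echo "LESSOPEN mode: $mode"
    [ "$mode" = disabled ]
}
```

For a single invocation, `less -L` (`--no-lessopen`) ignores `LESSOPEN`; unsetting `LESSOPEN` and `LESSCLOSE` disables the preprocessor for the whole shell session.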


Member

marmarek commented Jul 8, 2015

@marmarek marmarek closed this Jul 8, 2015


Contributor

jpouellet commented Nov 14, 2016

Should we disable this in templates also?

I've always found it more surprising than useful, and sometimes find myself piping through cat -v or hexdump first just to see what is really going on.

Relevant to #830 (or any similar situation where one wants to read untrusted things in an AppVM and not be unpleasantly surprised by insecure defaults)


v6ak commented Nov 14, 2016

Maybe. I see some differences between dom0 and AppVMs, though:

  • In dom0, security is more critical. (OTOH, there might be a smaller attack surface.)
  • In dom0, we should assume that the software (except some security-critical parts like the kernel and Xen) is outdated. It used to be the case for months (from Fedora 20 EOL to the Qubes 3.2 release) and it might be the case again. Unless we want to add various format parsers (including ARJ, ImageMagick and so on) to the small set of security-critical software in dom0 (I hope nobody wants it), we should disable lesspipe. In an AppVM, I assume that the admin usually installs security updates, and having lesspipe enabled might be a reasonable tradeoff of security and convenience.
  • This one is a matter of Qubes philosophy: The fact that dom0 is based on Fedora is rather an implementation detail. In AppVMs, I believe that Qubes tries to rather respect the distro culture where possible.

Despite these three points of mine, I am slightly in favour of disabling lesspipe in AppVMs, provided that the admin can re-enable it in an easy way. While this is a change to the original distro, it is not huge. For a security-oriented distro like Qubes, I believe it is acceptable.


Contributor

jpouellet commented Nov 14, 2016

> In AppVMs, I believe that Qubes tries to rather respect the distro culture where possible.

@marmarek is this true? I haven't seen such a policy stated anywhere in Qubes docs. (Not saying it should or shouldn't be - just asking)


Member

marmarek commented Nov 14, 2016

On Mon, Nov 14, 2016 at 09:44:10AM -0800, Jean-Philippe Ouellet wrote:

> > In AppVMs, I believe that Qubes tries to rather respect the distro culture where possible.
>
> @marmarek is this true? I haven't seen such a policy stated anywhere in Qubes docs. (Not saying it should or shouldn't be - just asking)

Yes. And indeed we don't have it written anywhere.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

andrewdavidwong added a commit to QubesOS/qubes-doc that referenced this issue Nov 15, 2016


Member

andrewdavidwong commented Nov 15, 2016

Added an entry to the dev FAQ about it. (It's not frequently asked, but there isn't really a better place for it.)
