Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QRexec services should be able to specify the user they must run as #6354

Closed
DemiMarie opened this issue Jan 21, 2021 · 0 comments · Fixed by QubesOS/qubes-core-qrexec#109
Closed

QRexec services should be able to specify the user they must run as #6354

DemiMarie opened this issue Jan 21, 2021 · 0 comments · Fixed by QubesOS/qubes-core-qrexec#109
Assignees
@DemiMarie
Labels
C: core P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Milestone
Release 4.2

Comments

@DemiMarie
Copy link

The problem you're addressing (if any)
qrexec services should be able to specify the user they should run as. qubes.VMRootShell should always specify root, for example.

Describe the solution you'd like
Add a service configuration option to specify the user the service will run as.

Where is the value to a user, and who might that user be?
This will make service writing less error-prone.

Describe alternatives you've considered
None

Additional context
#6229 (comment)

Relevant documentation you've consulted

Related, non-duplicate issues
#6229
@DemiMarie DemiMarie added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Jan 21, 2021
@DemiMarie DemiMarie added this to the Release 4.2 milestone Jan 21, 2021
@DemiMarie DemiMarie self-assigned this Jan 21, 2021
@DemiMarie DemiMarie mentioned this issue Jan 21, 2021
Closed
@DemiMarie DemiMarie mentioned this issue Apr 26, 2023
Merged
@DemiMarie DemiMarie reopened this Apr 26, 2023
@andrewdavidwong andrewdavidwong added the pr submitted A pull request has been submitted for this issue. label Apr 26, 2023
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue May 28, 2023
@DemiMarie
Allow specifying a username in service config
5ccb5d4 
This also dramatically improves the configuration parser.  Configuration
files now use a strict subset of TOML rather than an ad-hoc format with
no validation.

Fixes: QubesOS/qubes-issues#6354
Fixes: QubesOS/qubes-issues#8153
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Jul 2, 2023
@DemiMarie
Allow specifying a username in service config
ba51675 
This also dramatically improves the configuration parser.  Configuration
files now use a strict subset of TOML rather than an ad-hoc format with
no validation.

Fixes: QubesOS/qubes-issues#6354
Fixes: QubesOS/qubes-issues#8153
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Aug 3, 2023
@DemiMarie
Allow specifying a username in service config
71e08f1 
This also dramatically improves the configuration parser.  Configuration
files now use a strict subset of TOML rather than an ad-hoc format with
no validation.

Fixes: QubesOS/qubes-issues#6354
Fixes: QubesOS/qubes-issues#8153
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Aug 4, 2023
@DemiMarie
Allow specifying a username in service config
c001c0c 
This also dramatically improves the configuration parser.  Configuration
files now use a strict subset of TOML rather than an ad-hoc format with
no validation.  I also did a significant amount of refactoring and
hardened the code against bogus input.  These changes are not security
fixes because the input comes from dom0, which is trusted.

Fixes: QubesOS/qubes-issues#6354
Fixes: QubesOS/qubes-issues#8153
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Aug 4, 2023
@DemiMarie
Allow specifying a username in service config
27dc7be 
This also dramatically improves the configuration parser.  Configuration
files now use a strict subset of TOML rather than an ad-hoc format with
no validation.  I also did a significant amount of refactoring and
hardened the code against bogus input.  These changes are not security
fixes because the input comes from dom0, which is trusted.

Fixes: QubesOS/qubes-issues#6354
Fixes: QubesOS/qubes-issues#8153
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Aug 7, 2023
@DemiMarie
Allow specifying a username in service config
7d2acea 
This also dramatically improves the configuration parser.  Configuration
files now use a strict subset of TOML rather than an ad-hoc format with
no validation.

Fixes: QubesOS/qubes-issues#6354
Fixes: QubesOS/qubes-issues#8153
@andrewdavidwong andrewdavidwong removed this from the Release 4.2 milestone Aug 13, 2023
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Sep 15, 2023
@DemiMarie
Allow specifying a username in service config
d1b1e5b 
This also dramatically improves the configuration parser.  Configuration
files now use a strict subset of TOML rather than an ad-hoc format with
no validation.

Fixes: QubesOS/qubes-issues#6354
Fixes: QubesOS/qubes-issues#8153
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Sep 19, 2023
@marmarek
tests/integ: add test for per-service user override
1732b9f 
QubesOS/qubes-issues#6354
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Sep 19, 2023
@marmarek
tests/integ: add test for per-service user override
56d422e 
QubesOS/qubes-issues#6354
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Sep 19, 2023
@marmarek
tests/integ: add test for per-service user override
c965d85 
QubesOS/qubes-issues#6354
Closed
@andrewdavidwong andrewdavidwong added this to the Release 4.2 milestone Oct 7, 2023
@qubesos-bot qubesos-bot mentioned this issue Oct 12, 2023
Closed
ben-grande added a commit to ben-grande/vim-qrexec that referenced this issue Apr 30, 2024
@ben-grande
Change user key to correct name force-user
70feeb7 
Fixes: QubesOS/qubes-issues#6354
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DemiMarie DemiMarie

Labels
C: core P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Projects
None yet
Milestone
Release 4.2
Development

Successfully merging a pull request may close this issue.

Allow specifying a username in service config DemiMarie/qubes-core-qrexec
2 participants
@DemiMarie @andrewdavidwong