Multiple Boot Modes for Better Security - an Implementation of Untrusted Root
From Whonix
< Dev
This concept is generic. Works for both, hosts and VMs. Both, Whonix and non-Whonix (Kicksecure).
Contents
- 1 Grub Default Boot Menu Entries
- 2 boot modes considered too unimportant to be added to grub default boot menu
- 3 Use Cases for the Different Boot Modes
- 4 opt-out to get same behavior as old Whonix
- 5 /etc/grub.d file names
- 6 Terminology
- 7 Capabilities of secureroot vs superroot
- 8 Server Support
- 9 Implementation
- 10 Related
- 11 Footnotes
Grub Default Boot Menu Entries[edit]
PERSISTENT mode USER (For daily activities.)LIVE mode USER (For daily activities.)PERSISTENT mode SECUREADMIN (For software installation.)PERSISTENT mode SUPERADMIN (Be very cautious!)Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)
[edit]
LIVE mode SECUREADMINLIVE mode SUPERADMINRecovery LIVE mode SUPERADMIN
I don’t see good use cases for these. But could be convinced otherwise with user feedback.
If anyone cares about these, there could be files in /etc/grub.d/ folder that add such entries but these files could be non-executable by default. Thereby update-grub would ignore them. To opt-in into such modes, users could just run sudo chmod +x /etc/grub.d/somenumber_name-of-boot-mode.
Also users who really want something special/custom would be able to add whatever they want to /etc/grub.d/ folder / grub boot menu.
Also by using grub boot menu editing (key e) at grub boot menu, kernel parameters can be adjusted and any combination would be possible.
Use Cases for the Different Boot Modes[edit]
PERSISTENT mode USER (For daily activities.): Useful for browsing, e-mail, chat, etc. or just letting an already set up and installed server run. Even upgrading throughupgrade-nonroot.LIVE mode USER (For daily activities.): Same as above but without persistence.PERSISTENT mode SECUREADMIN (For software installation.): users could runsudo apt install whatever-software-package, then reboot into USER. Editing/etc/apt/sources.list.damong many other things [archive] prohibited for better security.PERSISTENT mode SUPERADMIN (Be very cautious!): users could add foreign sources to/etc/apt/sources.list.dor do anything (full freedom), then (optional but advisable) reboot to SECUREADMIN mode, install packages from third party repositories.Recovery PERSISTENT mode SUPERADMIN (Be very cautious!): The usual recovery mode.
opt-out to get same behavior as old Whonix[edit]
Users who don’t like (any, multiple or all) of the new options...
PERSISTENT mode USER (For daily activities.)[A]LIVE mode USER (For daily activities.)[B]PERSISTENT mode SECUREADMIN (For software installation.)[C]
and who want "the old Whonix" "with unrestricted sudo" (PERSISTENT mode SUPERADMIN) back, who don't want to see any of the new options [A], [B], [C]... These could just make these /etc/grub.d folder / grub menu entries gone by running sudo chmod -x /etc/grub.d/somenumber_name-of-boot-mode. (There could be a script to simplify that.)
/etc/grub.d file names[edit]
filename purpose
/etc/grub.d/10_linux PERSISTENT mode USER /etc/grub.d/11_linux_live LIVE mode USER /etc/grub.d/12_linux_secureadmin PERSISTENT mode SECUREADMIN /etc/grub.d/13_linux_secureadmin_live LIVE mode SECUREADMIN /etc/grub.d/14_linux_superadmin PERSISTENT mode SUPERADMIN /etc/grub.d/15_linux_superadmin_live LIVE mode SUPERADMIN /etc/grub.d/16_linux_recovery_mode PERSISTENT mode SUPERADMIN /etc/grub.d/17_linux_recovery_mode_live Recovery LIVE mode SUPERADMIN
Should stay in lexical order below files named /etc/grub.d/20_ because that is already used by an existing script.
Note: some files will not be created in the first iteration (and not sure ever) - those listed in chapter Boot modes considered too unimportant to be added to grub default boot menu: in my post above.
Terminology[edit]
secure admin modevs usersecureadminvssecureroot: When booting intosecure admin mode, the user will be logged in as usersecureadmin. Insecureadmin mode, when runningsudo somethingthe command will effectively run assecureroot(untrusted root).super admin modevs usersuper adminvssuperroot: When booting intosuper admin mode, the user will be logged in as usersuperadmin. Insuper admin mode, when runningsudo somethingthe command will effectively run assuperroot(unrestricted root).untrusted root: A command running asrootbut with restrictions applied by apparmor-profile-everything.unrestricted root: When runningsudo something, the behavior will be the same as on most Linux distributions such as Debian whererootcan do everything thatrootcan usually do on such Linux distributions.
Capabilities of secureroot vs superroot[edit]
secureroot will be untrusted root, therefore restricted but can still:
- install packages
- change most system settings
secureroot cannot by design:
- change anything that could lead to
superroot - change the running kernel
- replace bootloader (only if APT does this due to an upgrade)
- uninstall certain packages required to enforce the separation of
securerootandsuperrootsuch as for example apparmor-profile-apparmor
superroot by design will be able to do everything.
Server Support[edit]
grub boot menu isn’t easily accessible for many/most servers. How would these various boot modes be available for servers? No solution yet. See forum discussion: https://forums.whonix.org/t/multiple-boot-modes-for-better-security-persistent-user-live-user-persistent-admin-persistent-superadmin-persistent-recovery-mode/7708/50 [archive]
Implementation[edit]
- https://github.com/Whonix/apparmor-profile-everything/tree/master/etc/grub.d [archive]
- https://github.com/Whonix/apparmor-profile-everything [archive]
Related[edit]
- AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. Security Hardening. [archive]
- disable newly (all) installed services by default [archive]
- Verified Boot
- Untrusted Root - improve Security by Restricting Root [archive]
- forum discussion, AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy [archive]
Footnotes[edit]
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier
Did you know that Whonix could provide protection against backdoors [archive]? See Verifiable Builds [archive]. Help is wanted and welcomed.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.