Brainstorm: Confined users without wheel access

By the way, another possibility is to activate the root account and use it only in a separated TTY. So e.g., CTRL+ALT+F5 to switch from the GUI’s TTY to a normal terminal and than use only this one for logging in as root.

Formally, if you would use the same password for both (user+root), and if you log into both only directly (so not from within one account logging into the other), the user accounts themselves would never come in contact to your password, because if you only use it to log in, then it is the system that checks if the password matches, and if so, it logs you in as the respective user. Thus, the latter never comes in contact to with the actual password or its hash in /etc/shadow.

This means, you would have a separation, and could use the root account only when necessary for relevant actions.

Generally, this is not considered a good practice because it adds a strong social vulnerability: users tend to enter their password when they are asked for. We do this often intuitively. Especially when people are used to do admin stuff from within the account. Thus, if the GUI would be captured or leaked, the attacker would have also the password for root. This could thus bypass the separation by social means (in case you introduce this to prevent exploitation of captured / leaking GUI through malicious or vulnerable apps).

Anyway, separating root and the user account (at the best, as good practice, with separated passwords) is one way to avoid the user account to become the possibility to act as superuser. And to exclude any connection between GUIs and superuser.

With user_u (SELinux confinement) you could even forbid the user to even try su/sudo, but that does currently add some restrictions that break some functionalities and thus is not yet eligible for production use.

I felt so free and moved that comment.

I think it is interesting to discuss how user accounts without wheel access can work, and how root could be isolated more securely

I suspect run0 in systemd 256 will be a possible solution.
It has great isolation from the user’s env and defines what can be done using polkit, not the sudoers config.

I think there is already a very long discussion, and several spin-off-topics that have been moved from there, that led to the Confined Users SIG

Concerning the post above, I just wanted to make sure that the “traditional” way still exists. This should not be forgotten. And even if the password is used twice, it doesn’t impact much of the security compared to using a sudo if the sudo has no restrictions anyway, while it might even create an increase of security in several circumstances given the higher separation and exclusion of the password from the actual user account and its GUI.

From another point of view, if something like sysadm_u or staff_u (SELinux confinement) is used within a GUI, even with using su/sudo, it increases isolation because it is then much harder for other processes to access the terminal/console that is running su/sudo and its respective inputs/outputs.

Added confined-users

on an experiment where I replaced sudo with doas on Fedora Kinoite, I had issues with shutdown, as there may be something hardcoded to require sudo.

This should be looked at with run0