On Wed, May 06, 2020 at 01:35:06PM +0200, [email protected] wrote:
> On Wed, May 06, 2020 at 12:02:55PM +0200, haaber wrote:
> > > https://labs.f-secure.com/advisories/saltstack-authorization-bypass
> >
> > Thanks for the source. How do you infer that this "doesn't apply" (and
> > maybe "did never apply") to qubes? Recall my question: where does salt
>
> the vulnerabilities are both in some networked-zeroMQ cloud-management
> component. which qubes is most certainly not using.
>
> > appear "under the hood" in qubes? This question seems relevant, since at
> > least I (almost) never invoke salt by hand. Is that not a reasonable
> > question? Explain.
>
> the most user-exposed part of qubes-salt is ...
> ... if you run qubesctl things to manage service vms.
> it all stays either within a vm or uses qrexec where needed.
> if you want to take a look, check /srv/ for the salt parts
> and /usr/lib/python*/*/qubessalt/ for the qubesctl parts.
>

Actually, the *most* user-exposed use of salt in Qubes is its use in the qui-updates tool.

Salt is used to provision the qubes at initial install - I'd also argue that you *should* use salt to set up and control your templates and qubes, since it allows you to rebuild your system automatically. No more trying to remember what packages you installed in a template, or how you set up a particular qube.

To expand on what has been said, in a normal salt setup, there is a server (master) and assorted minions - the minions sit on other networked devices. This vulnerability affects authentication on the server and allows for complete control over the server, and therefore control of all minions controlled by it. It's a huge security flaw. Of course, one might wonder what sort of security is in place where the control and command server is connected to the wider internet, as the advisory suggests.

In Qubes, by default, there is one minion, in dom0, which isn't networked. So there is no scope for this vulnerability to impact the salt configuration that Qubes uses, and to undermine the security of dom0.

unman
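
The distinction drawn in the reply above, a networked Salt master versus the single non-networked minion in dom0, can be checked on any host by looking for the master's listening ports. This is an added example, not part of the original thread or of Qubes or Salt code; it assumes Salt's default master ports (4505 and 4506) and input in the format printed by `ss -Htln`, and the sample lines are constructed.

```python
import ipaddress
import shutil
import subprocess

# Salt master defaults: 4505 = publish port, 4506 = request (ret) port.
# Assumption: the defaults were not changed in the master configuration.
SALT_MASTER_PORTS = {4505, 4506}

# Constructed sample of `ss -Htln` output (not captured from a real system).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4506 0.0.0.0:*
LISTEN 0 128 [::]:4506 [::]:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 [::1]:4505 [::]:*
"""


def exposed_salt_listeners(ss_output):
    """Return (address, port) pairs for Salt master ports bound off-loopback."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in SALT_MASTER_PORTS:
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if host != "*":  # "*" is a wildcard bind, always reachable
            try:
                if ipaddress.ip_address(host).is_loopback:
                    continue  # loopback-only listener is not network-exposed
            except ValueError:
                pass  # unparseable address: report it rather than hide it
        found.append((host, int(port)))
    return found


if __name__ == "__main__":
    if shutil.which("ss"):
        text = subprocess.run(["ss", "-Htln"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE  # fall back to the constructed sample
    hits = exposed_salt_listeners(text)
    for host, port in hits:
        print(f"Salt master port {port} listening on {host}")
    if not hits:
        print("no Salt master port listening off-loopback")
```

An empty result matches the situation described for dom0, where no master is reachable over a network.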
