Allow opting out from `sudo: ALL=(ALL) NOPASSWD:ALL` in the VM

[AkihiroSuda]

lima/pkg/cidata/cidata.TEMPLATE.d/user-data

Line 38 in d7a96eb

sudo: ALL=(ALL) NOPASSWD:ALL

sudo: ALL=(ALL) NOPASSWD:ALL is quite common for cloud instances, but its bad practice does not necessarily need to be replicated for Lima.

There should be a configuration to disable NOPASSWD sudo and generate a random password for it

Needs:

• /mnt/lima-cidata should not need mode=0700,dmode=0700,overriderockperm,uid=0 #4593

[jandubois]

So how would a user become root inside the VM to e.g. install a package, or change a service config? Would you store the random password somewhere? If yes, inside the VM or on the host?

I guess the question is: what scenarios are you trying to protect against?

[AkihiroSuda]

So how would a user become root inside the VM to e.g. install a package, or change a service config? Would you store the random password somewhere? If yes, inside the VM or on the host?

Yes, store a random password inside the VM.
#4595 (macOS guests) stores the password in /Users/${USER}.guest/password.

I guess the question is: what scenarios are you trying to protect against?

Protecting the host from potential VM breakouts that needs the root in the guest, e.g., QEMU VENOM

[jandubois]

Protecting the host from potential VM breakouts that needs the root in the guest, e.g., QEMU VENOM

So this is about "accidental" breakouts, not "malicious" breakouts. Because a targeted attack that knows how Lima handles this could just look up the password in the file.

E.g. an autonomous AI agent running inside the VM will be able to figure this out by itself.

[AkihiroSuda]

Because a targeted attack that knows how Lima handles this could just look up the password in the file.

The user is expected to change their password after the initial login