packages/os/linux/variants/milady-tails/docs/inherited-tails-sudoers-review.md
Date: 2026-05-17
Scope: broad sudoers rules inherited from the Tails base that are still present in the elizaOS Live overlay. This review does not bless broad root for the elizaOS app. It records which inherited Tails rules are accepted for Tails feature parity and which mitigations must stay in place.
elizaOS Live accepts the inherited Tails sudoers rules listed below for the demo and release-candidate path because they back existing Tails features: Greeter, Persistent Storage, Tor Browser, Tails Upgrader, and WhisperBack.
elizaOS-owned policy remains stricter:

- Not allowed in elizaOS-owned rules: `ALL`, `NOPASSWD: ALL`, arbitrary arguments, package managers, service managers, mount tools, disk writers, or shells.
- `amnesia`, not root.
- `/usr/local/lib/elizaos/capability-runner`
- `root-status`
- Any new broad sudoers rule outside this reviewed list is a security failure.
| File | User | Command | Purpose | Risk | Decision |
|---|---|---|---|---|---|
| tails-greeter-cryptsetup.toml | Debian-gdm | /sbin/cryptsetup with arbitrary arguments | Lets the Tails Greeter unlock Persistent Storage before the live session starts. | Greeter compromise could invoke cryptsetup broadly. | Accept inherited rule; do not expose it to elizaOS app code. |
| tails-greeter-umount.toml | Debian-gdm | /bin/umount with arbitrary arguments | Lets the Tails Greeter cleanly unmount Persistent Storage devices during setup/error handling. | Greeter compromise could unmount arbitrary paths. | Accept inherited rule; keep it Greeter-only. |
| tbb.toml | amnesia | /usr/local/lib/tails-run-tor-browser-in-flatpak with ENVFILE | Preserves the Tails Tor Browser launch path. | Wrapper argument validation is trusted; bad wrapper validation could widen browser launch control. | Accept inherited rule; elizaOS must not reuse it for app launch. |
| tps.toml | amnesia, tails-persistent-storage | Tails Persistent Storage frontend/service commands, including a privileged internal NOPASSWD: ALL bridge from tails-persistent-storage to amnesia | Keeps Tails Persistent Storage working. elizaOS data persistence is implemented as a native TPS feature. | This is the broadest inherited rule and requires upstream TPS trust. | Accept inherited rule for Tails parity; elizaOS adds only bounded TPS bindings and no whole-home or system persistence. |
| upgrade.toml | amnesia, tails-upgrade-frontend, tails-install-iuk | Tails signed Incremental Upgrade Kit flow, including internal ALL for the installer user | Preserves Tails updater plumbing and the signed IUK install flow. | Updater compromise has high impact. | Accept inherited rule; elizaOS app/runtime updates must use separate signed manifests and must not bypass Tails IUK for OS/base updates. |
| whisperback.toml | amnesia | /usr/local/bin/whisperback with arbitrary arguments | Preserves the inherited bug-reporting UX. | Wrapper argument validation is trusted; reports can contain sensitive data if the user includes it. | Accept inherited rule; elizaOS should replace or constrain support reporting before enterprise release. |
- `scripts/security-smoke.sh` fails on any broad elizaOS-owned sudoers rule.
- `scripts/security-smoke.sh` fails on any unexpected broad inherited sudoers rule not listed here.

Before a public enterprise release, decide whether to:
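The following is an added example of the kind of check the two smoke-test rules describe; it is not the project's `scripts/security-smoke.sh` and does not read its `.toml` files. It assumes the fragments have been rendered to plain sudoers syntax in one directory, that elizaOS-owned fragments are named `elizaos-*`, and that a fragment's basename (minus any `.toml` suffix) is what is compared against the reviewed list in the table above. A rule counts as broad when it grants `ALL`, a shell, a package or service manager, a mount tool, a disk writer, or a command with no argument restriction (the sudoers meaning of "arbitrary arguments").

```shell
#!/bin/sh
# Added example, not the project's security-smoke.sh. Checks rendered sudoers
# fragments against the review policy: no broad elizaOS-owned rule at all, and
# no broad inherited rule outside the reviewed list.
set -u

# Inherited fragments accepted by this review (basenames without .toml).
ACCEPTED_INHERITED='tails-greeter-cryptsetup tails-greeter-umount tbb tps upgrade whisperback'

# is_broad_rule LINE: exit 0 when a user specification grants broad root.
# Skips comments, Defaults lines and alias definitions.
is_broad_rule() {
    line=$(printf '%s\n' "$1" | sed 's/#.*//; s/^[[:space:]]*//')
    case "$line" in
        *=*) ;;                        # user specifications carry "host = cmds"
        *) return 1 ;;
    esac
    case "$line" in
        Defaults*|*_Alias*) return 1 ;;  # option lines and alias definitions
    esac
    # Drop the "(runas)" part and tag prefixes, leaving the command list.
    cmds=$(printf '%s\n' "${line#*=}" | sed -E \
        's/^[[:space:]]*\([^)]*\)//; s/(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):[[:space:]]*//g')
    broad=1
    old_ifs=$IFS
    IFS=','
    set -f                             # keep "*" in argument lists from globbing
    for item in $cmds; do
        item=$(printf '%s\n' "$item" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
        cmd=${item%% *}                # first word is the command path
        args=${item#"$cmd"}            # remainder is the argument restriction
        case "$item" in
            ALL) broad=0 ;;            # every command as root
            '!'*|sudoedit*) ;;         # negations and sudoedit are not command grants
            *)
                case "${cmd##*/}" in   # shells, package/service managers, mount tools, disk writers
                    sh|bash|dash|zsh|apt|apt-get|dpkg|systemctl|service|mount|umount|dd|losetup) broad=0 ;;
                esac
                if [ -z "$args" ]; then broad=0; fi   # no argument list = arbitrary arguments
                ;;
        esac
    done
    IFS=$old_ifs
    set +f
    return $broad
}

# check_fragments DIR ACCEPTED: exit 0 when every broad rule under DIR belongs
# to an inherited fragment on the reviewed list. Fragments named elizaos-* are
# treated as elizaOS-owned (assumed naming) and may not carry any broad rule.
check_fragments() {
    dir=$1; accepted=$2; status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}; name=${name%.toml}
        while IFS= read -r l || [ -n "$l" ]; do
            is_broad_rule "$l" || continue
            case "$name" in
                elizaos-*) echo "FAIL $name: elizaOS-owned broad rule: $l"; status=1 ;;
                *)
                    case " $accepted " in
                        *" $name "*) echo "ok   $name: reviewed inherited rule" ;;
                        *) echo "FAIL $name: unreviewed broad inherited rule: $l"; status=1 ;;
                    esac ;;
            esac
        done < "$f"
    done
    return $status
}

# Usage: sh sudoers-smoke.sh /path/to/rendered/sudoers.d
if [ $# -gt 0 ]; then
    check_fragments "$1" "$ACCEPTED_INHERITED"
    exit $?
fi
```

The argument-restriction check is deliberately strict: a command listed without any arguments is flagged even though this review accepts it for the Greeter and WhisperBack fragments, so those show up as "reviewed inherited rule" rather than being silently skipped, while the same shape in an `elizaos-*` fragment fails the run.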
Do not remove these rules casually. They are part of core Tails behavior, and breaking them can break Persistent Storage, Greeter, Tor Browser, upgrades, or support reporting.