sysmaint - System Maintenance User
Donate
Whonix specific sysmaint account documentation. Default Installation Status Differences:
- Whonix-Workstation versus Whonix-Gateway;
- GUI (Xfce) versus CLI;
- Older versions versus new images.
Starting from Whonix-Workstation version 17.3.0.5 Xfce and above, Whonix comes with user-sysmaint-split by default.
There are two accounts:
user- For daily activities.sysmaint- For system maintenance administrative activities, such as installing software or upgrading.
This is a security feature. (
rationale
)
The opposite of user-sysmaint-split is Unrestricted Admin Mode, which users can opt in to enable.
Version Overview[edit]
| Feature | Whonix-Workstation Xfce (GUI) | Whonix-Gateway Xfce (GUI) | Whonix-Workstation CLI | Whonix-Gateway CLI |
|---|---|---|---|---|
user-sysmaint-split
|
Yes, installed by default in new images. | No, not installed by default. | No, not installed by default. | No, not installed by default. |
| Old Versions | No, will not be automatically installed during the Whonix 17 release cycle to avoid breaking existing user workflows. | No, will remain sudo passwordless by default for better usability.
|
No, not applicable, will remain sudo passwordless by default.
|
No, not applicable, will remain sudo passwordless by default.
|
| New Images | Yes, will come with user-sysmaint-split installed by default.
|
No, will remain sudo passwordless by default and user-sysmaint-split will not be included.
|
No, user-sysmaint-split will not be included.
|
No, user-sysmaint-split will not be included.
|
| 17 to 18 Release Upgrade | Yes, user-sysmaint-split will be installed by default.
|
No change. Will remain sudo passwordless by default.
|
No, user-sysmaint-split will not be included.
|
No, user-sysmaint-split will not be included.
|
| Opt-Out | Yes, supported via custom configurations. | Yes | Yes | Yes |
| Opt-In | Yes, user-sysmaint-split can be installed at any time.
|
Yes | Yes | Yes |
user-sysmaint-split - Whonix-Workstation versus Whonix-Gateway - Default Installation Status Differences[edit]
This is because, according to the threat model and usage instructions, the user should not use Whonix-Gateway for anything other than running and configuring Tor. End-user applications, such as a browser, should be run inside Whonix-Workstation. Therefore, according to our current understanding, user-sysmaint-split would have no security benefit for Whonix-Gateway. As a result, Whonix-Gateway will remain sudo passwordless by default for better usability. Whonix-Workstation will come with user-sysmaint-split installed by default. [1]
user-sysmaint-split - GUI vs CLI - Default Installation Status Differences[edit]
user-sysmaint-split is different for the graphical user interface (GUI) versus the command line interface (CLI) version.
In the future, the CLI version will be improved to be more suitable for servers.
Server support for user-sysmaint-split, however, isn't as sophisticated yet as it is for the GUI version. For some server use cases, user-sysmaint-split may be less needed or unneeded. This topic is elaborated in the development chapter user-sysmaint-split Server Support.
Upstream[edit]
Redirection to Kicksecure Documentation
- Introduction: Whonix Documentation Introduction, User Expectations, Footnotes and References, User Expectations - What Documentation Is and What It Is Not
- Whonix is based on Kicksecure™: Whonix is built on top of Kicksecure. This means it uses many of the same security tools, design concepts, and configurations.
- Kicksecure is based on Debian: Kicksecure is developed using Debian as its base. Debian is a widely used, stable, and free Linux operating system.
- Inheritance: As a result, Whonix is also based on Debian.
- Debian is GNU/Linux-based: Debian is built using the GNU/Linux operating system. GNU provides essential tools and Linux is the system’s kernel (core).
- Shared documentation benefits: Since each system is based on the one below it, a lot of documentation and guides are shared. This reduces the need to duplicate information.
- Inherited documentation: Most instructions and explanations are inherited from Kicksecure or Debian, unless otherwise specified.
- Shared principles: The systems share similar security goals and setup instructions. In most cases, users can follow Kicksecure documentation when using Whonix.
- Keep using Whonix: This does not mean users should switch to Kicksecure. This page only points to related, helpful information.
- Where to apply the instructions: Follow the instructions inside Whonix unless specifically stated otherwise.
- Wiki editors notice: This information is pulled from a reusable wiki template: upstream_wiki. (See which pages use this.)
- Comparison: Whonix versus Kicksecure
- Documentation compatibility: Because Whonix is based on Kicksecure, you can often follow Kicksecure’s instructions as long as you apply them in the right place.
- Summary: Whonix is built on top of Kicksecure, which itself is based on Debian. Debian is a GNU/Linux operating system. This layered design means Whonix inherits many features, tools, and documentation from both Kicksecure and Debian.
- Click here: Visit the related page in the Kicksecure wiki for full documentation and background:
- Note: Re-interpretation...
Kicksecure: Perform these steps inside Kicksecure.
Instead, apply the steps inside Whonix-Workstation.
Kicksecure for Qubes: Perform these steps inside Qubes
kicksecure-17Template.
Instead, use the whonix-workstation-17 Template for these steps.
Footnotes[edit]
- ↑
No user applications are running there, besides:
- Tor Controller (optional, manual start only)
- Anon Connection Wizard (optional, manual start only)
- Tor-control-panel (optional, manual start only)
- sdwdate-gui (runs by default, can be disabled.)
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2025 ENCRYPTED SUPPORT LLC
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!