sysmaint - System Maintenance User

Whonix-specific sysmaint account documentation. Default Installation Status Differences:

  • Whonix-Workstation versus Whonix-Gateway;
  • GUI (Xfce) versus CLI;
  • Older versions versus new images.

Starting from Whonix-Workstation Xfce version 17.3.0.5, Whonix comes with user-sysmaint-split by default.

There are two accounts:

  • user - For daily activities.
  • sysmaint - For system maintenance administrative activities, such as installing software or upgrading.

This is a security feature. (rationale)

The opposite of user-sysmaint-split is Unrestricted Admin Mode, which users can opt in to enable.

Version Overview

| Feature | Whonix-Workstation Xfce (GUI) | Whonix-Gateway Xfce (GUI) | Whonix-Workstation CLI | Whonix-Gateway CLI |
|---|---|---|---|---|
| user-sysmaint-split | Yes, installed by default in new images. | No, not installed by default. | No, not installed by default. | No, not installed by default. |
| Old Versions | No, will not be automatically installed during the Whonix 17 release cycle to avoid breaking existing user workflows. | No, will remain sudo passwordless by default for better usability. | No, not applicable, will remain sudo passwordless by default. | No, not applicable, will remain sudo passwordless by default. |
| New Images | Yes, will come with user-sysmaint-split installed by default. | No, will remain sudo passwordless by default and user-sysmaint-split will not be included. | No, user-sysmaint-split will not be included. | No, user-sysmaint-split will not be included. |
| 17 to 18 Release Upgrade | Yes, user-sysmaint-split will be installed by default. | No change. Will remain sudo passwordless by default. | No, user-sysmaint-split will not be included. | No, user-sysmaint-split will not be included. |
| Opt-Out | Yes, supported via custom configurations. | Yes | Yes | Yes |
| Opt-In | Yes, user-sysmaint-split can be installed at any time. | Yes | Yes | Yes |

user-sysmaint-split - Whonix-Workstation versus Whonix-Gateway - Default Installation Status Differences

The defaults differ because, according to the threat model and usage instructions, the user should not use Whonix-Gateway for anything other than running and configuring Tor. End-user applications, such as a browser, should be run inside Whonix-Workstation. Therefore, according to our current understanding, user-sysmaint-split would have no security benefit for Whonix-Gateway. As a result, Whonix-Gateway will remain sudo passwordless by default for better usability. Whonix-Workstation will come with user-sysmaint-split installed by default. [1]

user-sysmaint-split - GUI vs CLI - Default Installation Status Differences

user-sysmaint-split is different for the graphical user interface (GUI) versus the command line interface (CLI) version.

In the future, the CLI version will be improved to be more suitable for servers.

Server support for user-sysmaint-split, however, isn't as sophisticated yet as it is for the GUI version. For some server use cases, user-sysmaint-split may be less needed or unneeded. This topic is elaborated in the development chapter user-sysmaint-split Server Support.

Upstream

Redirection to Kicksecure Documentation

Incomplete: This wiki page is incomplete. This is by design. It only contains specific information for Whonix. Below is a link to a wiki page in the Kicksecure wiki with more general information. Reading it is mandatory for full information.

  • Note: Re-interpretation...
    Apply the instructions inside Whonix, not Kicksecure.
      • Where the Kicksecure wiki says "Kicksecure: Perform these steps inside Kicksecure.", the user should instead apply the instructions inside Whonix-Workstation.
      • Where the Kicksecure wiki says "Kicksecure for Qubes: Perform these steps inside Qubes kicksecure-17 Template.", the user should instead apply the instructions inside whonix-workstation-17 Template.

Footnotes

  1. No user applications are running there, besides: See also: Whonix Forums Discussion on the usefulness of user-sysmaint-split inside Whonix-Gateway