Install Software Documentation Printing and Scanning Previous page: Install Software Index page: Documentation Next page: Printing and Scanning sysmaint - System Maintenance User

Overview: Whonix specific sysmaint account documentation and default installation status differences.
Default: Whonix LXQt comes with user-sysmaint-split by default.
Accounts: There are two accounts:
- user: For daily activities.
- sysmaint: For system maintenance administrative activities, such as installing software or upgrading.
Security rationale: This is a security feature. ( rationale)
Administrative access: Boot into the sysmaint session. This is the recommended way to perform administrative tasks, to run tools such as sudo or pkexec.
Troubleshooting: If you see the following errors, you are most likely in the user session:

permission denied: sudo

permission denied: pkexec

Fix: Reboot into the sysmaint session and run administrative commands there.
Unrestricted Admin Mode: The opposite of user-sysmaint-split is Unrestricted Admin Mode, which users can opt in to enable. This is generally not recommended, because it removes the security benefits of user-sysmaint-split.
Older versions: For older versions, refer to Version Overview for upgrade information.

Screenshot

Non-Qubes-Whonix:

Image: Whonix-Workstation - sysmaint Boot Option in GRUB boot menu

Qubes-Whonix:

Image: Whonix-Workstation - sysmaint Boot Option in Qubes VM Manager (QVMM)

Version Overview

Feature	Whonix-Workstation LXQt (GUI)	Whonix-Gateway LXQt (GUI)	Whonix-Workstation CLI	Whonix-Gateway CLI
`user-sysmaint-split`	Yes, default in new images.	Yes, default in new images.	No, not default.	No, not default.
Old Versions	No, not auto-installed (to avoid breaking workflows).	No, not auto-installed (to avoid breaking workflows).	No, not applicable (remains `sudo` passwordless by default).	No, not applicable (remains `sudo` passwordless by default).
New Images	Yes, includes `user-sysmaint-split` by default.	Yes, includes `user-sysmaint-split` by default.	No, does not include `user-sysmaint-split`.	No, does not include `user-sysmaint-split`.
17 to 18 Release Upgrade	No, does not auto-install `user-sysmaint-split`.	No, does not auto-install `user-sysmaint-split`.	No, does not include `user-sysmaint-split`.	No, does not include `user-sysmaint-split`.
Opt-Out	Yes, via Unrestricted Admin Mode.	Yes, via Unrestricted Admin Mode.	Yes	Yes
Opt-In	Yes, can be installed anytime.	Yes, can be installed anytime.	Yes	Yes

user-sysmaint-split - Whonix-Workstation versus Whonix-Gateway - Default Installation Status Differences

In the past, in earlier versions, there have been differences between Whonix-Workstation and Whonix-Gateway. ^[1] There are no more differences since Whonix 18. ^[2]

user-sysmaint-split - GUI vs CLI - Default Installation Status Differences

Default installation status: user-sysmaint-split default installation status (installed by default versus not installed by default) differs between the graphical user interface (GUI) and command line interface (CLI) versions.
Future direction: In the future, the CLI version will be improved to be more suitable for servers.
- Server support: Server support for user-sysmaint-split is not yet as sophisticated as it is for the GUI version.
- Server use cases: For some server use cases, user-sysmaint-split may be less needed or unnecessary.
- Further reading: This topic is elaborated in the development chapter user-sysmaint-split Server Support.

Upstream

Redirection to Kicksecure Documentation

NOT-SELFCONTAINED: This wiki page is not self-contained by design. This It only includes details specific to Whonix. For full understanding, please follow the link below to the Kicksecure wiki, which provides more complete background and instructions.

Introduction: Whonix Documentation Introduction, User Expectations, Footnotes and References, User Expectations - What Documentation Is and What It Is Not
Whonix is based on Kicksecure^™: Whonix is built on top of Kicksecure. This means it uses many of the same security tools, design concepts, and configurations.
Kicksecure is based on Debian: Kicksecure is developed using Debian as its base. Debian is a widely used, stable, and free Linux operating system.
Inheritance: As a result, Whonix is also based on Debian.
Debian is GNU/Linux-based: Debian is built using the GNU/Linux operating system. GNU provides essential tools and Linux is the system’s kernel (core).
Shared documentation benefits: Since each system is based on the one below it, a lot of documentation and guides are shared. This reduces the need to duplicate information.
Inherited documentation: Most instructions and explanations are inherited from Kicksecure or Debian, unless otherwise specified.
Shared principles: The systems share similar security goals and setup instructions. In most cases, users can follow Kicksecure documentation when using Whonix.
Keep using Whonix: This does not mean users should switch to Kicksecure. This page only points to related, helpful information.
Where to apply the instructions: Follow the instructions inside Whonix unless specifically stated otherwise.
Wiki editors notice: This information is pulled from a reusable wiki template: upstream_wiki. (See which pages use this.)
Comparison: Whonix versus Kicksecure
Documentation compatibility: Because Whonix is based on Kicksecure, you can often follow Kicksecure’s instructions as long as you apply them in the right place.
Summary: Whonix is built on top of Kicksecure, which itself is based on Debian. Debian is a GNU/Linux operating system. This layered design means Whonix inherits many features, tools, and documentation from both Kicksecure and Debian.
Click here: Visit the related page in the Kicksecure wiki for full documentation and background:

Sysmaint

Note: Re-interpretation...

Apply the instructions inside Whonix, not inside Kicksecure.

Kicksecure: Perform these steps inside Kicksecure.

Instead, apply the steps inside Whonix-Workstation.

Kicksecure for Qubes: Perform these steps inside Qubes kicksecure-18 Template.

Instead, use the whonix-workstation-18 Template for these steps.

Footnotes

Whonix

The most watertight privacy operating system in the world.

Dark mode

Supported by Power Up Privacy

Whonix is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[1] Whonix Forums Discussion on the usefulness of user-sysmaint-split inside Whonix-Gateway

[2] Whonix Forums post about restricting root access

[1]

[2]

sysmaint - System Maintenance User

Contents

Screenshot

Version Overview

user-sysmaint-split - Whonix-Workstation versus Whonix-Gateway - Default Installation Status Differences

user-sysmaint-split - GUI vs CLI - Default Installation Status Differences

Upstream

Footnotes

Navigation menu

sysmaint - System Maintenance User

Screenshot

Version Overview

user-sysmaint-split - Whonix-Workstation versus Whonix-Gateway - Default Installation Status Differences

user-sysmaint-split - GUI vs CLI - Default Installation Status Differences

Upstream

Footnotes

Navigation menu

Search