sysmaint - System Maintenance User

From Kicksecure

Starting from Kicksecure version 17.3.0.5 Xfce and above, Kicksecure comes with user-sysmaint-split by default.

There are two accounts:

  • user - For daily activities.
  • sysmaint - For system maintenance administrative activities, such as installing software or upgrading.

This is a security feature. (rationale)

The opposite of user-sysmaint-split is Unrestricted Admin Mode, which users can opt in to enable.

Introduction

sysmaint - system maintenance

Status

Warning: This is for testers-only!

Default Installation Status

  • Old versions: Kicksecure build versions up to 17.2.8.5 will not be upgraded to install user-sysmaint-split by default. Users can, however, opt in to install it; see Installation. The package will likely get installed by default when the major Release Upgrade to version 18 is performed.
  • New versions:
    • host: Meta package kicksecure-host-xfce will come with user-sysmaint-split by default.
    • CLI: Meta package kicksecure-host-cli will not come with user-sysmaint-split by default.
    • servers: user-sysmaint-split will not be installed by default on servers.
    • Distribution Morphing: Depending on chosen meta package.

Version Overview

graphical user interface (GUI) versus command line interface (CLI).

| Feature | Kicksecure Xfce (GUI) | Kicksecure CLI |
|---|---|---|
| user-sysmaint-split | Yes, installed by default in new images. | No, not installed by default. |
| Old Versions | No, will not be automatically installed during the Kicksecure 17 release cycle to avoid breaking existing user workflows. | No, not applicable, will remain sudo passwordless by default. |
| New Images | Yes, will come with user-sysmaint-split installed by default. | No, user-sysmaint-split will not be included. |
| Release Upgrade | Yes, user-sysmaint-split will be installed by default. | No, user-sysmaint-split will not be included. |
| Opt-Out | Yes, supported via custom configurations. | Yes |
| Opt-In | Yes, user-sysmaint-split can be installed at any time. | Yes |

Installation

Install package(s) user-sysmaint-split sysmaint-panel by following these instructions.

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the user-sysmaint-split sysmaint-panel package(s).

Using the apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends user-sysmaint-split sysmaint-panel

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) user-sysmaint-split sysmaint-panel is complete.

Usage

Platform specific. Select your platform.

Kicksecure

The sysmaint desktop session.
The sysmaint console session.

When user-sysmaint-split is installed, you will no longer be able to use privilege escalation tools (sudo, su, pkexec) when logged into any account other than sysmaint, including account user.

This change takes effect immediately.
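
One way to confirm this from a terminal in account user, as an added example that is not part of the Kicksecure documentation or the package's own code. It assumes the restriction shows up as the tools being absent or not executable for the calling account (the page does not state the mechanism); the function names, the SEARCH_PATH parameter and the --check flag are hypothetical.

```shell
#!/bin/sh
# Added example: list the privilege escalation tools the calling account
# can still execute. Intended to be run as account "user".
TOOLS="sudo su pkexec"   # the tools named on this page

# usable_tools [SEARCH_PATH]: print the path of each tool in $TOOLS that
# the calling account may execute. SEARCH_PATH defaults to $PATH (the
# parameter is hypothetical, added so the check can be tested).
usable_tools() {
    search_path=${1:-$PATH}
    for tool in $TOOLS; do
        old_ifs=$IFS
        IFS=:
        for dir in $search_path; do
            [ -n "$dir" ] || continue
            # -x is true only if this account has execute permission.
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                printf '%s\n' "$dir/$tool"
                break
            fi
        done
        IFS=$old_ifs
    done
}

# check_split [SEARCH_PATH]: return 0 if no tool is usable, 1 otherwise.
check_split() {
    found=$(usable_tools "$@")
    if [ -z "$found" ]; then
        echo "OK: account $(id -un) cannot execute any of: $TOOLS"
        return 0
    fi
    echo "WARNING: account $(id -un) can still execute:"
    echo "$found" | sed 's/^/  /'
    return 1
}

# Run the check only when asked: sh check-split.sh --check
if [ "${1:-}" = "--check" ]; then
    check_split
    exit
fi
```

In PERSISTENT mode SYSMAINT the same check is expected to list the tools as usable, since sudo and pkexec work in that session.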

To perform system maintenance tasks such as checking for software updates, installing updates, etc., the user will have to reboot into the sysmaint account. To do this, restart the system normally, then select PERSISTENT mode SYSMAINT (For system maintenance.) from the boot menu. The system will boot into a minimal desktop session with the System Maintenance Panel running. To reduce attack surface, most superfluous background services are suppressed while booted into the sysmaint account.

The sysmaint desktop session is intentionally minimal and not suited for normal desktop use. This is to discourage using it for work that has a higher risk of causing a difficult-to-avoid system compromise (such as web browsing). Quick shortcuts are provided for simple software management and system administration tasks, while more advanced tasks can be performed from a terminal. The sudo and pkexec commands will be usable here.

Once you are done with system maintenance tasks, click "Reboot" to reboot the system. Then boot into PERSISTENT mode USER (For daily activities.) or LIVE mode USER (For daily activities.). This will provide you with a standard desktop session.

When booted in PERSISTENT mode SYSMAINT, you can also log into the sysmaint account from a virtual console (tty). Simply input the account name sysmaint at the login prompt. This session behaves identically to a typical virtual console session. A short informational message will be printed after login reminding you that the sysmaint account must be used with caution.

Kicksecure for Qubes

Qubes version specific.

  • Qubes OS R4.2 and earlier: Kicksecure for Qubes cannot be booted into sysmaint mode. However, user-sysmaint-split is useful in Qubes VMs too because it makes SUID privilege escalation tools (sudo, su, pkexec) inaccessible for account user. You can access the root user account by opening a Qubes Root Console.
  • Qubes OS R4.3 and later: Boot modes are supported. Kicksecure for Qubes uses these to allow any Kicksecure Qube to be booted in either PERSISTENT mode USER or PERSISTENT mode SYSMAINT. By default, the kicksecure-17 Template will boot in PERSISTENT mode SYSMAINT, while Kicksecure AppVMs and DispVMs will boot in PERSISTENT mode USER.

PERSISTENT mode USER and PERSISTENT mode SYSMAINT are mostly functionally identical under Qubes OS. PERSISTENT mode SYSMAINT differs in the following ways:

  • The default user account for most actions is changed to sysmaint.
  • User-specific system services such as the X11 server run as account sysmaint.
  • Potentially dangerous operations such as opening URLs are disabled.
  • The System Maintenance Panel is usable.
  • Privilege escalation tools are easily usable, since the sysmaint account will be provided rather than the user account.

It is possible to boot a Kicksecure Qube in a non-standard boot mode (i.e. booting a Template in PERSISTENT mode USER, or booting an AppVM in PERSISTENT mode SYSMAINT). To do so, change the boot mode of the Qube before starting it.

1. Ensure the Qube is shut down.

2. Open Qube Manager.

Start menu → Gear icon → Qubes Tools → Qube Manager

3. Click on the VM you wish to change the boot mode of.

4. Click "Settings" in the toolbar.

5. Click the "Advanced" tab in the Settings window.

6. In the "Kernel" section, change "Boot mode" to your desired boot mode.

7. Click "OK" in the Settings window.

8. Start the Qube. It will boot in the selected boot mode.

9. Done.

The procedure of switching the boot mode for a Qube is now complete.

Fast User Switching

Platform specific. Select your platform.

Kicksecure

It is not possible to switch from account user to sysmaint using:

  • Start Menu → logout
  • Start Menu → switch user

This is a security feature. [1]

Instead, a reboot into sysmaint mode is required, as documented above.

Kicksecure for Qubes

Not applicable.

Notes

  • sysmaint account restrictions: Several restrictions are imposed to reduce the risk of the sysmaint account becoming compromised:
    • Locked access depending on boot mode: The sysmaint account is locked and cannot be logged into when booted into modes other than PERSISTENT mode SYSMAINT.
    • Session limitation: Logging into the sysmaint account using anything other than the special sysmaint desktop session is prohibited.
    • Discouragement of other logins: When booted in PERSISTENT mode SYSMAINT, you will be discouraged (but not entirely prevented) from logging into accounts other than sysmaint. Locking accounts such as account user is not implemented, since doing so would make it very tricky or even impossible for the user to permanently lock accounts themselves.
    • Inhibition of non-critical services: When booted in PERSISTENT mode SYSMAINT, only the minimum services needed for the session to be usable are started by default. New services are prevented from automatically starting during APT software upgrades.

Questions and Answers

user-sysmaint-split - GUI vs CLI - Default Installation Status Differences

user-sysmaint-split is different for the graphical user interface (GUI) versus the command line interface (CLI) version.

In the future, the CLI version will be improved to be more suitable for servers.

Server support for user-sysmaint-split, however, isn't yet as sophisticated as it is for the GUI version. For some server use cases, user-sysmaint-split may be less needed or unneeded. This topic is elaborated in the development chapter user-sysmaint-split Server Support.

Uninstallation

See Uninstalling user-sysmaint-split and enabling Unrestricted Admin Mode.

Developers

Footnotes
