sysmaint - System Maintenance User
Starting from Kicksecure version 17.2.8.6 Xfce and above, Kicksecure comes with sysmaint-user-split by default.
There are two accounts:
- user: For daily activities.
- sysmaint: For system maintenance administrative activities, such as installing software or upgrading.
This is a security feature. (rationale)
The opposite of sysmaint-user-split is Unrestricted Admin Mode, which users can opt in to enable.
Introduction
sysmaint - system maintenance
Status
Default Installation Status
- Old versions: Kicksecure build versions up to 17.2.8.5 will not be upgraded to install user-sysmaint-split by default. Users however can opt in to install it, see #Installation. The package will likely get installed by default when a major Release Upgrade to version 18 is performed.
- New versions:
  - host: Meta package kicksecure-host-xfce will come with user-sysmaint-split by default.
  - CLI: Meta package kicksecure-host-cli will not come with user-sysmaint-split by default.
  - servers: user-sysmaint-split will not be installed by default on servers.
  - Distribution Morphing: Depending on chosen meta package.
Installation
Install package(s) user-sysmaint-split sysmaint-panel following these instructions
1. Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: In Template.
2. Update the package lists and upgrade the system.
sudo apt update && sudo apt full-upgrade
3. Install the user-sysmaint-split sysmaint-panel package(s).
Using apt command line --no-install-recommends option is in most cases optional.
sudo apt install --no-install-recommends user-sysmaint-split sysmaint-panel
4. Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.
5. Done.
The procedure of installing package(s) user-sysmaint-split sysmaint-panel is complete.
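A post-install check for the procedure above, added here as an example (not Kicksecure's own tooling): it confirms that both packages from step 3 are fully installed by parsing dpkg-query status output, so a package left in a removed-but-configured or half-installed state is flagged too. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the packages installed in step 3 are really
# in the "ii" (install requested, fully installed) state.

# Package names taken from this page.
REQUIRED_PKGS="user-sysmaint-split sysmaint-panel"

# Reads "<status-abbrev> <package>" lines on stdin and prints every required
# package whose state is not exactly "ii" (missing, "rc", "iU", "iHR", ...).
# Returns 0 only when all required packages are fully installed.
missing_pkgs() {
    awk -v req="$REQUIRED_PKGS" '
        { state[$2] = $1 }
        END {
            n = split(req, want, " ")
            rc = 0
            for (i = 1; i <= n; i++)
                if (state[want[i]] != "ii") { print want[i]; rc = 1 }
            exit rc
        }'
}

# Live query on a Debian-based system. Unknown packages produce no line on
# stdout, so missing_pkgs reports them as not installed.
query_status() {
    # shellcheck disable=SC2086  # word splitting of the list is intended
    dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' $REQUIRED_PKGS 2>/dev/null
}

# Constructed sample: the panel was removed but its config files remain ("rc").
SAMPLE='ii  user-sysmaint-split
rc  sysmaint-panel'

check_sample() { printf '%s\n' "$SAMPLE" | missing_pkgs; }

echo "Not fully installed (constructed sample): $(check_sample)"
# On a real system: query_status | missing_pkgs && echo "both packages installed"
```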
Usage
When user-sysmaint-split is installed, the user will no longer be able to use privilege escalation tools (sudo or pkexec) when logged into any account other than sysmaint. Features of Kicksecure that require privilege escalation will also no longer work. (Dev/sudo) This change takes effect immediately.
To perform system maintenance tasks such as checking for software updates, installing updates, etc., the user will have to reboot into the sysmaint account. To do this, restart the system normally, then select PERSISTENT mode SYSMAINT (For system maintenance.) from the boot menu. The system will boot into a minimal desktop session with the System Maintenance Panel running. To reduce attack surface, most superfluous background services are suppressed while booted into the sysmaint account.
The sysmaint desktop session is intentionally minimal and not suited for normal desktop use. This is to discourage using it for work that has a higher risk of causing a difficult-to-avoid system compromise (such as web browsing). Quick shortcuts are provided for simple software management and system administration tasks, while more advanced tasks can be performed from a terminal. The sudo and pkexec commands will be usable here.
Once you are done with system maintenance tasks, click "Reboot" to reboot the system. Then boot into PERSISTENT mode USER (For daily activities.) or LIVE mode USER (For daily activities.). This will provide you with a standard desktop session.
You can also log into the sysmaint account from a virtual console (tty). Simply input the account name sysmaint at the login prompt. This session behaves identically to a typical virtual console session. A short informational message will be printed after login reminding you that the sysmaint account must be used with caution.
Fast User Switching
It is not possible to switch from account user to sysmaint using:
- Start Menu → logout
- Start Menu → switch user
Instead, a reboot into sysmaint mode is required, as documented above.
Notes
- Several restrictions are imposed to reduce the risk of the sysmaint account becoming compromised:
  - The sysmaint account is locked and cannot be logged into when booted into modes other than PERSISTENT mode SYSMAINT.
  - Logging into the sysmaint account using anything other than the special sysmaint session is prohibited.
  - When booted in PERSISTENT mode SYSMAINT, you will be discouraged (but not entirely prevented) from logging into accounts other than sysmaint. We don't lock other accounts on the system, since doing so would make it very tricky or even impossible for the user to permanently lock accounts themselves.
Questions and Answers
- Why is there a separate sysmaint account?
- Why is it required to boot into sysmaint mode, why not simply use start menu -> switch user?
  - This is to mitigate login spoofing attacks and to prevent sudo password sniffing.
- How to go back to unrestricted admin mode, where user user can use sudo?
  - See #Uninstallation.
Uninstallation
See Uninstalling user-sysmaint-split and enabling Unrestricted Admin Mode.
Developers
- User Account Isolation (developers)
- user-sysmaint-split (developers)
  - https://github.com/Kicksecure/user-sysmaint-split
  - https://github.com/Kicksecure/sysmaint-panel