Kicksecure ™

Download

On Computer USB Installation Debian morph to Kicksecure Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Kicksecure can be configured for unrestricted admin mode.

In this mode, traditional access to privilege escalation tools such as sudo and pkexec is possible for the Kicksecure default limited account user.

Most other operating systems do not even call this "unrestricted admin mode" because they do not come with user-sysmaint-split by default. In such systems, unrestricted admin mode is implied. However, Kicksecure provides the flexibility to switch between user-sysmaint-split and unrestricted admin mode depending on your needs.

Starting from Kicksecure version TODO Xfce and above, Kicksecure comes with user-sysmaint-split by default.

Uninstalling user-sysmaint-split and Enabling Unrestricted Admin Mode[edit]

This chapter documents how to disable user-sysmaint-split and revert to unrestricted admin mode, where the user user can use sudo.

Optional. Discouraged.

Warnings:

• Reverting to unrestricted admin mode increases the risk of privilege escalation attacks and may weaken system security.
• It is discouraged to use apt for this purpose, to avoid meta-package removal issues (Debian Packages). Instead, it is recommended to proceed as per instructions below.

Platform specific. Select your platform.

Kicksecure

If the user-sysmaint-split package is installed by default, the easiest way to remove it is by using the REMOVE user-sysmaint-split boot option on the GRUB screen.

1. Reboot the machine.

2. Select Kicksecure REMOVE user-sysmaint-split GNU/Linux from the list of boot options.

3. Authenticate as necessary to log in as the sysmaint account. You may have to provide a disk encryption passphrase and/or the user password for the sysmaint account, if either or both passwords are set.

4. Type the word yes into the dialog box confirming that you really do want to uninstall user-sysmaint-split.

5. Click "OK". A terminal window will appear, showing the logs generated while uninstalling user-sysmaint-split.

6. When the text Command exited. You may close this window safely appears, close the terminal window. The system will automatically reboot.

7. Done.

The process of removing user-sysmaint-split is now complete.

Alternatively, you can use dummy-dependency to remove the user-sysmaint-split package while booted in PERSISTENT mode SYSMAINT. ^[1]

sudo dummy-dependency user-sysmaint-split

Kicksecure for Qubes

1. Qubes version specific.

• Qubes R4.2: Open a Qubes Root Console.
• Qubes R4.3 and above: Ensure that the kicksecure-17 Template is booted in PERSISTENT mode SYSMAINT.

2. Run:

sudo dummy-dependency user-sysmaint-split

3. Install qubes-core-agent-passwordless-root to allow the user account to elevate to root.

sudo apt install qubes-core-agent-passwordless-root

4. Shut down the qube template.

5. Reboot any AppVMs that are based on the qube template.

6. Done.

The process of removing user-sysmaint-split is now complete.

Impact[edit]

This removes the sysmaint mode-related GRUB boot menu modifications and reverts back to a "normal" boot menu.

Security impact? This is hard to quantify. It is important to contextualize user-sysmaint-split for what it is: an additional security feature, not magic.

The security concept of user versus administrative account isolation, implemented by the user-sysmaint-split package, is a many-years-old and standard security feature on mainstream mobile operating systems such as Android and iOS. These mobile operating systems degrade device owners to limited rights and provide administrative rights to the device manufacturer (OEM) only. The purpose of this, among other security aspects, is to enforce mobile device restrictions, prioritizing the wishes of OEMs and application developers over user preferences. See also the General Threats to User Freedom wiki chapter Administrative Rights.

user-sysmaint-split improved security in many contexts. For example, if a user is using a dedicated virtual machine (VM) in a session only for the purpose of web browsing, then there is no need for that VM to ever gain root rights. However, in other contexts such as on a server or development environment, user-sysmaint-split might provide less or no security or degrade usability to unproductive levels.

There have been times where user-sysmaint-split was unavailable and nothing catastrophic took place. At worst, this reduces the security level to Kicksecure versions equal to or lower than version 17.2.8.5.

See also Rationale for Protecting the Root Account.

Optional Restrictions[edit]

After removal the user can configure sudo and/or other privilege escalation tools etc as per usual.

Footnotes[edit]

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!