{{Header}}
{{title|title=
Role-Based Boot Modes (user versus admin) for Enhanced Security
}}
{{#seo:
|description=Persistent User / Live user / Persistent Admin / Persistent Recovery Mode
}}
[[File:Grub-boot-icon.jpg|300px|thumb]]
{{intro|
GRUB boot menu options Persistent User / Live user / Persistent Admin / Persistent Recovery Mode and their use cases.
}}
{{mbox
|icon=fa-solid fa-exclamation cs-yellow
|text=This is a concept still in development. Waiting for implementation. Help welcome!
}}
= Introduction =

This page discusses different boot modes in the {{project_name_long}} operating system, aimed at improving security through role-based boot options. It describes modes like "Persistent User" for daily activities and "Persistent Admin" for updates, software installation, and full system control. The goal is to isolate user activities and reduce security risks by restricting what each boot mode can access and modify. The page also explains potential opt-outs for users who prefer traditional root access.

These schemes are generic and work for both hosts and VMs. This applies to {{project_name_long}} and derivatives of {{project_name_long}}, such as (non-Qubes) {{whonix}}.

= Development Goals =
{{Anchor|Goals}}

These goals guide the boot modes implementation:

* [[Login spoofing|Defeat login spoofing]]
* [[Root#Prevent_Malware_from_Sniffing_the_Root_Password|Prevent Malware from Sniffing the Root Password]]
* [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]]
* [[Noexec]]
* [[Verified Boot]]

= Grub Default Boot Menu Entries =

The default GRUB boot menu entries are:

* <code>PERSISTENT mode USER (For daily activities.)</code>
* <code>LIVE mode USER (For daily activities.)</code>
* <code>PERSISTENT mode ADMIN (For software installation.)</code>
* <code>Recovery PERSISTENT mode ADMIN</code>

= Boot Modes Considered Too Unimportant to Be Added to GRUB Default Boot Menu =

'''Currently, we don’t see good use cases to include these modes as default, but user feedback could change this in the future.'''

* <code>LIVE mode ADMIN</code>
* <code>Recovery LIVE mode ADMIN</code>

'''DIY Methods to Include These and Other Entries in the GRUB Boot Menu'''

{{IconSet|h2|A}} Files in the <code>/etc/grub.d/</code> folder could add these entries, but they could be non-executable by default. To opt-in, users could run <code>sudo chmod +x /etc/grub.d/somenumber_name-of-boot-mode</code>.

{{IconSet|h2|B}} Users wanting custom entries can add them directly to the <code>/etc/grub.d/</code> folder or GRUB boot menu.

{{IconSet|h2|C}} Using GRUB boot menu editing (key <code>e</code>) at boot, kernel parameters can be adjusted for any combination.

= Use Cases for the Different Boot Modes =

Common use cases tailored to the available boot modes:

* <code>PERSISTENT mode USER (For daily activities.)</code>: Ideal for browsing, email, chat, or running a pre-configured server. Includes upgrading through <code>upgrade-nonroot</code>.
* <code>LIVE mode USER (For daily activities.)</code>: Similar to Persistent User but without persistence.
* <code>PERSISTENT mode ADMIN (For administrative tasks.)</code>: Allows running <code>sudo apt install [package]</code>, editing <code>/etc/apt/sources.list.d</code>, and similar tasks. Reboot into USER mode afterward.
* <code>Recovery PERSISTENT mode ADMIN</code>: Standard recovery mode.

= Opt-Out to Get the Same Behavior as Old {{project_name_short}} =
Users who wish "the old {{project_name_short}}" "with unrestricted sudo for user <code>user</code>" back, who don't want to see any of the new options [A], [B], [C] could delete these <code>/etc/grub.d</code> grub menu entries by running <code>sudo chmod -x /etc/grub.d/somenumber_name-of-boot-mode</code>. (There could be a script to simplify that.)

Users preferring the traditional {{project_name_short}} behavior with unrestricted <code>sudo</code> for <code>user</code> can remove the new options:

* <code>PERSISTENT mode USER (For daily activities.)</code> [A]
* <code>LIVE mode USER (For daily activities.)</code> [B]
* <code>PERSISTENT mode ADMIN (For administrative tasks.)</code> [C]

= /etc/grub.d File Names =

Details about <code>/etc/grub.d</code> files:

<pre>
filename                                     purpose
---------------------------------------      -----------------------------
/etc/grub.d/10_linux                         PERSISTENT mode USER
/etc/grub.d/11_linux_live                    LIVE mode USER
/etc/grub.d/12_linux_admin                   PERSISTENT mode ADMIN
/etc/grub.d/13_linux_admin_live              LIVE mode ADMIN
/etc/grub.d/16_linux_recovery_mode           PERSISTENT mode ADMIN
/etc/grub.d/17_linux_recovery_mode_live      Recovery LIVE mode ADMIN
</pre>

Files should remain in lexical order below <code>/etc/grub.d/20_</code> to avoid conflicts with existing scripts.

Note: Some files may not be created initially (or at all), as outlined in the "Boot Modes Considered Too Unimportant to Be Added to GRUB Default Boot Menu" section.

= Server Support =

GRUB boot menus aren’t easily accessible on many servers. A solution for making these boot modes available on servers is yet to be determined. See the forum discussion: https://forums.whonix.org/t/multiple-boot-modes-for-better-security-persistent-user-live-user-persistent-admin-persistent-superadmin-persistent-recovery-mode/7708/50

= Implementation =

Outdated:

* https://github.com/{{project_name_short}}/apparmor-profile-everything/tree/master/etc/grub.d

= Prior Versions =

[https://www.kicksecure.com/w/index.php?title=Dev/boot_modes&oldid=87353 Older concept version still containing "SUPERADMIN" and "SECUREADMIN".]

= Tickets =
* [https://github.com/QubesOS/qubes-issues/issues/9519 Create user admin by default and add user admin to group sudo by default]
* [https://github.com/QubesOS/qubes-issues/issues/9512 Selective sudo Access Enabling in VMs Without qubes-core-agent-passwordless-root via qvm-service]

= Related =

* [https://forums.whonix.org/t/disable-newly-all-installed-services-by-default/9381/2 Disable newly (all) installed services by default]
* [[Verified Boot]]
* <s>Forum discussion: [https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339 AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy]</s>
* <s>[https://github.com/{{project_name_short}}/apparmor-profile-everything AppArmor for everything: APT, systemd, init, all systemd units, all applications. Mandatory Access Control. Security Hardening.]</s>
* <s>[https://forums.whonix.org/t/untrusted-root-improve-security-by-restricting-root/7998 Untrusted Root - Improve Security by Restricting Root]</s>

= Footnotes =
<references/>
{{Footer}}
[[Category: Design]]
[[Category: Development]]