{{Header}}
{{title|title=
Unrestricted Admin Mode
}}
{{#seo:
|description={{project_name_short}} allows configuration for unrestricted admin mode, enabling the default user account to access privilege escalation tools like sudo and pkexec.
}}
{{passwords_mininav}}
{{intro|
In {{project_name_short}}, admin access is restricted by default for greater security. However, '''unrestricted admin mode can be configured'''. Read more about unrestricted admin mode and how to configure {{project_name_short}} to suit your needs.
}}
__FORCETOC__
= Overview =

'''Unrestricted admin mode''' is, in some regards, the opposite of [[sysmaint|<code>user-sysmaint-split</code>]]. In unrestricted admin mode, standard methods to perform tasks that require administrative rights, such as <code>sudo</code> and <code>pkexec</code>, are available for the {{project_name_short}} default limited account <code>user</code>.

Most other operating systems do not include <code>user-sysmaint-split</code> by default, so they do not refer to this as "unrestricted admin mode". In such systems, unrestricted admin mode is implied. However, {{project_name_short}} provides the flexibility to switch between <code>user-sysmaint-split</code> and unrestricted admin mode based on your needs.

Starting from {{project_name_short}} version <code>TODO</code> Xfce and above, {{project_name_short}} includes [[sysmaint|<code>user-sysmaint-split</code>]] by default.

= Uninstalling user-sysmaint-split and Enabling Unrestricted Admin Mode =

As the new default for {{project_name_short}} is [[sysmaint|<code>user-sysmaint-split</code>]], '''unrestricted admin mode''' must be specifically enabled. This section documents how to disable <code>user-sysmaint-split</code> and switch to unrestricted admin mode, where the user <code>user</code> can use <code>sudo</code>.

{{Box|text=
{{Icon|fa-solid fa-exclamation cs-yellow}} '''Optional. Discouraged.'''

<u>Warnings:</u>

* Reverting to unrestricted admin mode increases the risk of privilege escalation attacks and may weaken system security.
* It is discouraged to use <code>apt</code> for this purpose to avoid meta package removal issues. (Problems that can occur when important packages are removed together. For elaboration, see [[Debian Packages]].) Instead, it is recommended to proceed as per the instructions below.
}}

Platform specific. Select your platform.

{{Tab
|type=controller
|content=

{{Tab
|title= == {{project_name_short}} ==
|image=[[File:{{project_name_short}}-logo-icon.svg]]
|content=
{{Box|text=
If the <code>user-sysmaint-split</code> package is installed by default, the easiest way to remove it is by using the {{BootEntries|key=sysremove}} boot option on the GRUB screen.

'''1.''' Reboot the machine.

'''2.''' Select {{BootEntries|key=sysremove}} from the list of boot options.

'''3.''' Authenticate as necessary to log in as the <code>sysmaint</code> account. You may have to provide a disk encryption passphrase and/or the user password for the <code>sysmaint</code> account, if either or both passwords are set.

'''4.''' Type the word <code>yes</code> into the dialog box confirming that you really do want to uninstall <code>user-sysmaint-split</code>.

'''5.''' Click "OK". A terminal window will appear, showing the logs generated while uninstalling <code>user-sysmaint-split</code>.

'''6.''' When the text <code>Command exited. You may close this window safely</code> appears, close the terminal window. The system will automatically reboot.

'''7.''' Done.

The process of removing <code>user-sysmaint-split</code> is now complete.
}}

Alternatively, you can use [[Debian_Packages#dummy-dependency|<code>dummy-dependency</code>]] to remove the <code>user-sysmaint-split</code> package while booted in {{BootEntries|key=syspers}} (a special startup mode used for system changes). <ref>
The <code>--purge</code> option is optional and not required in this case when using <code>dummy-dependency</code>, because <code>user-sysmaint-split</code> has been designed without configuration files in the <code>/etc</code> folder. Instead, <code>user-sysmaint-split</code> uses symlinks, which are deleted upon removal. This design ensures that a standard <code>apt remove user-sysmaint-split</code> will not result in unexpected functionality, such as parts of <code>user-sysmaint-split</code> (e.g., boot menu entries) still being active.
</ref>

{{CodeSelect|code=
sudo dummy-dependency user-sysmaint-split
}}

}} <!-- close tab -->

{{Tab
|title= == {{q_project_name_long}} ==
|image=[[File:Qubes-logo-icon.png]]
|content=
{{Box|text=
'''1.''' Qubes version specific.

* Qubes R4.2: Open a [[Root#Qubes_Root_Console|Qubes Root Console]].
* Qubes R4.3 and above: Ensure that the <code>{{project_name_workstation_template}}</code> Template is booted in {{BootEntries|key=syspers}} (a special startup mode used for system changes).

'''2.''' Run:

{{CodeSelect|code=
sudo dummy-dependency user-sysmaint-split
}}

'''3.''' Install <code>qubes-core-agent-passwordless-root</code> to allow the <code>user</code> account to elevate to root.

{{CodeSelect|code=
sudo apt install qubes-core-agent-passwordless-root
}}

'''4.''' Shut down the Template.

'''5.''' Reboot any AppVMs that are based on the Template.

'''6.''' Done.

The process of removing <code>user-sysmaint-split</code> is now complete.
}}
}} <!-- close tab -->

}} <!-- close tab controller -->

= Impact of unrestricted admin mode =
Uninstalling <code>user-sysmaint-split</code> removes the sysmaint mode-related [[Grub|GRUB]] boot menu modifications and reverts back to a "normal" boot menu. Unrestricted admin mode is now the default.

Security impact? This is hard to quantify. It is important to understand that <code>user-sysmaint-split</code> is an additional security feature, not a silver bullet.

The security concept of user versus administrative account isolation, implemented by the <code>user-sysmaint-split</code> package, is a standard feature on mainstream mobile operating systems such as Android and iOS. These mobile operating systems limit the rights of the device owner and reserve full administrative access for the device manufacturer (OEM). The purpose of this, among other security aspects, is to enforce [[Miscellaneous_Threats_to_User_Freedom#mobile_devices_restrictions|mobile device restrictions]], prioritizing the wishes of OEMs and application developers over user preferences. See also the [[Miscellaneous_Threats_to_User_Freedom|General Threats to User Freedom]] wiki chapter [[Miscellaneous_Threats_to_User_Freedom#Administrative_Rights|Administrative Rights]].

<code>user-sysmaint-split</code> improved security in many contexts. For example, if a user is using a dedicated {{VM}} in a session only for web browsing, then there is no need for that VM to ever gain root rights. However, in other contexts such as on a server or development environment, <code>user-sysmaint-split</code> might offer little or no additional security, or degrade usability to unproductive levels.

There have been times when <code>user-sysmaint-split</code> was unavailable and nothing catastrophic occurred. At worst, this reduces the security level to {{project_name_short}} versions equal to or lower than version <code>17.2.8.5</code>.

See also [[Root#Rationale_for_Protecting_the_Root_Account|Rationale for Protecting the Root Account]].

= Optional Restrictions =
After removal, the user can configure <code>sudo</code> and/or other privilege escalation tools as usual.

= Footnotes =
<references/>
{{Footer}}
[[Category: Design]]
[[Category: Development]]