{{Header}}
{{Title|
title=sysmaint - System Maintenance User
}}
{{#seo:
|description=sysmaint
|image=Usersysmaint-clipart.svg
}}
{{passwords_mininav}}
[[File:Usersysmaint-clipart.svg|thumb|200px]]
{{intro|
Sysmaint, or system maintenance, is an account created by the [[sysmaint|user-sysmaint-split]] feature. It increases security. Read about this new feature, how to use it, and our rationale on this page.
}}
= Overview: What is sysmaint and Why Should I Care? =
{{Testers-Only}}
Starting from version <code>17.3.0.5</code>, {{project_name_short}} comes with a security feature called [[sysmaint|user-sysmaint-split]] enabled by default (in Xfce and above). This feature creates two separate user accounts:
* <code>user</code> - for daily activities like browsing, writing documents, etc.
* <code>sysmaint</code> - short for '''system maintenance'''; used for tasks that require administrative rights such as installing or updating software.
This separation improves security. For example, if malware compromises your web browser in the <code>user</code> session, it will not have permission to make critical system changes or install rootkits (malicious software that hides itself in the system).
You only use the <code>sysmaint</code> account when you want to change system behavior, such as adding new programs, applying updates, or performing administrative tasks.
The opposite of <code>user-sysmaint-split</code> is [[unrestricted_admin_mode|Unrestricted Admin Mode]], which allows the <code>user</code> account to use administrative tools like <code>sudo</code> directly. This is less secure and not enabled by default, but it can be configured if it better suits your use case.
([[Root#Rationale_for_Separate_sysmaint_Account|Read our rationale here]].)
= Real-World Example Use Cases =
* '''You want to install a new application:'''
** Reboot into the <code>sysmaint</code> account to perform the installation.
** Once done, reboot back into your regular desktop account.
* '''You want to install system updates:'''
** Boot into <code>sysmaint</code> mode and run the updates from the System Maintenance Panel.
* '''You want to avoid malware affecting system settings:'''
** Use your regular <code>user</code> account for browsing and daily work. Since it does not have admin access, it is harder for malware to deeply damage your system.
= Default Installation Status =
* '''Old versions:''' {{project_name_short}} builds up to version <code>17.2.8.5</code> will not automatically include <code>user-sysmaint-split</code>. However, users can choose to install it manually (see [[#Installation]]). It will likely be included by default when upgrading to a new major version (e.g., version <code>18</code>).
* '''New versions:'''
** '''host:''' Includes <code>user-sysmaint-split</code> by default.
** '''{{cli}}:''' The <code>kicksecure-host-cli</code> meta package does not include <code>user-sysmaint-split</code> by default.
** '''servers:''' <code>user-sysmaint-split</code> is not installed by default on servers.
** '''[[Distribution Morphing]]:''' Not installed by default. Will be installed by default for the GUI version starting from version <code>18</code>.
= Version Overview =
{{gui}} versus {{cli}}.
{| class="wikitable"
! Feature
! [[Kicksecure]] Xfce (GUI)
! [[Kicksecure]] CLI
|-
! user-sysmaint-split
| {{Yes}}, installed by default in new images.
| {{No}}, not installed by default.
|-
! Old Versions
| {{No}}, will not be automatically installed during the Kicksecure <code>17</code> release cycle to avoid breaking existing user workflows.
| {{No}}, not applicable; <code>sudo</code> will remain passwordless by default.
|-
! New Images
| {{Yes}}, will come with <code>user-sysmaint-split</code> installed by default.
| {{No}}, <code>user-sysmaint-split</code> will not be included.
|-
! [[Release Upgrade]]
| {{Yes}}, <code>user-sysmaint-split</code> will be installed by default.
| {{No}}, <code>user-sysmaint-split</code> will not be included.
|-
! Opt-Out
| {{Yes}}, supported via custom configurations.
| {{Yes}}
|-
! Opt-In
| {{Yes}}, <code>user-sysmaint-split</code> can be installed at any time.
| {{Yes}}
|}
= Installation =
{{Install Package
|package=user-sysmaint-split sysmaint-panel
}}
= Usage =
{{IconSet|h2|1}} Platform specific.
Select your platform.
{{Tab
|type=controller
|linkid=os
|content=
{{Tab
|type=section
|title= == {{project_name_short}} ==
|image=[[File:{{project_name_short}}-logo-icon.svg]]
|content=
[[File:System-maintenance-panel.png|thumb|The sysmaint desktop session.]]
[[File:Sysmaint-tty.png|thumb|The sysmaint console session.]]
When <code>user-sysmaint-split</code> is installed, privilege escalation tools (<code>sudo</code>, <code>su</code>, <code>pkexec</code>) can no longer be used when logged into any account other than <code>sysmaint</code>; in particular, the <code>user</code> account loses access to them.
This change takes effect immediately.
To perform system maintenance tasks such as checking for software updates, installing updates, etc., the user will have to reboot into the <code>sysmaint</code> account. To do this, restart the system normally, then select {{BootEntries|key=syspers}} from the boot menu. The system will boot into a minimal desktop session with the System Maintenance Panel running. To reduce attack surface, most superfluous background services are suppressed while booted into the <code>sysmaint</code> account.
The <code>sysmaint</code> desktop session is intentionally minimal and not suited for normal desktop use. This is to discourage using it for work that has a higher risk of causing a difficult-to-avoid system compromise (such as web browsing). Quick shortcuts are provided for simple software management and system administration tasks, while more advanced tasks can be performed from a terminal. The <code>sudo</code> and <code>pkexec</code> commands will be usable here.
Once you are done with system maintenance tasks, click "Reboot" to reboot the system. Then boot into {{BootEntries|key=userpers}} or {{BootEntries|key=userlive}}. This will provide you with a standard desktop session.
When booted in {{BootEntries|key=syspers}}, you can also log into the <code>sysmaint</code> account from a [[Desktop#Virtual_Consoles|virtual console]] (<code>tty</code>). Simply input the account name <code>sysmaint</code> at the login prompt. This session behaves identically to a typical virtual console session. A short informational message will be printed after login reminding you that the <code>sysmaint</code> account must be used with caution.
}}
{{Tab
|type=section
|title= == {{q_project_name_long}} ==
|image=[[File:Qubes-logo-icon.png]]
|content=
{{IconSet|h2|2}} Qubes version specific.
Select your Qubes version.
{{Tab
|type=controller
|content=
{{Tab
|type=section
|title= === Qubes R4.2 ===
|content=
In Qubes OS R4.2 and earlier: {{q_project_name_long}} cannot be booted into sysmaint mode. However, <code>user-sysmaint-split</code> is useful in Qubes VMs too because it makes SUID privilege escalation tools (<code>sudo</code>, <code>su</code>, <code>pkexec</code>) inaccessible for account <code>user</code>. You can access the <code>root</code> account by opening a [[Root#Qubes_Root_Console|Qubes Root Console]].
}}
{{Tab
|type=section
|title= === Qubes R4.3 ===
|content=
Qubes OS R4.3 and later:
* Boot modes support: Support for [https://github.com/QubesOS/qubes-issues/issues/9750 boot modes].
** Usage of boot modes: {{q_project_name_long}} uses these to allow any {{project_name_short}} Qube to be booted in either {{BootEntries|key=userpers}} or {{BootEntries|key=syspers}}.
* Template: The {{project name workstation template}} Template will boot in {{BootEntries|key=syspers}}.
* App Qubes: {{project name workstation short}} App Qubes and Disposables will boot in {{BootEntries|key=userpers}}.
* Comparison with non-Qubes:
** {{BootEntries|key=userpers}} and {{BootEntries|key=syspers}} are mostly functionally identical under Qubes OS. {{BootEntries|key=syspers}} differs in the following ways:
*** The default user account for most actions is changed to <code>sysmaint</code>.
*** User-specific system services such as the X11 server run as account <code>sysmaint</code>.
*** Potentially dangerous operations such as opening URLs are disabled.
*** The [[System Maintenance Panel]] is usable.
*** Privilege escalation tools are easily usable, since the <code>sysmaint</code> account will be provided rather than the <code>user</code> account.
It is possible to boot a {{project_name_short}} Qube in a non-standard boot mode (e.g. booting a Template in {{BootEntries|key=userpers}}, or booting an AppVM in {{BootEntries|key=syspers}}). To do so, change the boot mode of the Qube before starting it.
{{Box|text=
'''1.''' Ensure the Qube is shut down.
'''2.''' Open Qube Manager.
Start menu → Gear icon → Qubes Tools → Qube Manager
'''3.''' Click on the VM you wish to change the boot mode of.
'''4.''' Click "Settings" in the toolbar.
'''5.''' Click the "Advanced" tab in the Settings window.
'''6.''' In the "Kernel" section, change "Boot mode" to your desired boot mode.
'''7.''' Click "OK" in the Settings window.
'''8.''' Start the Qube. It will boot in the selected boot mode.
'''9.''' Done.
The procedure of switching the boot mode for a Qube is now complete.
}}
}}
}}
}}
}}
= Fast User Switching =
Platform specific. Select your platform.
{{Tab
|type=controller
|linkid=os
|content=
{{Tab
|type=section
|title= == {{project_name_short}} ==
|image=[[File:{{project_name_short}}-logo-icon.svg]]
|content=
'''Rebooting into the <code>sysmaint</code> session is required, as documented above.'''
NOTE: It is not possible to switch from account <code>user</code> to <code>sysmaint</code> using:
* Start Menu → logout
* Start Menu → switch user
This is a security feature. See [[Dev/user-sysmaint-split#Fast_User_Switching|user-sysmaint-split (developers), Fast User Switching]].
}}
{{Tab
|type=section
|title= == {{q_project_name_long}} ==
|image=[[File:Qubes-logo-icon.png]]
|content=
Not applicable.
}}
}}
= Notes =
* '''<code>sysmaint</code> account restrictions''': Several restrictions are imposed to reduce the risk of the <code>sysmaint</code> account becoming compromised:
** '''Locked access depending on boot mode''': The <code>sysmaint</code> account is locked and cannot be logged into when booted into modes other than {{BootEntries|key=syspers}}.
** '''Session limitation''': Logging into the <code>sysmaint</code> account using anything other than the special <code>sysmaint</code> desktop session is prohibited.
** '''Discouragement of other logins''': When booted in {{BootEntries|key=syspers}}, you will be discouraged (but not entirely prevented) from logging into accounts other than <code>sysmaint</code>. Locking accounts such as account <code>user</code> is not implemented, since doing so would make it very tricky or even impossible for the user to permanently lock accounts themselves.
** '''Inhibition of non-critical services''': When booted in {{BootEntries|key=syspers}}, only the minimum services needed for the session to be usable are started by default. New services are prevented from automatically starting during APT software upgrades.
= Questions and Answers =
* Why is there a separate <code>sysmaint</code> account?
** See [[Root#Rationale_for_Separate_sysmaint_Account|Rationale for Separate sysmaint Account]].
* Why is it required to boot into <code>sysmaint</code> mode, why not simply use start menu → switch user? ([[Sysmaint#Fast_User_Switching|Fast User Switching]])
** This is to mitigate [[login spoofing]] attacks and to prevent [[Dev/Strong_Linux_User_Account_Isolation#sudo_password_sniffing|sudo password sniffing]].
* How to go back to [[unrestricted admin mode]], where account <code>user</code> can use <code>sudo</code>?
** See [[#Uninstallation]].
= user-sysmaint-split - GUI vs CLI - Default Installation Status Differences =
<code>user-sysmaint-split</code> is different for the {{gui}} versus the {{cli}} version.
In the future, the CLI version will be improved to be more suitable for servers.
Server support for <code>user-sysmaint-split</code>, however, isn't as sophisticated yet as it is for the GUI version. For some server use cases, <code>user-sysmaint-split</code> may be less needed or unneeded. This topic is elaborated in the development chapter {{kicksecure_wiki
|wikipage=Dev/user-sysmaint-split#Server_Support
|text=user-sysmaint-split Server Support
}}.
= Applications requiring Administrative Rights during User Session =
Some applications cannot reasonably be run in the sysmaint session, which can make things difficult. This is because historically, Freedom Software Linux desktop distributions did not have a strong [[Dev/user-sysmaint-split|user-sysmaint-split]].
There might be many cases where applications should be run in the user session, but this is not possible because some aspect of the application requires [[root|administrative ("<code>root</code>") rights]].
Options:
* '''A)''' privleap custom actions: If the task can be done from the {{cli}}, [[Advanced Users]] could consider configuring [[Root#privleap_custom_actions|privleap custom actions]].
* '''B)''' [[Unrestricted admin mode]]
* '''C)''' Use multiple {{VMs}}.
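As an added illustration of option A (example code written for this page, not code from the Kicksecure wiki or the privleap project), the following POSIX shell function writes one narrowly scoped privleap action file using the same keys the <code>privleap-debugging.conf</code> snippet further down this page uses (<code>[action:NAME]</code>, <code>Command=</code>, <code>AuthorizedUsers=</code>). It assumes privleap reads <code>*.conf</code> files from <code>/etc/privleap/conf.d</code> and accepts those keys as shown on the page; the action name <code>restart-networking</code>, its command and the temporary destination directory are hypothetical.

```shell
#!/bin/sh
# Added example: writes one narrowly scoped privleap action file.
# Not part of the Kicksecure wiki page or the privleap project.
# Assumptions: privleap reads *.conf files from /etc/privleap/conf.d and
# accepts the [action:NAME] / Command= / AuthorizedUsers= keys exactly as
# the privleap-debugging.conf snippet on this page uses them. The action
# name, command and destination directory below are hypothetical.

# write_privleap_action NAME COMMAND USER DEST_DIR
# Creates DEST_DIR/privleap-NAME.conf and prints its path. Refuses action
# names outside [A-Za-z0-9_-] and refuses to overwrite an existing file, so a
# typo cannot silently widen an action that is already in place.
write_privleap_action() {
  name=$1; cmd=$2; authorized_user=$3; dest=$4
  case $name in
    ''|*[!A-Za-z0-9_-]*)
      echo "write_privleap_action: invalid action name '$name'" >&2
      return 1 ;;
  esac
  conf="$dest/privleap-$name.conf"
  if [ -e "$conf" ]; then
    echo "write_privleap_action: refusing to overwrite $conf" >&2
    return 1
  fi
  # One fixed command line for one named user: the least privilege the
  # application actually needs, instead of re-enabling sudo for everything.
  printf '[action:%s]\nCommand=%s\nAuthorizedUsers=%s\n' \
    "$name" "$cmd" "$authorized_user" > "$conf"
  chmod 0644 "$conf"
  printf '%s\n' "$conf"
}

# Stand-alone demo. On a real system this is run from the sysmaint session
# with DEST_DIR=/etc/privleap/conf.d, after which the user session can run
# `leaprun restart-networking`. Here it writes into a temporary directory
# (constructed demo data) and shows the resulting file.
demo_dir=$(mktemp -d)
write_privleap_action restart-networking "systemctl restart networking" user "$demo_dir"
cat "$demo_dir/privleap-restart-networking.conf"
```

The point of the name check and the no-overwrite rule is that an action file is a standing grant of root-level capability to the <code>user</code> account; keeping each one to a single fixed command line for a single user is what makes this option preferable to re-enabling <code>sudo</code> wholesale.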
= Advanced Topics =
For [[Advanced Users]].
== enable sudo access in USER session ==
{{IconSet|h2|1}} Warnings.
* For debugging or advanced users only.
* Enabling <code>sudo</code> access during USER session can be a security issue.
* This is often unnecessary. [[#Uninstallation|Uninstallation of the user-sysmaint-split package]] might be better.
{{IconSet|h2|2}} Boot into {{BootEntries|key=syspers}}.
Setting this up requires booting into the <code>sysmaint</code> session.
{{IconSet|h2|3}} Create file <code>/etc/privleap/conf.d/privleap-debugging.conf</code>.
{{CodeSelect|code=
sudo append-once /etc/privleap/conf.d/privleap-debugging.conf "\
[action:sudo]
Command=chmod o+x /usr/bin/sudo
AuthorizedGroups=sudo
AuthorizedUsers=user
"
}}
{{IconSet|h2|4}} Boot into {{BootEntries|key=userpers}}.
{{IconSet|h2|5}} Enable <code>sudo</code>.
{{CodeSelect|code=
leaprun sudo
}}
{{IconSet|h2|6}} Notice.
The above command can be run whenever required to enable <code>sudo</code>.
<code>sudo</code> access will be automatically disabled after installing or removing a package using APT. This is because this triggers [[SUID Disabler and Permission Hardener]], which will re-disable <code>sudo</code>, unless an <code>/etc/permission-hardener.d</code> configuration folder snippet gets added.
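Because <code>sudo</code> is re-disabled silently after an APT run, it is useful to be able to see the current state from the user session without changing anything. The following POSIX shell check is an added example (not code from the Kicksecure wiki or the SUID Disabler and Permission Hardener project): it reports whether the tools this page lists are currently executable by "other", which is the bit the <code>chmod o+x /usr/bin/sudo</code> action above sets and the hardener clears again. The absolute paths for <code>su</code> and <code>pkexec</code> are assumptions (the page only names <code>/usr/bin/sudo</code>).

```shell
#!/bin/sh
# Added example, not code from the Kicksecure wiki or the permission-hardener
# project. Reports whether SUID privilege escalation tools are currently
# executable by "other", i.e. whether the o+x bit set by the privleap action
# on this page is present or has been cleared again by SUID Disabler and
# Permission Hardener. Read-only: nothing here changes permissions.

# other_executable PATH -> exit 0 if PATH exists and carries the o+x bit.
# find's POSIX `-perm -001` test checks the bit itself rather than whether the
# caller could execute the file, so the answer is the same when run as root.
other_executable() {
  [ -e "$1" ] || return 1
  [ -n "$(find "$1" -prune -perm -001 2>/dev/null)" ]
}

# suid_tool_status PATH... -> one "PATH enabled|disabled|missing" line per path.
suid_tool_status() {
  for path in "$@"; do
    if [ ! -e "$path" ]; then
      state=missing
    elif other_executable "$path"; then
      state=enabled
    else
      state=disabled
    fi
    printf '%s %s\n' "$path" "$state"
  done
}

# Stand-alone usage. The paths for su and pkexec are assumptions; adjust them
# if your system installs these tools elsewhere.
suid_tool_status /usr/bin/sudo /usr/bin/su /usr/bin/pkexec
```

Run it after an APT operation in the user session: a line reading <code>/usr/bin/sudo disabled</code> means the hardener has run and <code>leaprun sudo</code> is needed again, while <code>enabled</code> means the debugging action is still in effect and should be reverted once it is no longer needed.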
{{IconSet|h2|7}} Use of <code>sudo</code>.
<code>sudo</code> can be used normally. For example:
{{CodeSelect|code=
sudo touch /etc/testfile
}}
{{IconSet|h2|8}} Done.
The process is complete.
= Uninstallation =
See [[Unrestricted_admin_mode#Uninstalling_user-sysmaint-split_and_enabling_Unrestricted_Admin_Mode|Uninstalling user-sysmaint-split and enabling Unrestricted Admin Mode]].
= Known Issues =
* Qubes has a potential local privilege escalation issue: [https://github.com/QubesOS/qubes-issues/issues/9717 harden insecure permissions inside /dev/xen folder / research security impact of the Qubes /dev/xen folder permissions #9717] -- This issue is [[unspecific|unspecific to {{project_name_short}}]] and is entirely unrelated to {{project_name_short}}. It equally applies to App Qubes that are not using <code>qubes-core-agent-passwordless-root</code>, such as the Qubes Debian minimal Template.
= Developers =
* [[Dev/Strong_Linux_User_Account_Isolation|User Account Isolation (developers)]]
* [[Dev/user-sysmaint-split|user-sysmaint-split (developers)]]
* https://github.com/Kicksecure/user-sysmaint-split
* https://github.com/Kicksecure/sysmaint-panel
= Footnotes =
{{reflist|close=1}}
[[Category:Documentation]]
{{Footer}}