It looks like on Qubes-Whonix, there is no sudo password prompt. But for KVM, the user has to type the password, whenever she
sudo some commands. I read the Qubes documentation titled “Passwordless root access in Qubes” (I can’t post links), and it looks to me that what’s the same between Qubes-Whonix and KVM Whonix is “all the user data is already accessible from the user account”. But for Qubes-Whonix, “the VM’s root filesystem modifications are lost upon each start of a VM”, and it’s not the case for KVM Whonix.
So I guess there are prompts in KVM Whonix, to prevent persistent malware being installed from a compromiesd user account? If however, I create and maintain “safe snapshots”, upon safe events like VM creation, and VM
upgrade-nonroot, and revert to the latest safe snapshot after each use of the VM?
Compared to Qubes-Whonix, there will be even less persistence in this way, with the user’s home directory also not persistent. Does this mean it will then be safe to disable the sudo password prompt with
user ALL=(ALL) NOPASSWD: ALL in
/etc/sudoers? Or will it cause problems and run afoul with some of the Kicksecure or Whonix hardening, or some other things?