Kernel Hardening - security-misc

adm removal (I will research that too, but I also speculate, and am pretty sure, that it will not cause issues - why would it be “standard to be expected” that a Linux user is in that group) - If you like, please send pull requests:

Running journalctl with root/sudo is fine. No need to run as user user.

That might be a typo?

Please create a separate forum thread for that.
Ideally, address for added motivation:

Some or even all of the above could become invalid with the inception of Wayland and/or not apply to CLI or non-GUI Linux users such as user sdwdate.

Updating, you mean apt-get dist-upgrade?

I am not sure I understand that one. Difficult to use since one would require another login session to run commands as root (indeed) or use su or something like that?

This would also kinda be a prerequisite for something I am sometimes briefly wondering about:
walled garden, firewall whitelisting, application whitelisting, sudo lockdown, superuser mode, protected mode - in essence: can a VM be restricted to be running “a single application and nothing else let alone sudo”?
