Qubes had pushed fixation to the package qubes-core-agent-passwordless-root that if user want to remove it he can be removed safely without any other packages. Doing this in whonix gonna give this error message on every boot:
msgdispatcher script bug.
No panic. Nothing is broken. Just some rare condition has been hit.
Try again later. There is likely a solution for this problem.
Please see Whonix News, Whonix Blog and Whonix User Help Forum.
Please report this bug!
who_ami: 'user'
msgdisptacher_username: 'whonixcheck'
msgdispatcher_identifier: 'whonixcheck'
msgdispatcher_appendix: 'messagex_done'
delete_wrapper: '/usr/lib/msgcollector/msgdispatcher_delete_wrapper'
msgdispatcher_sudo_wrapper_command: 'sudo --non-interactive msgdisptacher_username=whonixcheck msgdispatcher_identifier=whonixcheck msgdispatcher_appendix=messagex_done /usr/lib/msgcollector/msgdispatcher_delete_wrapper'
output_msgdispatcher_sudo_wrapper: 'sudo: a password is required'
error_text: 'output_msgdispatcher_sudo_wrapper="$(sudo --non-interactive msgdisptacher_username="$msgdisptacher_username" msgdispatcher_identifier="$msgdispatcher_identifier" msgdispatcher_appendix="$msgdispatcher_appendix" "$delete_wrapper" 2>&1)"'
last_exit_code: '1'
I think the issue which need to be fixed with this line:
output_msgdispatcher_sudo_wrapper: 'sudo: a password is required'
To emulate that change before it reaches package upgrades, I recommend running visudo -f /etc/sudoers.d/msgcollector as root to make the changes as invalid changes (syntax errors) in sudoers configuration files result in broken sudo.
I added the following to /etc/sudoers.d/msgcollector in whonix-ws-15:
%user ALL=NOPASSWD: /usr/lib/msgcollector/msgdispatcher_delete_wrapper
user ALL=NOPASSWD: /usr/lib/msgcollector/msgdispatcher_delete_wrapper
I update it regularly.
Before that (long time ago) I followed qubes-os org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt (replace space with “.”, section “Configuring Debian/Whonix TemplateVM to prompt Dom0 for any authorization request”) and started getting the error. I didn’t realize the error was caused by removing passwordless sudo until recently read what it says in the middle more carefully. Then found this thread.
you need to reverse the long time ago changes and just stick to the
simple solution now provided by removing the passwordless package,
otherwise im not sure anything would solve that except if you for e.g
enable tester repository of whonix and try to update/upgrade and see if
it solve anything or remove/reinstall whonix template and if that didnt
work then backup and reinstall qubes again.
root@host:~# sdwdate-log-viewer
+ set -e
+ true 'INFO /usr/bin/sdwdate-log-viewer: START'
+ /bin/journalctl --boot --output cat -n 10000 -f _SYSTEMD_UNIT=qubes-sync-time.service + _SYSTEMD_UNIT=qubes-sync-time.timer + _SYSTEMD_UNIT=timesanitycheck.service + _SYSTEMD_UNIT=bootclockrandomization.service + _SYSTEMD_UNIT=sdwdate.service + _SYSTEMD_UNIT=whonix-firewall.service + SYSLOG_IDENTIFIER=suspend-pre + SYSLOG_IDENTIFIER=suspend-post + SYSLOG_IDENTIFIER=anondate + _AUDIT_TYPE_NAME=SECCOMP
2023-07-26 16:34:49 - /usr/bin/whonix-gateway-firewall - OK: Loading Whonix firewall...
2023-07-26 16:34:49 - /usr/bin/whonix-gateway-firewall - OK: Skipping firewall mode detection since already set to 'full'.
2023-07-26 16:34:49 - /usr/bin/whonix-gateway-firewall - OK: (Full torified network access allowed.)
Within minimum time 'Mon Jun 12 00:00:00 UTC 2023' and expiration timestamp 'Tue May 17 10:00:00 UTC 2033', ok.
2023-07-26 16:34:50 - /usr/bin/whonix-gateway-firewall - OK: Whonix firewall loaded.
Boot Clock Randomization
https://www.kicksecure.com/wiki/Boot_Clock_Randomization
- 147 570260621
Changed time from Wed Jul 26 04:34:50 PM UTC 2023 (1690389290.374085070)
to Wed Jul 26 04:32:23 PM UTC 2023 (1690389143.577910703).
2023-07-26 16:32:25 - sdwdate - INFO - sdwdate (Secure Distributed Web Date) started. PID: 993
2023-07-26 16:32:25 - sdwdate - INFO - sdwdate (Secure Distributed Web Date) started. PID: 993
2023-07-26 16:32:26 - sdwdate - INFO - Tor socks host: 127.0.0.1 Tor socks port: 9108
2023-07-26 16:32:26 - sdwdate - INFO - Running sdwdate main loop. iteration: 1
2023-07-26 16:32:26 - sdwdate - INFO - PREPARATION: running onion-time-pre-script...
2023-07-26 16:32:26 - sdwdate - INFO -
__ ### START: ### /usr/libexec/helper-scripts/onion-time-pre-script
__ Status: First run after boot. (Creating file '/run/sdwdate/onion-time-script-after-boot'.)
__ Static Time Sanity Check: Within minimum time 'Mon Jun 12 00:00:00 UTC 2023' and expiration timestamp 'Tue May 17 10:00:00 UTC 2033', ok.
__ Tor enabled check: Tor is disabled. Please enable Tor using Anon Connection Wizard or setup-dist. Start Menu -> System -> Anon Connection Wizard or in Terminal: sudo setup-dist
__ ### END: ### Exiting with exit_code '1' indicating 'wait, show error icon and retry.'.
2023-07-26 16:32:26 - sdwdate - INFO - PREPARATION RESULT: onion-time-pre-script detected a known permanent (until the user fixes it) error status. Consider running systemcheck for more information.
2023-07-26 16:32:26 - sdwdate - INFO -
2023-07-26 16:32:27 - sdwdate - INFO - PREPARATION: running onion-time-pre-script...
2023-07-26 16:32:27 - sdwdate - INFO -
__ ### START: ### /usr/libexec/helper-scripts/onion-time-pre-script
__ Status: Subsequent run after boot.
__ Static Time Sanity Check: Within minimum time 'Mon Jun 12 00:00:00 UTC 2023' and expiration timestamp 'Tue May 17 10:00:00 UTC 2033', ok.
__ Tor enabled check: Tor is disabled. Please enable Tor using Anon Connection Wizard or setup-dist. Start Menu -> System -> Anon Connection Wizard or in Terminal: sudo setup-dist
__ ### END: ### Exiting with exit_code '1' indicating 'wait, show error icon and retry.'.
2023-07-26 16:32:27 - sdwdate - INFO - PREPARATION RESULT: onion-time-pre-script detected a known permanent (until the user fixes it) error status. Consider running systemcheck for more information.
2023-07-26 16:32:27 - sdwdate - INFO -
The issue is that setup-wizard-dist (which starts ACW) cannot start because passwordless sudo was disabled. Since ACW didn’t autostart and since the user didn’t enable Tor, sdwdate didn’t proceed because it cannot without Tor being enabled.
I added a comment on how to accomplish autostart of setup-wizard-dist but I won’t enable it by default since that would be counter to the user original goals, which is sudo hardening.
While the Qubes developers support the statement above, some Qubes users may wish to enable user/root isolation in VMs anyway. We do not support it in any of our packages, but of course nothing is preventing the user from modifying his or her own system. A list of steps to do so is provided here without any guarantee of safety, accuracy, or completeness. Proceed at your own risk. Do not rely on this for extra security.