We ended up not using doas. Instead, GitHub - Kicksecure/privleap: Limited Privilege Escalation Framework has been invented thanks to @arraybolt3. privleap has been written in the memory-safe language Python. privleap does not have a SUID attack surface because it has been implemented without SUID. All uses of sudo by account user in Kicksecure, Whonix source code have been ported to privleap.

past notes: sudo / doas / sudoless / privleap
No Access to Privilege Escalation Tools (such as sudo or pkexec) for Limited Accounts (such as for account user) has been implemented as part of:

With user-sysmaint-split installed, there is no sudo SUID attack surface even if account user gets compromised. This is because account user can no longer use sudo by default. [1]

Example sudo command:

sudo nano

Example error message:

zsh: permission denied: sudo
zsh: exit 126 sudo nano

User documentation:

This has been available at least since 17.3.5.3 and above. (Unreleased at time of writing.)

Written about this also here:
Why passwordless sudo by default? - #5 by Patrick - Support - Kicksecure Forums

[1] opt-out: Unrestricted Admin Mode
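A check that a limited account can run to confirm the state described above (no privilege-escalation tool executable by this account, and whether any is SUID). This is an added example, not code from the post or from the privleap project; the default tool paths are assumptions.

```shell
#!/bin/sh
# Added audit script (not part of privleap). Run it as the limited account,
# e.g. "user"; it reports, per tool, whether the file is SUID and whether
# this account can execute it. A tool that is executable by us is a
# potential privilege-escalation path and makes the audit fail.

# Report one tool. Returns 0 when the tool is unreachable from this account
# (absent, or no execute permission applies to us), 1 otherwise.
audit_privesc_tool() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "$path absent suid=no exec=no"
        return 0
    fi
    suid=no
    runnable=no
    [ -u "$path" ] && suid=yes        # setuid bit present
    [ -x "$path" ] && runnable=yes    # execute permission applies to this account
    echo "$path present suid=$suid exec=$runnable"
    [ "$runnable" = no ]
}

# Audit every path given; returns 0 only if none is executable by this account.
audit_all() {
    rc=0
    for p in "$@"; do
        audit_privesc_tool "$p" || rc=1
    done
    return $rc
}

# Default list (assumed locations): the tools named in the post, plus su.
# Pass explicit paths as arguments to override.
if [ $# -eq 0 ]; then
    set -- /usr/bin/sudo /usr/bin/doas /usr/bin/pkexec /usr/bin/su
fi
audit_all "$@" || echo "WARNING: a privilege-escalation tool is executable by $(id -un)"
```

On a system with user-sysmaint-split as described, the sudo line should show exec=no when run as the limited account; the WARNING line means the restriction is not in effect for this account.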