Excluding user/developer documentation and program output (suggestions to run commands including sudo), we are down to just 208 uses of sudo.

```
sudo | \
grep --invert-match '\#' | \
grep --invert-match '<blockquote>' | \
grep --invert-match '<code>' | \
grep --invert-match 'echo "' | \
grep --invert-match 'true "'
```

grep `non-interactive` (because Whonix source code uses sudo with parameter `--non-interactive` whenever possible for better reliability / spotting bugs more easily). Getting rid of sudo entirely or most uses of it might be possible.

Some examples of how sudo is used:

```
sudo --non-interactive -u "$user_name" mkdir -p "/home/$user_name/.local/share/Bisq/btc_mainnet/tor" || true
```

root uses sudo to never create files with the wrong access rights.

anon-connection-wizard runs as user `user` but has to edit Tor configuration which is owned by root. Hence, it uses sudo to make modifications. It also has to restart or reload Tor, which also requires root, hence uses sudo.
How would we solve that? Maybe Whonix-Gateway doesn’t need a boot mode to boot into user? Perhaps Whonix-Gateway should always boot into admin mode? Because booting into user mode (no sudo possible) is mostly useful when running untrusted applications such as Tor Browser. But on Whonix-Gateway the user shouldn’t run applications much (anything?) that does not require sudo.
onioncircuits can be started from tor-control-panel. onioncircuits needs to run under user `debian-tor`. Therefore sudo is used to run onioncircuits under that user.

On Whonix-Gateway it’s also allowed for user `user` to restart Tor / whonix-firewall without sudo password. Maybe another reason for Whonix-Gateway to not provide a limited user but only an admin boot mode.

whonixcheck can be run by user `user` to make it as simple as possible to run the tests. whonixcheck runs under user `whonixcheck` for better security. whonixcheck has preconfigured sudoers.d exceptions so it can test things which require root.

Maybe “full whonixcheck” should only be possible as user `admin` (sudo allowed)? Some tests maybe even only possible as user `superadmin`? When whonixcheck is run as user `user` (in future no sudo possible) it would check very little?

Currently the whonix repository tool GUI can be started by user `user` and then modifies file /etc/apt/sources.list.d/whonix.list. Therefore it is started with lxsudo (which is a GUI frontend that internally uses sudo). Requires sudo password. In future this would only be possible in admin mode. But I don’t see how to get rid of sudo entirely. Some applications are started by limited, non-root users but require root privileges to make changes.

Restarting sdwdate can be done by user `user`. Currently has a sudoers.d exception.
By getting rid of whonixcheck GUI output (CLI only) we would be one step closer to deprecating msgcollector (or at least msgcollector sudo wrapper / msgdispatcher). By deprecating tb-updater and replacing that with Tor Browser archive in binaries-freedom package + automated extraction on first Tor Browser start we might be able to get rid of msgcollector entirely.
In conclusion, I think getting rid of user `user` being a member of group `sudo` might be very possible and worthwhile, but getting rid of sudo entirely might not be possible on a desktop system unless perhaps the required functionality is ported to pkexec.
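As an added example (not code from the post or from the Whonix project), the following script shows the sudo-usage audit described above as a complete, runnable pipeline: it builds a small constructed sample tree in a temporary directory, counts the lines that actually invoke sudo (dropping comments, HTML `<code>`/`<blockquote>` markup and string literals inside `echo`/`true`, the same filters the post's pipeline uses), and then separately counts the invocations that do not pass `--non-interactive`, which is the set a maintainer would review first when deciding which uses can be removed or moved to a sudoers.d exception or pkexec. The file names and their contents are constructed for this example; the filter functions take any directory path.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a source tree for sudo
# invocations and for those lacking --non-interactive. Sample files below are
# constructed for this demonstration.
set -eu

# Constructed sample tree in a temporary directory, removed on exit.
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/usr/bin" "$SAMPLE_DIR/docs"

# A shell script with two real invocations, one comment, and two string
# literals that merely mention sudo (these must not be counted).
cat > "$SAMPLE_DIR/usr/bin/example-tool" <<'EOF'
#!/bin/bash
# sudo is only mentioned in this comment
sudo --non-interactive -u "$user_name" mkdir -p "/home/$user_name/.local/share/example" || true
sudo systemctl restart tor
echo "Please run: sudo apt update"
true "INFO: sudo not needed here"
EOF

# Documentation that mentions sudo inside HTML markup (must not be counted).
cat > "$SAMPLE_DIR/docs/readme.html" <<'EOF'
<p>Open a terminal and run <code>sudo apt install foo</code>.</p>
<blockquote>sudo is required for this step</blockquote>
EOF

# Lines that invoke sudo, after the same exclusions as the post's pipeline.
# grep -r output is "path:line", so the filters see the file name too.
sudo_invocation_lines() {
    grep -r 'sudo' "$1" \
        | grep --invert-match '#' \
        | grep --invert-match '<blockquote>' \
        | grep --invert-match '<code>' \
        | grep --invert-match 'echo "' \
        | grep --invert-match 'true "' \
        || true
}

# Number of sudo invocations in the tree.
sudo_invocations() {
    sudo_invocation_lines "$1" | wc -l | tr -d ' '
}

# Number of sudo invocations that do NOT pass --non-interactive; these are the
# ones that can prompt for a password and deserve review first.
sudo_without_non_interactive() {
    sudo_invocation_lines "$1" | grep --invert-match -e '--non-interactive' | wc -l | tr -d ' '
}

echo "sudo invocations: $(sudo_invocations "$SAMPLE_DIR")"
echo "lacking --non-interactive: $(sudo_without_non_interactive "$SAMPLE_DIR")"
sudo_without_non_interactive_lines() {
    sudo_invocation_lines "$1" | grep --invert-match -e '--non-interactive' || true
}
sudo_without_non_interactive_lines "$SAMPLE_DIR"
```

On the constructed tree this reports 2 invocations, of which 1 lacks `--non-interactive` (the `systemctl restart tor` line); the comment, the `echo`/`true` literals and the HTML documentation are filtered out exactly as in the post's pipeline. The `#` filter is deliberately coarse, as in the original: a real invocation on a line that also contains a `#` anywhere (for instance inside a quoted string) is dropped too, so a count produced this way is a lower bound to be confirmed by reading the remaining hits.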