Restrict root access

Excluding user/developer documentation and program output (suggestions to run commands including sudo), we are down to just 208 uses of sudo.

grep \
--recursive \
--exclude=README.md \
--exclude=GPLv2 \
--exclude=GPLv3 \
--exclude=COPYING \
--exclude=control \
--exclude=whonix \
--exclude=ci_test \
--exclude=changelog.upstream-old1 \
--exclude=changelog.upstream \
--exclude-dir=.git \
--exclude-dir=sudoers.d \
--exclude-dir=apparmor.d \
--exclude=\*.{mediawiki,md,ronn,8,yml,examples} \
--exclude-dir=whonix-developer-meta-files \
--exclude-dir=lkrg \
--exclude-dir=gateway-shortcuts \
sudo | \
grep --invert-match '\#' | \
grep --invert-match '<blockquote>' | \
grep --invert-match '<code>' | \
grep --invert-match 'echo "' | \
grep --invert-match 'true "'

Adding another grep for non-interactive (because Whonix source code uses sudo with the parameter --non-interactive whenever possible, for better reliability and to spot bugs more easily), getting rid of sudo entirely, or of most uses of it, might be possible.

Some examples of how sudo is used:


whonix-legacy /usr/lib/whonix-legacy/fixes

sudo --non-interactive -u "$user_name" mkdir -p "/home/$user_name/.local/share/Bisq/btc_mainnet/tor" || true

root uses sudo to never create files with the wrong access rights.


anon-connection-wizard runs as user user but has to edit the Tor configuration, which is owned by root. Hence, it uses sudo to make modifications. It also has to restart or reload Tor, which also requires root, hence it uses sudo for that too.

How would we solve that? Maybe Whonix-Gateway doesn’t need a boot mode to boot into user? Perhaps Whonix-Gateway should always boot into admin mode? Because booting into user mode (no sudo possible) is mostly useful when running untrusted applications such as Tor Browser. But on Whonix-Gateway the user shouldn’t run many (any?) applications that do not require sudo.


onioncircuits can be started from tor-control-panel. onioncircuits needs to run under user debian-tor. Therefore sudo is used to run onioncircuits under user debian-tor.


On Whonix-Gateway it’s also allowed for user user to restart Tor / whonix-firewall without sudo password. Maybe another reason for Whonix-Gateway to not provide a limited user but only admin boot mode.


whonixcheck can be run by user user to make it as simple as possible to run the tests. whonixcheck runs under user whonixcheck for better security. whonixcheck has preconfigured sudoers.d exceptions so it can test things which require root.

Maybe “full whonixcheck” should only be possible as user admin (sudo allowed)? Some tests maybe even only possible as user superadmin? When whonixcheck is run as user user (in future no sudo possible) it would check very little?


Currently the whonix repository tool GUI can be started by user user and then modifies the file /etc/apt/sources.list.d/whonix.list. Therefore it is started with lxsudo (which is a GUI frontend that internally uses sudo). Requires the sudo password. In future this would only be possible in admin mode. But I don’t see how to get rid of sudo entirely. Some applications are started by limited, non-root users but require root privileges to make changes.


Restarting sdwdate can be done by user user. Currently has a sudoers.d exception.


By getting rid of whonixcheck GUI output (CLI only) we would be one step closer to deprecating msgcollector (or at least msgcollector sudo wrapper / msgdispatcher). By deprecating tb-updater and replacing that with Tor Browser archive in binaries-freedom package + automated extraction on first Tor Browser start we might be able to get rid of msgcollector entirely.


Consider also the reverse-depends of sudo.


In conclusion, I think getting rid of user user being a member of group sudo might be very possible and worthwhile, but getting rid of sudo entirely might not be possible on a desktop system, unless perhaps the required functionality is ported to pkexec.

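The audit pipeline from the post, reworked into a reusable script as an added example (this is not Whonix code and is not part of the original post). It generalises the one-off grep: it reports file and line for every remaining sudo invocation, counts them, and separately counts the ones that lack --non-interactive, which are the first candidates to rework because they can block on a password prompt. Assumptions: the exclude list is shortened to the representative entries; the comment filter is tightened from "any line containing #" to "lines whose code starts with #", since grep -r -n prefixes each hit with file:line:; and the sample source tree, file names and contents are constructed here purely to exercise each filter rule.

```shell
#!/bin/sh
# Added example, not Whonix code: a reusable version of the sudo audit.
# It walks a source tree, drops documentation, comments and lines that merely
# print "sudo" (echo/true strings, HTML fragments), then reports how many real
# sudo invocations remain and how many of those omit --non-interactive.
# All paths, file names and file contents below are constructed for the demo.

# Drop noise from "file:line:content" records: leading shell comments, rendered
# documentation fragments, and quoted user-facing hints.
filter_noise() {
    grep -E -v '^[^:]*:[0-9]+:[[:space:]]*#' \
  | grep -v '<blockquote>' \
  | grep -v '<code>' \
  | grep -v 'echo "' \
  | grep -v 'true "'
}

# Candidate lines: recursive grep, excluding the same kinds of files and
# directories as the original pipeline (docs, licences, sudoers.d, apparmor.d,
# .git). Output is file:line:content so each use can be inspected directly.
sudo_uses() {
    grep -r -n \
        --exclude-dir=.git \
        --exclude-dir=sudoers.d \
        --exclude-dir=apparmor.d \
        --exclude='*.md' --exclude='*.mediawiki' --exclude='*.ronn' \
        --exclude='*.8' --exclude='*.yml' --exclude='*.examples' \
        --exclude=README.md --exclude=COPYING \
        'sudo' "$1" | filter_noise
}

count_sudo_uses() {
    sudo_uses "$1" | wc -l | tr -d ' '
}

# Invocations without --non-interactive: these may hang waiting for a password
# instead of failing fast, so they are the first ones to rework.
count_interactive_uses() {
    sudo_uses "$1" | grep -v -- '--non-interactive' | wc -l | tr -d ' '
}

# Constructed sample tree that exercises each filter rule; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib/demo" "$d/etc/sudoers.d" "$d/.git"
    cat > "$d/usr/lib/demo/fixes" <<'EOF'
#!/bin/bash
# sudo -u is used so root never creates files with the wrong owner (comment)
sudo --non-interactive -u "$user_name" mkdir -p "/home/$user_name/.local/share/demo" || true
echo "Run: sudo apt update"
sudo systemctl restart demo-service
EOF
    printf 'user ALL=(ALL) NOPASSWD: /bin/systemctl restart demo\n' > "$d/etc/sudoers.d/demo"
    printf 'Run sudo to install.\n' > "$d/README.md"
    printf '<code>sudo apt install demo</code>\n' > "$d/usr/lib/demo/help.html"
    printf 'sudo in git objects\n' > "$d/.git/index"
    echo "$d"
}

main() {
    tree=$(make_sample_tree)
    echo "sudo invocations:          $(count_sudo_uses "$tree")"
    echo "lacking --non-interactive: $(count_interactive_uses "$tree")"
    sudo_uses "$tree"
    rm -rf "$tree"
}
main
```

Run it against a real checkout by replacing the constructed tree with the repository path passed to sudo_uses; the two counts give a quick before/after measure when sudoers.d exceptions are removed or calls are ported to pkexec.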