Running X on Workstation-CLI

Running X on Workstation-CLI

I installed Whonix-CLI. For the Workstation, if I just install a window manager and whatever packages I actually use, would I be missing anything important?
I realize this is unsupported but I just want to avoid breaking something without realizing it.
One concern is msgcollector-gui but it looks like everything gets logged to /run/msgcollector/user/.
The package msgcollector (and libgtk*) requires gvfs be installed, but does disabling it via /usr/lib/systemd/user/ break anything in non-obvious ways?
I looked through the list of metapackages. In particular, all the dependencies of non-qubes-whonix-workstation-xfce I don’t have are ‘Safe to remove, if you know what you are doing’. (The question of how do I know if I know what I’m doing is not Whonix specific unfortunately.)
Most are recommended because they’re ‘useful’ but I don’t know if any are needed to improve security/privacy. I like my computer to do as little as possible but of course this first requires being secure.
For example I installed tb-starter for the firejail wrapper, but tb-updater wants 33 additional packages even with --no-install-recommends.

In any case, after removing ‘user’ from group ‘sudo’ on Workstation, on login I get from whonixcheck:

msgdispatcher: BASH_COMMAND: sudo --non-interactive msgdisptacher_username="$msgdisptacher_username" msgdispatcher_identifier="$msgdispatcher_identifier" msgdispatcher_appendix=“messagecli_done” “$delete_wrapper” | exit_code: 1

Actually I get an error because ~/.msgcollector/ was not executable for some reason. After fixing it I get that message in the log.

…more answers next week.

https://www.whonix.org/wiki/Other_Desktop_Environments otherwise I don’t know since untested.

gvfs: Not sure if we still need that dependency anyhow.

In worst case: broken msgcollector notifications.

Better use non-qubes-whonix-workstation-cli

Unresolved. Just now posted here: msgcollector security hardening

Ok thanks for the reply. My question is more how not to make it work than how to make it work.
My intention is to have only one user with network access to run Tor Browser, and another for file management, and I guess at least a third to move files between them. So I don’t really want a desktop environment or display manager since I’m using different X servers as different users on different tty.
But maybe separate VMs or Qubes is better for this.

That sounds interesting. However, I think it’s too difficult a question as in I doubt someone can invent documentation for that.

I was having similar thoughts lately. Voluntarily (as an option, not restricting user freedom) booting into a restricted mode for better security. See also walled garden, firewall whitelisting, application whitelisting, sudo lockdown, superuser mode, protected mode.

We might have this in future.

Progress has been made in that direction.

This is a list of my favorite security enhancement development discussions:


Help welcome.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]