In sysmaint session - whether in persistent mode or live mode - sudo/root access is available.
For instance, you can perform actions that require sudo/root (such as Debian package installation) in persistent mode - sysmaint session and then reboot into either persistent mode - user session or live mode - user session.
If that workflow doesn’t suit your needs, if you need sudo/root frequently in a full desktop session or have applications incompatible with the user-sysmaint-split model, your only other options are listed here: Applications requiring Administrative Rights during User Session
One of these options is:
B) Unrestricted admin mode: This mode disables the separation between the user and system maintenance roles, allowing the user to directly perform administrative tasks without needing to switch contexts. It provides more flexibility for tasks requiring elevated privileges but at the cost of reduced compartmentalization and security. This approach might be more suitable in environments where usability or workflow requirements outweigh the benefits of strict privilege separation. See Uninstalling user-sysmaint-split and Enabling Unrestricted Admin Mode.
So, in short, if I want to install a .deb file (for which I need sudo privileges) in live mode (because I want all files and programs to be deleted after every shutdown) then I boot from one of the following:
LIVE Mode | SYSMAINT Session | maintenance testing
Advanced options for LIVE Mode | USER Session | For disposable use
Advanced options for LIVE Mode | SYSMAINT Session maintenance testing
This model isn’t compatible with user-sysmaint-split.
Deb files can be installed in sysmaint session. You’re not supposed to use installed applications in sysmaint session except if these are for sysmaint maintenance. You could, but you’d be breaking the user-sysmaint-split security model and no longer benefit from it.
Using user-sysmaint-split in this case is unsupported.
In most cases, for most users, advanced options can be ignored unless you have reason to use them. And in this case, “Advanced options” isn’t helping at all. It’s only about booting specific kernel versions, which is unrelated here.
Install user-sysmaint-split as per sysmaint - System Maintenance User, but this is discouraged. Better to use a fresh installation as the user-sysmaint-split model is broken by previously uninstalling it.
To elaborate slightly on this, uninstalling and then later reinstalling user-sysmaint-split should work (we did quite a bit of work to make it so that the package can be removed and reinstalled without breaking things, though we don’t test it as much as we test other features). On a technical level, you can do this. The model that is “broken” by removing user-sysmaint-split is the security model. That is, once you uninstall user-sysmaint-split, if any malware affects the user account, it can elevate to root, and at that point re-installing user-sysmaint-split will not make your system secure again. However, if user-sysmaint-split had never been removed in the first place, then malware that attacked the user account will have a much harder time elevating to root.
I enabled Unrestricted Admin Mode and disabled User-System-Split to gain sudo privileges in live mode.
But now I don’t feel safe anymore. Isn’t there a way to install a .deb file (program) in live mode, but manually grant sudo privileges only to that program or for example for 5 min and leave User-System-Split enabled?
There is not; this would be much more difficult than you might expect and would provide much less security than you might hope (malware could remount your system’s disk read-write during those five minutes and infect the system persistently).
I would suggest using one Whonix-Workstation VM with user-sysmaint-split installed, and a second one with user-sysmaint-split removed. You can do whatever you need live mode + sudo access for in one VM, and keep data you care about in the other VM.