Kicksecure and Whonix Host are independent projects.
Well, Whonix Host and Whonix VMs are based on Kicksecure, but that’s about it.
Kicksecure doesn’t focus on Tor / Whonix integration at all. It might come with Tor installed by default for secure network time synchronization, i.e. sdwdate. The ultimate goal is to move Kicksecure on its own domain name. This may or may never happen due to lack of resources. Depends on how much traction the project will get.
Therefore, no.
I think no - because then the user needs to have two different passwords.
sudo/root is now nicely sorted and documented here:
root login can be enabled by the user as per:
Safely Use Root Commands
But why root login? Why not login as user and sudo su? What advantage does root login on virtual console give?
Settings disks to read-only when booted in live mode (i.e. ConditionKernelCommandLine=|boot=live) is actually implemented as per ⚓ T914 Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on
It might not work though. To debug also see that ticket. Also perhaps run manually to see what the script does not or does wrong.
sudo /usr/lib/whonix-libvirt/live-mode-to-read-only
This could be done during the boot process. Another systemd unit file. Similar to that commit enable readonly for KVM disks if kernel command line includes boot=live · Kicksecure/libvirt-dist@bb7773e · GitHub
Using ConditionKernelCommandLine=!boot=live - i.e. do not do that in when kernel boot parameter includes boot=live.
Or we drop ConditionKernelCommandLine from the systemd unit file and let the script handle chmod change depending on
if grep -qs "boot=live" /proc/cmdline; then
## live mode
true "do things for live mode"
else
## persistent mode
true "do things for persistent mode"
fi
I can implement that if you like.
But are you sure chmod permissions from 0444 to 0644 is really useful? Once ⚓ T914 Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on is fully working, is that still required?
Not passwordless sudo since that circumvnets the security enhancements made through Restrict root access / Safely Use Root Commands.
Yes, why not.