Could you try please setRootPassword: false? We don’t want to ask for or set a root password. That is because root account is locked by Whonix default. (Details: Strong Linux User Account Isolation)
I would like to not set defaultGroups there too (minimal use of calamares) and leave that to some package too. Though, not too important. I wonder if anon-base-files gets installed before whonix-libvirt. If so, that group config could be done in anon-base-files config too.
Actually, we don’t use this file anymore in our current Calamares install sequence (module users is skipped), thus I guess no need to change it.
Currently when booting 15.0.0.9.5 Whonix-Host iso (and all previous recent successful builds), user user has full sudo rights (although not in sudo group). This behavior is then reproduced in the Whonix-Host installed version. I gather this is not the expected behavior as per current “restricted root” policy? What should be the default expected behavior regarding sudo/root/admin rights in Kicksecure/Whonix GW-WS?
Regarding last merged pull requests (branding), everything seems to work as intended (see screenshots below).
Still needs fixing/considering
- Whonix VM disk images are still not set in ro mode
- We should have auto-login enabled for user user (unpractical to log in when booting an ISO file)
- We need to replace Kicksecure references by Whonix-Host everywhere (I am thinking /etc/motd, grub, anything else?).
- Test on real hardware (both EFI/BIOS)…
- Get rid of the default XFCE4 desktop image (replace with simple color?), add some Desktop icons (cosmetic changes, not urgent)
Some screenshots:
Booting on Whonix-Host Live ISO 15.0.0.9.5, showing desktop, Install Whonix-Host icon, as well as a terminal displaying user user root access
Alright. Let’s change that anyhow please to avoid confusion and maybe just in case?
This is expected. To elaborate, when user user runs “sudo something” the user should be prompted for the password. If the password is correct, the command would run as root.
Makes me wonder if whonix-libvirt is the correct place to implement Whonix calamares settings.
whonix-libvirt.hide currently hides /etc/lightdm/lightdm.conf.d/whonix-autologin.conf. Therefore disables autologin.
Whonix-Host installed should not have autologin. That’s why above line.
Whonix-Host iso should have autologin.
These are somewhat conflicting goals. Debian solves that by uninstalling package calamares-settings-debian at the end of calamares. We can’t do that because whonix-libvirt does other things which still need to be done in Whonix-Host installed.
Solution 1) Have a systemd unit file that detects being run from iso that creates the required file to auto login.
Solution 2) a separate package calamares-settings-whonix which is only installed on Whonix-Host iso but not in Whonix-Host installed.
What do you think?
There’s a package whonix-base-files for that already. That’s likely missing in Whonix-Host.
That’s because Whonix-Host does not depend yet on whonix-shared-packages-dependencies-cli
OK, let me investigate this. I’ll follow your instructions.
I think that the best option would be probably to have our own package calamares-settings-whonix and put there only the Calamares config files that we need. BUT: I have no idea how hard and sustainable it is in terms of maintainability, etc. I couldn’t do it myself.
But anyway where did you see that calamares-settings-debian took care of auto-login? My understanding is that it was taken care of by live-config default settings, and broke when we removed that package. We could however add /etc/lightdm/lightdm.conf.d/whonix-autologin.conf in our hypothetical calamares-settings-whonix package which would be uninstalled at the end of calamares installer.
Done: GitHub - Kicksecure/live-config-dist
(Used a more generic package name so this package can be used for both Whonix, Kicksecure, Calamares and anything else that should only be done when booting the ISO.)
Highlights:
- install live-config-dist during build process
- uninstall live-config-dist package by calamares at the end
- Whonix-Host ISO autologin
- Whonix-Host installed no-autologin
- allow running calamares without sudo password entry
Untested. Could you please have a look at the commit history?
OK!
In the meantime I launched a new build 15.0.0.9.6
Breaks at 1700 install packages:
The following packages have unmet dependencies:
whonix-host-xfce-kvm-nonfreedom : Depends: whonix-host-xfce-kvm-freedom but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
Build seems fine. It was tagged Whonix-Host-XFCE-15.0.1.0.0-3-ga2e3ae6bf4cf48b4a9277de39c9e538da1e186ff I don’t know why?
Just a small fix for the installer desktop icon:
I will try to investigate this read-only bug with the VMs later.
I deliberately removed as many mentions of hardcoded Whonix strings. Maybe we could re-name the file instead? The idea is that some Kicksecure package needs to modify only a minimal amount of files and voila, we have a Kicksecure installer too.
Most likely you build from git master in that case. If you git fetch/merge Whonix/Whonix then you’re a few commits ahead of the latest git tag. I deliberately added years ago the resulting files to contain the git commit in such cases to distinguish between builds from “real git tags” vs “something not git tagged”. Try running git describe in Whonix main source code folder. Similar to usual VM build instructions on how to checkout a specific tag and make sure it’s really used (git describe).
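
Editor's added example, not part of the thread and not code from live-config-dist or any Whonix package: a check for the concern raised above that live-ISO conveniences (LightDM autologin, sudo without a password) get reproduced in the installed system. The function names, output format and the file name `sudoers.d/live` are assumptions, and the sample trees are constructed.

```shell
#!/bin/sh
# Added example (not project code): flag live-session conveniences that
# survived into an installed root filesystem.

# Print one finding per line for ROOT; return 1 if anything was found.
audit_live_leftovers() {
    root="${1%/}"; found=0
    # LightDM: an uncommented autologin-user= with a value enables autologin.
    for f in "$root"/etc/lightdm/lightdm.conf \
             "$root"/etc/lightdm/lightdm.conf.d/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*autologin-user[[:space:]]*=[[:space:]]*[^[:space:]]' "$f"; then
            echo "autologin ${f#"$root"}"; found=1
        fi
    done
    # sudoers: NOPASSWD outside a comment lets sudo run without a password.
    for f in "$root"/etc/sudoers "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[^#]*NOPASSWD[[:space:]]*:' "$f"; then
            echo "nopasswd-sudo ${f#"$root"}"; found=1
        fi
    done
    return "$found"
}

# Constructed sample trees: DIR/live keeps ISO settings, DIR/clean does not.
make_sample_roots() {
    d="$1"
    mkdir -p "$d/live/etc/lightdm/lightdm.conf.d" "$d/live/etc/sudoers.d" \
             "$d/clean/etc/lightdm/lightdm.conf.d" "$d/clean/etc/sudoers.d"
    printf '[Seat:*]\nautologin-user=user\n' \
        > "$d/live/etc/lightdm/lightdm.conf.d/whonix-autologin.conf"
    printf 'user ALL=(ALL:ALL) NOPASSWD:ALL\n' > "$d/live/etc/sudoers.d/live"
    printf '[Seat:*]\n#autologin-user=user\n' \
        > "$d/clean/etc/lightdm/lightdm.conf.d/whonix-autologin.conf"
    printf '# NOPASSWD: not granted\n%%sudo ALL=(ALL:ALL) ALL\n' \
        > "$d/clean/etc/sudoers.d/admins"
}

demo_dir=$(mktemp -d)
make_sample_roots "$demo_dir"
audit_live_leftovers "$demo_dir/live" || echo "live-session settings present"
audit_live_leftovers "$demo_dir/clean" && echo "clean root: nothing found"
rm -rf "$demo_dir"
```

Pointing `audit_live_leftovers` at the mounted target of a test install shows whether removing the live-only package at the end of Calamares actually left the installed root without autologin and passwordless sudo.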