I am using Qubes OS, and just installed whonix-workstation-17 from the community templates (Qubes Menu → Qubes Tools → Qubes Template Manager → whonix-workstation-17 → Install → Apply). After installation, I booted up the “whonix-workstation-17 template” and tried to update and upgrade my applications within xfce terminal:
sudo apt update && sudo apt install myapplication
Here is the output from it:
zsh: permission denied: sudo
zsh: exit 126 sudo su
So it turns out on a freshly installed template, I don’t have permissions to use sudo. sudo su returns the exact same message. I thought I might have downloaded a corrupted whonix-workstation-17 image, so I removed it, and then downloaded it again and tried using sudo or sudo su, with the exact same results:
zsh: permission denied: sudo
zsh: exit 126 sudo su
So on a fresh install inside of Qubes, I cannot use sudo in whonix-workstation-17. Why is this happening, and how can I get sudo to work in my whonix-workstation-17?
All I see in the links that’s relevant and makes sense is:
The opposite of user-sysmaint-split is Unrestricted Admin Mode, which users can opt in to enable. In case you are wondering how to fix:
permission denied: sudo
So it seems like the answer is (according to the documentation provided in your link) to uninstall user-sysmaint-split to enable “Unrestricted Admin Mode”…
• Qubes R4.2: Open a Qubes Root Console:
dom0 → Terminal → and enter the command:
• In XFCE Terminal of whonix-workstation-17 run: sudo dummy-dependency user-sysmaint-split
• Install qubes-core-agent-passwordless-root to allow the user account to elevate to root. sudo apt install qubes-core-agent-passwordless-root
• Shut down the Template.
• Reboot any AppVMs that are based on the Template.
• Done.
My concern is in the Impact of unrestricted admin mode section in the documentation here: Unrestricted Admin Mode
The reason I need sudo is to install Applications, so my follow-up questions would be:
Is the above method that I demonstrated CORRECT? And is it the Whonix recommended way of enabling sudo or root to install applications?
Why can I not keep user-sysmaint-split mode enabled, and instead just install applications using the root console (qvm-run -u root whonix-workstation-17 xfce4-terminal) for the corresponding qube? Wouldn’t this keep me more secure than uninstalling user-sysmaint-split?
Why can I not log into (su - sysmaint) the “sysmaint” user account from the root console, and then install and/or update applications from there? Thus again, keeping the security of the sysmaint user and user-sysmaint-split application? Wouldn’t this keep me more secure than uninstalling user-sysmaint-split?
Please help with real responses instead of posting links to confusing documentation.
In Qubes OS R4.2 and earlier: Kicksecure for Qubes cannot be booted into sysmaint session. However, user-sysmaint-split is useful in Qubes VMs too because it makes SUID privilege escalation tools (sudo, su, pkexec) inaccessible for account user. You can access the root account by opening a Qubes Root Console.
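The state described above can be checked from inside the qube. The following is an added example, not part of the original posts and not code from the Whonix or Kicksecure project: a POSIX shell diagnostic that reports, for the three tools named above (sudo, su, pkexec), whether the current account can execute them. The function names and the list of directories searched are assumptions.

```shell
#!/bin/sh
# Added diagnostic example (not Whonix/Kicksecure code).
# Run as the unprivileged account to see how it sees each escalation tool.

# classify_tool PATH -> prints one of: missing | blocked | suid | plain
classify_tool() {
    tool_path=$1
    if [ ! -e "$tool_path" ]; then
        echo missing    # nothing at this path
    elif [ ! -x "$tool_path" ]; then
        echo blocked    # present, but not executable by this account;
                        # the shell reports "permission denied", exit 126
    elif [ -u "$tool_path" ]; then
        echo suid       # executable and setuid: a usable escalation path
    else
        echo plain      # executable, no setuid bit
    fi
}

# report_tools: locate sudo, su and pkexec and classify each one.
# The directories searched are an assumption; adjust for your template.
report_tools() {
    for name in sudo su pkexec; do
        found=""
        for dir in /usr/bin /bin /usr/sbin; do
            if [ -e "$dir/$name" ]; then found="$dir/$name"; break; fi
        done
        if [ -z "$found" ]; then
            printf '%-7s missing\n' "$name"
            continue
        fi
        # Mode and owner:group show why the account is or is not allowed.
        perms=$(stat -c '%A %U:%G' "$found" 2>/dev/null || echo '?')
        printf '%-7s %-8s %s (%s)\n' "$name" \
            "$(classify_tool "$found")" "$found" "$perms"
    done
}

report_tools
```

A result of `blocked` for sudo matches the `permission denied` / `exit 126` output shown earlier in the thread.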
Thank you for all of this. I think I understand, but I’m not certain. I will first upgrade my Qubes to 4.3, and then upgrade to whonix 18, as it seems it will be easier to solve my problem doing these things first. I will let you know if I have any further questions after the upgrade. Thanks for the helpful answers!