Whonix Xfce Development

Patrick · November 24, 2020, 2:32pm

sudoers exception for livecheck /etc/sudoers.d/whonix-xfce-desktop-config is insufficient. Currently only works for user user. Does not work for any other user account such as user2.

github.com

Kicksecure/xfce-desktop-config-dist/blob/master/etc/sudoers.d/whonix-xfce-desktop-config

## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## required by /usr/share/livecheck/livecheck.sh
## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618/13
user ALL=NOPASSWD: /bin/lsblk --noheadings --all --raw --output RO

## https://forums.whonix.org/t/whonix-xfce-development/6213/102
%staff ALL=NOPASSWD: /bin/lsblk --noheadings --all --raw --output RO
%adm ALL=NOPASSWD: /bin/lsblk --noheadings --all --raw --output RO
%sudo ALL=NOPASSWD: /bin/lsblk --noheadings --all --raw --output RO
%root ALL=NOPASSWD: /bin/lsblk --noheadings --all --raw --output RO
%wheel ALL=NOPASSWD: /bin/lsblk --noheadings --all --raw --output RO
%console ALL=NOPASSWD: /bin/lsblk --noheadings --all --raw --output RO
%console-unrestricted ALL=NOPASSWD: /bin/lsblk --noheadings --all --raw --output RO

Would it be an issue if we allowed ALL, i.e.

ALL ALL=NOPASSWD: /bin/lsblk --noheadings --all --raw --output RO

?

%sudo would be safe, but that doesn’t help in all cases. I.e.

%sudo ALL=NOPASSWD: /bin/lsblk --noheadings --all --raw --output RO

What other alternatives are there to permit desktop login users too?