{{Header}}
{{Title|
title=sysmaint - System Maintenance User
}}
{{#seo:
|description=Sysmaint, or system maintenance, is an account created by the [[sysmaint|user-sysmaint-split]] feature. It increases security. Read about this feature, how to use it, and our rationale on this page. "permission denied: sudo"
|image=Usersysmaint-clipart.svg
}}
{{passwords_mininav}}
[[File:Usersysmaint-clipart.svg|thumb|200px]]
{{intro|
* Overview: Sysmaint, or system maintenance, is an account created by the [[sysmaint|user-sysmaint-split]] feature. It increases security by separating daily activities from administrative tasks.
* Default: {{project_name_short}}-LXQt and {{project_name_short}}-Qubes come with [[sysmaint|user-sysmaint-split]] by default.
* Accounts: There are two accounts:
** user: For daily activities.
** sysmaint: For system maintenance administrative activities, such as installing software or upgrading.
* Recommended administrative access: For administrative tasks (for example, using sudo or pkexec), reboot into the sysmaint session ({{BootEntries|key=syspers}}) and run the command there.
* Troubleshooting: If you see the following errors, you are most likely in the user session:
** permission denied: sudo
** permission denied: pkexec
* Fix: Reboot into the sysmaint session and retry the command.
* Advanced opt-out: {{kicksecure_wiki
|wikipage=unrestricted_admin_mode
|text=Unrestricted Admin Mode
}} disables user and sysmaint separation and restores a more traditional setup where the user account can use administrative tools such as sudo or pkexec without using a sysmaint session. This is generally not recommended, because it removes the security benefits of user-sysmaint-split.
* Older versions: For older versions, refer to [[Sysmaint#Version_Overview|Version Overview]] for upgrade information.
}}
= Screenshot =
[[Kicksecure]]:
'''Image:''' ''Kicksecure - sysmaint Boot Option in [[Grub|GRUB]] Boot Menu''
[[File:kicksecure-persistent-mode-sysmaint-session.png|Persistent Mode - Sysmaint Session - GRUB Boot Menu Option]]
[[Qubes|Kicksecure for Qubes]]:
'''Image:''' ''Kicksecure - sysmaint Boot Option in Qubes VM Manager (QVMM)''
[[File:Kicksecure-persistent-mode-sysmaint-session-qubes.png|Persistent Mode - Sysmaint Session - Qubes Boot Mode]]
= Overview: What is sysmaint and Why Should I Care? =
{{project_name_short}} comes with a security feature called [[sysmaint|user-sysmaint-split]] enabled by default in the {{gui}} (LXQt) version and the Qubes version. This feature creates two separate user accounts:
* user - for daily activities like browsing, writing documents, etc.
* sysmaint - short for '''system maintenance'''; used for tasks that require administrative rights such as installing or updating software.
This separation improves security. For example, if malware compromises your web browser in the user session, it will not have permission to make critical system changes or install rootkits (malicious software that can hide in the system).
You only use the sysmaint account when you want to change system behavior, such as adding new programs, applying updates, or performing administrative tasks.
* Recommended: For administrative actions, boot into the sysmaint session and run the command there.
* Advanced opt-out: The opposite of user-sysmaint-split is [[unrestricted_admin_mode|Unrestricted Admin Mode]], which disables user and sysmaint separation and restores a more traditional setup where the user account can use administrative tools like sudo, su, lxsudo, pkexec directly. This is less secure and not enabled by default, but it can be configured if it better suits your use case.
([[Root#Rationale_for_Separate_sysmaint_Account|Read our rationale here]].)
= Real-World Example Use Cases =
* '''You want to install a new application:'''
** Reboot into the sysmaint account to perform the installation.
** Once done, reboot back into your regular desktop account.
* '''You want to install system updates:'''
** Boot into sysmaint mode and run the updates from the System Maintenance Panel.
* '''You want to avoid malware affecting system settings:'''
** Use your regular user account for browsing and daily work. Since it does not have admin access, it is harder for malware to deeply damage your system.
= Default Installation Status =
* '''Old versions:''' {{project_name_short}} [[Systemcheck#Build_Version|build version]] up to version 17.2.8.5 will not automatically include user-sysmaint-split. However, users can choose to install it manually (see [[#Installation]]).
* '''New versions:'''
** '''{{gui}}:''' Includes user-sysmaint-split by default.
** '''{{cli}}:''' The kicksecure-*-cli meta packages do not include user-sysmaint-split by default.
** '''servers:''' user-sysmaint-split is not installed by default on servers.
** '''[[Distribution Morphing]]:''' Not installed by default. Might be installed by default for the GUI version in a future [[Release Upgrade]].
= Version Overview =
{{gui}} versus {{cli}}.
{| class="wikitable"
! Feature
! [[Kicksecure]] LXQt (GUI)
! [[Kicksecure]] CLI
|-
! user-sysmaint-split
| {{Yes}}, installed by default in new images.
| {{No}}, not installed by default.
|-
! Old Versions
| {{No}}, will not be automatically installed to avoid breaking existing user workflows.
| {{No}}, not applicable, will remain sudo passwordless by default.
|-
! New Images
| {{Yes}}, will come with user-sysmaint-split installed by default.
| {{No}}, user-sysmaint-split will not be included.
|-
! [[Release Upgrade]]
| {{No}}, user-sysmaint-split will not be included.
| {{No}}, user-sysmaint-split will not be included.
|-
! Opt-Out
| {{Yes}}, supported via {{kicksecure_wiki
|wikipage=unrestricted_admin_mode
|text=Unrestricted Admin Mode
}}.
| {{Yes}}
|-
! Opt-In
| {{Yes}}, user-sysmaint-split can be installed at any time.
| {{Yes}}
|-
|}
= Installation =
{{Install Package
|package=user-sysmaint-split sysmaint-panel
}}
= Usage =
{{IconSet|h2|1}} Platform specific.
Select your platform.
{{Tab
|type=controller
|linkid=os
|content=
{{Tab
|type=section
|title= == {{project_name_short}} ==
|image=[[File:{{project_name_short}}-logo-icon.svg]]
|content=
{{IconSet|h2|2}} Notices.
[[File:System-maintenance-panel.png|thumb|The sysmaint desktop session.]]
[[File:Sysmaint-tty.png|thumb|The sysmaint console session.]]
{{Box|text=
* Privilege escalation tools restricted: When user-sysmaint-split is installed, the account user can no longer use privilege escalation tools (sudo, su, pkexec) when logged into any account other than sysmaint.
* Immediate effect: This change takes effect immediately.
* System maintenance workflow: To perform system maintenance tasks such as checking for software updates or installing updates, reboot into the sysmaint account.
* Reduced attack surface: To reduce attack surface, most superfluous background services are suppressed while booted into the sysmaint account.
* Minimal session by design: The sysmaint desktop session is intentionally minimal and not suited for normal desktop use. This is to discourage using it for work that has a higher risk of causing a difficult-to-avoid system compromise (such as web browsing). Quick shortcuts are provided for simple software management and system administration tasks, while more advanced tasks can be performed from a terminal. The sudo and pkexec commands will be usable here.
* Virtual console login: When booted in {{BootEntries|key=syspers}}, you can also log into the sysmaint account from a [[Desktop#Virtual_Consoles|virtual console]] (tty) by entering sysmaint at the login prompt. This session behaves identically to a typical virtual console session. A short informational message will be printed after login reminding you that the sysmaint account must be used with caution.
}}
{{IconSet|h2|3}} Restart the system normally.
{{IconSet|h2|4}} Select {{BootEntries|key=syspers}} from the boot menu.
'''Figure:''' ''Persistent Mode - Sysmaint Session - GRUB Boot Menu Option''
[[File:kicksecure-persistent-mode-sysmaint-session.png|Persistent Mode - Sysmaint Session - GRUB Boot Menu Option|600px]]
{{IconSet|h2|5}} The system will boot into a minimal desktop session with the [[System_Maintenance_Panel|System Maintenance Panel]] running.
'''Figure:''' ''System Maintenance Panel''
[[File:Sysmaint-panel.png|System Maintenance Panel|600px]]
{{IconSet|h2|6}} Perform your system maintenance tasks.
{{IconSet|h2|7}} Once you are done, click "Reboot" to reboot the system.
{{IconSet|h2|8}} Boot into {{BootEntries|key=userpers}} or {{BootEntries|key=userlive}}. This will provide you with a standard desktop session.
{{IconSet|h2|9}} Done.
The procedure is now complete.
}}
{{Tab
|type=section
|title= == {{q_project_name_long}} ==
|image=[[File:Qubes-logo-icon.png]]
|content=
{{IconSet|h2|2}} Qubes version specific.
Select your Qubes version.
{{Tab
|type=controller
|content=
{{Tab
|type=section
|title= === Qubes R4.2 ===
|content=
{{IconSet|h2|3}} Notice.
{{Box|text=
* In Qubes OS R4.2 and earlier:
** Status: {{q_project_name_long}} cannot be booted into sysmaint session.
** Benefit: user-sysmaint-split is still useful in Qubes VMs because it makes SUID privilege escalation tools (sudo, su, pkexec) inaccessible for account user.
** Upgrade recommended: See [https://forums.kicksecure.com/t/kicksecure-18-for-qubes-released-major-release-upgrade/1377 Kicksecure 18 for Qubes Released! Major Release Upgrade!] (Similar to derivatives such as [https://forums.whonix.org/t/qubes-whonix-18-released-major-release-upgrade/22517 Qubes-Whonix 18 Released! Major Release Upgrade!])
** Administrative actions: Follow the instructions below to perform administrative actions and to use sudo, su, pkexec.
}}
{{IconSet|h2|4}} Administrative actions.
You can access the root account by opening a [[Root#Qubes_Root_Console|Qubes Root Console]].
}}
{{Tab
|type=section
|title= === Qubes R4.3 ===
|content=
{{IconSet|h2|3}} Notices.
{{Box|text=
Qubes OS R4.3 and later:
* Boot modes support: Supports [https://github.com/QubesOS/qubes-issues/issues/9750 boot modes].
** Boot modes usage: {{q_project_name_long}} uses boot modes to allow any {{project_name_short}} Qube to be booted in either {{BootEntries|key=userpers}} or {{BootEntries|key=syspers}}.
* Template: The {{project name workstation template}} Template boots in {{BootEntries|key=syspers}} by default.
* App Qubes: {{project name workstation short}} App Qubes and Disposables boot in {{BootEntries|key=userpers}} by default.
* Changing boot modes: Boot modes can be changed. See below.
* Comparison with non-Qubes: Optional reading and comparison notes.
** Definition: non-Qubes means not using Qubes, such as using Kicksecure on hardware.
** Similarity: {{BootEntries|key=userpers}} and {{BootEntries|key=syspers}} are mostly functionally identical under Qubes OS.
** Key differences: Under Qubes OS, {{BootEntries|key=syspers}} differs in the following ways:
*** Default user account: The default user account for most actions is changed to sysmaint.
*** URL opening disabled: Potentially dangerous operations such as opening URLs are disabled.
*** System Maintenance Panel: The [[System Maintenance Panel]] is usable.
*** Privilege escalation usability: Privilege escalation tools are easily usable, since the sysmaint account will be provided rather than the user account.
* Non-standard boot mode: It is possible to boot a {{project_name_short}} Qube in a non-standard boot mode, such as booting a Template in {{BootEntries|key=userpers}} or booting an AppVM in {{BootEntries|key=syspers}}. To do so, change the boot mode of the Qube before starting it.
}}
{{IconSet|h2|4}} Instructions.
{{Box|text=
Qubes R4.3 (and above) boot mode changes.
{{IconSet|h3|1}} Ensure the Qube is shut down.
{{IconSet|h3|2}} Open Qube Manager.
Start menu → Gear icon → Qubes Tools → Qube Manager
{{IconSet|h3|3}} Click on the VM you wish to change the boot mode of.
{{IconSet|h3|4}} Click "Settings" in the toolbar.
{{IconSet|h3|5}} Click the "Advanced" tab in the Settings window.
{{IconSet|h3|6}} In the "Kernel" section, change "Boot mode" to your desired boot mode.
{{IconSet|h3|7}} Click "OK" in the Settings window.
{{IconSet|h3|8}} Start the Qube. It will boot in the selected boot mode.
{{IconSet|h3|9}} Done.
The procedure of switching the boot mode for a Qube is now complete.
}}
}}
{{IconSet|h2|5}} Done.
}}
}}
}}
= Fast User Switching =
{{IconSet|h2|1}} Platform specific.
Select your platform.
{{Tab
|type=controller
|linkid=os
|content=
{{Tab
|type=section
|title= == {{project_name_short}} ==
|image=[[File:{{project_name_short}}-logo-icon.svg]]
|content=
{{IconSet|h2|2}} Notice.
'''Rebooting into the sysmaint session is required, as documented above.'''
Note: It is [[unsupported]] to switch from account user to sysmaint using Start Menu → Power button → Logout.
This is a security feature.
See also: [[Dev/user-sysmaint-split#Fast_User_Switching|user-sysmaint-split (developers), Fast User Switching]]
}}
{{Tab
|type=section
|title= == {{q_project_name_long}} ==
|image=[[File:Qubes-logo-icon.png]]
|content=
{{IconSet|h2|2}} Notice.
Not applicable.
}}
}}
= Running services in sysmaint sessions =
When booted in {{BootEntries|key=syspers}}, only the minimum services needed for the session to be usable are started by default. New services are prevented from automatically starting during APT software upgrades.
While enabling additional services within the sysmaint session is generally discouraged, it may be necessary in some situations. Services can be started either temporarily for one sysmaint session, or persistently for all sysmaint sessions.
To start a service for the current sysmaint session:
{{Box|text=
Note: Replace service-name in the below steps with the name of the service you are starting. For instance, if you are configuring openvpn.service, replace all instances of service-name with openvpn.
{{IconSet|h2|1}} Open a terminal by clicking Open Terminal in the System Maintenance Panel.
{{IconSet|h2|2}} Type sudo systemctl start service-name.service
{{IconSet|h2|3}} Done.
The procedure of starting a service for one sysmaint session is complete.
}}
To enable a service persistently, so that it autostarts on every sysmaint session boot:
{{Box|text=
Note: Replace service-name in the below steps with the name of the service you are configuring. For instance, if you are configuring openvpn.service, replace all instances of service-name with openvpn.
{{IconSet|h2|1}} Open a terminal by clicking Open Terminal in the System Maintenance Panel.
{{IconSet|h2|2}} Navigate to the directory containing the systemd unit for the service you wish to enable. Usually, this will be /usr/lib/systemd/system or /etc/systemd/system.
{{IconSet|h2|3}} Create a new configuration directory for the service by running sudo mkdir -p service-name.service.d.
{{IconSet|h2|4}} Enter the directory you just created by running cd service-name.service.d.
{{IconSet|h2|5}} Create a new configuration file for the service by running sudo nano 99_sysmaint-enable.conf.
{{IconSet|h2|6}} Type the following lines into the configuration file:
{{CodeSelect|code=
[Install]
WantedBy=sysmaint-boot.target
}}
{{IconSet|h2|7}} Press Ctrl+S to save the file, then press Ctrl+X to exit the text editor.
{{IconSet|h2|8}} Reload systemd unit configuration files by running sudo systemctl daemon-reload.
{{IconSet|h2|9}} Fully enable the service by running sudo systemctl enable service-name.service.
{{IconSet|h2|10}} Ensure the systemctl enable command outputs the following notice. If you see this, it indicates that the service has been successfully enabled.
Created symlink /etc/systemd/system/sysmaint-boot.target.wants/service-name.service → /lib/systemd/system/service-name.service.
{{IconSet|h2|11}} Start the service in the current sysmaint session by running sudo systemctl start service-name.service.
{{IconSet|h2|12}} Done.
The procedure of persistently enabling and starting a service in sysmaint sessions is now complete.
}}
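The persistent-enable procedure above (drop-in file, daemon-reload, enable, check for the wants symlink, start), written as POSIX shell functions. This is an added example, not a script from the Kicksecure documentation or the user-sysmaint-split project. The function names, the root-prefix argument (which lets the file-writing part be exercised against a scratch directory instead of the live system) and the <code>--apply</code> switch are this example's own assumptions; the drop-in content, the unit directories and the expected symlink path are the ones the steps above name.

```shell
#!/bin/sh
# Added example: the sysmaint persistent-enable procedure as shell functions.
# Function names, the ROOT prefix argument and the --apply switch are this
# example's own; drop-in content and paths come from the documented steps.

DROPIN_NAME="99_sysmaint-enable.conf"

# Print the directory holding <service>.service, checking the two unit
# directories the procedure names. ROOT is "" on a live system.
find_unit_dir() {
  root="$1"; service="$2"
  for dir in "$root/etc/systemd/system" "$root/usr/lib/systemd/system"; do
    if [ -f "$dir/$service.service" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
  done
  return 1
}

# Create <unitdir>/<service>.service.d/99_sysmaint-enable.conf so that the
# service is wanted by sysmaint-boot.target, and print the file's path.
write_sysmaint_dropin() {
  root="$1"; service="$2"
  unitdir="$(find_unit_dir "$root" "$service")" || {
    echo "error: $service.service not found under $root/etc or $root/usr/lib" >&2
    return 1
  }
  dropindir="$unitdir/$service.service.d"
  mkdir -p "$dropindir" || return 1
  printf '[Install]\nWantedBy=sysmaint-boot.target\n' > "$dropindir/$DROPIN_NAME" || return 1
  printf '%s\n' "$dropindir/$DROPIN_NAME"
}

# True once `systemctl enable` has created the symlink that the
# "Created symlink ..." notice in step 10 refers to.
sysmaint_enabled() {
  root="$1"; service="$2"
  [ -L "$root/etc/systemd/system/sysmaint-boot.target.wants/$service.service" ]
}

# Apply to the live system (run as root in the sysmaint session):
#   sudo sh sysmaint-enable.sh --apply openvpn
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
  write_sysmaint_dropin "" "$2" || exit 1
  systemctl daemon-reload
  systemctl enable "$2.service"
  sysmaint_enabled "" "$2" || { echo "error: enable did not create the wants symlink" >&2; exit 1; }
  systemctl start "$2.service"
fi
```

Without <code>--apply</code> the script only defines the functions, so it can be sourced to inspect a system; the drop-in is written next to the unit that is actually found, which matters when a unit in /etc/systemd/system overrides one in /usr/lib/systemd/system.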
= Notes =
* ''' sysmaint account restrictions''': Several restrictions are imposed to reduce the risk of the sysmaint account becoming compromised:
** '''Locked access depending on boot mode''': The sysmaint account is locked and cannot be logged into when booted into modes other than {{BootEntries|key=syspers}}.
** '''Session limitation''': Logging into the sysmaint account using anything other than the special sysmaint desktop session is prohibited.
** '''Prohibition of other logins''': When booted in {{BootEntries|key=syspers}}, you will be prevented from logging into accounts other than sysmaint.<ref>Implemented in a script that runs as a PAM module: {{Github_link|repo=security-misc|path=/blob/master/usr/libexec/security-misc/block-unsafe-logins%23security-misc-shared}}</ref>
** '''Inhibition of non-critical services''': When booted in {{BootEntries|key=syspers}}, only the minimum services needed for the session to be usable are started by default. New services are prevented from automatically starting during APT software upgrades.
= Questions and Answers =
* Why is there a separate sysmaint account?
** See [[Root#Rationale_for_Separate_sysmaint_Account|Rationale for Separate sysmaint Account]].
* Why is it required to boot into sysmaint mode instead of simply logging out (Start Menu → Power button → Logout) and logging into account sysmaint? ([[Sysmaint#Fast_User_Switching|Fast User Switching]])
** This is to mitigate [[login spoofing]] attacks and to prevent [[Dev/Strong_Linux_User_Account_Isolation#sudo_password_sniffing|sudo password sniffing]].
* How to go back to [[unrestricted admin mode]], where account user can use sudo?
** See [[#Uninstallation]].
= user-sysmaint-split - GUI vs CLI - Default Installation Status Differences =
user-sysmaint-split is different for the {{gui}} versus the {{cli}} version.
In the future, the CLI version will be improved to be more suitable for servers.
Server support for user-sysmaint-split, however, is not as sophisticated yet as it is for the GUI version. For some server use cases, user-sysmaint-split may be less needed or unneeded. This topic is elaborated in the development chapter {{kicksecure_wiki
|wikipage=Dev/user-sysmaint-split#Server_Support
|text=user-sysmaint-split Server Support
}}.
= Applications requiring Administrative Rights during User Session =
Some applications are unsuitable to run in the sysmaint session, which can make them difficult to use. This is because historically, Freedom Software Linux desktop distributions did not have a strong [[Dev/user-sysmaint-split|user-sysmaint-split]].
There might be many cases where applications should be run in the user session, but this is not possible because some aspect of the application requires [[root|administrative ("root") rights]].
'''Options:'''
* '''A)''' '''privleap custom actions:''' If it is possible to do this on the {{cli}}, [[Advanced Users]] could consider configuring [[Root#privleap_custom_actions|privleap custom actions]].
* '''B)''' '''[[Unrestricted admin mode]]:''' This mode disables the separation between the user and system maintenance roles, allowing the user to directly perform administrative tasks without needing to switch contexts. It provides more flexibility for tasks requiring elevated privileges but at the cost of reduced compartmentalization and security. This approach might be more suitable in environments where usability or workflow requirements outweigh the benefits of strict privilege separation. See [[Unrestricted_admin_mode#Uninstalling_user-sysmaint-split_and_Enabling_Unrestricted_Admin_Mode|Uninstalling user-sysmaint-split and Enabling Unrestricted Admin Mode]].
* '''C)''' '''Use multiple {{VMs}}:''' For compartmentalization. VMs that require administrative ("root") rights could use Unrestricted Admin Mode. Others could keep user-sysmaint-split.
'''Issues:'''
* [https://forums.whonix.org/t/zulucrypt-not-working-in-user-session/21609 ZuluCrypt not working in user session]
* [https://forums.kicksecure.com/t/veracrypt-containers-do-not-open/1091 Veracrypt containers do not open]
** [https://forums.whonix.org/t/whonix-user-isolation-user-sysmaint-split-breaks-veracrypt-workflow/21629 Whonix user isolation (user-sysmaint-split) breaks VeraCrypt workflow]
* [https://forums.kicksecure.com/t/struggling-with-the-point-release-update-user-sysmaint-split-sudo/1051 Struggling with the point release update - user-sysmaint-split - sudo]
= Advanced Topics =
For [[Advanced Users]].
== Enable sudo access in user session ==
{{IconSet|h2|1}} Warnings.
* For debugging or advanced users only.
* Enabling sudo access during user session can be a security issue.
* This is often unnecessary. [[#Uninstallation|Uninstallation of the user-sysmaint-split package]] might be better.
{{IconSet|h2|2}} Boot into {{BootEntries|key=syspers}}.
Setting this up requires booting into sysmaint session.
{{IconSet|h2|3}} Create file /etc/privleap/conf.d/privleap-debugging.conf.
{{CodeSelect|code=
sudo append-once /etc/privleap/conf.d/privleap-debugging.conf "\
[action:sudo]
Command=chmod o+x /usr/bin/sudo
#Command=/usr/libexec/helper-scripts/sudo-tools-enable
AuthorizedGroups=sudo
AuthorizedUsers=user
"
}}
{{IconSet|h2|4}} Boot into {{BootEntries|key=userpers}}.
{{IconSet|h2|5}} Enable sudo.
{{CodeSelect|code=
leaprun sudo
}}
{{IconSet|h2|6}} Notice.
The above command can be run whenever required to enable sudo.
sudo access will be automatically disabled after installing or removing a package using APT. This is because this triggers [[SUID Disabler and Permission Hardener]], which will re-disable sudo, unless an /etc/permission-hardener.d configuration folder snippet gets added.
{{IconSet|h2|7}} Use of sudo.
sudo can be used normally. For example:
{{CodeSelect|code=
sudo touch /etc/testfile
}}
{{IconSet|h2|8}} Done.
The process is complete.
= Uninstallation =
See [[Unrestricted_admin_mode#Uninstalling_user-sysmaint-split_and_enabling_Unrestricted_Admin_Mode|Uninstalling user-sysmaint-split and enabling Unrestricted Admin Mode]].
= Known Issues =
* Qubes has a potential local privilege escalation issue: [https://github.com/QubesOS/qubes-issues/issues/9717 harden insecure permissions inside /dev/xen folder / research security impact of the Qubes /dev/xen folder permissions #9717] -- This issue is [[unspecific|unspecific to {{project_name_short}}]] and is entirely unrelated to {{project_name_short}}. It equally applies to App Qubes that are not using qubes-core-agent-passwordless-root such as Qubes Debian minimal Template.
= Developers =
* [[Dev/Strong_Linux_User_Account_Isolation|User Account Isolation (developers)]]
* [[Dev/user-sysmaint-split|user-sysmaint-split (developers)]]
* {{Github_link|repo=user-sysmaint-split|path=}}
* {{Github_link|repo=sysmaint-panel|path=}}
= Footnotes =
{{reflist|close=1}}
[[Category:Documentation]]
{{Footer}}