{{Header}}
{{Title|
title=sysmaint - System Maintenance User
}}
{{#seo:
|description=sysmaint
}}
{{passwords_mininav}}
{{intro|
Starting from {{project_name_short}} version <code>17.3.0.5</code> Xfce and above, {{project_name_short}} comes with [[sysmaint|<code>user-sysmaint-split</code>]] by default.

There are two accounts:

* <code>user</code> - For daily activities.
* <code>sysmaint</code> - For system maintenance administrative activities, such as installing software or upgrading.

This is a security feature. ([[Root#Rationale_for_Separate_sysmaint_Account|rationale]])

The opposite of <code>user-sysmaint-split</code> is [[unrestricted_admin_mode|Unrestricted Admin Mode]], which users can opt in to enable.
}}
= Introduction =
<code>sysmaint</code> - system maintenance

= Status =
{{Testers-Only}}
{{stub}}

= Default Installation Status =

* '''Old versions:''' Kicksecure build versions up to <code>17.2.8.5</code> will <u>not</u> be upgraded to install <code>user-sysmaint-split</code> by default. Users however can opt-in to install it, see [[#Installation]]. The package will likely get installed by default when major [[Release Upgrade]] to version 18 is performed.
* '''New versions:'''
** '''host:''' Meta package <code>kicksecure-host-xfce</code> will come with <code>user-sysmaint-split</code> by default.
** '''CLI:''' Meta package <code>kicksecure-host-cli</code> will <u>not</u> come with <code>user-sysmaint-split</code> by default.
** '''servers:''' <code>user-sysmaint-split</code> will not be installed by default on servers.
** '''[[Distribution Morphing]]:''' Depending on chosen meta package.

= Version Overview =
{| class="wikitable"
! Feature
! [[Kicksecure]] Xfce (GUI)
! [[Kicksecure]] CLI
|-

! <code>user-sysmaint-split</code>
| {{Yes}}, installed by default in new images.  
| {{No}}, not installed by default.
|-

! Old Versions
| {{No}}, will not be automatically installed during the current release cycle to avoid breaking existing user workflows.
| {{No}}, not applicable, will remain <code>sudo</code> passwordless by default.
|-

! New Images
| {{Yes}}, will come with <code>user-sysmaint-split</code> installed by default.
| {{No}}, <code>user-sysmaint-split</code> will not be included.
|-

! [[Release Upgrade]]
| {{Yes}}, <code>user-sysmaint-split</code> will be installed by default.
| {{No}}, <code>user-sysmaint-split</code> will not be included.
|-

! Opt-Out
| {{Yes}}, supported via custom configurations.
| {{Yes}}
|-

! Opt-In
| {{Yes}}, <code>user-sysmaint-split</code> can be installed at any time.
| {{Yes}}
|-

|}

= Installation =
{{Install Package
|package=user-sysmaint-split sysmaint-panel
}}

= Usage =
Select your platform.

{{Tab
|type=controller
|linkid=os
|content=
{{Tab
|type=section
|title= == Kicksecure ==
|content=
[[File:System-maintenance-panel.png|thumb|The sysmaint desktop session.]]
[[File:Sysmaint-tty.png|thumb|The sysmaint console session.]]

When <code>user-sysmaint-split</code> is installed, the account <code>user</code> will no longer be able to use privilege escalation tools (<code>sudo</code>, <code>su</code>, <code>pkexec</code>) when logged into any account other than <code>sysmaint</code>. Features of {{project_name_short}} that require privilege escalation will also no longer work. (See [[Dev/sudo]]. This will probably be fixed before release.)

This change takes effect immediately.

To perform system maintenance tasks such as checking for software updates, installing updates, etc, the user will have to reboot into the <code>sysmaint</code> account. To do this, restart the system normally, then select <code>PERSISTENT mode SYSMAINT (For system maintenance.)</code> from the boot menu. The system will boot into a minimal desktop session with the System Maintenance Panel running. To reduce attack surface, most superfluous background services are suppressed while booted into the <code>sysmaint</code> account.

The <code>sysmaint</code> desktop session is intentionally minimal and not suited for normal desktop use. This is to discourage using it for work that has a higher risk of causing a difficult-to-avoid system compromise (such as web browsing). Quick shortcuts are provided for simple software management and system administration tasks, while more advanced tasks can be performed from a terminal. The <code>sudo</code> and <code>pkexec</code> commands will be usable here.

Once you are done with system maintenance tasks, click "Reboot" to reboot the system. Then boot into <code>PERSISTENT mode USER (For daily activities.)</code> or <code>LIVE mode USER (For daily activities.)</code>. This will provide you with a standard desktop session.

You can also log into the <code>sysmaint</code> account from a [[Desktop#Virtual_Consoles|virtual consoles]] (<code>tty</code>). Simply input the account name <code>sysmaint</code> at the login prompt. This session behaves identically to a typical virtual console session. A short informational message will be printed after login reminding you that the <code>sysmaint</code> account must be used with caution.
}}

{{Tab
|type=section
|title= == Qubes Kicksecure ==
|content=
Qubes Kicksecure cannot be booted into sysmaint mode yet. However, <code>user-sysmaint-split</code> is useful in Qubes VMs too because it makes SUID privilege escalation tools (<code>sudo</code>, <code>su</code>, <code>pkexec</code>) inaccessible for account <code>user</code>.
}}

}}

= Fast User Switching =
Select your platform.

{{Tab
|type=controller
|linkid=os
|content=
{{Tab
|type=section
|title= == Kicksecure ==
|content=
It is not possible to switch from account <code>user</code> to <code>sysmaint</code> using:

* Start Menu &rarr; logout
* Start Menu &rarr; switch user

This is a security feature. <ref>
[[Dev/user-sysmaint-split#Fast_User_Switching|<code>user-sysmaint-split</code> (developers), Fast User Switching]]
</ref>

Instead, reboot into <code>sysmaint</code> mode is required, as documented above.
}}

{{Tab
|type=section
|title= == Qubes Kicksecure ==
|content=
Not applicable.
}}

}}

= Notes =

* ''' <code>sysmaint</code> account restrictions''': Several restrictions are imposed to reduce the risk of the <code>sysmaint</code> account becoming compromised:
** '''Locked access depending on boot mode''': The <code>sysmaint</code> account is locked and cannot be logged into when booted into modes other than <code>PERSISTENT mode SYSMAINT</code>.
** '''Session limitation''': Logging into the <code>sysmaint</code> account using anything other than the special <code>sysmaint</code> desktop session is prohibited.
** '''Discouragement of other logins''': When booted in <code>PERSISTENT mode SYSMAINT</code>, you will be discouraged (but not entirely prevented) from logging into accounts other than <code>sysmaint</code>. Locking accounts such as account <code>user</code> is not implemented, since doing so would make it very tricky or even impossible for the user to permanently lock accounts themselves.
** '''Inhibition of non-critical services''': When booted in <code>PERSISTENT mode SYSMAINT</code>, only the minimum services needed for the session to be usable are started by default. New services are prevented from automatically starting during APT software upgrades.

= Questions and Answers =
* Why is there a separate <code>sysmaint</code> account?
** See [[Root#Rationale_for_Separate_sysmaint_Account|Rationale for Separate sysmaint Account]].

* Why is it required to boot into <code>sysmaint</code> mode, why not simply use start menu &rarr; switch user? ([[Sysmaint#Fast_User_Switching|Fast User Switching]])
** This is to mitigate [[login spoofing]] attacks and to to prevent [[Dev/Strong_Linux_User_Account_Isolation#sudo_password_sniffing|<code>sudo</code> password sniffing]].

* How to go back to [[unrestricted admin mode]], where user <code>user</code> can use <code>sudo</code>?
** See [[#Uninstallation]].

= user-sysmaint-split - GUI vs CLI - Default Installation Status Differences =

<code>user-sysmaint-split</code> is different for the {{gui}} versus the {{cli}} version.

In the future, the CLI version will be improved to be more suitable for servers.

Server support for <code>user-sysmaint-split</code>, however, isn't as sophisticated yet as it is for the GUI version. For some server use cases, <code>user-sysmaint-split</code> may be less needed or unneeded. This topic is elaborated in the development chapter {{kicksecure_wiki
|wikipage=Dev/user-sysmaint-split#Server_Support
|text=<code>user-sysmaint-split</code> Server Support
}}.

= Uninstallation =
See [[Unrestricted_admin_mode#Uninstalling_user-sysmaint-split_and_enabling_Unrestricted_Admin_Mode|Uninstalling user-sysmaint-split and enabling Unrestricted Admin Mode]].

= Developers =
* [[Dev/Strong_Linux_User_Account_Isolation|User Account Isolation (developers)]]
* [[Dev/user-sysmaint-split|<code>user</code>-<code>sysmaint</code>-split (developers)]]
* https://github.com/Kicksecure/user-sysmaint-split
* https://github.com/Kicksecure/sysmaint-panel

= Footnotes =
{{reflist|close=1}}
[[Category:Documentation]]
{{Footer}}