Kicksecure ™

Download

On Computer USB Installation Intel / AMD64 ARM64 Raspberry Pi PPC64 Windows (VM) Mac Linux (VM) VirtualBox (VM) Qubes (VM) KVM (VM) Debian morph to Kicksecure More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

This page gives tips on using sudo / root (privileged) commands safely. The root account is a special user account in Unix-based operating systems that has complete access to all files and commands on a system. It is typically used only for system administration tasks that require unrestricted access.

Learn why 'root' is important, what it is used for, and how to use sudo / root (privileged) commands safely.

What is the point on a typical single user Linux desktop computer of separating privileged administrator account (called root account) and limited user accounts (such as for example account user)?

It is assumed that most desktop computer users are single user computers. I.e. computers being used by only one person. Rather it is assumed that most users are only using a single login user account which will be referred to as account user.

Quote xkcd authorization:

If someone steals my laptop while I'm logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission.

Quote user discussion:

Most people will consider their home directory as more important than root dirs

Once a malicious program has access to my home folder, I don't care if it also has access to the admin content

This is true for most users using single user computers, using only one user account and no virtual machines. As a counter measure this is why this documentation recommends compartmentalization, that is, running different activities in different virtual machines or even on different hardware.

The rationale of prevention of root compromise has the following goals: ^[1]

• Protect the host operating system: If using virtual machines (VM): It is much less likely that malware will break out of a virtual machine if it does not have root access within the VM. ^[2] This is because root can change kernel settings (to wide. attack surface), load kernel modules. This is also called VM escape.
• Protection from rootkits: Root access allow malware to install rootkits, which can be very difficult to detect and remove.
• Protect the virtualizer: It is harder to attack the virtualizer without root / kernel access. (Applies only when using virtual machines.)
• Protect the hardware: A compromised host operating system might result in malware infecting the hardware, i.e. malware could install a persistent hardware backdoor (such as in BIOS or other firmware trojan) surviving even re-installation of the host operating system. In many cases, root access is required before hardware can be attacked. ^[3]
• Protect against compromised non-root users: it is harder for potentially compromised non-root users (such as www-data) to access account user or other parts of the system. This is important when considering that even single-user systems have many system-level user accounts.
• Sandboxing: Sandboxing applications can prevent applications getting exploited by attackers ^[4] or limit the severity of the exploit since if sandboxing is successfully, malware will be trapped inside the sandbox. Sandboxing is a lot harder, less efficient or even impossible when applications are running as root. See also AppArmor, apparmor.d (Full System AppArmor Profile) and sandbox-app-launcher.

Kicksecure implements various security hardening to Enforce Strong Linux User Account Isolation.

user-sysmaint-split (Multiple Boot Modes for Better Security) can provide strong guidance for users to better separate their limited (everyday use) account (user) from their administrative account (sysmaint). This results in robust [[root#Prevent Malware from Sniffing the Root Password|Prevention of Malware Sniffing the Root Password]].

The default passwords for Kicksecure are:

The default root account is locked (or should be locked). ^[6] This is a purposeful security feature -- see below for further details.

Users can change or set a password for security reasons if this is useful in their case based on this Information.

To run an application with administrative ("root") rights.

1 Sysmaint Notice

2 Use a privilege elevation utility to run commands as root.

Note: Replace command with the actual command.

• command line interface (CLI): sudo command
• graphical user interface (GUI): See Graphical Applications with Root Rights.

3 Password entry.

If a password has been configured, the utility will prompt for it.

4 Done.

5 Test command.

Run a test command with administrative ("root") rights.

This is only a simple test to confirm that the user can currently escalate to administrative rights. ^[7] Type the following command in the terminal and press <Enter>.

sudo whoami

Expected output.

root

Tools such as sudo and lxsudo prompt for the password of the user account. This is different from the root account password.

Commands that require root permissions should be run individually using sudo. In all cases:

• Do not login as root.
• Do not run sudo su.

Do not think of root as a shortcut to fix issues.

Inappropriate Use of root Rights:

• Can cause additional non-security related issues. ^[8] Related is also later chapter Graphical Applications with Root Rights.
• Risks harmful code being run as root.

1 Do not run graphical user interface (GUI) with sudo!

It is discouraged to run graphical user interface (GUI) applications with sudo gui-application.

• Never login as root as explained above.
• This includes, never use sudo su and then start GUI applications.

Doing so would be an Inappropriate Use of Root Rights. That would fail in many cases and is a limitation inherited from Debian. If this action is attempted, error messages like those below will appear. ^[9]

No protocol specified

cannot connect to X server :0

2 If there is a legitimate reason to start GUI applications with root rights when using X11, use lxsudo instead. ^[10] Syntax:

lxsudo application-name

For example to start the partition manager gparted by default with root rights.

lxsudo gparted

^[11]

If there is a legitimate reason to start GUI applications with root rights when using Wayland, see Wayland instructions below.

3 To edit files which can only be edited with root rights. Use the following syntax.

Note: Replace /path/to/file/name with the actual path to the file.

Open file /path/to/file/name in an editor with root rights.

Select your platform.

Kicksecure

See Open File with Root Rights for detailed instructions on why using sudoedit improves security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /path/to/file/name

Kicksecure-Qubes

Notes:

• When using Kicksecure-Qubes, this must be done inside the Template.

sudoedit /path/to/file/name

• After applying this change, shut down the Template.
• All App Qubes based on the Template need to be restarted if they were already running.
• This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Others and Alternatives

Notes:

• This is just an example. Other tools could achieve the same goal.
• If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

sudoedit /path/to/file/name

For example:

Open file /etc/default/keyboard in an editor with root rights.

Select your platform.

Kicksecure

See Open File with Root Rights for detailed instructions on why using sudoedit improves security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /etc/default/keyboard

Kicksecure-Qubes

Notes:

• When using Kicksecure-Qubes, this must be done inside the Template.

sudoedit /etc/default/keyboard

• After applying this change, shut down the Template.
• All App Qubes based on the Template need to be restarted if they were already running.
• This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Others and Alternatives

Notes:

• This is just an example. Other tools could achieve the same goal.
• If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

sudoedit /etc/default/keyboard

Use of Polkit (formerly PolicyKit) (pkexec) might also be appropriate for running GUI applications with root rights. Usually such applications should have desktop shortcuts or wrappers which make use of pkexec. There are no (or rare) known cases where users need to run pkexec on the command line.

Running GUI applications as root (lxsudo, sudo --set-home, pkexec will be more difficult once Kicksecure has been ported from X11 to Wayland. This is because Wayland requires applications to access $XDG_RUNTIME_DIR/$WAYLAND_SOCKET to open GUI windows. ^[12] You may run into this when using Other Desktop Environments using Wayland.

The following command should work to run Wayland applications as root in most instances. Replace application-name as appropriate:

sudo --set-home XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR application-name

Qt applications may try to use X11 by default, in which case this technique will fail. To override this and make Qt attempt to use Wayland instead, use:

sudo --set-home XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR QT_QPA_PLATFORM=wayland application-name

• Root account locked: For security reasons, the root account has been configured into the state of "locked" for login by default in Kicksecure. ^[13]
• Definition complexity: The definition and repercussions of a "locked" Linux user account, however, are complicated for all Linux distributions. For technical details on what this means exactly, advanced users can refer to the wiki chapter Root Account Locked and Meanings of Special Characters in the Password Field of /etc/shadow File.
• No root usage needed: Most users should not need to use the root account.

Should the user log in as root? No. See footnote for rationale. ^[14]

If the user wants to enable the root account, run the following commands.

1 Sysmaint Notice

2 Platform-specific notice.

• Kicksecure: No special notice.
• Kicksecure-Qubes: Inside kicksecure-17 Template.

3 Choose sudo availability.

4 Set a root password.

See configuring passwords for detailed information on changing user account passwords.

Note: These instructions apply to the user account. Replace user with root. ^[15]

5 Done.

The root account has been unlocked.

Applicability:

• Earlier versions: Kicksecure (versions lower than 15.0.0.3.6) came with the root account enabled by default.
• Distro-morphing: Users who installed Kicksecure inside Debian using the installation method described in the User Account Information section.

Most users should disable the root account by running the following commands.

1 Sysmaint Notice

2 Platform-specific notice.

• Kicksecure: No special notice.
• Kicksecure-Qubes: Inside kicksecure-17 Template.

3 Lock the root account.

sudo passwd --lock root

^[16]

4 Done.

The root account has been locked.

In the future, use sudo instead when necessary.

After inappropriate use of root rights, attempt to fix:

Open a terminal.

Select your platform.

Kicksecure

If you are using a graphical Kicksecure with Xfce, run.

Start menu → Applications → System → Terminal

Kicksecure-Qubes

If you are using Kicksecure-Qubes, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Kicksecure App Qube (commonly named kicksecure) → Xfce Terminal

Run the following command to reset permissions of account user's home folder /home/user back to owner user and group user.

sudo chown --recursive user:user /home/user

The following steps can be used in case the password has been forgotten and needs to be reset.

The following steps can be used in case the user entered the wrong password too many times, which resulted in the user account being automatically locked. (This is related to security feature Bruteforcing Linux User Account Passwords Protection.)

sudo adduser account-name group-name

If Linux user account user is compromised and has sudo access, malware can easily steal the administrative ("sudo") password. ^[18] Therefore it is more secure (rationale) to perform administrative actions such as running sudo from a separate sysmaint (System Maintenance) account that is less likely to get compromised, since this reduces the chances of malware sniffing the password to escalate to administrative ("root") access.

The basic concept is a separation of the following accounts:

• account user: Perform everyday actions such as running web browsers.
• account sysmaint: Perform system maintenance administrative actions such as installing additional packages.

Questions and answers:

• Is running applications such as browser under account sysmaint less secure? Yes, that defeats this concept.
• Is running applications such as browser under account user more secure? Yes, because it becomes harder for malware to perform privilege escalation attacks to gain administrative ("root") access.
• What is so bad about malware escalating to administrative? See rationale.
• Why use account sysmaint and not simply the root account? See Avoid Root Login.

To more securely perform administrative tasks that require root access, see the following overview steps below. Detailed technical steps are available further below.

1. Prerequisite knowledge: login spoofing
2. These instructions are ideally applied after installing the host / VM when it is still considered free of malware.
3. Only then perform administrative tasks according to the instructions below.

1 Check if user-sysmaint-split is already installed.

See sysmaint Default Installation Status.

2 Install the user-sysmaint-split package, if needed.

This is required to create user sysmaint. For instructions, see user-sysmaint-split Installation.

3 Perform the following steps securely using sudo. Use one of the methods below.

The majority of users do not need to utilize the su command. ^[24].

In Kicksecure, by default:

• group sudo membership is required to use su. ^[25]
• Account user is a member of group sudo. (This might change in a later release.)

To permit the su command from account user, complete the following steps.

(Kicksecure-Qubes: perform these steps in Kicksecure Template.)

1 Enable the root account.

2 Add account user to group root.

sudo adduser user root

3 Re-enable SUID.

Set suid. Note: It is okay if the second command fails.

sudo permission-hardener disable /bin/su sudo permission-hardener disable /usr/bin/su

^[26]

4 Add SUID whitelisting.

sudo mkdir -p /etc/permission-hardener.d

Open file /etc/permission-hardener.d/20_user.conf in an editor with root rights.

Select your platform.

Kicksecure

See Open File with Root Rights for detailed instructions on why using sudoedit improves security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /etc/permission-hardener.d/20_user.conf

Kicksecure-Qubes

Notes:

• When using Kicksecure-Qubes, this must be done inside the Template.

sudoedit /etc/permission-hardener.d/20_user.conf

• After applying this change, shut down the Template.
• All App Qubes based on the Template need to be restarted if they were already running.
• This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Others and Alternatives

Notes:

• This is just an example. Other tools could achieve the same goal.
• If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

sudoedit /etc/permission-hardener.d/20_user.conf

Add.

/bin/su exactwhitelist /usr/bin/su exactwhitelist

5 Save.

6 Done.

Steps to permit su command from account user are complete.

Root login within a virtual console will be disabled by default after upgrades. ^{[27] [28]}

To enable login from a virtual console, first apply the Enable Root Account instructions further above, then complete the steps below.

1 To allow root login, /etc/securetty must be configured. ^[29]

Open file $(realpath /etc/securetty) in an editor with root rights.

Select your platform.

Kicksecure

See Open File with Root Rights for detailed instructions on why using sudoedit improves security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit $(realpath /etc/securetty)

Kicksecure-Qubes

Notes:

• When using Kicksecure-Qubes, this must be done inside the Template.

sudoedit $(realpath /etc/securetty)

• After applying this change, shut down the Template.
• All App Qubes based on the Template need to be restarted if they were already running.
• This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Others and Alternatives

Notes:

• This is just an example. Other tools could achieve the same goal.
• If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

sudoedit $(realpath /etc/securetty)

2 Add the following content.

Note: Add one or more tty depending on your circumstances; see file /etc/securetty.security-misc-orig.

• Kicksecure:

tty1 tty2 tty3 tty4 tty5 tty6 tty7 tty8 tty9 tty10

• Kicksecure-Qubes:

hvc0

3 Save the file.

Root login is possible using recovery mode. ^[30]

When the root account is disabled, passwordless root login using recovery mode is possible; see below for the security impact.

This is only relevant on the host and not inside virtual machines.

Passwordless recovery mode is allowed because a locked root password would break the rescue and emergency shell. Therefore the security-misc package enables a passwordless rescue and emergency shell. This is the same solution that Debian will likely adapt for Debian installer. ^[31]

To prevent adverse security effects posed by lesser adversaries with physical access to the machine, set up BIOS password protection, bootloader grub password protection and/or full disk encryption.

See also: Recovery Mode

The following will open a root console inside a Qubes VM.

Choose an option.

Right click qube and Open console in qube

The following can be used to set up passwordless root access for specific Qubes VMs.

NOTE: In 17.2.3.8 and above this can be simplified to 1 command.

passwordless-root

dsudo is a Kicksecure specific feature. ^[34]

As long as still using the default password (not having changed sudo password), commands can be run as root without entering a password. This is useful for users having issues with changing the keyboard layout and for testing VMs.

Instead of using

sudo

use

dsudo

Kicksecure version 17.3.9.9 and above comes with /usr/bin/passwordless-root. A tool to easily set up passwordless sudo for account user.

Execution of passwordless-root requires administrative ("root") rights.

1. Sysmaint Notice

2. Run the passwordless-root command. ^[35]

sudo passwordless-root

3. Done.

Notes:

• Works with command line interface (CLI) applications only!

1. Boot into PERSISTENT Mode | SYSMAINT Session | maintenance tasks.

Setting this up requires booting into sysmaint session.

2. Create file /etc/privleap/conf.d/user-custom.conf.

sudo append-once /etc/privleap/conf.d/user-custom.conf "\ [action:user-custom] Command=/usr/bin/user-custom AuthorizedGroups=sudo AuthorizedUsers=user "

3. Check the privleap configuration file is valid.

privleapd --check-config

If there is no output, no error message, then the configuration is valid.

4. Create executable file /usr/bin/user-custom.

Open file /usr/bin/user-custom in an editor with root rights.

Select your platform.

Kicksecure

See Open File with Root Rights for detailed instructions on why using sudoedit improves security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /usr/bin/user-custom

Kicksecure-Qubes

Notes:

• When using Kicksecure-Qubes, this must be done inside the Template.

sudoedit /usr/bin/user-custom

• After applying this change, shut down the Template.
• All App Qubes based on the Template need to be restarted if they were already running.
• This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Others and Alternatives

Notes:

• This is just an example. Other tools could achieve the same goal.
• If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

sudoedit /usr/bin/user-custom

5. Paste.

Notes:

• Replace custom-command-here with your actual custom command or commands.
• Advanced users feel free to use other script or programming languages instead.
• Optional: See folder /etc/privleap/conf.d for other examples.

#!/bin/bash custom-command-here

6. Make executable.

sudo chmod +x /usr/bin/user-custom

7. Boot into PERSISTENT Mode | USER Session | power user activities.

8. Run the privleap custom action.

leaprun user-custom

9. Done.

The process is complete.

What does it mean to be "rooted"? The word "rooted" in the context of computer security, smartphones, and root isolation is used in different ways.

A device can get "rooted" by at least two different entities:

• A) user: Intentional rooting by the user grants them full administrative rights and is typically carried out to overcome restrictions imposed by the manufacturer or operating system (e.g., to uninstall bloatware or customize the OS).
• B) malware: Malware-induced rooting occurs when malicious software exploits vulnerabilities to gain privileged access without user consent, often for nefarious purposes such as installing malicious programs, gaining deeper access to sensitive data, or ensuring malware persistence.

Linux desktop operating system (Debian, Fedora, Kicksecure, Whonix, and most others) specific example:

• Definition: If sudo is configured to allow account user to run commands without a password, the machine can be considered rooted by the user.
• In technical terms: File /etc/sudoers.d/user-passwordless contains content user ALL=(ALL:ALL) NOPASSWD:ALL.
• Implications: This means the user will be able to run sudo some-command to execute a command with administrative ("root") rights without a password. The user could even run sudo su to log into the root account.

Qubes specific example: If package qubes-core-agent-passwordless-root gets installed, then the VM has been rooted by the user. The implications are the same as above. On the other hand, if the user opens a Qubes Root Console, the VM should not be considered rooted.

Kicksecure specific example:

• A) user session: When using user-sysmaint-split and booting into a user session, the system should not be considered rooted because sudo/root access is unavailable.
• B) Unrestricted Admin Mode: When enabling Unrestricted Admin Mode, then the system can be considered rooted by the user.
• C) sysmaint session: When the user boots into sysmaint session, the system should not be considered rooted. Sysmaint session is a temporary, legitimate admin session, does not break the security model and is not the same as Unrestricted Admin Mode. ^[36]

Malware specific example: If a web server (such as nginx running under a limited Linux account user nginx) gets compromised, the malware could attempt to root the device (a synonym for saying "root the operating system"). This is also often called local privilege escalation (LPE), which refers to exploiting vulnerabilities, misconfigurations, or using other techniques to escalate permissions from a regular account to a higher privilege level, typically the "root" account. In this case, the web server could be considered rooted by malware.

Android specific example: If the user manages to get an Android Root Management Tool such as SuperSU, Magisk, or Superuser by ChainsDD to be functional, then the device is typically considered "rooted by the user". On the other hand, if a compromised or malicious app accomplishes LPE, then the device can be considered "rooted by malware".

Unclear definitions: What if on a Linux desktop distribution, account user can gain root rights after using sudo and entering a password? Typically, for Linux desktop distributions this is not considered "rooted". The word "rooted" is mostly used on mobile operating systems Android and iOS.

Difference in Terminology:

• Desktop Linux: The concept of "rooting" is not usually applied to traditional Linux desktops. Instead, users elevate privileges with sudo, which is considered a normal administrative function. The term "rooted" implies a fundamental change in the system's security model that is not present when using standard privilege escalation like sudo.
• Mobile OS (Android/iOS): "Rooting" or "jailbreaking" signifies that the device’s default restrictions are bypassed, giving the user continuous and unrestricted access to system files and functions.

Malicious Root Management Tools
Malicious Root Management Tools: Are an Android / iOS specific issue. Some websites say, for example, that KingRoot for Android is malware. ^[37] This issue does not exist for Linux desktop distributions. Tools such as su, sudo, doas are Open Source, Freedom Software and generally not considered malware. The existence of malicious root management tools and other issues (documented on Mobile Devices Privacy and Security, Administrative Rights) are among reasons why rooting is often discouraged for mobile devices. However, a blanket recommendation to avoid rooting in all cases for all use cases cannot be deduced from that.

Related:

• General Threats to User Freedom, Administrative Rights Refusal
• Verified Boot

What does "sudoless" mean? Word definition.

Different people have used the term "sudoless" for very different meanings.

• 2015: ivandokov/sudoless: means passwordless sudo. The ability of a specific Linux user account name such as "user" to run sudo without a password.
• 2021: How to run Docker commands without sudo on a Synology NAS: A quick guide to enable sudoless docker commands.
• 2022: a Kicksecure user forum post: used "sudoless" as a synonym for "passwordless".
• 2023: TechRebuplic: How to enable Podman sudo-less container management
• 2024: secureblue: used "sudoless" in context of removal of sudo, su and pkexec. (Related: Comparison of secureblue with Kicksecure and Development Notes, chapter sudoless.)

The term "sudoless" can therefore be confusing, should either be avoided or clarified when used.

• System Recovery using SysRq Key
• Login spoofing
• Strong Linux User Account Isolation

• Kicksecure code: Restrict access to the root account.
• https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/68
• https://forums.whonix.org/t/should-lesser-adversaries-with-physical-access-be-part-of-the-threat-model-of-whonix-whonix-host-kicksecure/7997

Avoid nonfreedom software Documentation sysmaint Previous page: Avoid nonfreedom software Index page: Documentation Next page: sysmaint

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!