Kicksecure ™

Download

On Computer USB Installation Intel / AMD64 ARM64 Raspberry Pi PPC64 Windows (VM) Mac Linux (VM) VirtualBox (VM) Qubes (VM) KVM (VM) Debian morph to Kicksecure More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

• Overview: Sysmaint, or system maintenance, is an account created by the user-sysmaint-split feature. It increases security by separating daily activities from administrative tasks.
• Default: Kicksecure-LXQt and Kicksecure-Qubes comes with user-sysmaint-split by default.
• Accounts: There are two accounts:
  • user: For daily activities.
  • sysmaint: For system maintenance administrative activities, such as installing software or upgrading.
• Recommended administrative access: For administrative tasks (for example, using sudo or pkexec), reboot into the sysmaint session (PERSISTENT Mode | SYSMAINT Session | system maintenance tasks) and run the command there.
• Troubleshooting: If you see the following errors, you are most likely in the user session:

permission denied: sudo

permission denied: pkexec

• Fix: Reboot into the sysmaint session and retry the command.
• Advanced opt-out: Unrestricted Admin Mode disables user and sysmaint separation and restores a more traditional setup where the user account can use administrative tools such as sudo or pkexec without using a sysmaint session. This is generally not recommended, because it removes the security benefits of user-sysmaint-split.
• Older versions: For older versions, refer to Version Overview for upgrade information.

Kicksecure:

Image: Kicksecure - sysmaint Boot Option in GRUB Boot Menu

Kicksecure for Qubes:

Image: Kicksecure - sysmaint Boot Option in Qubes VM Manager (QVMM)

Kicksecure comes with a security feature called user-sysmaint-split enabled by default (in graphical user interface (GUI) (LXQt) version and Qubes version). This feature creates two separate user accounts:

• user - for daily activities like browsing, writing documents, etc.
• sysmaint - short for system maintenance; used for tasks that require administrative rights such as installing or updating software.

This separation improves security. For example, if malware compromises your web browser in the user session, it will not have permission to make critical system changes or install rootkits (malicious software that can hide in the system).

You only use the sysmaint account when you want to change system behavior, such as adding new programs, applying updates, or performing administrative tasks.

• Recommended: For administrative actions, boot into the sysmaint session and run the command there.
• Advanced opt-out: The opposite of user-sysmaint-split is Unrestricted Admin Mode, which disables user and sysmaint separation and restores a more traditional setup where the user account can use administrative tools like sudo, su, lxsudo, pkexec directly. This is less secure and not enabled by default, but it can be configured if it better suits your use case.

(Read our rationale here.)

• You want to install a new application:
  • Reboot into the sysmaint account to perform the installation.
  • Once done, reboot back into your regular desktop account.
• You want to install system updates:
  • Boot into sysmaint mode and run the updates from the System Maintenance Panel.
• You want to avoid malware affecting system settings:
  • Use your regular user account for browsing and daily work. Since it does not have admin access, it is harder for malware to deeply damage your system.

• Old versions: Kicksecure build version up to version 17.2.8.5 will not automatically include user-sysmaint-split. However, users can choose to install it manually (see #Installation).
• New versions:
  • graphical user interface (GUI): Includes user-sysmaint-split by default.
  • command line interface (CLI): The kicksecure-*-cli meta packages do not include user-sysmaint-split by default.
  • servers: user-sysmaint-split is not installed by default on servers.
  • Distribution Morphing: Not installed by default. Might be installed by default for the GUI version in a future Release Upgrade.

graphical user interface (GUI) versus command line interface (CLI).

1 Platform specific.

Select your platform.

Kicksecure

2 Notices.

• Privilege escalation tools restricted: When user-sysmaint-split is installed, the account user can no longer use privilege escalation tools (sudo, su, pkexec) when logged into any account other than sysmaint.
• Immediate effect: This change takes effect immediately.
• System maintenance workflow: To perform system maintenance tasks such as checking for software updates or installing updates, reboot into the sysmaint account.
• Reduced attack surface: To reduce attack surface, most superfluous background services are suppressed while booted into the sysmaint account.
• Minimal session by design: The sysmaint desktop session is intentionally minimal and not suited for normal desktop use. This is to discourage using it for work that has a higher risk of causing a difficult-to-avoid system compromise (such as web browsing). Quick shortcuts are provided for simple software management and system administration tasks, while more advanced tasks can be performed from a terminal. The sudo and pkexec commands will be usable here.
• Virtual console login: When booted in PERSISTENT Mode | SYSMAINT Session | system maintenance tasks, you can also log into the sysmaint account from a virtual console (tty) by entering sysmaint at the login prompt. This session behaves identically to a typical virtual console session. A short informational message will be printed after login reminding you that the sysmaint account must be used with caution.

3 Restart the system normally.

4 Select PERSISTENT Mode | SYSMAINT Session | system maintenance tasks from the boot menu.

Figure: Persistent Mode - Sysmaint Session - GRUB Boot Menu Option

5 The system will boot into a minimal desktop session with the System Maintenance Panel running.

Figure: System Maintenance Panel

6 Perform your system maintenance tasks.

7 Once you are done, click "Reboot" to reboot the system.

8 Boot into PERSISTENT Mode | USER Session | daily activities or LIVE Mode | USER Session | disposable use. This will provide you with a standard desktop session.

9 Done.

The procedure is now complete.

Kicksecure for Qubes

2 Qubes version specific.

Select your Qubes version.

Qubes R4.2

3 Notice.

• In Qubes OS R4.2 and earlier:
  • Status: Kicksecure for Qubes cannot be booted into sysmaint session.
  • Benefit: user-sysmaint-split is still useful in Qubes VMs because it makes SUID privilege escalation tools (sudo, su, pkexec) inaccessible for account user.
  • Upgrade recommended: See Kicksecure 18 for Qubes Released! Major Release Upgrade! (Similar to derivatives such as Qubes-Whonix 18 Released! Major Release Upgrade!)
  • Administrative actions: Follow the instructions below to perform administrative actions and to use sudo, su, pkexec.

4 Administrative actions.

You can access the root account by opening a Qubes Root Console.

Qubes R4.3

3 Notices.

Qubes OS R4.3 and later:

• Boot modes support: Supports boot modes.
  • Boot modes usage: Kicksecure for Qubes uses boot modes to allow any Kicksecure Qube to be booted in either PERSISTENT Mode | USER Session | daily activities or PERSISTENT Mode | SYSMAINT Session | system maintenance tasks.
• Template: The kicksecure-18 Template boots in PERSISTENT Mode | SYSMAINT Session | system maintenance tasks by default.
• App Qubes: Kicksecure App Qubes and Disposables boot in PERSISTENT Mode | USER Session | daily activities by default.
• Changing boot modes: Boot modes can be changed. See below.
• Comparison with non-Qubes: Optional reading and comparison notes.
  • Definition: non-Qubes means not using Qubes, such as using Kicksecure on hardware.
  • Similarity: PERSISTENT Mode | USER Session | daily activities and PERSISTENT Mode | SYSMAINT Session | system maintenance tasks are mostly functionally identical under Qubes OS.
  • Key differences: Under Qubes OS, PERSISTENT Mode | SYSMAINT Session | system maintenance tasks differs in the following ways:
    • Default user account: The default user account for most actions is changed to sysmaint.
    • URL opening disabled: Potentially dangerous operations such as opening URLs are disabled.
    • System Maintenance Panel: The System Maintenance Panel is usable.
    • Privilege escalation usability: Privilege escalation tools are easily usable, since the sysmaint account will be provided rather than the user account.
• Non-standard boot mode: It is possible to boot a Kicksecure Qube in a non-standard boot mode, such as booting a Template in PERSISTENT Mode | USER Session | daily activities or booting an AppVM in PERSISTENT Mode | SYSMAINT Session | system maintenance tasks. To do so, change the boot mode of the Qube before starting it.

4 Instructions.

Qubes R4.3 (and above) boot mode changes.

1 Ensure the Qube is shut down.

2 Open Qube Manager.

Start menu → Gear icon → Qubes Tools → Qube Manager

3 Click on the VM you wish to change the boot mode of.

4 Click "Settings" in the toolbar.

5 Click the "Advanced" tab in the Settings window.

6 In the "Kernel" section, change "Boot mode" to your desired boot mode.

7 Click "OK" in the Settings window.

8 Start the Qube. It will boot in the selected boot mode.

9 Done.

The procedure of switching the boot mode for a Qube is now complete.

5 Done.

1 Platform specific.

Select your platform.

Kicksecure

2 Notice.

Reboot into sysmaint session is required, as documented above.

Note: It is unsupported to switch from account user to sysmaint using Start Menu → Power button → logout.

This is a security feature. ^[1]

Kicksecure for Qubes

2 Notice.

Not applicable.

When booted in PERSISTENT Mode | SYSMAINT Session | system maintenance tasks, only the minimum services needed for the session to be usable are started by default. New services are prevented from automatically starting during APT software upgrades.

While enabling additional services within the sysmaint session is generally discouraged, it may be necessary in some situations. Services can be started either temporarily for one sysmaint session, or persistently for all sysmaint sessions.

To start a service for the current sysmaint session:

To enable a service persistently, so that it autostarts on every sysmaint session boot:

Created symlink /etc/systemd/system/sysmaint-boot.target.wants/service-name.service → /lib/systemd/system/service-name.service.

• sysmaint account restrictions: Several restrictions are imposed to reduce the risk of the sysmaint account becoming compromised:
  • Locked access depending on boot mode: The sysmaint account is locked and cannot be logged into when booted into modes other than PERSISTENT Mode | SYSMAINT Session | system maintenance tasks.
  • Session limitation: Logging into the sysmaint account using anything other than the special sysmaint desktop session is prohibited.
  • Prohibition of other logins: When booted in PERSISTENT Mode | SYSMAINT Session | system maintenance tasks, you will be prevented from logging into accounts other than sysmaint.^[2]
  • Inhibition of non-critical services: When booted in PERSISTENT Mode | SYSMAINT Session | system maintenance tasks, only the minimum services needed for the session to be usable are started by default. New services are prevented from automatically starting during APT software upgrades.

• Why is there a separate sysmaint account?
  • See Rationale for Separate sysmaint Account.

• Why is it required to boot into sysmaint mode, why not simply log out (Start Menu → Power button → Logout) and log into account sysmaint? (Fast User Switching)
  • This is to mitigate login spoofing attacks and to prevent sudo password sniffing.

• How to go back to unrestricted admin mode, where account user can use sudo?
  • See #Uninstallation.

user-sysmaint-split is different for the graphical user interface (GUI) versus the command line interface (CLI) version.

In the future, the CLI version will be improved to be more suitable for servers.

Server support for user-sysmaint-split, however, is not as sophisticated yet as it is for the GUI version. For some server use cases, user-sysmaint-split may be less needed or unneeded. This topic is elaborated in the development chapter user-sysmaint-split Server Support.

If it is unsuitable to run some applications in the sysmaint session, then this could be difficult. This is because historically, Freedom Software Linux desktop distributions did not have a strong user-sysmaint-split.

There might be many cases where applications should be run in the user session, but this is not possible because some aspect of the application requires administrative ("root") rights.

Options:

• A) privleap custom actions: If it is possible to do this on the command line interface (CLI), Advanced Users could consider configuring privleap custom actions.
• B) Unrestricted admin mode: This mode disables the separation between the user and system maintenance roles, allowing the user to directly perform administrative tasks without needing to switch contexts. It provides more flexibility for tasks requiring elevated privileges but at the cost of reduced compartmentalization and security. This approach might be more suitable in environments where usability or workflow requirements outweigh the benefits of strict privilege separation. See Uninstalling user-sysmaint-split and Enabling Unrestricted Admin Mode.
• C) Use multiple virtual machines (VM): For compartmentalization. VMs that require administrative ("root") rights could use Unrestricted Admin Mode. Others could keep user-sysmaint-split.

Issues:

• ZuluCrypt not working in user session
• Veracrypt containers do not open
  • Whonix user isolation (user-sysmaint-split) breaks VeraCrypt workflow
• Struggling with the point release update - user-sysmaint-split - sudo

For Advanced Users.

1 Warnings.

• For debugging or advanced users only.
• Enabling sudo access during user session can be a security issue.
• This is often unnecessary. Uninstallation of the user-sysmaint-split package might be better.

2 Boot into PERSISTENT Mode | SYSMAINT Session | system maintenance tasks.

Setting this up requires booting into sysmaint session.

3 Create file /etc/privleap/conf.d/privleap-debugging.conf.

sudo append-once /etc/privleap/conf.d/privleap-debugging.conf "\ [action:sudo] Command=chmod o+x /usr/bin/sudo #Command=/usr/libexec/helper-scripts/sudo-tools-enable AuthorizedGroups=sudo AuthorizedUsers=user "

4 Boot into PERSISTENT Mode | USER Session | daily activities.

5 Enable sudo.

leaprun sudo

6 Notice.

The above command can be run whenever required to enable sudo.

sudo access will be automatically disabled after installing or removing a package using APT. This is because this triggers SUID Disabler and Permission Hardener, which will re-disable sudo, unless an /etc/permission-hardener.d configuration folder snippet gets added.

7 Use of sudo.

sudo can be used normally. For example:

sudo touch /etc/testfile

8 Done.

The process is complete.

See Uninstalling user-sysmaint-split and enabling Unrestricted Admin Mode.

• Qubes has a potential local privilege escalation issue: harden insecure permissions inside /dev/xen folder / research security impact of the Qubes /dev/xen folder permissions #9717 -- This issue is unspecific to Kicksecure and is entirely unrelated to Kicksecure. It equally applies to App Qubes that are not using qubes-core-agent-passwordless-root such as Qubes Debian minimal Template.

• User Account Isolation (developers)
• user-sysmaint-split (developers)
• Kicksecure GitHub user-sysmaint-split repository
• Kicksecure GitHub sysmaint-panel repository

Root Documentation unrestricted admin mode Previous page: Root Index page: Documentation Next page: unrestricted admin mode

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!