{{Header}}
{{title|title=
Unrestricted Admin Mode
}}
{{#seo:
|description={{project_name_short}} allows configuration for unrestricted admin mode, enabling the default user account to access privilege escalation tools like sudo and pkexec.
}}
{{passwords_mininav}}
{{intro|
'''{{project_name_short}} can be configured for unrestricted admin mode.'''
In this mode, traditional access to privilege escalation tools such as sudo and pkexec is possible for the {{project_name_short}} default limited account user.
Most other operating systems do not even call this "unrestricted admin mode" because they do not come with user-sysmaint-split by default. In such systems, unrestricted admin mode is implied. However, {{project_name_short}} provides the flexibility to switch between user-sysmaint-split and unrestricted admin mode depending on your needs.
Starting from {{project_name_short}} version TODO Xfce and above, {{project_name_short}} comes with [[sysmaint|user-sysmaint-split]] by default.
}}
__FORCETOC__
= Uninstalling user-sysmaint-split and Enabling Unrestricted Admin Mode =
This chapter documents how to disable user-sysmaint-split and revert to unrestricted admin mode, where the user user can use sudo.
'''Optional.''' Discouraged.
Warnings:
* Reverting to unrestricted admin mode increases the risk of privilege escalation attacks and may weaken system security.
* It is discouraged to use apt for this purpose, to avoid meta-package removal issues ([[Debian Packages]]). Instead, it is recommended to proceed as per instructions below.
Platform specific. Select your platform.
{{Tab
|type=controller
|content=
{{Tab
|title= == {{project_name_short}} ==
|image=[[File:{{project_name_short}}-logo-icon.svg]]
|content=
If the user-sysmaint-split package is installed by default, the easiest way to remove it is by using the REMOVE user-sysmaint-split boot option on the GRUB screen.
{{Box|text=
'''1.''' Reboot the machine.
'''2.''' Select {{project_name_short}} REMOVE user-sysmaint-split GNU/Linux from the list of boot options.
'''3.''' Authenticate as necessary to log in as the sysmaint account. You may have to provide a disk encryption passphrase and/or the user password for the sysmaint account, if either or both passwords are set.
'''4.''' Type the word yes into the dialog box confirming that you really do want to uninstall user-sysmaint-split.
'''5.''' Click "OK". A terminal window will appear, showing the logs generated while uninstalling user-sysmaint-split.
'''6.''' When the text Command exited. You may close this window safely appears, close the terminal window. The system will automatically reboot.
'''7.''' Done.
The process of removing user-sysmaint-split is now complete.
}}
Alternatively, you can use [[Debian_Packages#dummy-dependency|dummy-dependency]] to remove the user-sysmaint-split package while booted in PERSISTENT Mode - SYSMAINT Session. [
The ]--purge option is optional and not required in this case when using dummy-dependency, because user-sysmaint-split has been designed without configuration files in the /etc folder. Instead, user-sysmaint-split uses symlinks, which are deleted upon removal. This design ensures that a standard apt remove user-sysmaint-split will not result in unexpected functionality, such as parts of user-sysmaint-split (e.g., boot menu entries) still being active.
{{CodeSelect|code=
sudo dummy-dependency user-sysmaint-split
}}
}}
{{Tab
|title= == {{q_project_name_long}} ==
|image=[[File:Qubes-logo-icon.png]]
|content=
{{Box|text=
'''1.''' Qubes version specific.
* Qubes R4.2: Open a [[Root#Qubes_Root_Console|Qubes Root Console]].
* Qubes R4.3 and above: Ensure that the {{project_name_workstation_template}} Template is booted in PERSISTENT Mode - SYSMAINT Session.
'''2.''' Run:
{{CodeSelect|code=
sudo dummy-dependency user-sysmaint-split
}}
'''3.''' Install qubes-core-agent-passwordless-root to allow the user account to elevate to root.
{{CodeSelect|code=
sudo apt install qubes-core-agent-passwordless-root
}}
'''4.''' Shut down the qube template.
'''5.''' Reboot any AppVMs that are based on the qube template.
'''6.''' Done.
The process of removing user-sysmaint-split is now complete.
}}
}}
}}
= Impact =
This removes the sysmaint mode-related [[Grub|GRUB]] boot menu modifications and reverts back to a "normal" boot menu.
Security impact? This is hard to quantify. It is important to contextualize user-sysmaint-split for what it is: an additional security feature, not magic.
The security concept of user versus administrative account isolation, implemented by the user-sysmaint-split package, is a many-years-old and standard security feature on mainstream mobile operating systems such as Android and iOS. These mobile operating systems degrade device owners to limited rights and provide administrative rights to the device manufacturer (OEM) only. The purpose of this, among other security aspects, is to enforce [[Miscellaneous_Threats_to_User_Freedom#mobile_devices_restrictions|mobile device restrictions]], prioritizing the wishes of OEMs and application developers over user preferences. See also the [[Miscellaneous_Threats_to_User_Freedom|General Threats to User Freedom]] wiki chapter [[Miscellaneous_Threats_to_User_Freedom#Administrative_Rights|Administrative Rights]].
user-sysmaint-split improved security in many contexts. For example, if a user is using a dedicated {{VM}} in a session only for the purpose of web browsing, then there is no need for that VM to ever gain root rights. However, in other contexts such as on a server or development environment, user-sysmaint-split might provide less or no security or degrade usability to unproductive levels.
There have been times where user-sysmaint-split was unavailable and nothing catastrophic took place. At worst, this reduces the security level to {{project_name_short}} versions equal to or lower than version 17.2.8.5.
See also [[Root#Rationale_for_Protecting_the_Root_Account|Rationale for Protecting the Root Account]].
= Optional Restrictions =
After removal the user can configure sudo and/or other privilege escalation tools etc as per usual.
= Footnotes =
{{Footer}}
[[Category: Design]]
[[Category: Development]]