Kicksecure 17.3.9.2 - Testers Wanted!

Download

(What is a point release?)

Testers wanted!


Upgrade

Already using Kicksecure? No need to reinstall — perform an in-place upgrade using the Kicksecure repository.


This milestone was made possible thanks to the incredible support from our community. Thank you!


Please Donate!


Get Involved — Please Contribute!


Major Changes

user-sysmaint-split

Kicksecure Xfce now defaults to a safer split-user model: one account for daily use (user) and another for admin tasks (sysmaint). This limits the impact of potential malware and strengthens system security. Power users can opt into Unrestricted Admin Mode if needed.

System Maintenance Panel

A user-friendly interface for essential system tasks: update software, manage user accounts, configure autologin, change passwords, and run systemcheck, all in one place and designed for sysmaint sessions.

sudoless

The user account no longer has access to sudo or other privilege escalation tools. Only dedicated admin accounts like sysmaint can perform such actions, reducing the attack surface and improving security.

privleap

A new security-focused privilege escalation framework replacing sudo. It allows only specific, pre-approved actions to be executed with elevated rights, reducing the risk of misuse or exploitation. SUID-free.

updatecheck

A new background service periodically checks for software updates and alerts users via passive popups. (Notifications about new updates)

dummy-dependency

Ever wanted to uninstall, for example, Firefox or Thunderbird but ran into the meta package issue? dummy-dependency allows the uninstallation of packages that are normally not uninstallable, without removing a (meta) package that depends on the original package.

systemcheck

Now provides more guidance for Protection against Physical Attacks. New checks include: detection of user-sysmaint-split; on host systems, notification if full disk encryption (FDE) is set up or missing; bootloader password status; and a login security table highlighting passwordless or autologin accounts.

Virtual Hard Disk Size Increase

Virtual Hard Disk Size Increase is now easier.

Permission Hardener Improvements

SUID Disabler and Permission Hardener v2: major overhaul and improved reliability when adding/removing SUID binaries, which is important for user-sysmaint-split installation/removal.

Source Code Hardening

Upcoming Changes

It is planned to no longer install Firefox and Thunderbird by default for the next release.

Rationale:
Kicksecure Default Browser - Development Considerations

User documentation:
Web Browser

Instead, there will be a local browser choice application looking similar to this. (Not a website.) Development plan:
browser choice

Changelog

  • anon-apt-sources-list:
    • Add Fasttrack backports-staging suite (Thanks to Ben Grande!)
  • anon-connection-wizard:
  • apparmor-profile-dist:
    • Improve live mode detection
  • debug-misc:
    • Remove efi_pstore.pstore_disable=1 (Thanks to @raja!)
    • Enable pstore processing by systemd-pstore service (Thanks to @raja!)
    • Update coredumps enabling documentation (Thanks to @raja!)
  • dist-base-files:
    • Add systemd-repart support (Thanks to @ArrayBolt3!)
    • Don’t enable systemd-repart on existing systems, ISOs, or Qubes OS (Thanks to @ArrayBolt3!)
    • Don’t enable systemd-repart on existing systems (Thanks to @ArrayBolt3!)
    • Re-organize GRUB boot menu (Thanks to @ArrayBolt3!)
    • No longer adding the account `user` to the groups cdrom, audio, dip, plugdev, as this should no longer be required
    • Set default shell to zsh also for root user
  • genmkfile:
    • Fix genmkfile install permissions
  • grub-live:
    • Ensure update-grub is called when switching initramfs generators (Thanks to @ArrayBolt3!)
    • Avoid ending up with GRUB_DEVICE being set to an invalid path (Thanks to @ArrayBolt3!)
    • Live mode rename: For daily use.disposable use
    • Implement LIVE Mode | SYSMAINT Session LIVE mode SYSMAINT
  • helper-scripts:
    • Add /usr/libexec/helper-scripts/use_pkexec.sh
    • stecho, stprintf, stcat, stcatn (Thanks to Ben Grande!)
    • Rewrite append-once in Python, with enhanced error and edge case handling (Thanks to @ArrayBolt3!)
    • append, append-once, override (Thanks to @ArrayBolt3!)
    • Implemented unicode-show
    • unicode-show: enhance efficiency, show trailing whitespace (Thanks to @ArrayBolt3!)
    • Improved grep-find-unicode-wrapper to find more ASCII control characters; created test script /usr/libexec/helper-scripts/write-suspicious-ascii
    • Polish pwchange (Thanks to @ArrayBolt3!)
    • crypt-pwchange (Thanks to @ArrayBolt3!)
    • Implement grub-password-status-check and grub-pwchange
    • Use log function in terminal wrapper to show exit code status
    • Improve sanitize_variable
    • Implement autologinchange (Thanks to @ArrayBolt3!)
    • Add /usr/libexec/helper-scripts/temp.sh
    • Avoid expected error message in case a Tor consensus has not been downloaded yet:
    • Add /usr/libexec/helper-scripts/live-mode.sh
    • anondate: Improve error handling
    • Add /usr/libexec/helper-scripts/use_sudo.sh
    • Add utility and library to manage accounts. Query account state, check password state, and query any entry from supported databases. (Thanks to Ben Grande!)
    • Implement dummy-dependency
    • str_replace: improved error handling if file is not UTF-8
    • Fix apt-get-update for non-English locale, fixes Systemcheck reports `WARNING: Debian Package Update Check Result: apt-get reports that packages can be updated.` but system is already fully upgraded
  • kicksecure-meta-packages:
    • Add xfce4-notifyd to essential GUI packages (Thanks to @ArrayBolt3!)
    • Add sysmaint-panel to kicksecure-desktop-applications-xfce (Thanks to @ArrayBolt3!)
    • Fix Thunar icons in Kicksecure Qubes template (Thanks to @ArrayBolt3!)
    • Make kicksecure-qubes-cli and kicksecure-qubes-gui suitable for use with qubes-whonix (Thanks to @ArrayBolt3!)
  • legacy-dist:
    • Remove deborphan (outdated dependency) (Thanks to Jeremy Rand!)
    • Avoid auto removal of qubes-core-agent-passwordless-root, if it was already installed (which was previously a Depends:). This is to avoid breaking existing users’ workflows.
  • libvirt-dist:
    • Improve live mode detection
  • live-config-dist:
    • Instruct Calamares to save GRUB configuration into /etc/default/grub.d (Thanks to @ArrayBolt3!)
    • Make install-host compatible with classic permissions model, and take into account a sysmaint mode edge case (Thanks to @ArrayBolt3!)
    • Improve UX when launching the installer from a sysmaint-enabled ISO in live mode (Thanks to @ArrayBolt3!)
    • Add unrestricted admin mode to ISO (Thanks to @ArrayBolt3!)
    • Properly install GRUB to the fallback bootloader configuration if debconf is configured for this (Thanks to @ArrayBolt3!)
  • msgcollector:
  • open-link-confirmation:
    • Refuse to open links in sysmaint mode and show an error message if this is attempted (Thanks to @ArrayBolt3!)
    • Hook web browser launch attempts via XDG on generic non-XFCE desktops (Thanks to @ArrayBolt3!)
  • privleap:
  • ram-wipe:
  • repository-dist:
    • Output repository-dist-wizard error messages also on console in case GUI does not work (such as when starting it as root by mistake)
    • Improved error handling (such as when pkexec is unavailable)
  • sdwdate:
    • Re-enable log watching in sdwdate-log-viewer (Thanks to @ArrayBolt3!)
    • Port to privleap (Thanks to @ArrayBolt3!)
    • Add faccessat2 syscall to the whitelist (Thanks to @ArrayBolt3!)
  • sdwdate-gui:
    • Port to privleap (Thanks to @ArrayBolt3!)
    • Use a safe directory outside of /run/user/1000 for inter-qube sdwdate status communication (Thanks to @ArrayBolt3!)
  • security-misc:
    • Fix umask for pkexec-run commands (Thanks to @ArrayBolt3!)
    • Make /usr/libexec/security-misc/apt-get-update more reliable
    • /usr/libexec/security-misc/apt-get-update
    • Set efi_pstore.pstore_disable=1 (Thanks to @raja!)
    • Disable pstore processing by systemd-pstore service (Thanks to @raja!)
    • No longer disable vivid kernel module by default, because it breaks Qubes Video Companion. Thanks to @marmarek for the bug report! See "Testing Qubes Video Companion on Whonix" (Whonix Forum, Qubes-Whonix). Fixes "Qubes Video Companion broken due to missing vivid kernel module" (Issue #298, Kicksecure/security-misc on GitHub).
    • Update docs on kernel panics (Thanks to @raja!)
    • Don’t handle files with multiple hardlinks (Thanks to @ArrayBolt3!)
    • Make permission-hardener always apply changes to real files, not symlinks (Thanks to @ArrayBolt3!)
    • README.md: List CPU mitigations (Thanks to @raja!)
    • Add info on DBX updates via the UEFI Revocation List (Thanks to @raja!)
    • Add print-diagnostics command to permission-hardener (Thanks to @ArrayBolt3!)
    • Permission hardener: disable SUID for chrome-sandbox
    • Permission hardener: disable SUID for ssh-agent, ssh-keysign, /lib/openssh/*. This might break SSH host-based authentication.
    • Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 (Thanks to @ArrayBolt3!)
    • README.md: Note importance of microcode updates (Thanks to @raja!)
    • Add comment about microcode updates (Thanks to @raja!)
    • Increase priority of pam wheel so it is checked even before pam faillock in case of attempting to use su without being a member of the required group sudo. It’s useful to abort the PAM stack as early as possible to avoid needlessly prompting for a password to later be rejected due to lack of group membership.
    • Fix: apply PAM wheel only to su PAM service
    • Adjust pam-info messaging for sysmaint mode (Thanks to @ArrayBolt3!)
    • Add warning about using non-sysmaint accounts in sysmaint mode (Thanks to @ArrayBolt3!)
    • Move from /etc/permission-hardener.d to /usr/lib/permission-hardener.d
    • Permission hardener: also parse /usr/lib/permission-hardener.d/*.conf folder
    • Add link to tabular comparison of CPU mitigations (Thanks to @raja!)
    • Set net.ipv4.conf.*.drop_gratuitous_arp=1 (Thanks to @raja!)
    • Set net.ipv4.conf.*.arp_ignore=2 (Thanks to @raja!)
    • Set net.ipv4.conf.*.arp_filter=1 (Thanks to @raja!)
    • Set net.ipv4.conf.*.shared_media=0 (Thanks to @raja!)
    • Add sysmaint account lock detection (Thanks to @ArrayBolt3!)
    • Update presentation on user namespaces (Thanks to @raja!)
    • Enable kvm.mitigate_smt_rsb=1 (Thanks to @raja!)
    • Enable kvm-intel.vmentry_l1d_flush=always (Thanks to @raja!)
    • Refactor CPU mitigations (Thanks to @raja!)
    • arp_ignore: Add reference to 2024-12-10 Mullvad VPN audit details (Thanks to @raja!)
    • Permission hardener: treat mount the same way we treat umount. Thanks to @the-moog for the bug report! Fixes "default SUID for umount (un-mount) may be incorrect" (Issue #284, Kicksecure/security-misc on GitHub).
    • Permission hardener: mount chmod change from 745 to 755. Fixes "default SUID for umount (un-mount) may be incorrect" (Issue #284, Kicksecure/security-misc on GitHub).
    • Enable umask hardening (Thanks to @ArrayBolt3!)
    • Provide option to deny sending and receiving shared media redirects (Thanks to @raja!)
    • Provide option to harden response to ARP requests (Thanks to @raja!)
    • Provide option to enable ARP filtering (Thanks to @raja!)
    • Provide option to drop gratuitous ARP packets (Thanks to @raja!)
  • setup-dist:
  • setup-wizard-dist:
    • Remove distutils (outdated dependency) (Thanks to Jeremy Rand!)
    • Simplify Kicksecure version detection code
    • Do not start in live mode
    • Improve detection of which Kicksecure version to run setup-wizard-dist
    • Improve grub-live detection
    • Enable wizard for Kicksecure, refuse to run in live mode (Thanks to @ArrayBolt3!)
    • Add autologin documentation; make links actually work rather than just wiping the text view when clicked (Thanks to @ArrayBolt3!)
  • swap-file-creator:
  • sysmaint-panel: (Thanks to @ArrayBolt3!)
    • repository-dist-wizard button
    • Linux user account password change button
    • Disk passphrase management button
    • Bootloader password changer button
    • Data persistence info
    • APT software management features (install, remove, purge, dummy-dependency, search)
    • Screenlock button
    • autologinchange button
    • systemcheck button
    • Open terminal emulator button
    • Remove user-sysmaint-split support if booting into remove user-sysmaint-split
  • systemcheck:
    • Detect user versus sysmaint session
    • Check if user-sysmaint-split is installed
    • Improve offline support (for example, if networking has not been set up yet):
      • Check if external network interface can be detected. This is done by checking the output of the command ip -o addr show scope global.
      • This is only a local command; it does not connect to any servers on the internet
      • This avoids waiting for a long systemcheck timeout
      • If there is an external network interface but actual internet connectivity is broken (for example due to router issues), this is not detected yet
    • No longer terminate early if:
      • Unsupported virtualizer has been detected
      • Control port filter proxy could not be found
      • Clock issues
      • Firewall issues
      • Tor not running
    • Add updatecheck
    • Check if full disk encryption (FDE) is enabled
    • Check if a bootloader password has been set, if running on host operating system only (not inside VMs), see also bootloader password
    • Add login security table (point out passwordless and autologin accounts) (Thanks to @ArrayBolt3!)
    • Exit non-zero when unexpected non-freedom packages are found (function check_non_freedom only runs when using --verbose)
    • Exit non-zero if derivative repository is disabled
    • Ignore false positive messages. Fixes "Systemcheck fails for unclear reason" (Whonix Forum, Qubes-Whonix, post #2 by Patrick) (Thanks to @marmarek)
    • Add a new test to check if TMP and TMPDIR environment variables are correctly set when running privleap
    • Show output of vrms only if using verbose level 2 and above
    • Exit non-zero when using --verbose and when unexpected error log files exist or unexpected messages in the systemd journal exist
    • Improve output of check journal (when using --verbose)
    • Check privleap configuration (privleap --check-config)
    • Check sudo using privleap
    • Test both sudo and leaprun
    • Port to privleap (Thanks to @ArrayBolt3!)
  • tb-starter:
  • tb-updater:
  • timesanitycheck:
    • Update minimum_unixtime
  • tirdad:
  • tor-control-panel:
  • tor-ctrl:
    • Hardening (Thanks to @ArrayBolt3!)
    • Hardcode Tor cookie path to /run/tor/control.authcookie for better security
    • tor-ctrl-onion: fix -k, -u, -x
    • Disable colors in tor-ctrl-stream for better security
  • usability-misc:
    • dist-installer-cli: Do not hide xtrace when started with bash -x (xtrace). It is therefore no longer required to get xtrace from debug file.
    • dist-installer-cli: Fix Fedora 42 package installation (Thanks to Ben Grande!)
    • dist-installer-cli: Fix VirtualBox downgrade (Thanks to Ben Grande!)
    • dist-installer-cli: Install fasttrack keyring only if needed, because it fails on testing and unstable, where the package is unavailable
    • dist-installer-cli: Fix install failure when using --onion (Thanks to @ArrayBolt3!)
    • dist-installer-cli: Bugfixes, cleanup shellcheck overrides, improve robustness (Thanks to @ArrayBolt3!)
    • Add error message when trying to run upgrade-nonroot as a normal user when user-sysmaint-split is installed (Thanks to @ArrayBolt3!)
  • user-sysmaint-split:
  • vm-config-dist:
  • derivative-maker:
    • Development towards ARM64 support (work in progress)
    • Remove GNU/Linux, CPU architecture references from live ISO boot menu (Thanks to @ArrayBolt3!)
    • Improve build speed: avoid unnecessary initramfs builds
    • Error out earlier when building workstation without corresponding gateway, because otherwise the build would fail very late at dm-prepare-release during creation of the unified image. See "Whonix on Mac M1 (ARM) - Development Discussion" (Whonix Forum, Development, post #67 by LoftyGoals).
    • Delete no longer required help-steps/vm-exists-test
    • Add systemd-repart support (Thanks to @ArrayBolt3!)
    • Make sure apt-cacher-ng configuration option PassThroughPattern: .* is set
    • Remove libpam-tmpdir from include_opt because grml-debootstrap is nowadays functional if libpam-tmpdir is installed on the host, thanks to its clean_chroot function
    • Remove grub2-common from include_opt because grml-debootstrap handles that nowadays
    • Delete utm folder after utm archive creation to save disk space
    • Sudo setup: write Defaults:%$USER runcwd=* to /etc/sudoers.d/derivative-maker to fix sudo error when using $SUDO_TO_VBOX_TEMP:
      • `sudo: you are not permitted to use the -D option`
    • Use sudo with -D $HOMEVAR_VBOX_TEMP (--chdir) to avoid VBoxManage error:
      • `VBoxManage: error: Could not create the directory '.' (VERR_ACCESS_DENIED)`
    • Implement function chroot_run
    • Replace chroot command with chroot_run function
    • Replace $CHROOT variable with chroot_run function
    • Add help-steps/apt-cacher-ng-reset
    • Disable no longer needed workaround use_vmefi_maybe
    • Make compatible with latest grml-debootstrap code (Thanks to @ArrayBolt3!)
    • Use flavor_meta_packages_to_install for ISO builds (Thanks to @ArrayBolt3!)
    • Fix --remote-derivative-packages true
    • Attempt installing GRUB with env var (Thanks to Rob Stringer!)
    • Add debug block for command failure (Thanks to Rob Stringer!)
    • Rework build script for UTM build (Thanks to Rob Stringer!)
    • Check for apt-cacher-ng start with netcat (Thanks to Rob Stringer!)
    • Rework entrypoint script to run as builder (Thanks to Rob Stringer!)
    • Handle systemctl service for Docker Apple Silicon builds (Thanks to Rob Stringer!)
    • Add working solution with entrypoint script instead of service manager (Thanks to Rob Stringer!)
    • Attempt to run apt-cacher-ng with supervisord (Thanks to Rob Stringer!)
    • Remove apt-cacher-ng for Docker (Thanks to Rob Stringer!)
    • Attempt apt-cacher-ng without systemd (Thanks to Rob Stringer!)
    • Add initial Dockerfile (Thanks to Rob Stringer!)
    • Fix construction of PATH variable. Thanks to @ArrayBolt3 for the bug report!
    • Add isomd5sum to the live package list for the Kicksecure ISO (Thanks to @ArrayBolt3!)
    • Support unusual PATH variables
    • Fix PATH variable if it lacks sbin
    • Update for newer live-build (Thanks to @ArrayBolt3!)
    • Improve check for stray mounts
    • Expand PATH environment variable so grml-debootstrap will use help-steps/mmdebstrap wrapper
    • Turn on user-sysmaint-split on ISO images (Thanks to @ArrayBolt3!)
    • Install user-sysmaint-split by default on Kicksecure Xfce
    • Add Qubes templates submodules
    • Add Qubes templates source code git modules qubes/qubes-template-kicksecure and qubes/qubes-template-whonix to make them easier to discover / search the source code
    • Remove --hard-links from rsync_opts
    • Kicksecure VM build process: make sure host system files such as /etc/resolv.conf do not leak into the image
    • ARM64 build fix: install qemu-user-static from backports
    • VirtualBox 7.0 → 7.1 version upgrade (only when using opt-in to use Oracle repository)
    • Fix compatibility with umask hardening (umask 027)
    • Create Debian package and install live-build instead of using “make install” to avoid permission issues
    • Configure GRUB to install itself to the fallback bootloader location (Thanks to @ArrayBolt3!)
    • No longer install dracut-config-rescue as it actually does not have any effect
    • Enable checksumming for Kicksecure ISO (Thanks to @ArrayBolt3!)
    • grml-debootstrap:

Full difference of all changes

https://github.com/Kicksecure/derivative-maker/compare/17.2.8.5-developers-only...17.3.9.2-developers-only


(This testers wanted announcement might in future be transformed into a stable release announcement if no major issues are found during the testing period.)

I have tried to use all of the Kicksecure repositories (including Testers and Developers). I switched using the GUI tool, but full-upgrade hasn't changed anything - Kicksecure version is still 17.2.8.5. Was I doing something wrong?

Expected. See Build Version.

There’s a missing green Livecheck icon when logging into SYSMAINT Xfce session (LIVE Mode)

This will be improved in the next version and the one after that.