Noob questions about sudo and suid, CLI vs. GUI

I am evaluating Kicksecure for my desktop. I have some initial questions that I hope someone can answer:

  • Is it possible to use Kicksecure without enabling sudo for any users without loss of normal functionality? In other words, rely entirely on the rescue/recovery boot option to do any root operations like apt upgrade, etc.? Without the logged in user even being a member of privileged groups like wheel? I know doing so would be inconvenient. But I’m wondering if there are activities Kicksecure expects of users that require sudo.

  • Is there a place where one can put suid exes (not root-owned, and chattr +i’ed to prevent modification) that is safe from suid-prevention scripts and/or mount nosuid points? I plan to use multiple system user accounts controlled by suid exes, but I read that either Kicksecure currently checks or will in the near future check to prevent suids.

  • I plan on using bwrap for sandboxing. Does anyone in the Kicksecure community have opinions as to whether it should be installed and used suid with unprivileged namespaces disabled, or non-suid with unprivileged namespaces enabled? I’m on the fence about this. The biggest difference in functionality is that without unprivileged namespaces, there is no way to nest bwrap sandboxes. But I read that enabling unprivileged namespaces is risky.

  • I am considering starting with CLI Kicksecure and installing my own GUI configuration in order to sandbox Xorg and other parts of the desktop (a Qubes-like setup with sandboxes instead of VMs). What packages of the GUI Kicksecure should I consider after doing this, and are they separated enough from the standard XFCE install to use without it? Or am I better off starting with the XFCE GUI Kicksecure and retrofitting sandboxes?

Thanks in advance for any help with these questions!

Further study shows:

  • . /etc/permission-hardening.d controls what execs don’t lose suid due to kicksecure additions. There appears to be an expectation that user entries would be added to /etc/permission-hardening.d/20_user.conf. OK!

  • bwrap is in /etc/permission-hardening.d so as to retain suid, but /proc/sys/kernel/unprivileged_userns_clone is 1. But, bwrap is not installed with suid. I guess that the kicksecure developers don’t have a conclusion about whether it should or should not be suid, and are allowing user preference. Is that correct? I see that chrome-sandbox is set up similarly.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]