I am reaching out to share some observations regarding missing panel items in the desktop settings for the two users (boot sessions), USER and USERMAINT. These issues were noticed while booting in Live Mode USB, and I believe it would be beneficial to me to provide my feedback.
USER
Power Manager Icon Missing
The battery level indicator is absent from the system tray. This is particularly inconvenient for laptop users who rely on this feature to monitor their battery life.
USERMAINT
Power Manager Icon Missing
Similar to USER, the battery level indicator is also missing.
Time Clock Item Missing
The Time Clock item is absent from the panel, which is a useful feature for quick access to the current time.
Window Buttons Missing
The absence of window indicators makes it difficult to manage open windows. This has led me to frustration while multitasking, such as when using the terminal to launch Firefox (look up issues) and Mousepad (take notes) and another xterm for debugging commands.
It's good to leave the USERMAINT desktop minimal, but the three above would not be too much to add to the panel.
The missing power manager icon is weird, I’ll double-check on my end but I think that’s supposed to be there by default. If it’s not, it’s possible the OS isn’t detecting your system’s battery. Will investigate.
On the sysmaint session, just from a standpoint of what is or isn’t good to implement:
Adding a clock to the sysmaint session sounds like a good idea, especially since time can be security-related due to its effect on things like SSL.
I don’t think adding window buttons is a good idea, as much as they would be convenient. The sysmaint session is intentionally designed to be a bit annoying to use as a general-purpose session because using it as a general-purpose session is a security hazard. This is why we have a separate sysmaint session, so that it’s hard to get to Firefox or other complex apps that interact with the network.
From a standpoint of implementation difficulty:
Right now the sysmaint session panel is implemented using trayer, which only supports system tray icons, not other widgets like clocks, power indicators, or window buttons. We’d have to use a more complete panel implementation (maybe xfce4-panel could be configured to work right somehow?) to introduce those elements, and I don’t really want us to use a panel implementation that’s too complete or easily reconfigured in order to keep the sysmaint session from being used for general-purpose tasks. It may be possible to pull in a good power manager applet from the Debian repos, and there might be a clock applet that could work in a similar way. (If a clock applet proves to be impossible, that could be worked into the system maintenance panel itself.) Window buttons are probably not going to be possible. It might be possible to get xfwm4 to minimize windows in such a way that they remain partially visible, we could look into that.
If the permissions limitations in a user session and the functionality limitations in a sysmaint session are too limiting for your use case, you can revert back to “unrestricted admin mode” by booting into the REMOVE user-sysmaint-split | enable unrestricted admin mode boot option. This will get rid of the sysmaint session and bring back sudo access in normal user sessions. See Unrestricted Admin Mode for details.
I found out why the battery level indicator is missing. XFCE’s power manager is installed, but for some reason it’s not set to enable the system tray icon. You can fix it by clicking on Application Menu > Settings > Power Manager and then switch on “System tray icon”. You may want to enable “Status notifications” at the same time.
On the same system booted into Debian 12 Live Xfce, the power manager plugin is there on the panel.
Yeah, but since sysmaint is the only user that has sudo privileges, it's gonna be a little annoying if a user is trying to fix things and they need to look them up. Another example is looking up how to install something, let's say to install a .deb for software found online or build something from source online.
Yeah as long as it doesn’t increase attack surface.
Yeah, I like sysmaint-split, I just got confused for a second.
Yeah, I just checked and the toggle system tray on Debian 12 Live Xfce is separate from the plugin. If you already have the plugin it will add a second power selector like in the case of Debian 12 Live Xfce (not Kicksecure).
Well… you have a point, and you’re kind of proving my point at the same time. Opening Firefox to look things up while booted into sysmaint mode could be a fatal move. You may note that the sysmaint session has no “launch browser” button and no Start Menu - that’s specifically because we’re trying to keep people from launching Firefox in sysmaint mode if at all possible. This does make it harder to look things up, but there’s not any safe way to allow looking things up while in sysmaint mode. (What you could do instead is look up how to do things while in user mode, create plain text files with notes about what you intend to do in sysmaint mode, then reboot into sysmaint mode and do those things. You can access the files saved in your user account by running sudo -i, then cd /home/user.)
Obviously this is going to be severely annoying for a significant number of use cases. And as a developer, I freely admit to using sysmaint mode for things it isn’t designed to be used for (mostly building packages from a VM shared folder). My threat model is such that I can do that safely, but since we’re trying to cater to much stricter threat models, we try to make it harder to shoot yourself in the foot that way. Most users who have a less strict threat model can probably afford to remove user-sysmaint-split. (The only reason I don’t is because I have to develop the sysmaint session itself, so having it around is essential.)
You’re right, it could be a fatal move since it's the account with the most privileges, so to speak.
Agreed, it's better to look up on another device or look up via user (then save file).
Yeah, and avoid general-purpose use, and honestly this is what I did before sysmaint, as I would only have one dedicated user for sudo privileges and only log in to that user to install or update software or fix system-wide issues etc.
Really do appreciate this more than you know, thanks.
Most users who have a less strict threat model can probably afford to remove user-sysmaint-split.
Yeah I like the idea of sysmaint and hope to see it progress, might want to look at adding an option in sysmaint panel next for setting a GRUB password.
That’s there already. If you click “Manage Passwords” on the system maintenance panel, a popup will appear that allows you to change your user password, bootloader password, or disk passphrase. (It looks like System Maintenance Panel doesn’t have that documented yet, that should probably be fixed.)