{{Header}}
{{title|title=
Role-Based Boot Modes (user versus admin) for Enhanced Security
}}
{{#seo:
|description=Persistent User / Live user / Persistent Admin
}}
[[File:Grub-boot-icon.jpg|300px|thumb]]
{{intro|
GRUB boot menu options Persistent User / Live user / Persistent Admin and their use cases.
}}
{{mbox
|icon=fa-solid fa-exclamation cs-yellow
|text=This is a concept still in development. Waiting for implementation. Help welcome!
}}
= Introduction =

This page discusses different boot modes in the {{project_name_long}} operating system, aimed at improving security through role-based boot options. It describes modes like "Persistent User" for daily activities and "Persistent Admin" for updates, software installation, and full system control. The goal is to isolate user activities and reduce security risks by restricting what each boot mode can access and modify. The page also explains potential opt-outs for users who prefer traditional [[root]] access.

These schemes are generic and work for both hosts and VMs. This applies to {{project_name_long}} and derivatives of {{project_name_long}}, such as (non-Qubes) {{whonix}}.

= Development Goals =
{{Anchor|Goals}}

These goals guide the boot modes implementation:

* [[Login spoofing|Defeat login spoofing]]
* [[Root#Prevent_Malware_from_Sniffing_the_Root_Password|Prevent Malware from Sniffing the Root Password]]
* [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]]
* [[Noexec]]
* [[Verified Boot]]

= Grub Default Boot Menu Entries =

The default GRUB boot menu entries are:

* <code>PERSISTENT mode USER (For daily activities.)</code>
* <code>LIVE mode USER (For daily activities.)</code>
* <code>PERSISTENT mode ADMIN (For software installation.)</code>

= Use Cases for the Different Boot Modes =

Common use cases tailored to the available boot modes:

* <code>PERSISTENT mode USER (For daily activities.)</code>:
** Ideal for browsing, email, chat, or running a pre-configured server.
** read-only <code>/usr</code>, <code>/etc</code>.
** read-write <code>/home</code>
** Verified Boot: enabled.
* <code>LIVE mode USER (For daily activities.)</code>: Similar to Persistent User but without persistence.
* <code>PERSISTENT mode ADMIN (For administrative tasks.)</code>: Allows running <code>sudo apt install [package]</code>, editing <code>/etc/apt/sources.list.d</code>, and similar tasks. Reboot into USER mode afterward.
** read-write <code>/usr</code>, <code>/etc</code>, <code>/home</code>
** Verified Boot: disabled

= Boot Modes Comparison Table =

{| class="wikitable"
! Feature
! <code>[[Persistent Mode|PERSISTENT mode]] USER</code>
! <code>[[Live Mode|LIVE mode]] USER</code>
! <code>PERSISTENT mode ADMIN</code>
|-
! Description
| For daily activities such as browsing, email, chat, or running a pre-configured server.
| Similar to Persistent User but without persistence.
| For administrative tasks such as running <code>sudo apt install [package]</code>, editing <code>/etc/apt/sources.list.d</code>, and similar tasks. Reboot into USER mode afterward.
|-
! File System Access: <code>/usr</code>, <code>/etc</code>
| {{No}}, read-only
| {{No}}, read-only
| {{Yes}}, read-write
|-
! File System Access: <code>/home</code>
| {{Yes}}, read-write
| {{No}}, read-only
| {{Yes}}, read-write
|-
! [[Verified Boot]] ('''<u>planned</u>''')
| {{Yes}}, Enabled
| {{Yes}}, Enabled
| {{No}}, Disabled
|}

= Integration with Verified Boot =

When booting into PERSISTENT mode ADMIN, [[Verified Boot|verified boot]] will be disabled for the purpose of updates, software installation, and system configuration. During shutdown, the checksums required for verified boot will be created.

When booting into USER, verified boot will be enabled for the purpose of improved security.

See also [[Verified_Boot#Verified_Boot_for_User_but_not_for_Admin|Verified Boot for User but not for Admin]].

'''<u>planned</u>''': Role-Based Boot Modes (user versus admin) will be implemented first. Verified boot is an additional security feature that is planned to be implemented later.

= Opt-Out to Get the Same Behavior as Old {{project_name_short}} =
Users who wish "the old {{project_name_short}}" "with unrestricted sudo for user <code>user</code>" back, who don't want to see any of the new options [A], [B], [C] could delete these <code>/etc/grub.d</code> grub menu entries by running <code>sudo chmod -x /etc/grub.d/somenumber_name-of-boot-mode</code>. (There could be a script to simplify that.)

Users preferring the traditional {{project_name_short}} behavior with unrestricted <code>sudo</code> for <code>user</code> can remove the new options:

* <code>PERSISTENT mode USER (For daily activities.)</code> [A]
* <code>LIVE mode USER (For daily activities.)</code> [B]
* <code>PERSISTENT mode ADMIN (For administrative tasks.)</code> [C]

= Boot Modes Considered Too Unimportant to Be Added to GRUB Default Boot Menu =

'''Currently, we don’t see good use cases to include these modes as default, but user feedback could change this in the future.'''

* <code>LIVE mode ADMIN</code>

'''DIY Methods to Include These and Other Entries in the GRUB Boot Menu'''

{{IconSet|h2|A}} Files in the <code>/etc/grub.d/</code> folder could add these entries, but they could be non-executable by default. To opt-in, users could run <code>sudo chmod +x /etc/grub.d/somenumber_name-of-boot-mode</code>.

{{IconSet|h2|B}} Users wanting custom entries can add them directly to the <code>/etc/grub.d/</code> folder or GRUB boot menu.

{{IconSet|h2|C}} Using GRUB boot menu editing (key <code>e</code>) at boot, kernel parameters can be adjusted for any combination.

= /etc/grub.d File Names =

Details about <code>/etc/grub.d</code> files:

<pre>
filename                                     purpose
---------------------------------------      -----------------------------
/etc/grub.d/10_linux                         PERSISTENT mode USER
/etc/grub.d/11_linux_live                    LIVE mode USER
/etc/grub.d/12_linux_admin                   PERSISTENT mode ADMIN
/etc/grub.d/13_linux_admin_live              LIVE mode ADMIN
</pre>

Files should remain in lexical order below <code>/etc/grub.d/20_</code> to avoid conflicts with existing scripts.

Note: Some files may not be created initially (or at all), as outlined in the "Boot Modes Considered Too Unimportant to Be Added to GRUB Default Boot Menu" section.

= Server Support =

GRUB boot menus aren’t easily accessible on many servers. A solution for making these boot modes available on servers is yet to be determined. See the forum discussion: https://forums.whonix.org/t/multiple-boot-modes-for-better-security-persistent-user-live-user-persistent-admin-persistent-superadmin-persistent-recovery-mode/7708/50

Ideas:

* User could create a file that requests booting into admin mode next time.
* Admin mode would use a systemd unit drop-in to disable most systemd units, except SSH, etc.

= Todo =
* Start Menu: Hide Firefox and other similar applications when booting into admin mode.
* A systray icon could display an admin symbol to indicate the mode.
* Add a warning:
** When starting Firefox in admin mode, a popup message should inform the user to avoid browsing the internet unless absolutely necessary.
* Address the challenge of reading documentation after booting into admin mode:
** Why read documentation in admin mode?
*** This is often necessary when performing complex sysadmin tasks.
*** For online searches or resolving issues.
*** Using AI assistants.
*** Posting on forums.

[[Offline Documentation]] is helpful but an insufficient solution.

* Offline documentation often links extensively to upstream resources.
* Users are encouraged to look up online documentation whenever possible (referring to upstream resources).

Alternatives:

* Ideally, users should perform such tasks on a separate computer.
* These alternatives might seem impractical but are safer.
* A less ideal, but safer option is to use a VM for such tasks.

= Implementation =

Outdated:

* https://github.com/{{project_name_short}}/apparmor-profile-everything/tree/master/etc/grub.d

= Prior Versions =

[https://www.kicksecure.com/w/index.php?title=Dev/boot_modes&oldid=87353 Older concept version still containing "SUPERADMIN" and "SECUREADMIN".]

= Tickets =
* [https://github.com/QubesOS/qubes-issues/issues/9519 Create user admin by default and add user admin to group sudo by default]
* [https://github.com/QubesOS/qubes-issues/issues/9512 Selective sudo Access Enabling in VMs Without qubes-core-agent-passwordless-root via qvm-service]

= Related =

* [https://forums.whonix.org/t/disable-newly-all-installed-services-by-default/9381/2 Disable newly (all) installed services by default]
* [[Verified Boot]]
* <s>Forum discussion: [https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339 AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy]</s>
* <s>[https://github.com/{{project_name_short}}/apparmor-profile-everything AppArmor for everything: APT, systemd, init, all systemd units, all applications. Mandatory Access Control. Security Hardening.]</s>
* <s>[https://forums.whonix.org/t/untrusted-root-improve-security-by-restricting-root/7998 Untrusted Root - Improve Security by Restricting Root]</s>

= Attribution =

{{sdebian
|link=https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html
|text=Mounting partitions the right way
}}

<references/>
{{Footer}}
[[Category: Design]]
[[Category: Development]]