I am using Qubes OS, and just installed whonix-workstation-17 from the community templates (Qubes Menu → Qubes Tools → Qubes Template Manager → whonix-workstation-17 → Install → Apply). After installation, I booted up the “whonix-workstation-17 template” and tried to update and upgrade my applications within the xfce terminal:
sudo apt update && sudo apt install myapplication
Here is the output from it:
zsh: permission denied: sudo
zsh: exit 126 sudo su
So it turns out on a freshly installed template, I don’t have permissions to use sudo. sudo su returns the exact same message. I thought I might have downloaded a corrupted whonix-workstation-17 image, so I removed it, and then downloaded it again and tried using sudo or sudo su, with the exact same results:
zsh: permission denied: sudo
zsh: exit 126 sudo su
So on a fresh install inside of Qubes, I cannot use sudo in whonix-workstation-17. Why is this happening, and how can I get sudo to work in my whonix-workstation-17?
This is expected. This is part of the new hardening of Whonix Workstation templates and the introduction of the sysmaint account. Here is more information on the sysmaint account.
To have sudo access to new Whonix Workstation (and Kicksecure) templates, open a terminal with sysmaint account in them:
This hardening relies heavily on features that are only accessible on Q4.3 (e.g. boot mode), which is not yet a stable release. Having this on 4.2 on both Whonix and Kicksecure has been a usability nightmare, at least for me. Having to open a dom0 terminal every time I need root permissions is really annoying. Wouldn’t it be better to backport this to 4.2 for the time being, until Q4.3 is released? This would help new users and save time.