update the kicksecure tutorials to include how to setup the host OS

2025-06-08 03:09:32 +00:00 · 2025-05-24 21:44:04 +02:00 · 2025-05-24 21:44:04 +02:00 · d83710b817
commit d83710b817
parent e2cd8d43d1
16 changed files with 62 additions and 5 deletions
--- a/hypervisorsetup/index.md
+++ b/hypervisorsetup/index.md
@ -143,7 +143,12 @@ To setup the Private use VM, we'll download the Kicksecure ISO just like we prev

 From there you can repeat the steps that we took [to install kicksecure on the host OS](../linux/index.md), to install it:

-![](../linux/23.png) ![](../linux/24.png) ![](../linux/25.png) ![](../linux/26.png) ![](../linux/28.png)
+![alt text](../linux/image.png)
+
+And from there, Bob installs linux as per his needs:
+
+![alt text](../linux/image-1.png)
+ ![](../linux/24.png) ![](../linux/25.png) ![](../linux/26.png) ![](../linux/28.png)

 Once here, we reboot the VM, and upon rebooting we unlock the encrypted system drive:

--- a/linux/image-1.png
+++ b/linux/image-1.png
--- a/linux/image-10.png
+++ b/linux/image-10.png
--- a/linux/image-11.png
+++ b/linux/image-11.png
--- a/linux/image-2.png
+++ b/linux/image-2.png
--- a/linux/image-3.png
+++ b/linux/image-3.png
--- a/linux/image-4.png
+++ b/linux/image-4.png
--- a/linux/image-5.png
+++ b/linux/image-5.png
--- a/linux/image-6.png
+++ b/linux/image-6.png
--- a/linux/image-7.png
+++ b/linux/image-7.png
--- a/linux/image-8.png
+++ b/linux/image-8.png
--- a/linux/image-9.png
+++ b/linux/image-9.png
--- a/linux/image.png
+++ b/linux/image.png
--- a/linux/index.md
+++ b/linux/index.md
@ -126,15 +126,16 @@ Boot device Selection > **his USB stick**

 Once we selects his USB Stick, Bob can now boot from it, and he is greeted by kicksecure's welcome screen:

-![](22.png)
+![alt text](image.png)

 And from there, Bob installs linux as per his needs:

-![](23.png) ![](24.png) ![](25.png) ![](26.png) ![](28.png)
+![alt text](image-1.png)
+ ![](24.png) ![](25.png) ![](26.png) ![](28.png)

 And there, we finished the kicksecure installation, we can unplug the USB stick, and click done to reboot the computer, into the newly installed kicksecure Host OS:

-![](52.png)
+

 As we reboot the computer, we're greeted by the kicksecure boot screen, and then we type the password to unlock the encrypted system drive:

@ -148,3 +149,38 @@ And that's it! Bob has managed to get privacy from Microsoft's constant surveill

 ![](2.png)

+## Making sure that the main user has sudo rights
+
+Kicksecure by default separates the regular user and the admin user on the boot option level, however for the clientside Host OS I don't think we need that separation, so we select the "remove user-sysmaint-split" boot option, to enable [the unrestricted admin mode](http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Unrestricted_admin_mode):
+
+
+![alt text](image-2.png)
+
+Once in that boot option, we type "yes" to confirm that we want the change:
+
+![alt text](image-3.png)
+
+Here we close the terminal window once it confirms us that we can close the window:
+
+![alt text](image-4.png)
+
+Then it'll automatically reboot and enter the default user session, except that this time the user will have sudo rights by default.
+
+![alt text](image-5.png)
+
+once back in the Kicksecure Host OS, we now setup a password for the user:
+
+![alt text](image-8.png)
+
+![alt text](image-9.png)
+
+Once the sudo password is set for the user, we close the window:
+
+![alt text](image-10.png)
+
+And then we disable the autologin aswell:
+
+![alt text](image-11.png)
+
+That way, you'll be able to lock your computer whenever you're not next to it, and require to type a password to get back into it.
+
--- a/sensitivevm/image.png
+++ b/sensitivevm/image.png
--- a/sensitivevm/index.md
+++ b/sensitivevm/index.md
@ -359,6 +359,7 @@ Which after tweaking it accordingly we end up with the following reboot script:
    
    [user ~]% vim reboot.sh
    [user ~]% cat reboot.sh
+
    #!/bin/bash
    
    # turn off display
@ -382,6 +383,21 @@ Which after tweaking it accordingly we end up with the following reboot script:
    # reboot the host OS
    /usr/bin/sudo /usr/sbin/reboot now
    
+Now here if the host OS user has a password set like we setup in the [Host OS tutorial](../linux/index.md), we need can either remove the user password like so:
+
+![alt text](image.png)
+
+OR we can simply use visudo to set the NOPASSWD on the commands we want to run (that normally require a sudo password) to avoid having to type the sudo password to run them: 
+
+```sh
+[user ~]% sudo visudo
+
+# User alias specification
+user  ALL=(ALL) NOPASSWD:/usr/bin/systemctl, /usr/bin/zuluCrypt-cli, /usr/sbin/reboot, /usr/bin/virsh
+
+```
+And with this we're all set to use the emergency reboot script without having to type the sudo password.
+


 Even in a deniability setting, having this script sit in your home directory doesn't incriminate you either, **because you can tell the adversary that this script is used to prevent someone else from seeing that you're watching the non-sensitive content (such as adult content) that is sitting in the encrypted volume.** Still this is a plausible explanation that makes it look like you are cooperating to the adversary when you are being asked about that script in particular.