Lock out root and user passwords; provide passwordless login on the serial console

common/qubes_eventd_serial

@@ -0,0 +1,42 @@
+# Automatically start a configured serial console
+#
+# How this works:
+#
+# On boot, a udev helper examines /dev/console. If a serial console is the
+# primary console (last console on the commandline in grub),  the event
+# 'fedora.serial-console-available <port name> <speed>' is emitted, which
+# triggers this script. It waits for the runlevel to finish, ensures
+# the proper port is in /etc/securetty, and starts the getty.
+#
+# If your serial console is not the primary console, or you want a getty
+# on serial even if it's not the console, create your own event by copying
+# /etc/event.d/tty[2-6], and changing the getty line in that file.
+
+start on fedora.serial-console-available *
+stop on runlevel [016]
+
+instance
+pre-start script
+	while /bin/true ; do
+		LANG=C /sbin/initctl status rcS | grep -wq "rcS (stop) waiting" && break
+		sleep 1
+	done
+	while /bin/true ; do 
+		runlevel=$(/sbin/runlevel | /bin/awk '{ print $2 }')
+		case "$runlevel" in 
+			2|3|4|5)
+				LANG=C /sbin/initctl status rc$runlevel | grep -wq "rc$runlevel (stop) waiting" && break
+				;;
+			*)
+				;;
+		esac
+		sleep 1
+	done
+	/sbin/securetty $1
+end script
+exec /sbin/agetty -l /sbin/qubes_serial_login /dev/$1 $2 vt100-nav
+post-stop script
+	if [ "$UPSTART_EVENT" != "${UPSTART_EVENT##fedora.serial-console-available}" ]; then
+		initctl emit --no-wait fedora.serial-console-available $1 $2
+	fi
+end script

common/qubes_serial_login

@@ -0,0 +1,7 @@
+#!/bin/sh
+if /bin/ls -l /proc/self/fd/0 | grep -q /dev/hvc0 ; then
+	exec su - $2
+	exit
+else
+	exec /bin/login "$@"
+fi

rpm_spec/core-appvm.spec

@@ -69,10 +69,23 @@ mkdir -p $RPM_BUILD_ROOT/mnt/outgoing
 mkdir -p $RPM_BUILD_ROOT/mnt/removable
 mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
 cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
+mkdir -p $RPM_BUILD_ROOT/sbin   
+cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
+mkdir -p $RPM_BUILD_ROOT/etc
+cp ../common/qubes_eventd_serial $RPM_BUILD_ROOT/etc/
+
+%triggerin -- initscripts
+cp /etc/qubes_eventd_serial /etc/event.d/serial
 
 
 %post
 
+usermod -L root
+usermod -L user
+if ! [ -f /var/lib/qubes/serial.orig ] ; then
+	cp /etc/event.d/serial /var/lib/qubes/serial.orig
+fi
+
 if [ "$1" !=  1 ] ; then
 # do this whole %post thing only when updating for the first time...
 exit 0
@@ -132,7 +145,6 @@ do
 
     mv $f /var/lib/qubes/removed-udev-scripts/
 done
-
 mkdir -p /rw
 #rm -f /etc/mtab
 echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
@@ -145,6 +157,7 @@ if [ "$1" = 0 ] ; then
     chkconfig qubes_core off
     mv /var/lib/qubes/fstab.orig /etc/fstab
     mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+    mv /var/lib/qubes/serial.orig /etc/event.d
 fi
 
 %clean
@@ -166,3 +179,5 @@ rm -rf $RPM_BUILD_ROOT
 %dir /mnt/outgoing
 %dir /mnt/removable
 /etc/yum.repos.d/qubes.repo
+/sbin/qubes_serial_login
+/etc/qubes_eventd_serial

rpm_spec/core-netvm.spec

@@ -63,6 +63,13 @@ mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 cp qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
 cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
+mkdir -p $RPM_BUILD_ROOT/sbin   
+cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
+mkdir -p $RPM_BUILD_ROOT/etc
+cp ../common/qubes_eventd_serial $RPM_BUILD_ROOT/etc/
+
+%triggerin -- initscripts
+cp /etc/qubes_eventd_serial /etc/event.d/serial
 
 %post
 
@@ -144,6 +151,7 @@ if [ "$1" = 0 ] ; then
     chkconfig qubes_core off
     mv /var/lib/qubes/fstab.orig /etc/fstab
     mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+    mv /var/lib/qubes/serial.orig /etc/event.d
 fi
 
 %clean
@@ -159,3 +167,5 @@ rm -rf $RPM_BUILD_ROOT
 /etc/dhclient.d/qubes_setup_dnat_to_ns.sh
 /etc/NetworkManager/dispatcher.d/qubes_nmhook
 /etc/yum.repos.d/qubes.repo
+/sbin/qubes_serial_login
+/etc/qubes_eventd_serial