From ed15bc157ee84fb1d8bf7928fe4c45145b8daebe Mon Sep 17 00:00:00 2001 From: Nedyalko Andreev Date: Tue, 17 Oct 2017 22:58:01 +0300 Subject: [PATCH 01/14] Update the arch PKGBUILD script for QubesOS 4.0 --- archlinux/PKGBUILD | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index d501c7b..8f4a0ac 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD @@ -11,7 +11,7 @@ url="http://qubes-os.org/" license=('GPL') groups=() depends=("qubes-vm-utils>=3.1.3" python2 python3 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg) -makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release) +makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release pandoc) checkdepends=() optdepends=(gnome-keyring gnome-settings-daemon networkmanager iptables tinyproxy python2-nautilus gpk-update-viewer) provides=() @@ -33,7 +33,7 @@ noextract=() md5sums=(SKIP) build() { - for source in autostart-dropins qubes-rpc qrexec misc Makefile vm-init.d vm-systemd network init version; do + for source in autostart-dropins qubes-rpc qrexec misc Makefile vm-init.d vm-systemd network init version doc setup.py qubesagent post-install.d; do # shellcheck disable=SC2154 (ln -s "$srcdir/../$source" "$srcdir/$source") done 
@@ -85,9 +85,9 @@ package() { install -m 644 "$srcdir/PKGBUILD-qubes-noupgrade.conf" "${pkgdir}/etc/pacman.d/10-qubes-noupgrade.conf" # Install pacman repository - release=$(echo "$pkgver" | cut -d '.' -f 1,2) - echo "Installing repository for release ${release}" - install -m 644 "$srcdir/PKGBUILD-qubes-repo-${release}.conf" "${pkgdir}/etc/pacman.d/99-qubes-repository-${release}.conf.disabled" + #release=$(echo "$pkgver" | cut -d '.' -f 1,2) + #echo "Installing repository for release ${release}" + #install -m 644 "$srcdir/PKGBUILD-qubes-repo-${release}.conf" "${pkgdir}/etc/pacman.d/99-qubes-repository-${release}.conf.disabled" # Archlinux specific: enable autologin on tty1 mkdir -p "$pkgdir/etc/systemd/system/getty@tty1.service.d/" From 607096eed61fae69a563273fb19239bbebd73b39 Mon Sep 17 00:00:00 2001 From: Nedyalko Andreev Date: Tue, 17 Oct 2017 22:59:38 +0300 Subject: [PATCH 02/14] Fix the makefile for archlinux - SBINDIR is already /usr/bin --- Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile b/Makefile index a815578..ee6c08c 100644 --- a/Makefile +++ b/Makefile @@ -173,7 +173,11 @@ install-common: install-doc # force /usr/bin before /bin to have /usr/bin/python instead of /bin/python PATH="/usr/bin:$(PATH)" python setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR) mkdir -p $(DESTDIR)$(SBINDIR) + +ifneq ($(SBINDIR),/usr/bin) mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall +endif + install -d -m 0750 $(DESTDIR)/etc/sudoers.d/ install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes From 7770a69030a6ca56fe8000b69eb30660dce5327b Mon Sep 17 00:00:00 2001 
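Review bot: In patch 02's `Makefile` hunk, the new `ifneq ($(SBINDIR),/usr/bin)` guard is an exact string comparison, so a caller passing `SBINDIR=/usr/bin/` (trailing slash) would still reach the `mv` with source and destination naming the same file, and the failing `mv` would abort the install. Normalising before comparing avoids that: `ifneq ($(abspath $(SBINDIR)),/usr/bin)`. A one-line comment such as `# setup.py installs qubes-firewall into /usr/bin; relocate only when SBINDIR differs` would explain why the literal path is used. The `install-common` recipe starts and ends outside this hunk.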
From: Nedyalko Andreev Date: Sat, 21 Oct 2017 15:44:05 +0300 Subject: [PATCH 03/14] Restore the binary pacman repo and update it for QubesOS 4.0 --- archlinux/PKGBUILD | 6 +++--- ...ILD-qubes-repo-3.1.conf => PKGBUILD-qubes-repo-4.0.conf} | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) rename archlinux/{PKGBUILD-qubes-repo-3.1.conf => PKGBUILD-qubes-repo-4.0.conf} (81%) diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index 8f4a0ac..3798d2a 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD @@ -85,9 +85,9 @@ package() { install -m 644 "$srcdir/PKGBUILD-qubes-noupgrade.conf" "${pkgdir}/etc/pacman.d/10-qubes-noupgrade.conf" # Install pacman repository - #release=$(echo "$pkgver" | cut -d '.' -f 1,2) - #echo "Installing repository for release ${release}" - #install -m 644 "$srcdir/PKGBUILD-qubes-repo-${release}.conf" "${pkgdir}/etc/pacman.d/99-qubes-repository-${release}.conf.disabled" + release=$(echo "$pkgver" | cut -d '.' -f 1,2) + echo "Installing repository for release ${release}" + install -m 644 "$srcdir/PKGBUILD-qubes-repo-${release}.conf" "${pkgdir}/etc/pacman.d/99-qubes-repository-${release}.conf.disabled" # Archlinux specific: enable autologin on tty1 mkdir -p "$pkgdir/etc/systemd/system/getty@tty1.service.d/" diff --git a/archlinux/PKGBUILD-qubes-repo-3.1.conf b/archlinux/PKGBUILD-qubes-repo-4.0.conf similarity index 81% rename from archlinux/PKGBUILD-qubes-repo-3.1.conf rename to archlinux/PKGBUILD-qubes-repo-4.0.conf index 8f86b6d..3c02cfb 100644 --- a/archlinux/PKGBUILD-qubes-repo-3.1.conf +++ b/archlinux/PKGBUILD-qubes-repo-4.0.conf @@ -1,2 +1,2 @@ -[qubes-r3.1] +[qubes-r4.0] Server = http://olivier.medoc.free.fr/archlinux/current From 2a006b6c093b2a43d4f5bb5ecee30259bb5ae2ce Mon Sep 17 00:00:00 2001 From: Nedyalko Andreev Date: Sun, 22 Oct 2017 00:07:18 +0300 Subject: [PATCH 04/14] Add the 4.0 repo to the PKGBUILD sources list --- archlinux/PKGBUILD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
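Review bot: In patch 03, the renamed `archlinux/PKGBUILD-qubes-repo-4.0.conf` keeps `Server = http://olivier.medoc.free.fr/archlinux/current`, so the 4.0 repository is still fetched over plaintext HTTP, and the two-line file sets no `SigLevel` of its own. Whether packages from `[qubes-r4.0]` are signature-checked therefore depends on the global `[options]` of the template's pacman.conf, which this series does not show. Since the section is being recreated for a new release anyway, I would pin the policy in the drop-in with `SigLevel = Required DatabaseOptional` and switch the URL to HTTPS if the host offers it. The file is installed as `.conf.disabled`, so this takes effect once a user enables it.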
diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index 3798d2a..974f9fd 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD @@ -25,8 +25,8 @@ changelog= source=( PKGBUILD.qubes-ensure-lib-modules.service PKGBUILD.qubes-update-desktop-icons.hook PKGBUILD-qubes-noupgrade.conf - PKGBUILD-qubes-repo-3.1.conf PKGBUILD-qubes-repo-3.2.conf + PKGBUILD-qubes-repo-4.0.conf ) noextract=() From f65ab12c46ee87160834fc47c6fac528a39f4e49 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Sun, 22 Oct 2017 21:43:47 +0200 Subject: [PATCH 05/14] archlinux: remove deprecated setup of pam since v4.0.3 PAM is now used directly instead of calling su --- archlinux/PKGBUILD.install | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/archlinux/PKGBUILD.install b/archlinux/PKGBUILD.install index 5265c3b..3a852cf 100644 --- a/archlinux/PKGBUILD.install +++ b/archlinux/PKGBUILD.install @@ -330,27 +330,6 @@ update_finalize() { /usr/lib/qubes/update-proxy-configs - # Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper - # Also remove pam_unix.so from su configuration - # as system-login (which include system-auth) already gives pam_unix.so - # with more appropriate parameters (fix the missing nullok parameter) - - if grep -q pam_unix.so /etc/pam.d/su; then - echo "Fixing pam.d" - cat < /etc/pam.d/su -#%PAM-1.0 -auth sufficient pam_rootok.so -# Uncomment the following line to implicitly trust users in the "wheel" group. -#auth sufficient pam_wheel.so trust use_uid -# Uncomment the following line to require a user to be in the "wheel" group. -#auth required pam_wheel.so use_uid -auth include system-login -account include system-login -session include system-login -EOF - cp /etc/pam.d/su /etc/pam.d/su-l - fi - # Archlinux specific: ensure tty1 is enabled rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service systemctl enable getty\@tty1.service From 6b68397f6f8b2c0f8b1b3c21d00298d7ba14e435 Mon Sep 17 00:00:00 2001 
From: Olivier MEDOC Date: Mon, 23 Oct 2017 07:49:10 +0200 Subject: [PATCH 06/14] archlinux: remove pam configuration for su and su-l The related bug should have been fixed in issue #2903 (https://github.com/QubesOS/qubes-issues/issues/2903) --- archlinux/PKGBUILD | 2 -- archlinux/PKGBUILD-qubes-noupgrade.conf | 3 --- 2 files changed, 5 deletions(-) delete mode 100644 archlinux/PKGBUILD-qubes-noupgrade.conf diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index 974f9fd..1f9f44b 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD @@ -24,7 +24,6 @@ changelog= source=( PKGBUILD.qubes-ensure-lib-modules.service PKGBUILD.qubes-update-desktop-icons.hook - PKGBUILD-qubes-noupgrade.conf PKGBUILD-qubes-repo-3.2.conf PKGBUILD-qubes-repo-4.0.conf ) @@ -82,7 +81,6 @@ package() { # Install pacman.d drop-ins (at least 1 drop-in must be installed or pacman will fail) mkdir -p "${pkgdir}/etc/pacman.d" - install -m 644 "$srcdir/PKGBUILD-qubes-noupgrade.conf" "${pkgdir}/etc/pacman.d/10-qubes-noupgrade.conf" # Install pacman repository release=$(echo "$pkgver" | cut -d '.' -f 1,2) diff --git a/archlinux/PKGBUILD-qubes-noupgrade.conf b/archlinux/PKGBUILD-qubes-noupgrade.conf deleted file mode 100644 index 343f988..0000000 --- a/archlinux/PKGBUILD-qubes-noupgrade.conf +++ /dev/null @@ -1,3 +0,0 @@ -[options] -NoUpgrade = etc/pam.d/su -NoUpgrade = etc/pam.d/su-l From 0bf69ebc2446a55918632561b2c8c8f2a6a7a8a4 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 23 Oct 2017 07:53:23 +0200 Subject: [PATCH 07/14] archlinux: do not mess with locales in post-install script Locales must be setup properly in the template. --- archlinux/PKGBUILD.install | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/archlinux/PKGBUILD.install b/archlinux/PKGBUILD.install index 3a852cf..bf79e61 100644 --- a/archlinux/PKGBUILD.install +++ b/archlinux/PKGBUILD.install 
@@ -130,21 +130,6 @@ EOF done fi - # Make sure there is a default locale set so gnome-terminal will start - if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then - touch /etc/locale.conf - echo "LANG=en_US.UTF-8" >> /etc/locale.conf - fi - # ... and make sure it is really generated - # This line is buggy as LANG can be set to LANG="en_US.UTF-8". The Quotes must be stripped - current_locale=$(grep LANG /etc/locale.conf|cut -f 2 -d = | tr -d '"') - if [ -n "$current_locale" ] && ! locale -a | grep -q "$current_locale"; then - base=$(echo "$current_locale" | cut -f 1 -d .) - charmap=$(echo "$current_locale.UTF-8" | cut -f 2 -d .) - [ -n "$charmap" ] && charmap="-f $charmap" - # shellcheck disable=SC2086 - localedef -i "$base" $charmap "$current_locale" - fi } ############################ From 0b15761d69408d254d0cad2388fda425f030d990 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 23 Oct 2017 08:09:34 +0200 Subject: [PATCH 08/14] archlinux: ship pam.d/qrexec as a replacement of using su --- qrexec/Makefile | 2 ++ qrexec/qrexec.pam.archlinux | 9 +++++++++ 2 files changed, 11 insertions(+) create mode 100644 qrexec/qrexec.pam.archlinux diff --git a/qrexec/Makefile b/qrexec/Makefile index 0732c46..443ef0c 100644 --- a/qrexec/Makefile +++ b/qrexec/Makefile @@ -21,6 +21,8 @@ install: install qubes-rpc-multiplexer $(DESTDIR)/usr/lib/qubes ifeq ($(shell lsb_release -is), Debian) install -D -m 0644 qrexec.pam.debian $(DESTDIR)/etc/pam.d/qrexec +else ifeq ($(shell lsb_release -is), Arch) + install -D -m 0644 qrexec.pam.archlinux $(DESTDIR)/etc/pam.d/qrexec else install -D -m 0644 qrexec.pam $(DESTDIR)/etc/pam.d/qrexec endif diff --git a/qrexec/qrexec.pam.archlinux b/qrexec/qrexec.pam.archlinux new file mode 100644 index 0000000..3289b7c --- /dev/null +++ b/qrexec/qrexec.pam.archlinux 
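Review bot: In patch 08's `qrexec/Makefile` hunk, the PAM file that gets installed is chosen from `$(shell lsb_release -is)` on the build host, and a missing `lsb_release` or an unexpected distributor string silently falls through to the generic `qrexec.pam`. For a file that defines the qrexec PAM stack that silent fallback is worth avoiding; the PKGBUILD passes `DIST=archlinux` to the top-level `make install-vm`, but its `make -C qrexec install` call does not. I would evaluate the command once near the top of the file, e.g. `DISTRIBUTOR := $(shell lsb_release -is 2>/dev/null)`, and test that variable in both `ifeq` lines, which also stops the command from running twice at parse time. The `install` recipe continues outside the hunk.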
@@ -0,0 +1,9 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +# Uncomment the following line to implicitly trust users in the "wheel" group. +#auth sufficient pam_wheel.so trust use_uid +# Uncomment the following line to require a user to be in the "wheel" group. +#auth required pam_wheel.so use_uid +auth include system-login +account include system-login +session include system-login From 5e4ca2ac743576b07c0d162f43b8784f3a8d36f6 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 23 Oct 2017 09:35:24 +0200 Subject: [PATCH 09/14] archlinux: create user 'user' using bash by default instead of zsh The bash/zsh bug should not be present anymore in Qubes 4.0 as discussed in the issue 2888. (https://github.com/QubesOS/qubes-issues/issues/2888) --- archlinux/PKGBUILD.install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archlinux/PKGBUILD.install b/archlinux/PKGBUILD.install index bf79e61..4e0c899 100644 --- a/archlinux/PKGBUILD.install +++ b/archlinux/PKGBUILD.install @@ -12,7 +12,7 @@ update_default_user() { # Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this. # See https://bugs.archlinux.org/task/31831 id -u 'user' >/dev/null 2>&1 || { - useradd --user-group --create-home --shell /bin/zsh user + useradd --user-group --create-home --shell /bin/bash user } usermod -a --groups qubes user } From a9898d576e3ea340ef600b22506f11b6c112d97f Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 23 Oct 2017 19:53:25 +0200 Subject: [PATCH 10/14] Makefile: avoid using python interpreter as a static name --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index ee6c08c..6a6aadf 100644 --- a/Makefile +++ b/Makefile 
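Review bot: The new `qrexec/qrexec.pam.archlinux` (patch 08) carries no comment explaining its policy, and the two commented `pam_wheel.so` hints are su-specific text that appears to have been copied from the `/etc/pam.d/su` template removed in patch 05. Because `auth sufficient pam_rootok.so` lets a root caller skip the rest of the auth stack, a header comment stating that this is intentional would help later reviewers, for example `# Used by the qrexec agent (runs as root) to open a session for the target user; no password is expected.` That wording assumes the agent runs as root, which is not shown in this series, so please confirm before adopting it. Patch 14 later copies this file over `/etc/pam.d/su-l`, which is a second reason to document it.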
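Review bot: In patch 09's `archlinux/PKGBUILD.install` hunk, the comment above `useradd` still describes the Arch bash `su -c` problem (bugs.archlinux.org task 31831) as if it applied, while the new line now selects `/bin/bash`. I would replace it with something like `# bash is the default shell again; the su -c profile issue no longer applies in Qubes 4.0 (qubes-issues #2888)`. The `id -u 'user' ||` guard also means accounts created by earlier package versions keep `/bin/zsh`; if that should change on upgrade it needs an explicit step, which this hunk does not add. `update_default_user` begins above the hunk.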
@@ -9,7 +9,7 @@ BINDIR ?= /usr/bin LIBDIR ?= /usr/lib SYSLIBDIR ?= /lib -PYTHON = /usr/bin/python2 +PYTHON ?= /usr/bin/python2 PYTHON_SITEARCH = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1)'` PYTHON2_SITELIB = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib()'` PYTHON3_SITELIB = `python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_lib())'` @@ -171,7 +171,7 @@ install-common: install-doc install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab # force /usr/bin before /bin to have /usr/bin/python instead of /bin/python - PATH="/usr/bin:$(PATH)" python setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR) + PATH="/usr/bin:$(PATH)" $(PYTHON) setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR) mkdir -p $(DESTDIR)$(SBINDIR) ifneq ($(SBINDIR),/usr/bin) From 5fdcb1968516691f4e77f1537ea51f66dd025310 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 23 Oct 2017 20:16:27 +0200 Subject: [PATCH 11/14] archlinux: enforce usage of python2 in all scripts --- archlinux/PKGBUILD | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index 1f9f44b..8494064 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD 
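Review bot: In patch 10's first `Makefile` hunk, `PYTHON ?= /usr/bin/python2` becomes overridable but the neighbouring `PYTHON_SITEARCH` and `PYTHON2_SITELIB` lines still call a hard-coded `python2`, so an override can run `setup.py` with one interpreter while the site directories are computed with another. Replacing the literal `python2` inside those two backquoted commands with `$(PYTHON)` keeps them aligned. In the second hunk (`install-common`), the comment about forcing `/usr/bin` ahead of `/bin` no longer matches the default, because an absolute `$(PYTHON)` ignores `PATH`; it only matters for a bare name such as the `PYTHON=python2` that patch 11 passes. `?=` also takes the value from the environment, so a short comment saying that this is intended, e.g. `# PYTHON may be set by the packaging environment`, would be useful.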
@@ -45,10 +45,10 @@ build() { sed 's:/bin/grep:grep:g' -i network/* # Force running all scripts with python2 - sed 's:#!/usr/bin/python:#!/usr/bin/python2:' -i misc/* - sed 's:#!/usr/bin/env python:#!/usr/bin/env python2:' -i misc/* - sed 's:#!/usr/bin/python:#!/usr/bin/python2:' -i qubes-rpc/* - sed 's:#!/usr/bin/env python:#!/usr/bin/env python2:' -i qubes-rpc/* + sed 's:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i misc/* + sed 's:^#!/usr/bin/env python.*:#!/usr/bin/env python2:' -i misc/* + sed 's:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i qubes-rpc/* + sed 's:^#!/usr/bin/env python.*:#!/usr/bin/env python2:' -i qubes-rpc/* # Fix for archlinux sbindir sed 's:/usr/sbin/ntpdate:/usr/bin/ntpdate:g' -i qubes-rpc/sync-ntp-clock @@ -64,7 +64,7 @@ package() { # shellcheck disable=SC2154 make -C qrexec install DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib - make install-vm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux + PYTHON=python2 make install-vm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux # Remove things non wanted in archlinux rm -r "$pkgdir/etc/yum"* From 26659d4e51f8c7ebae17b6ab48fa666baacc4aae Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 23 Oct 2017 20:22:04 +0200 Subject: [PATCH 12/14] archlinux: ensure [options] section is present in all pacman drop-ins Create an empty [options] dropin by default or pacman will fail when no dropin is present --- archlinux/PKGBUILD | 2 ++ archlinux/PKGBUILD-qubes-pacman-options.conf | 1 + network/update-proxy-configs | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 archlinux/PKGBUILD-qubes-pacman-options.conf diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index 8494064..cb9a23e 100644 --- a/archlinux/PKGBUILD 
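Review bot: In patch 11's first `archlinux/PKGBUILD` hunk, the new pattern `^#!/usr/bin/python.*` also matches `#!/usr/bin/python3` and discards any interpreter flags, so a Python 3 script under `misc/` or `qubes-rpc/` would be silently retargeted to python2. The expression is also applied to every line of every file rather than to the first line only. Restricting it to an unversioned shebang on line 1 avoids both, e.g. `sed '1s:^#!/usr/bin/python\( .*\)\?$:#!/usr/bin/python2\1:' -i misc/*`, with the same shape for the `env` variant. Whether any Python 3 scripts exist in those directories is not visible here, so treat the first point as a risk to check rather than a confirmed break.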
+++ b/archlinux/PKGBUILD @@ -24,6 +24,7 @@ changelog= source=( PKGBUILD.qubes-ensure-lib-modules.service PKGBUILD.qubes-update-desktop-icons.hook + PKGBUILD-qubes-pacman-options.conf PKGBUILD-qubes-repo-3.2.conf PKGBUILD-qubes-repo-4.0.conf ) @@ -81,6 +82,7 @@ package() { # Install pacman.d drop-ins (at least 1 drop-in must be installed or pacman will fail) mkdir -p "${pkgdir}/etc/pacman.d" + install -m 644 "$srcdir/PKGBUILD-qubes-pacman-options.conf" "${pkgdir}/etc/pacman.d/10-qubes-options.conf" # Install pacman repository release=$(echo "$pkgver" | cut -d '.' -f 1,2) diff --git a/archlinux/PKGBUILD-qubes-pacman-options.conf b/archlinux/PKGBUILD-qubes-pacman-options.conf new file mode 100644 index 0000000..0b16520 --- /dev/null +++ b/archlinux/PKGBUILD-qubes-pacman-options.conf @@ -0,0 +1 @@ +[options] \ No newline at end of file diff --git a/network/update-proxy-configs b/network/update-proxy-configs index 9d067c4..6c5c53f 100755 --- a/network/update-proxy-configs +++ b/network/update-proxy-configs @@ -121,7 +121,7 @@ if [ -d /etc/pacman.d ]; then ### All modifications here will be lost. ### If you want to override some of this settings, create another file under ### /etc/pacman.d - +[options] XferCommand = http_proxy=$PROXY_ADDR /usr/bin/curl -C - -f %u > %o EOF else From 0f3084ff2a5b88a41c7c5c17651a84b32cc4d09e Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 23 Oct 2017 20:23:51 +0200 Subject: [PATCH 13/14] archlinux: remove python3 dependency --- archlinux/PKGBUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index cb9a23e..67a52ca 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD 
@@ -3,14 +3,14 @@ # shellcheck disable=SC2034 pkgname=qubes-vm-core pkgver=$(cat version) -pkgrel=11 +pkgrel=12 epoch= pkgdesc="The Qubes core files for installation inside a Qubes VM." arch=("x86_64") url="http://qubes-os.org/" license=('GPL') groups=() -depends=("qubes-vm-utils>=3.1.3" python2 python3 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg) +depends=("qubes-vm-utils>=3.1.3" python2 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg) makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release pandoc) checkdepends=() optdepends=(gnome-keyring gnome-settings-daemon networkmanager iptables tinyproxy python2-nautilus gpk-update-viewer) From 5971cdd5bcb9f2061fc87acb8763cbf7070ad8a5 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Wed, 25 Oct 2017 14:54:48 +0200 Subject: [PATCH 14/14] archlinux: restore setup of pam.d/su-l qubes-gui agent calls su-l instead of initializing its own pam session such as qrexec. pam.d/su-l qubes specific configuration must be restored to ensure that the user login session is properly initialized: https://github.com/QubesOS/qubes-issues/issues/3185 --- archlinux/PKGBUILD | 2 +- archlinux/PKGBUILD-qubes-pacman-options.conf | 3 ++- archlinux/PKGBUILD.install | 11 +++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index 67a52ca..6a3dd4e 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD 
@@ -3,7 +3,7 @@ # shellcheck disable=SC2034 pkgname=qubes-vm-core pkgver=$(cat version) -pkgrel=12 +pkgrel=13 epoch= pkgdesc="The Qubes core files for installation inside a Qubes VM." arch=("x86_64") diff --git a/archlinux/PKGBUILD-qubes-pacman-options.conf b/archlinux/PKGBUILD-qubes-pacman-options.conf index 0b16520..703c472 100644 --- a/archlinux/PKGBUILD-qubes-pacman-options.conf +++ b/archlinux/PKGBUILD-qubes-pacman-options.conf @@ -1 +1,2 @@ -[options] \ No newline at end of file +[options] +NoUpgrade = etc/pam.d/su-l \ No newline at end of file diff --git a/archlinux/PKGBUILD.install b/archlinux/PKGBUILD.install index 4e0c899..94a71d5 100644 --- a/archlinux/PKGBUILD.install +++ b/archlinux/PKGBUILD.install @@ -315,6 +315,17 @@ update_finalize() { /usr/lib/qubes/update-proxy-configs + # Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper + # This is required as qubes-gui agent calls xinit with su -l user without initializing properly + # the user session. + # pam_unix.so can also be removed from su configuration + # as system-login (which include system-auth) already gives pam_unix.so + # with more appropriate parameters (fix the missing nullok parameter) + if grep -q pam_unix.so /etc/pam.d/su; then + echo "Fixing pam.d" + cp /etc/pam.d/qrexec /etc/pam.d/su-l + fi + # Archlinux specific: ensure tty1 is enabled rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service systemctl enable getty\@tty1.service
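Review bot: In patch 14's `archlinux/PKGBUILD.install` hunk, the guard greps `/etc/pam.d/su` but the action overwrites `/etc/pam.d/su-l`, and nothing here modifies `/etc/pam.d/su`, so the condition stays true and `su-l` is replaced on every `update_finalize` run, including any local hardening an administrator made to it. Testing the file that is actually replaced makes the step converge, assuming the stock `su-l` also references `pam_unix.so`: `if [ -e /etc/pam.d/qrexec ] && grep -q pam_unix.so /etc/pam.d/su-l 2>/dev/null; then`. I would also use `install -m 0644 /etc/pam.d/qrexec /etc/pam.d/su-l` rather than `cp`, so the mode of a PAM file does not depend on the umask. The comment block still talks about changing the `su` configuration and removing `pam_unix.so` from it, which this code no longer does, and should be reworded to describe `su-l` only. `update_finalize` starts and ends outside the hunk.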