Merge remote-tracking branch 'qubesos/pr/63'

* qubesos/pr/63:
  archlinux: restore setup of pam.d/su-l
  archlinux: remove python3 dependency
  archlinux: ensure [options] section is present in all pacman drop-ins
  archlinux: enforce usage of python2 in all scripts
  Makefile: avoid using python interpreter as a static name
  archlinux: create user 'user' using bash by default instead of zsh
  archlinux: ship pam.d/qrexec as a replacement of using su
  archlinux: do not mess with locales in post-install script
  archlinux: remove pam configuration for su and su-l
  archlinux: remove deprecated setup of pam since v4.0.3
  Add the 4.0 repo to the PKGBUILD sources list
  Restore the binary pacman repo and update it for QubesOS 4.0
  Fix the makefile for archlinux - SBINDIR is already /usr/bin
  Update the arch PKGBUILD script for QubesOS 4.0
Marek Marczykowski-Górecki 2017-11-03 22:43:34 +01:00
commit 28be709238
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
9 changed files with 38 additions and 49 deletions


@ -9,7 +9,7 @@ BINDIR ?= /usr/bin
LIBDIR ?= /usr/lib LIBDIR ?= /usr/lib
SYSLIBDIR ?= /lib SYSLIBDIR ?= /lib
PYTHON = /usr/bin/python2 PYTHON ?= /usr/bin/python2
PYTHON_SITEARCH = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1)'` PYTHON_SITEARCH = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1)'`
PYTHON2_SITELIB = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib()'` PYTHON2_SITELIB = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib()'`
PYTHON3_SITELIB = `python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_lib())'` PYTHON3_SITELIB = `python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_lib())'`
@ -171,9 +171,13 @@ install-common: install-doc
install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
# force /usr/bin before /bin to have /usr/bin/python instead of /bin/python # force /usr/bin before /bin to have /usr/bin/python instead of /bin/python
PATH="/usr/bin:$(PATH)" python setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR) PATH="/usr/bin:$(PATH)" $(PYTHON) setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR)
mkdir -p $(DESTDIR)$(SBINDIR) mkdir -p $(DESTDIR)$(SBINDIR)
ifneq ($(SBINDIR),/usr/bin)
mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall
endif
install -d -m 0750 $(DESTDIR)/etc/sudoers.d/ install -d -m 0750 $(DESTDIR)/etc/sudoers.d/
install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
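Review bot: Making `PYTHON` overridable is only half done, because `PYTHON_SITEARCH` and `PYTHON2_SITELIB` still shell out to a literal `python2`; an override therefore installs with one interpreter and computes site paths with another, and their `python2 -c` calls should become `$(PYTHON) -c`. The switch to `?=` also lets a `PYTHON` value inherited from the build environment choose the interpreter that runs `setup.py` at install time, which the plain `=` did not allow. A comment above the assignment such as `# PYTHON may come from the command line or the environment; packagers should pin it` would make that explicit. With an absolute default, the `PATH="/usr/bin:$(PATH)"` prefix and its comment no longer select the interpreter. The install-common recipe continues outside the hunk.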


@ -3,15 +3,15 @@
# shellcheck disable=SC2034 # shellcheck disable=SC2034
pkgname=qubes-vm-core pkgname=qubes-vm-core
pkgver=$(cat version) pkgver=$(cat version)
pkgrel=11 pkgrel=13
epoch= epoch=
pkgdesc="The Qubes core files for installation inside a Qubes VM." pkgdesc="The Qubes core files for installation inside a Qubes VM."
arch=("x86_64") arch=("x86_64")
url="http://qubes-os.org/" url="http://qubes-os.org/"
license=('GPL') license=('GPL')
groups=() groups=()
depends=("qubes-vm-utils>=3.1.3" python2 python3 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg) depends=("qubes-vm-utils>=3.1.3" python2 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg)
makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release) makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release pandoc)
checkdepends=() checkdepends=()
optdepends=(gnome-keyring gnome-settings-daemon networkmanager iptables tinyproxy python2-nautilus gpk-update-viewer) optdepends=(gnome-keyring gnome-settings-daemon networkmanager iptables tinyproxy python2-nautilus gpk-update-viewer)
provides=() provides=()
@ -24,16 +24,16 @@ changelog=
source=( source=(
PKGBUILD.qubes-ensure-lib-modules.service PKGBUILD.qubes-update-desktop-icons.hook PKGBUILD.qubes-ensure-lib-modules.service PKGBUILD.qubes-update-desktop-icons.hook
PKGBUILD-qubes-noupgrade.conf PKGBUILD-qubes-pacman-options.conf
PKGBUILD-qubes-repo-3.1.conf
PKGBUILD-qubes-repo-3.2.conf PKGBUILD-qubes-repo-3.2.conf
PKGBUILD-qubes-repo-4.0.conf
) )
noextract=() noextract=()
md5sums=(SKIP) md5sums=(SKIP)
build() { build() {
for source in autostart-dropins qubes-rpc qrexec misc Makefile vm-init.d vm-systemd network init version; do for source in autostart-dropins qubes-rpc qrexec misc Makefile vm-init.d vm-systemd network init version doc setup.py qubesagent post-install.d; do
# shellcheck disable=SC2154 # shellcheck disable=SC2154
(ln -s "$srcdir/../$source" "$srcdir/$source") (ln -s "$srcdir/../$source" "$srcdir/$source")
done done
@ -46,10 +46,10 @@ build() {
sed 's:/bin/grep:grep:g' -i network/* sed 's:/bin/grep:grep:g' -i network/*
# Force running all scripts with python2 # Force running all scripts with python2
sed 's:#!/usr/bin/python:#!/usr/bin/python2:' -i misc/* sed 's:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i misc/*
sed 's:#!/usr/bin/env python:#!/usr/bin/env python2:' -i misc/* sed 's:^#!/usr/bin/env python.*:#!/usr/bin/env python2:' -i misc/*
sed 's:#!/usr/bin/python:#!/usr/bin/python2:' -i qubes-rpc/* sed 's:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i qubes-rpc/*
sed 's:#!/usr/bin/env python:#!/usr/bin/env python2:' -i qubes-rpc/* sed 's:^#!/usr/bin/env python.*:#!/usr/bin/env python2:' -i qubes-rpc/*
# Fix for archlinux sbindir # Fix for archlinux sbindir
sed 's:/usr/sbin/ntpdate:/usr/bin/ntpdate:g' -i qubes-rpc/sync-ntp-clock sed 's:/usr/sbin/ntpdate:/usr/bin/ntpdate:g' -i qubes-rpc/sync-ntp-clock
@ -65,7 +65,7 @@ package() {
# shellcheck disable=SC2154 # shellcheck disable=SC2154
make -C qrexec install DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib make -C qrexec install DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib
make install-vm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux PYTHON=python2 make install-vm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux
# Remove things non wanted in archlinux # Remove things non wanted in archlinux
rm -r "$pkgdir/etc/yum"* rm -r "$pkgdir/etc/yum"*
@ -82,7 +82,7 @@ package() {
# Install pacman.d drop-ins (at least 1 drop-in must be installed or pacman will fail) # Install pacman.d drop-ins (at least 1 drop-in must be installed or pacman will fail)
mkdir -p "${pkgdir}/etc/pacman.d" mkdir -p "${pkgdir}/etc/pacman.d"
install -m 644 "$srcdir/PKGBUILD-qubes-noupgrade.conf" "${pkgdir}/etc/pacman.d/10-qubes-noupgrade.conf" install -m 644 "$srcdir/PKGBUILD-qubes-pacman-options.conf" "${pkgdir}/etc/pacman.d/10-qubes-options.conf"
# Install pacman repository # Install pacman repository
release=$(echo "$pkgver" | cut -d '.' -f 1,2) release=$(echo "$pkgver" | cut -d '.' -f 1,2)
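Review bot: The rewritten shebang substitutions in build() carry no line address, so any line in `misc/*` or `qubes-rpc/*` that begins with `#!/usr/bin/python` is rewritten, not only the first one. The new `.*` also discards any interpreter options that followed the path. Restricting the command to line 1, `sed '1s:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i misc/*` (and likewise for the `env` form and `qubes-rpc/*`), states the intent exactly. If any script relies on a shebang option, it has to be carried over by hand. build() and package() both continue outside the hunks shown.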


@ -1,3 +0,0 @@
[options]
NoUpgrade = etc/pam.d/su
NoUpgrade = etc/pam.d/su-l


@ -0,0 +1,2 @@
[options]
NoUpgrade = etc/pam.d/su-l


@ -1,2 +1,2 @@
[qubes-r3.1] [qubes-r4.0]
Server = http://olivier.medoc.free.fr/archlinux/current Server = http://olivier.medoc.free.fr/archlinux/current
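Review bot: The `[qubes-r4.0]` stanza fetches the repository over plain `http://` and sets no `SigLevel`, so package integrity depends entirely on the global pacman default staying at signature-required. Pinning it in the stanza itself with `SigLevel = Required` would keep a locally edited pacman.conf from downgrading this repository to unsigned packages. If the host offers it, an `https://` URL would additionally protect the database and package downloads in transit.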


@ -12,7 +12,7 @@ update_default_user() {
# Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this. # Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this.
# See https://bugs.archlinux.org/task/31831 # See https://bugs.archlinux.org/task/31831
id -u 'user' >/dev/null 2>&1 || { id -u 'user' >/dev/null 2>&1 || {
useradd --user-group --create-home --shell /bin/zsh user useradd --user-group --create-home --shell /bin/bash user
} }
usermod -a --groups qubes user usermod -a --groups qubes user
} }
@ -130,21 +130,6 @@ EOF
done done
fi fi
# Make sure there is a default locale set so gnome-terminal will start
if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then
touch /etc/locale.conf
echo "LANG=en_US.UTF-8" >> /etc/locale.conf
fi
# ... and make sure it is really generated
# This line is buggy as LANG can be set to LANG="en_US.UTF-8". The Quotes must be stripped
current_locale=$(grep LANG /etc/locale.conf|cut -f 2 -d = | tr -d '"')
if [ -n "$current_locale" ] && ! locale -a | grep -q "$current_locale"; then
base=$(echo "$current_locale" | cut -f 1 -d .)
charmap=$(echo "$current_locale.UTF-8" | cut -f 2 -d .)
[ -n "$charmap" ] && charmap="-f $charmap"
# shellcheck disable=SC2086
localedef -i "$base" $charmap "$current_locale"
fi
} }
############################ ############################
@ -331,24 +316,14 @@ update_finalize() {
/usr/lib/qubes/update-proxy-configs /usr/lib/qubes/update-proxy-configs
# Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper # Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
# Also remove pam_unix.so from su configuration # This is required as qubes-gui agent calls xinit with su -l user without initializing properly
# the user session.
# pam_unix.so can also be removed from su configuration
# as system-login (which include system-auth) already gives pam_unix.so # as system-login (which include system-auth) already gives pam_unix.so
# with more appropriate parameters (fix the missing nullok parameter) # with more appropriate parameters (fix the missing nullok parameter)
if grep -q pam_unix.so /etc/pam.d/su; then if grep -q pam_unix.so /etc/pam.d/su; then
echo "Fixing pam.d" echo "Fixing pam.d"
cat <<EOF > /etc/pam.d/su cp /etc/pam.d/qrexec /etc/pam.d/su-l
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-login
account include system-login
session include system-login
EOF
cp /etc/pam.d/su /etc/pam.d/su-l
fi fi
# Archlinux specific: ensure tty1 is enabled # Archlinux specific: ensure tty1 is enabled
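Review bot: In update_finalize the guard still greps `/etc/pam.d/su`, but the branch now overwrites `/etc/pam.d/su-l`. Because `su` is no longer rewritten, the condition presumably stays true, so `su-l` is replaced on every run and local changes to it are lost. Testing the file that is actually written, `if [ -e /etc/pam.d/qrexec ] && grep -q pam_unix.so /etc/pam.d/su-l 2>/dev/null; then`, would make the step idempotent, assuming the stock su-l carries pam_unix.so as su does. It would also avoid a failing `cp` when the qrexec PAM file is absent. The comment block above still describes removing pam_unix.so from the su configuration, which this code no longer does; it should say that su-l is replaced with the qrexec stack. update_finalize continues outside the hunk.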


@ -121,7 +121,7 @@ if [ -d /etc/pacman.d ]; then
### All modifications here will be lost. ### All modifications here will be lost.
### If you want to override some of this settings, create another file under ### If you want to override some of this settings, create another file under
### /etc/pacman.d ### /etc/pacman.d
[options]
XferCommand = http_proxy=$PROXY_ADDR /usr/bin/curl -C - -f %u > %o XferCommand = http_proxy=$PROXY_ADDR /usr/bin/curl -C - -f %u > %o
EOF EOF
else else


@ -21,6 +21,8 @@ install:
install qubes-rpc-multiplexer $(DESTDIR)/usr/lib/qubes install qubes-rpc-multiplexer $(DESTDIR)/usr/lib/qubes
ifeq ($(shell lsb_release -is), Debian) ifeq ($(shell lsb_release -is), Debian)
install -D -m 0644 qrexec.pam.debian $(DESTDIR)/etc/pam.d/qrexec install -D -m 0644 qrexec.pam.debian $(DESTDIR)/etc/pam.d/qrexec
else ifeq ($(shell lsb_release -is), Arch)
install -D -m 0644 qrexec.pam.archlinux $(DESTDIR)/etc/pam.d/qrexec
else else
install -D -m 0644 qrexec.pam $(DESTDIR)/etc/pam.d/qrexec install -D -m 0644 qrexec.pam $(DESTDIR)/etc/pam.d/qrexec
endif endif
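Review bot: The PAM file is selected from `lsb_release -is` on the build host, and the new `else ifeq` branch runs that command a second time. If the tool is missing or reports a different ID, the build silently installs the generic `qrexec.pam`, which presumably does not match Arch's PAM layout. Evaluating it once near the top, `DIST_ID := $(shell lsb_release -is)`, and comparing `$(DIST_ID)` in both branches removes the duplicate fork and gives the packaging script one variable to set explicitly. The install recipe starts outside the hunk.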


@ -0,0 +1,9 @@
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-login
account include system-login
session include system-login
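Review bot: The new PAM file (presumably qrexec.pam.archlinux) has no header saying what it is for, and the two commented `pam_wheel.so` lines read as if this were su's own configuration. The Arch post-install script on this page copies `/etc/pam.d/qrexec` over `/etc/pam.d/su-l`. A comment after the `#%PAM-1.0` line such as `# qrexec service stack; also copied to /etc/pam.d/su-l at install time, so edits here change su -l too` would tell an administrator that loosening this file also loosens interactive `su -l`.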