From 32915fe126271636f53d0c6bcc6953f03db4aea0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 31 May 2017 21:18:34 +0200 Subject: [PATCH] deb,rpm: split passwordless root access configs into separate package Make passwordless root access optional - ease integration qrexec authorization for sudo. QubesOS/qubes-issues#2695 --- debian/control | 15 +++++- ...bes-core-agent-passwordless-root.displace} | 2 +- ...gent-passwordless-root.displace-extension} | 0 ...qubes-core-agent-passwordless-root.install | 4 ++ ...qubes-core-agent-passwordless-root.preinst | 48 +++++++++++++++++++ debian/qubes-core-agent.install | 4 -- debian/qubes-core-agent.preinst | 5 +- rpm_spec/core-agent.spec | 28 +++++++++-- 8 files changed, 92 insertions(+), 14 deletions(-) rename debian/{qubes-core-agent.displace => qubes-core-agent-passwordless-root.displace} (80%) rename debian/{qubes-core-agent.displace-extension => qubes-core-agent-passwordless-root.displace-extension} (100%) create mode 100644 debian/qubes-core-agent-passwordless-root.install create mode 100755 debian/qubes-core-agent-passwordless-root.preinst diff --git a/debian/control b/debian/control index 7d6823e..9aa8244 100644 --- a/debian/control +++ b/debian/control @@ -69,8 +69,7 @@ Recommends: qubes-core-agent-networking, qubes-core-agent-network-manager, xsettingsd -Provides: ${diverted-files} -Conflicts: ${diverted-files}, qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit +Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit Description: Qubes core agent This package includes various daemons necessary for qubes domU support, such as qrexec. 
@@ -135,3 +134,15 @@ Description: NetworkManager integration for Qubes VM * make connections config persistent * adjust DNS redirections when needed * show/hide NetworkManager applet icon + +Package: qubes-core-agent-passwordless-root +Architecture: any +Replaces: qubes-core-agent (<< 4.0.0-1) +Breaks: qubes-core-agent (<< 4.0.0-1) +Provides: ${diverted-files} +Conflicts: ${diverted-files} +Description: Passwordless root access from normal user + Configure sudo, PolicyKit and similar tool to not ask for any password when + switching from user to root. Since all the user data in a VM is accessible + already from normal user account, there is not much more to guard there. Qubes + VM is a single user system. diff --git a/debian/qubes-core-agent.displace b/debian/qubes-core-agent-passwordless-root.displace similarity index 80% rename from debian/qubes-core-agent.displace rename to debian/qubes-core-agent-passwordless-root.displace index 7dde451..6d19bf3 100644 --- a/debian/qubes-core-agent.displace +++ b/debian/qubes-core-agent-passwordless-root.displace @@ -1,4 +1,4 @@ -## This file is part of Whonix. +## This file is part of Qubes OS. ## Copyright (C) 2012 - 2014 Patrick Schleizer ## See the file COPYING for copying conditions. diff --git a/debian/qubes-core-agent.displace-extension b/debian/qubes-core-agent-passwordless-root.displace-extension similarity index 100% rename from debian/qubes-core-agent.displace-extension rename to debian/qubes-core-agent-passwordless-root.displace-extension diff --git a/debian/qubes-core-agent-passwordless-root.install b/debian/qubes-core-agent-passwordless-root.install new file mode 100644 index 0000000..34c7768 --- /dev/null +++ b/debian/qubes-core-agent-passwordless-root.install @@ -0,0 +1,4 @@ +etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla +etc/polkit-1/rules.d/00-qubes-allow-all.rules +etc/pam.d/su.qubes +etc/sudoers.d/qubes 
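Review bot: The new `qubes-core-agent-passwordless-root` stanza declares no `Depends:` or `Pre-Depends:`, yet the preinst this commit adds for it runs `usermod -a --groups sudo user` under `set -e`. Nothing visible here guarantees that `qubes-core-agent` has already created the `user` account when that preinst runs, and if the account is missing the call fails and the installation aborts. Either declare the ordering, for example `Pre-Depends: qubes-core-agent (>= 4.0.0-1)`, or move the account changes into a postinst and use a plain `Depends:`.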
diff --git a/debian/qubes-core-agent-passwordless-root.preinst b/debian/qubes-core-agent-passwordless-root.preinst
new file mode 100755
index 0000000..fdd0079
--- /dev/null
+++ b/debian/qubes-core-agent-passwordless-root.preinst
@@ -0,0 +1,48 @@
+#!/bin/sh
+# preinst script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The preinst script may be called in the following ways:
+# * 'install'
+# * 'install'
+# * 'upgrade'
+#
+# The package will not yet be unpacked, so the preinst script cannot rely
+# on any files included in its package. Only essential packages and
+# pre-dependencies (Pre-Depends) may be assumed to be available.
+# Pre-dependencies will have been configured at least once, but at the time the
+# preinst is called they may only be in an "Unpacked" or "Half-Configured" state
+# if a previous version of the pre-dependency was completely configured and has
+# not been removed since then.
+#
+#
+# * 'abort-upgrade'
+#
+# Called during error handling of an upgrade that failed after unpacking the
+# new package because the postrm upgrade action failed. The unpacked files may
+# be partly from the new version or partly missing, so the script cannot rely
+# on files included in the package. Package dependencies may not be available.
+# Pre-dependencies will be at least "Unpacked" following the same rules as
+# above, except they may be only "Half-Installed" if an upgrade of the
+# pre-dependency failed.[46]
+#
+# For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "$1" = "install" ] ; then
+ usermod -p '' root
+ usermod -a --groups sudo user
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :
diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install
index 26d83cf..6a9e06e 100644
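Review bot: Nothing on the Debian side undoes what this preinst sets up: the diffstat shows no postrm or prerm for `qubes-core-agent-passwordless-root`, so `usermod -p '' root` and the `sudo` group membership of `user` stay in place after the package is removed. The RPM half of the same commit does revert the root password, in `%postun passwordless-root`. Since the split exists to make passwordless root optional, removing the package should revoke it; a postrm that runs `usermod -p '*' root` on `remove` would mirror the RPM behaviour, and the `sudo` membership probably wants dropping there as well. The header comment `# preinst script for core-agent-linux` was also carried over from the main package and should name this package.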
--- a/debian/qubes-core-agent.install +++ b/debian/qubes-core-agent.install @@ -4,9 +4,6 @@ etc/apt/sources.list.d/qubes-r3.list etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg etc/fstab etc/needrestart/conf.d/50_qubes.conf -etc/pam.d/su.qubes -etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla -etc/polkit-1/rules.d/00-qubes-allow-all.rules etc/profile.d/qt_x11_no_mitshm.sh etc/qubes-rpc/qubes.Backup etc/qubes-rpc/qubes.DetachPciDevice @@ -37,7 +34,6 @@ etc/qubes/post-install.d/*.sh etc/qubes/suspend-post.d/README etc/qubes/suspend-pre.d/README etc/sudoers.d/qt_x11_no_mitshm -etc/sudoers.d/qubes etc/sudoers.d/umask etc/sysctl.d/20_tcp_timestamps.conf etc/sysctl.d/80-qubes.conf diff --git a/debian/qubes-core-agent.preinst b/debian/qubes-core-agent.preinst index 4b47fb9..04432d1 100755 --- a/debian/qubes-core-agent.preinst +++ b/debian/qubes-core-agent.preinst @@ -44,13 +44,12 @@ if [ "$1" = "install" ] ; then # User add / modifications # -------------------------------------------------------------------------- id -u 'user' >/dev/null 2>&1 || { - useradd --password "" --user-group --create-home --shell /bin/bash user + useradd --user-group --create-home --shell /bin/bash user } id -u 'tinyproxy' >/dev/null 2>&1 || { useradd --user-group --system -M --home /run/tinyproxy --shell /bin/false tinyproxy } - usermod -p '' root - usermod -L -a --groups qubes,sudo user + usermod -L -a --groups qubes user # -------------------------------------------------------------------------- # Remove `mesg` from root/.profile? diff --git a/rpm_spec/core-agent.spec b/rpm_spec/core-agent.spec index c324536..aad85a5 100644 --- a/rpm_spec/core-agent.spec +++ b/rpm_spec/core-agent.spec 
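Review bot: In the debian/qubes-core-agent.preinst hunk, dropping `usermod -p '' root` and `sudo` from the `--groups` list only affects fresh installs, because these lines sit in the `"$1" = "install"` branch. A VM upgraded from an older `qubes-core-agent` therefore appears to keep the empty root password and the `sudo` membership whether or not `qubes-core-agent-passwordless-root` is installed. The `%pre` hunk in rpm_spec/core-agent.spec has the same gap for upgraded systems. If the account state is meant to follow the new package, the upgrade path needs to reset it; otherwise document the behaviour next to the `usermod -L` line, e.g. `# upgraded systems keep their existing root password state; only new installs start without passwordless root`. The enclosing `if` block starts above and continues below this hunk.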
@@ -231,6 +231,16 @@ Integration of NetworkManager for Qubes VM: * adjust DNS redirections when needed * show/hide NetworkManager applet icon +%package passwordless-root +Summary: Passwordless root access from normal user +Conflicts: qubes-core-vm < 4.0.0 + +%description passwordless-root +Configure sudo, PolicyKit and similar tool to not ask for any password when +switching from user to root. Since all the user data in a VM is accessible +already from normal user account, there is not much more to guard there. Qubes +VM is a single user system. + %define _builddir %(pwd) %define kde_service_dir /usr/share/kde4/services @@ -266,9 +276,12 @@ if [ -e /etc/fstab ] ; then mv /etc/fstab /var/lib/qubes/fstab.orig fi -usermod -p '' root usermod -L user +%pre passwordless-root + +usermod -p '' root + %install (cd qrexec; make install DESTDIR=$RPM_BUILD_ROOT) @@ -440,6 +453,11 @@ if [ $1 -eq 0 ] ; then rm -rf /var/lib/qubes/xdg fi +%postun passwordless-root +if [ $1 -eq 0 ]; then + usermod -p '*' root +fi + %posttrans /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : @@ -457,8 +475,6 @@ rm -f %{name}-%{version} %config(noreplace) /etc/X11/xorg-preload-apps.conf /etc/fstab /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes* -%config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla -%config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules %dir /etc/qubes-rpc %config(noreplace) /etc/qubes-rpc/qubes.Filecopy %config(noreplace) /etc/qubes-rpc/qubes.OpenInVM @@ -492,7 +508,6 @@ rm -f %{name}-%{version} %dir /etc/qubes/post-install.d /etc/qubes/post-install.d/README /etc/qubes/post-install.d/*.sh -%config(noreplace) /etc/sudoers.d/qubes %config(noreplace) /etc/sudoers.d/qt_x11_no_mitshm %config(noreplace) /etc/sysctl.d/20_tcp_timestamps.conf %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules 
@@ -625,6 +640,11 @@ rm -f %{name}-%{version} /usr/lib/qubes/qubes-fix-nm-conf.sh /usr/lib/qubes/show-hide-nm-applet.sh +%files passwordless-root +%config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla +%config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules +%config(noreplace) /etc/sudoers.d/qubes + %package sysvinit Summary: Qubes unit files for SysV init style or upstart License: GPL v2 only