deb,rpm: split passwordless root access configs into separate package

Make passwordless root access optional - ease integration qrexec
authorization for sudo.

QubesOS/qubes-issues#2695

debian/control

@@ -69,8 +69,7 @@ Recommends:
     qubes-core-agent-networking,
     qubes-core-agent-network-manager,
     xsettingsd
-Provides: ${diverted-files}
+Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
-Conflicts: ${diverted-files}, qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
 Description: Qubes core agent
  This package includes various daemons necessary for qubes domU support,
  such as qrexec.
@@ -135,3 +134,15 @@ Description: NetworkManager integration for Qubes VM
   * make connections config persistent
   * adjust DNS redirections when needed
   * show/hide NetworkManager applet icon
+
+Package: qubes-core-agent-passwordless-root
+Architecture: any
+Replaces: qubes-core-agent (<< 4.0.0-1)
+Breaks: qubes-core-agent (<< 4.0.0-1)
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: Passwordless root access from normal user
+ Configure sudo, PolicyKit and similar tool to not ask for any password when
+ switching from user to root. Since all the user data in a VM is accessible
+ already from normal user account, there is not much more to guard there. Qubes
+ VM is a single user system.

debian/qubes-core-agent-passwordless-root.displace

@@ -1,4 +1,4 @@
-## This file is part of Whonix.
+## This file is part of Qubes OS.
 ## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 

debian/qubes-core-agent-passwordless-root.install

@@ -0,0 +1,4 @@
+etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
+etc/polkit-1/rules.d/00-qubes-allow-all.rules
+etc/pam.d/su.qubes
+etc/sudoers.d/qubes

debian/qubes-core-agent-passwordless-root.preinst

@@ -0,0 +1,48 @@
+#!/bin/sh
+# preinst script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The preinst script may be called in the following ways:
+#   * <new-preinst> 'install'
+#   * <new-preinst> 'install' <old-version>
+#   * <new-preinst> 'upgrade' <old-version>
+#
+#     The package will not yet be unpacked, so the preinst script cannot rely
+# on any files included in its package. Only essential packages and
+# pre-dependencies (Pre-Depends) may be assumed to be available.
+# Pre-dependencies will have been configured at least once, but at the time the
+# preinst is called they may only be in an "Unpacked" or "Half-Configured" state
+# if a previous version of the pre-dependency was completely configured and has
+# not been removed since then.
+#
+#
+#  * <old-preinst> 'abort-upgrade' <new-version>
+#
+#    Called during error handling of an upgrade that failed after unpacking the
+# new package because the postrm upgrade action failed. The unpacked files may
+# be partly from the new version or partly missing, so the script cannot rely
+# on files included in the package. Package dependencies may not be available.
+# Pre-dependencies will be at least "Unpacked" following the same rules as
+# above, except they may be only "Half-Installed" if an upgrade of the
+# pre-dependency failed.[46]
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "$1" = "install" ] ; then
+    usermod -p '' root
+    usermod -a --groups sudo user
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :

debian/qubes-core-agent.install

@@ -4,9 +4,6 @@ etc/apt/sources.list.d/qubes-r3.list
 etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
 etc/fstab
 etc/needrestart/conf.d/50_qubes.conf
-etc/pam.d/su.qubes
-etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
-etc/polkit-1/rules.d/00-qubes-allow-all.rules
 etc/profile.d/qt_x11_no_mitshm.sh
 etc/qubes-rpc/qubes.Backup
 etc/qubes-rpc/qubes.DetachPciDevice
@@ -37,7 +34,6 @@ etc/qubes/post-install.d/*.sh
 etc/qubes/suspend-post.d/README
 etc/qubes/suspend-pre.d/README
 etc/sudoers.d/qt_x11_no_mitshm
-etc/sudoers.d/qubes
 etc/sudoers.d/umask
 etc/sysctl.d/20_tcp_timestamps.conf
 etc/sysctl.d/80-qubes.conf

debian/qubes-core-agent.preinst

@@ -44,13 +44,12 @@ if [ "$1" = "install" ] ; then
     # User add / modifications
     # --------------------------------------------------------------------------
     id -u 'user' >/dev/null 2>&1 || {
-        useradd --password "" --user-group --create-home --shell /bin/bash user
+        useradd --user-group --create-home --shell /bin/bash user
     }
     id -u 'tinyproxy' >/dev/null 2>&1 || {
         useradd --user-group --system -M --home /run/tinyproxy --shell /bin/false tinyproxy
     }
-    usermod -p '' root
+    usermod -L -a --groups qubes user
-    usermod -L -a --groups qubes,sudo user
 
     # --------------------------------------------------------------------------
     # Remove `mesg` from root/.profile?

rpm_spec/core-agent.spec

@@ -231,6 +231,16 @@ Integration of NetworkManager for Qubes VM:
  * adjust DNS redirections when needed
  * show/hide NetworkManager applet icon
 
+%package passwordless-root
+Summary:    Passwordless root access from normal user
+Conflicts:  qubes-core-vm < 4.0.0
+
+%description passwordless-root
+Configure sudo, PolicyKit and similar tool to not ask for any password when
+switching from user to root. Since all the user data in a VM is accessible
+already from normal user account, there is not much more to guard there. Qubes
+VM is a single user system.
+
 %define _builddir %(pwd)
 
 %define kde_service_dir /usr/share/kde4/services
@@ -266,9 +276,12 @@ if [ -e /etc/fstab ] ; then
 mv /etc/fstab /var/lib/qubes/fstab.orig
 fi
 
-usermod -p '' root
 usermod -L user
 
+%pre passwordless-root
+
+usermod -p '' root
+
 %install
 
 (cd qrexec; make install DESTDIR=$RPM_BUILD_ROOT)
@@ -440,6 +453,11 @@ if [ $1 -eq 0 ] ; then
     rm -rf /var/lib/qubes/xdg
 fi
 
+%postun passwordless-root
+if [ $1 -eq 0 ]; then
+    usermod -p '*' root
+fi
+
 %posttrans
     /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 
@@ -457,8 +475,6 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/X11/xorg-preload-apps.conf
 /etc/fstab
 /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes*
-%config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
-%config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules
 %dir /etc/qubes-rpc
 %config(noreplace) /etc/qubes-rpc/qubes.Filecopy
 %config(noreplace) /etc/qubes-rpc/qubes.OpenInVM
@@ -492,7 +508,6 @@ rm -f %{name}-%{version}
 %dir /etc/qubes/post-install.d
 /etc/qubes/post-install.d/README
 /etc/qubes/post-install.d/*.sh
-%config(noreplace) /etc/sudoers.d/qubes
 %config(noreplace) /etc/sudoers.d/qt_x11_no_mitshm
 %config(noreplace) /etc/sysctl.d/20_tcp_timestamps.conf
 %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules
@@ -625,6 +640,11 @@ rm -f %{name}-%{version}
 /usr/lib/qubes/qubes-fix-nm-conf.sh
 /usr/lib/qubes/show-hide-nm-applet.sh
 
+%files passwordless-root
+%config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
+%config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules
+%config(noreplace) /etc/sudoers.d/qubes
+
 %package sysvinit
 Summary:        Qubes unit files for SysV init style or upstart
 License:        GPL v2 only