Override PAM config for su in RPM package

In Red Hat based distributions, there is no pam-configs like mechanism (authselect seems too heavy and is not configured by default), so instead, we replace the PAM file. Enable su for users in the qubes group, same as in the Debian package.
2020-05-07 15:29:26 +02:00 · 2020-05-07 15:29:26 +02:00 · 969ec301d5
commit 969ec301d5
parent da2fa46551
6 changed files with 50 additions and 8 deletions
--- a/debian/rules
+++ b/debian/rules
@ -23,8 +23,7 @@ override_dh_auto_install:
 	make -C network install
 	make -C package-managers install
 	make -C package-managers install-apt
-	make -C passwordless-root install
-	make -C passwordless-root/debian install
+	make -C passwordless-root install install-debian
 	make -C qubes-rpc install
 	make -C qubes-rpc/kde install
 	make -C qubes-rpc/nautilus install
--- a/passwordless-root/Makefile
+++ b/passwordless-root/Makefile
@ -1,8 +1,10 @@
 SYSCONFDIR ?= /etc
 SUDOERSDIR = $(SYSCONFDIR)/sudoers.d
 POLKIT1DIR = $(SYSCONFDIR)/polkit-1
+PAMDIR = $(SYSCONFDIR)/pam.d
+PAMCONFIGSDIR = /usr/share/pam-configs/

-.PHONY: install
+.PHONY: install install-debian install-rh

 install:
 	install -d -m 0750 $(DESTDIR)$(SUDOERSDIR)
@ -10,3 +12,9 @@ install:
 	install -D -m 0644 polkit-1-qubes-allow-all.pkla $(DESTDIR)$(POLKIT1DIR)/localauthority/50-local.d/qubes-allow-all.pkla
 	install -d -m 0750 $(DESTDIR)$(POLKIT1DIR)/rules.d
 	install -D -m 0644 polkit-1-qubes-allow-all.rules $(DESTDIR)$(POLKIT1DIR)/rules.d/00-qubes-allow-all.rules
+
+install-rh:
+	install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes
+
+install-debian:
+	install -D -m 0644 pam-configs_su.qubes $(DESTDIR)$(PAMCONFIGSDIR)/su.qubes
--- a/passwordless-root/debian/Makefile
+++ b/passwordless-root/debian/Makefile
@ -1,4 +0,0 @@
-.PHONY: install
-
-install:
-	install -D -m 0644 pam-configs_su.qubes $(DESTDIR)/usr/share/pam-configs/su.qubes
--- a/passwordless-root/debian/pam-configs_su.qubes
+++ b/passwordless-root/debian/pam-configs_su.qubes
--- a/passwordless-root/pam.d_su.qubes
+++ b/passwordless-root/pam.d_su.qubes
@ -0,0 +1,21 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth		sufficient	pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth		required	pam_wheel.so use_uid
+
+# {{ Qubes specific modifications begin here
+#    Prevent su from asking for password
+#    (by package qubes-core-agent-passwordless-root).
+auth    	sufficient	pam_succeed_if.so use_uid user ingroup qubes
+# }} Qubes specific modifications end here
+
+auth		substack	system-auth
+auth		include		postlogin
+account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
+account		include		system-auth
+password	include		system-auth
+session		include		system-auth
+session		include		postlogin
+session		optional	pam_xauth.so
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@ -299,7 +299,7 @@ make -C config-overrides DESTDIR=$RPM_BUILD_ROOT install
 make -C filesystem DESTDIR=$RPM_BUILD_ROOT install
 make -C misc DESTDIR=$RPM_BUILD_ROOT install
 make -C network DESTDIR=$RPM_BUILD_ROOT install
-make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install
+make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install install-rh
 make -C qubes-rpc DESTDIR=$RPM_BUILD_ROOT install
 make -C qubes-rpc/kde DESTDIR=$RPM_BUILD_ROOT install
 make -C qubes-rpc/nautilus DESTDIR=$RPM_BUILD_ROOT install
@ -333,6 +333,16 @@ if ! grep -q /etc/default/grub.qubes /etc/default/grub 2>/dev/null; then
    echo '. /etc/default/grub.qubes' >> /etc/default/grub
 fi

+%triggerin passwordless-root -- util-linux
+
+qubesfile=/etc/pam.d/su.qubes
+origfile=${qubesfile%.qubes}
+backupfile=${origfile}.qubes-orig
+if [ -r "$origfile" -a ! -r "$backupfile" ]; then
+	mv -f "$origfile" "$backupfile"
+fi
+ln -sf "$qubesfile" "$origfile"
+
 %post

 # disable some Upstart services
@ -535,6 +545,13 @@ if [ $1 -eq 0 ]; then
    usermod -p '*' root
 fi

+qubesfile=/etc/pam.d/su.qubes
+origfile=${qubesfile%.qubes}
+backupfile=${origfile}.qubes-orig
+if [ -f "$backupfile" ]; then
+    mv -f "$backupfile" "$origfile"
+fi
+
 %posttrans
    /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :

@ -755,6 +772,7 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 %config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules
 %config(noreplace) /etc/sudoers.d/qubes
+%config(noreplace) /etc/pam.d/su.qubes

 %package sysvinit
 Summary:        Qubes unit files for SysV init style or upstart