Override PAM config for su in RPM package

In Red Hat based distributions, there is no pam-configs like
mechanism (authselect seems too heavy and is not configured by
default), so instead, we replace the PAM file.

Enable su for users in the qubes group, same as in the Debian
package.
This commit is contained in:
Paweł Marczewski 2020-05-07 15:29:26 +02:00
parent da2fa46551
commit 969ec301d5
No known key found for this signature in database
GPG Key ID: DE42EE9B14F96465
6 changed files with 50 additions and 8 deletions

3
debian/rules vendored
View File

@ -23,8 +23,7 @@ override_dh_auto_install:
make -C network install
make -C package-managers install
make -C package-managers install-apt
make -C passwordless-root install
make -C passwordless-root/debian install
make -C passwordless-root install install-debian
make -C qubes-rpc install
make -C qubes-rpc/kde install
make -C qubes-rpc/nautilus install

View File

@ -1,8 +1,10 @@
SYSCONFDIR ?= /etc
SUDOERSDIR = $(SYSCONFDIR)/sudoers.d
POLKIT1DIR = $(SYSCONFDIR)/polkit-1
PAMDIR = $(SYSCONFDIR)/pam.d
PAMCONFIGSDIR = /usr/share/pam-configs/
.PHONY: install
.PHONY: install install-debian install-rh
install:
install -d -m 0750 $(DESTDIR)$(SUDOERSDIR)
@ -10,3 +12,9 @@ install:
install -D -m 0644 polkit-1-qubes-allow-all.pkla $(DESTDIR)$(POLKIT1DIR)/localauthority/50-local.d/qubes-allow-all.pkla
install -d -m 0750 $(DESTDIR)$(POLKIT1DIR)/rules.d
install -D -m 0644 polkit-1-qubes-allow-all.rules $(DESTDIR)$(POLKIT1DIR)/rules.d/00-qubes-allow-all.rules
install-rh:
install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes
install-debian:
install -D -m 0644 pam-configs_su.qubes $(DESTDIR)$(PAMCONFIGSDIR)/su.qubes

View File

@ -1,4 +0,0 @@
.PHONY: install
install:
install -D -m 0644 pam-configs_su.qubes $(DESTDIR)/usr/share/pam-configs/su.qubes

View File

@ -0,0 +1,21 @@
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
# {{ Qubes specific modifications begin here
# Prevent su from asking for password
# (by package qubes-core-agent-passwordless-root).
auth sufficient pam_succeed_if.so use_uid user ingroup qubes
# }} Qubes specific modifications end here
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so

View File

@ -299,7 +299,7 @@ make -C config-overrides DESTDIR=$RPM_BUILD_ROOT install
make -C filesystem DESTDIR=$RPM_BUILD_ROOT install
make -C misc DESTDIR=$RPM_BUILD_ROOT install
make -C network DESTDIR=$RPM_BUILD_ROOT install
make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install
make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install install-rh
make -C qubes-rpc DESTDIR=$RPM_BUILD_ROOT install
make -C qubes-rpc/kde DESTDIR=$RPM_BUILD_ROOT install
make -C qubes-rpc/nautilus DESTDIR=$RPM_BUILD_ROOT install
@ -333,6 +333,16 @@ if ! grep -q /etc/default/grub.qubes /etc/default/grub 2>/dev/null; then
echo '. /etc/default/grub.qubes' >> /etc/default/grub
fi
%triggerin passwordless-root -- util-linux
qubesfile=/etc/pam.d/su.qubes
origfile=${qubesfile%.qubes}
backupfile=${origfile}.qubes-orig
if [ -r "$origfile" -a ! -r "$backupfile" ]; then
mv -f "$origfile" "$backupfile"
fi
ln -sf "$qubesfile" "$origfile"
%post
# disable some Upstart services
@ -535,6 +545,13 @@ if [ $1 -eq 0 ]; then
usermod -p '*' root
fi
qubesfile=/etc/pam.d/su.qubes
origfile=${qubesfile%.qubes}
backupfile=${origfile}.qubes-orig
if [ -f "$backupfile" ]; then
mv -f "$backupfile" "$origfile"
fi
%posttrans
/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
@ -755,6 +772,7 @@ rm -f %{name}-%{version}
%config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
%config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules
%config(noreplace) /etc/sudoers.d/qubes
%config(noreplace) /etc/pam.d/su.qubes
%package sysvinit
Summary: Qubes unit files for SysV init style or upstart