From 969ec301d5ff50c518fc7a11849b405bef96d82e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Marczewski?=
Date: Thu, 7 May 2020 15:29:26 +0200
Subject: [PATCH] Override PAM config for su in RPM package

In Red Hat based distributions, there is no pam-configs like mechanism (authselect seems too heavy and is not configured by default), so instead, we replace the PAM file. Enable su for users in the qubes group, same as in the Debian package.
---
 debian/rules | 3 +-
 passwordless-root/Makefile | 10 ++++++++-
 passwordless-root/debian/Makefile | 4 ----
 .../{debian => }/pam-configs_su.qubes | 0
 passwordless-root/pam.d_su.qubes | 21 +++++++++++++++++++
 rpm_spec/core-agent.spec.in | 20 +++++++++++++++++-
 6 files changed, 50 insertions(+), 8 deletions(-)
 delete mode 100644 passwordless-root/debian/Makefile
 rename passwordless-root/{debian => }/pam-configs_su.qubes (100%)
 create mode 100644 passwordless-root/pam.d_su.qubes

diff --git a/debian/rules b/debian/rules
index 93e61fe..9a5bcdf 100755
--- a/debian/rules
+++ b/debian/rules
@@ -23,8 +23,7 @@ override_dh_auto_install:
 	make -C network install
 	make -C package-managers install
 	make -C package-managers install-apt
-	make -C passwordless-root install
-	make -C passwordless-root/debian install
+	make -C passwordless-root install install-debian
 	make -C qubes-rpc install
 	make -C qubes-rpc/kde install
 	make -C qubes-rpc/nautilus install
diff --git a/passwordless-root/Makefile b/passwordless-root/Makefile
index 928c1ac..d9fba25 100644
--- a/passwordless-root/Makefile
+++ b/passwordless-root/Makefile
@@ -1,8 +1,10 @@
 SYSCONFDIR ?= /etc
 SUDOERSDIR = $(SYSCONFDIR)/sudoers.d
 POLKIT1DIR = $(SYSCONFDIR)/polkit-1
+PAMDIR = $(SYSCONFDIR)/pam.d
+PAMCONFIGSDIR = /usr/share/pam-configs/
-.PHONY: install
+.PHONY: install install-debian install-rh
 install:
 	install -d -m 0750 $(DESTDIR)$(SUDOERSDIR)
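Review bot: `PAMCONFIGSDIR = /usr/share/pam-configs/` is the only *DIR variable in this hunk with a trailing slash and the only one not derived from a prefix knob, while the install-debian recipe in the next hunk appends `/su.qubes` to it, so the installed path expands to `/usr/share/pam-configs//su.qubes`. `install -D` tolerates the double slash, but it leaks into build logs and package-content checks and makes the variable inconsistent with SUDOERSDIR and POLKIT1DIR. Suggest following the SYSCONFDIR pattern: `DATADIR ?= /usr/share` and `PAMCONFIGSDIR = $(DATADIR)/pam-configs`.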
@@ -10,3 +12,9 @@ install:
 	install -D -m 0644 polkit-1-qubes-allow-all.pkla $(DESTDIR)$(POLKIT1DIR)/localauthority/50-local.d/qubes-allow-all.pkla
 	install -d -m 0750 $(DESTDIR)$(POLKIT1DIR)/rules.d
 	install -D -m 0644 polkit-1-qubes-allow-all.rules $(DESTDIR)$(POLKIT1DIR)/rules.d/00-qubes-allow-all.rules
+
+install-rh:
+	install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes
+
+install-debian:
+	install -D -m 0644 pam-configs_su.qubes $(DESTDIR)$(PAMCONFIGSDIR)/su.qubes
diff --git a/passwordless-root/debian/Makefile b/passwordless-root/debian/Makefile
deleted file mode 100644
index d8042dc..0000000
--- a/passwordless-root/debian/Makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-.PHONY: install
-
-install:
-	install -D -m 0644 pam-configs_su.qubes $(DESTDIR)/usr/share/pam-configs/su.qubes
diff --git a/passwordless-root/debian/pam-configs_su.qubes b/passwordless-root/pam-configs_su.qubes
similarity index 100%
rename from passwordless-root/debian/pam-configs_su.qubes
rename to passwordless-root/pam-configs_su.qubes
diff --git a/passwordless-root/pam.d_su.qubes b/passwordless-root/pam.d_su.qubes
new file mode 100644
index 0000000..e9853f8
--- /dev/null
+++ b/passwordless-root/pam.d_su.qubes
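Review bot: install-rh and install-debian are undocumented, and they do not do the same thing: the Debian target drops a profile under /usr/share/pam-configs, whereas su.qubes under $(PAMDIR) is inert on its own and only takes effect once something points /etc/pam.d/su at it (in this patch the RPM spec does that with a symlink from a %triggerin). The plain `install` target no longer installs either file, so a caller that forgets the extra goal silently ships a package without the PAM change. A one-line comment above each target would save the next reader a trip into the spec, e.g. `# install-rh: stages su.qubes only; the RPM %triggerin makes /etc/pam.d/su a symlink to it` and `# install-debian: pam-configs profile (activated by the distro's pam-auth-update machinery, not by this Makefile)`.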
@@ -0,0 +1,21 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth sufficient pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth required pam_wheel.so use_uid
+
+# {{ Qubes specific modifications begin here
+# Prevent su from asking for password
+# (by package qubes-core-agent-passwordless-root).
+auth sufficient pam_succeed_if.so use_uid user ingroup qubes
+# }} Qubes specific modifications end here
+
+auth substack system-auth
+auth include postlogin
+account sufficient pam_succeed_if.so uid = 0 use_uid quiet
+account include system-auth
+password include system-auth
+session include system-auth
+session include postlogin
+session optional pam_xauth.so
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index 2fe4ad1..679d836 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -299,7 +299,7 @@ make -C config-overrides DESTDIR=$RPM_BUILD_ROOT install
 make -C filesystem DESTDIR=$RPM_BUILD_ROOT install
 make -C misc DESTDIR=$RPM_BUILD_ROOT install
 make -C network DESTDIR=$RPM_BUILD_ROOT install
-make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install
+make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install install-rh
 make -C qubes-rpc DESTDIR=$RPM_BUILD_ROOT install
 make -C qubes-rpc/kde DESTDIR=$RPM_BUILD_ROOT install
 make -C qubes-rpc/nautilus DESTDIR=$RPM_BUILD_ROOT install
@@ -333,6 +333,16 @@ if ! grep -q /etc/default/grub.qubes /etc/default/grub 2>/dev/null; then
 echo '. /etc/default/grub.qubes' >> /etc/default/grub
 fi
+%triggerin passwordless-root -- util-linux
+
+qubesfile=/etc/pam.d/su.qubes
+origfile=${qubesfile%.qubes}
+backupfile=${origfile}.qubes-orig
+if [ -r "$origfile" -a ! -r "$backupfile" ]; then
+mv -f "$origfile" "$backupfile"
+fi
+ln -sf "$qubesfile" "$origfile"
+
 %post
 # disable some Upstart services
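Review bot: The new file is a verbatim copy of a distribution /etc/pam.d/su with one line spliced in, but nothing in it records which upstream file it mirrors, so when util-linux next changes its su stack (a new module, a changed control flag) this copy will silently diverge from what the rest of the system runs. Suggest extending the `{{ Qubes specific modifications` block with `# Everything outside this block mirrors /etc/pam.d/su as shipped by util-linux; re-sync it when that file changes.` The control flag also deserves a word for the next reader: `sufficient` on the pam_succeed_if line means that for a caller in the `qubes` group the whole `auth substack system-auth` below is skipped, for any target account and not only root, which is presumably the intended Qubes model but is easy to misread as root-only; a comment such as `# sufficient: members of "qubes" bypass system-auth entirely, for any target user` makes that scope explicit. Minor: the upstream pam_succeed_if line further down passes `quiet` while the new one does not, so per pam_succeed_if's defaults an unmet-requirement message is expected in the log for every su by a non-qubes user — worth confirming that noise is wanted.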
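Review bot: The guard `[ -r "$origfile" -a ! -r "$backupfile" ]` saves /etc/pam.d/su exactly once, so on a later util-linux upgrade that lays down a fresh su this trigger fires again, finds the old backup present, skips the mv, and `ln -sf` discards the refreshed upstream file unsaved; the file restored on uninstall is then whatever su looked like at first install. Taking the backup whenever the target is a real file rather than our symlink avoids that, and lets you drop the obsolescent `-a` inside `[`: `if [ -f "$origfile" ] && [ ! -L "$origfile" ]; then` / `    mv -f "$origfile" "$backupfile"` / `fi`. Whether rpm actually replaces the symlink with a regular file on util-linux upgrade depends on how util-linux marks /etc/pam.d/su (%config versus noreplace), which this patch cannot show, so a comment above the trigger stating that assumption would help whoever debugs it later. The %post that follows continues outside the hunk.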
@@ -535,6 +545,13 @@ if [ $1 -eq 0 ]; then
 usermod -p '*' root
 fi
+qubesfile=/etc/pam.d/su.qubes
+origfile=${qubesfile%.qubes}
+backupfile=${origfile}.qubes-orig
+if [ -f "$backupfile" ]; then
+mv -f "$backupfile" "$origfile"
+fi
+
 %posttrans
 /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
@@ -755,6 +772,7 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 %config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules
 %config(noreplace) /etc/sudoers.d/qubes
+%config(noreplace) /etc/pam.d/su.qubes
 %package sysvinit
 Summary: Qubes unit files for SysV init style or upstart
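Review bot: The restore block is placed after the `fi` of the `[ $1 -eq 0 ]` guard, so it also runs on package upgrade ($1 is 1). In an rpm upgrade the old package's %postun runs after the new package's %triggerin has already re-created the /etc/pam.d/su symlink, so `mv -f "$backupfile" "$origfile"` would replace that fresh symlink with the saved original and leave su prompting for a password until the next util-linux upgrade happens to re-fire the trigger. Assuming this is the passwordless-root %postun (the section header is outside the hunk, but `usermod -p '*' root` points that way), the restore belongs inside the erase-only path: `if [ $1 -eq 0 ] && [ -f "$backupfile" ]; then`. A short comment stating that the backup is restored only on erase, never on upgrade, would keep a later edit from moving it back out.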