Override PAM config for su in RPM package

In Red Hat based distributions, there is no pam-configs-like
mechanism (authselect seems too heavy and is not configured by
default), so instead we replace the PAM file.

Enable su for users in the qubes group, same as in the Debian
package.
Paweł Marczewski 2020-05-07 15:29:26 +02:00
parent da2fa46551
commit 969ec301d5
No known key found for this signature in database
GPG Key ID: DE42EE9B14F96465
6 changed files with 50 additions and 8 deletions

3
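--- a/debian/rules
+++ b/debian/rules
@@ -23,8 +23,7 @@ override_dh_auto_install:
 make -C network install
 make -C package-managers install
 make -C package-managers install-apt
-make -C passwordless-root install
-make -C passwordless-root/debian install
+make -C passwordless-root install install-debian
 make -C qubes-rpc install
 make -C qubes-rpc/kde install
 make -C qubes-rpc/nautilus install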

@ -1,8 +1,10 @@
SYSCONFDIR ?= /etc SYSCONFDIR ?= /etc
SUDOERSDIR = $(SYSCONFDIR)/sudoers.d SUDOERSDIR = $(SYSCONFDIR)/sudoers.d
POLKIT1DIR = $(SYSCONFDIR)/polkit-1 POLKIT1DIR = $(SYSCONFDIR)/polkit-1
PAMDIR = $(SYSCONFDIR)/pam.d
PAMCONFIGSDIR = /usr/share/pam-configs/
.PHONY: install .PHONY: install install-debian install-rh
install: install:
install -d -m 0750 $(DESTDIR)$(SUDOERSDIR) install -d -m 0750 $(DESTDIR)$(SUDOERSDIR)
@ -10,3 +12,9 @@ install:
install -D -m 0644 polkit-1-qubes-allow-all.pkla $(DESTDIR)$(POLKIT1DIR)/localauthority/50-local.d/qubes-allow-all.pkla install -D -m 0644 polkit-1-qubes-allow-all.pkla $(DESTDIR)$(POLKIT1DIR)/localauthority/50-local.d/qubes-allow-all.pkla
install -d -m 0750 $(DESTDIR)$(POLKIT1DIR)/rules.d install -d -m 0750 $(DESTDIR)$(POLKIT1DIR)/rules.d
install -D -m 0644 polkit-1-qubes-allow-all.rules $(DESTDIR)$(POLKIT1DIR)/rules.d/00-qubes-allow-all.rules install -D -m 0644 polkit-1-qubes-allow-all.rules $(DESTDIR)$(POLKIT1DIR)/rules.d/00-qubes-allow-all.rules
install-rh:
install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes
install-debian:
install -D -m 0644 pam-configs_su.qubes $(DESTDIR)$(PAMCONFIGSDIR)/su.qubes
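Review bot: `PAMCONFIGSDIR = /usr/share/pam-configs/` keeps a trailing slash while every other *DIR variable in this Makefile does not, so the `install-debian` recipe's `$(DESTDIR)$(PAMCONFIGSDIR)/su.qubes` expands to `/usr/share/pam-configs//su.qubes`; install(1) tolerates the double slash, but it is inconsistent with `PAMDIR = $(SYSCONFDIR)/pam.d` and it is also the only destination here that is not derived from a prefix variable. Suggest `PAMCONFIGSDIR = /usr/share/pam-configs` so the recipe composes the path the same way as the sudoers and polkit lines. The two new targets carry no comment on which distribution family each is meant for; a one-line `## Red Hat family: stock /etc/pam.d/su replaced via the RPM trigger` / `## Debian family: pam-auth-update profile` above each would make the split self-documenting.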


@ -1,4 +0,0 @@
.PHONY: install
install:
install -D -m 0644 pam-configs_su.qubes $(DESTDIR)/usr/share/pam-configs/su.qubes


@ -0,0 +1,21 @@
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
# {{ Qubes specific modifications begin here
# Prevent su from asking for password
# (by package qubes-core-agent-passwordless-root).
auth sufficient pam_succeed_if.so use_uid user ingroup qubes
# }} Qubes specific modifications end here
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
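Review bot: The comment above the `pam_succeed_if.so use_uid user ingroup qubes` line undersells what the rule does and omits the detail a reviewer needs to audit it: because of `use_uid`, pam_succeed_if evaluates the invoking user's real uid, not the account being switched to, so any member of the `qubes` group can become any account, root included, with no password. Suggest replacing the two comment lines with `# Let any caller whose real uid is in the "qubes" group switch to any account` / `# (including root) without a password; use_uid checks the caller, not the target.` Everything outside the `{{ … }}` markers appears to be a verbatim copy of the distribution's stock /etc/pam.d/su (pam_rootok, the commented pam_wheel lines, system-auth/postlogin includes) — worth stating which release it was copied from in the header so the file can be re-synced when the stock template changes, since the RPM trigger replaces the distro file wholesale rather than layering on it.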


@ -299,7 +299,7 @@ make -C config-overrides DESTDIR=$RPM_BUILD_ROOT install
make -C filesystem DESTDIR=$RPM_BUILD_ROOT install make -C filesystem DESTDIR=$RPM_BUILD_ROOT install
make -C misc DESTDIR=$RPM_BUILD_ROOT install make -C misc DESTDIR=$RPM_BUILD_ROOT install
make -C network DESTDIR=$RPM_BUILD_ROOT install make -C network DESTDIR=$RPM_BUILD_ROOT install
make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install install-rh
make -C qubes-rpc DESTDIR=$RPM_BUILD_ROOT install make -C qubes-rpc DESTDIR=$RPM_BUILD_ROOT install
make -C qubes-rpc/kde DESTDIR=$RPM_BUILD_ROOT install make -C qubes-rpc/kde DESTDIR=$RPM_BUILD_ROOT install
make -C qubes-rpc/nautilus DESTDIR=$RPM_BUILD_ROOT install make -C qubes-rpc/nautilus DESTDIR=$RPM_BUILD_ROOT install
@ -333,6 +333,16 @@ if ! grep -q /etc/default/grub.qubes /etc/default/grub 2>/dev/null; then
echo '. /etc/default/grub.qubes' >> /etc/default/grub echo '. /etc/default/grub.qubes' >> /etc/default/grub
fi fi
%triggerin passwordless-root -- util-linux
qubesfile=/etc/pam.d/su.qubes
origfile=${qubesfile%.qubes}
backupfile=${origfile}.qubes-orig
if [ -r "$origfile" -a ! -r "$backupfile" ]; then
mv -f "$origfile" "$backupfile"
fi
ln -sf "$qubesfile" "$origfile"
%post %post
# disable some Upstart services # disable some Upstart services
@ -535,6 +545,13 @@ if [ $1 -eq 0 ]; then
usermod -p '*' root usermod -p '*' root
fi fi
qubesfile=/etc/pam.d/su.qubes
origfile=${qubesfile%.qubes}
backupfile=${origfile}.qubes-orig
if [ -f "$backupfile" ]; then
mv -f "$backupfile" "$origfile"
fi
%posttrans %posttrans
/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
@ -755,6 +772,7 @@ rm -f %{name}-%{version}
%config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla %config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
%config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules %config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules
%config(noreplace) /etc/sudoers.d/qubes %config(noreplace) /etc/sudoers.d/qubes
%config(noreplace) /etc/pam.d/su.qubes
%package sysvinit %package sysvinit
Summary: Qubes unit files for SysV init style or upstart Summary: Qubes unit files for SysV init style or upstart
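Review bot: The restore block in the third hunk (`if [ -f "$backupfile" ]; then mv -f "$backupfile" "$origfile"; fi`) sits after the `fi` that closes `if [ $1 -eq 0 ]`, so if that scriptlet is %postun (the `usermod -p '*' root` context suggests it is) it also runs with `$1 -eq 1` on a package upgrade; RPM executes the new package's %post and %triggerin before the old package's %postun, so an upgrade would move the backup back over the freshly created symlink and silently deactivate su.qubes until util-linux is next upgraded. Guard it the same way as the line above it: `if [ $1 -eq 0 ] && [ -f "$backupfile" ]; then`. Separately, the %triggerin test `[ -r "$origfile" -a ! -r "$backupfile" ]` does not exclude the case where `$origfile` is already a symlink (a re-trigger after the backup was removed), in which case the symlink itself becomes the backup and the later restore leaves /etc/pam.d/su pointing at the removed su.qubes; `if [ -f "$origfile" ] && [ ! -L "$origfile" ] && [ ! -e "$backupfile" ]; then` avoids that and drops the non-POSIX `-a`.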