From 16f48b62983932d5995ea69f4eb67282f91cfc19 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Thu, 24 Dec 2020 15:46:08 -0500 Subject: [PATCH 1/2] =?UTF-8?q?Only=20give=20the=20=E2=80=9Cqubes=E2=80=9D?= =?UTF-8?q?=20group=20full=20Polkit=20access?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is consistent with the rest of qubes-core-agent-passwordless-root, and helps prevent sandbox escapes by daemons with dbus access. --- passwordless-root/polkit-1-qubes-allow-all.rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/passwordless-root/polkit-1-qubes-allow-all.rules b/passwordless-root/polkit-1-qubes-allow-all.rules index 723d6d6..a83c827 100644 --- a/passwordless-root/polkit-1-qubes-allow-all.rules +++ b/passwordless-root/polkit-1-qubes-allow-all.rules @@ -1,2 +1,2 @@ //allow any action, detailed reasoning in sudoers.d/qubes -polkit.addRule(function(action,subject) { return polkit.Result.YES; }); +polkit.addRule(function(action,subject) { if (subject.isInGroup("qubes")) return polkit.Result.YES; }); From 3bcc1c37cee974cc98f7473573f82d5ccb66f8db Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Thu, 24 Dec 2020 15:48:33 -0500 Subject: [PATCH 2/2] =?UTF-8?q?=E2=80=9Csudo=E2=80=9D=20must=20remove=20SE?= =?UTF-8?q?Linux=20restrictions?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise, if “user” has the SELinux user “staff_u”, the user will typically need to write “sudo -r unconfined_r -t unconfined_t”, which is annoying. If SELinux is disabled, these fields are ignored. --- passwordless-root/qubes.sudoers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/passwordless-root/qubes.sudoers b/passwordless-root/qubes.sudoers index 5c3229f..cf185eb 100644 --- a/passwordless-root/qubes.sudoers +++ b/passwordless-root/qubes.sudoers @@ -1,4 +1,4 @@ -Defaults !requiretty +Defaults role=unconfined_r, type=unconfined_t, !requiretty %qubes ALL=(ALL) NOPASSWD: ALL # WTF?! Have you lost your mind?!