From 212df1d586712bb7dc634c1bbd5f6c9800c95b26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Marczewski?= Date: Wed, 6 May 2020 17:15:22 +0200 Subject: [PATCH 1/4] Enable root autologin on serial console See QubesOS/qubes-issues#5799. Use an option to agetty: https://wiki.archlinux.org/index.php/Getty#Automatic_login_to_virtual_console The --login-pause causes agetty to wait for Enter key. This is important, because otherwise the root session prevents systemd from shutting down, and probably causes other side effect. --- Makefile | 2 +- debian/qubes-core-agent.install | 1 + rpm_spec/core-agent.spec.in | 1 + vm-systemd/serial-getty@.service.d/30_qubes.conf | 3 +++ 4 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 vm-systemd/serial-getty@.service.d/30_qubes.conf diff --git a/Makefile b/Makefile index 50ecad9..d15573b 100644 --- a/Makefile +++ b/Makefile @@ -54,7 +54,7 @@ USER_DROPIN_DIR ?= "usr/lib/systemd/user" SYSTEM_DROPINS := boot.automount chronyd.service crond.service SYSTEM_DROPINS += cups.service cups-browsed.service cups.path cups.socket ModemManager.service -SYSTEM_DROPINS += getty@tty.service +SYSTEM_DROPINS += getty@tty.service serial-getty@.service SYSTEM_DROPINS += tmp.mount SYSTEM_DROPINS += org.cups.cupsd.service org.cups.cupsd.path org.cups.cupsd.socket SYSTEM_DROPINS += systemd-random-seed.service diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install index 9859458..580a532 100644 --- a/debian/qubes-core-agent.install +++ b/debian/qubes-core-agent.install 
@@ -88,6 +88,7 @@ lib/systemd/system/qubes-updates-proxy-forwarder@.service lib/systemd/system/qubes-updates-proxy-forwarder.socket lib/systemd/system/qubes-sync-time.service lib/systemd/system/qubes-sync-time.timer +lib/systemd/system/serial-getty@.service.d/30_qubes.conf lib/systemd/system/systemd-random-seed.service.d/30_qubes.conf lib/systemd/system/tinyproxy.service.d/30_not_needed_in_qubes_by_default.conf lib/systemd/system/tmp.mount.d/30_qubes.conf diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in index cd0d2b4..5b642c4 100644 --- a/rpm_spec/core-agent.spec.in +++ b/rpm_spec/core-agent.spec.in @@ -869,6 +869,7 @@ The Qubes core startup configuration for SystemD init. /lib/systemd/system/ModemManager.service.d/30_qubes.conf /lib/systemd/system/NetworkManager.service.d/30_qubes.conf /lib/systemd/system/NetworkManager-wait-online.service.d/30_qubes.conf +/lib/systemd/system/serial-getty@.service.d/30_qubes.conf /lib/systemd/system/systemd-random-seed.service.d/30_qubes.conf /lib/systemd/system/systemd-timesyncd.service.d/30_qubes.conf /lib/systemd/system/tinyproxy.service.d/30_not_needed_in_qubes_by_default.conf diff --git a/vm-systemd/serial-getty@.service.d/30_qubes.conf b/vm-systemd/serial-getty@.service.d/30_qubes.conf new file mode 100644 index 0000000..dacfeb5 --- /dev/null +++ b/vm-systemd/serial-getty@.service.d/30_qubes.conf @@ -0,0 +1,3 @@ +[Service] +ExecStart= +ExecStart=-/sbin/agetty --autologin root --login-pause --keep-baud 115200,38400,9600 %I $TERM From e52f4f13416c1059e88f197104176c6f36fb89b4 Mon Sep 17 00:00:00 2001 
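Review bot: The new `serial-getty@.service.d/30_qubes.conf` drop-in is shipped by the core agent itself (it is added to `debian/qubes-core-agent.install` and to the systemd file list in `rpm_spec/core-agent.spec.in`), so every serial-getty instance offers a root session even on templates where qubes-core-agent-passwordless-root was deliberately left out. If that is intended because the serial console is assumed to be reachable only from the trusted admin domain, the file should say so, for example with a comment above the first `ExecStart=` line: `# Root autologin: console access is assumed to be dom0-only (QubesOS/qubes-issues#5799); --login-pause defers the root session until Enter is pressed`. The override also replaces the distribution's whole `ExecStart` with a fixed `/sbin/agetty` path and baud list, so later changes to the upstream unit will not be picked up.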
From: =?UTF-8?q?Pawe=C5=82=20Marczewski?= Date: Wed, 6 May 2020 18:03:19 +0200 Subject: [PATCH 2/4] Lock root password in passwordless-root package See QubesOS/qubes-issues#5799. Undo the change to empty password previously performed by that package. --- archlinux/PKGBUILD.install | 2 +- debian/qubes-core-agent-passwordless-root.preinst | 4 ++-- rpm_spec/core-agent.spec.in | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/archlinux/PKGBUILD.install b/archlinux/PKGBUILD.install index c3e9cdf..404c2d6 100644 --- a/archlinux/PKGBUILD.install +++ b/archlinux/PKGBUILD.install @@ -35,7 +35,7 @@ pre_install() { # Add qubes core related fstab entries echo "xen /proc/xen xenfs defaults 0 0" >> /etc/fstab - usermod -p '' root + usermod -L root usermod -L user } diff --git a/debian/qubes-core-agent-passwordless-root.preinst b/debian/qubes-core-agent-passwordless-root.preinst index b72057e..ba7a6e9 100755 --- a/debian/qubes-core-agent-passwordless-root.preinst +++ b/debian/qubes-core-agent-passwordless-root.preinst @@ -33,8 +33,8 @@ set -e # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or # the debian-policy package -if [ "$1" = "install" ] ; then - usermod -p '' root +if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then + usermod -L root fi # dh_installdeb will replace this with shell code automatically diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in index 5b642c4..2fe4ad1 100644 --- a/rpm_spec/core-agent.spec.in +++ b/rpm_spec/core-agent.spec.in @@ -288,7 +288,7 @@ usermod -L user %pre passwordless-root -usermod -p '' root +usermod -L root %install From da2fa4655132197aca01ea0a5e228fc09a9d3c25 Mon Sep 17 00:00:00 2001 
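Review bot: `usermod -L root` now runs on every upgrade as well as on install, so a root password that an administrator set on purpose is locked again by each package update. The Debian preinst adds the `upgrade` case, and the `%pre passwordless-root` scriptlet in the spec shows no `$1` check in the hunk. The commit message only asks for undoing the empty password written by older versions, which could be limited to that case, for example `[ "$(passwd -S root | cut -d' ' -f2)" != NP ] || usermod -L root`. If unconditional locking is the intended policy, a one-line comment next to each call (`# keep root locked; passwordless access is granted through sudo/su instead`) would make that explicit. The surrounding scriptlet bodies continue outside the hunks shown.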
From: =?UTF-8?q?Pawe=C5=82=20Marczewski?= Date: Thu, 7 May 2020 14:10:04 +0200 Subject: [PATCH 3/4] Use pam-configs to override Debian PAM config Instead of the old workaround that replaces the whole PAM config, use Debian's framework (pam-configs) to add a rule for su. Enable it for users in qubes group only. PAM Config framework documentation: https://wiki.ubuntu.com/PAMConfigFrameworkSpec Issue: QubesOS/qubes-issues#5799 Original PR this change is based on: QubesOS/qubes-core-agent-linux#171 --- debian/control | 1 + ...qubes-core-agent-passwordless-root.install | 2 +- ...ubes-core-agent-passwordless-root.postinst | 31 +++++++++ .../qubes-core-agent-passwordless-root.prerm | 43 ++++++++++++ ...s-core-agent-passwordless-root.undisplace} | 0 passwordless-root/debian/Makefile | 5 +- passwordless-root/debian/pam-configs_su.qubes | 6 ++ passwordless-root/debian/pam.d_su.qubes | 66 ------------------- 8 files changed, 83 insertions(+), 71 deletions(-) create mode 100644 debian/qubes-core-agent-passwordless-root.postinst create mode 100644 debian/qubes-core-agent-passwordless-root.prerm rename debian/{qubes-core-agent-passwordless-root.displace => qubes-core-agent-passwordless-root.undisplace} (100%) create mode 100644 passwordless-root/debian/pam-configs_su.qubes delete mode 100644 passwordless-root/debian/pam.d_su.qubes diff --git a/debian/control b/debian/control index 0335ce7..e06f33b 100644 --- a/debian/control +++ b/debian/control @@ -160,6 +160,7 @@ Description: NetworkManager integration for Qubes VM Package: qubes-core-agent-passwordless-root Architecture: any +Depends: libpam-runtime Replaces: qubes-core-agent (<< 4.0.0-1) Breaks: qubes-core-agent (<< 4.0.0-1) Provides: ${diverted-files} diff --git a/debian/qubes-core-agent-passwordless-root.install b/debian/qubes-core-agent-passwordless-root.install index 34c7768..03c3eb7 100644 --- a/debian/qubes-core-agent-passwordless-root.install +++ b/debian/qubes-core-agent-passwordless-root.install 
@@ -1,4 +1,4 @@ etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla etc/polkit-1/rules.d/00-qubes-allow-all.rules -etc/pam.d/su.qubes etc/sudoers.d/qubes +usr/share/pam-configs/su.qubes diff --git a/debian/qubes-core-agent-passwordless-root.postinst b/debian/qubes-core-agent-passwordless-root.postinst new file mode 100644 index 0000000..04562d9 --- /dev/null +++ b/debian/qubes-core-agent-passwordless-root.postinst @@ -0,0 +1,31 @@ +#!/bin/bash +# postinst script for qubes-core-agent-passwordless-root +# +# see: dh_installdeb(1) + +set -e + +# The postinst script may be called in the following ways: +# * 'configure' +# * 'abort-upgrade' +# * 'abort-remove' 'in-favour' +# +# * 'abort-remove' +# * 'abort-deconfigure' 'in-favour' +# 'removing' +# +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +pam-auth-update --package + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + +# vim: set ts=4 sw=4 sts=4 et : diff --git a/debian/qubes-core-agent-passwordless-root.prerm b/debian/qubes-core-agent-passwordless-root.prerm new file mode 100644 index 0000000..fcc0a4a --- /dev/null +++ b/debian/qubes-core-agent-passwordless-root.prerm 
@@ -0,0 +1,43 @@ +#!/bin/sh +# prerm script for qubes-core-agent-passwordless-root +# +# see: dh_installdeb(1) + +set -e + +# The prerm script may be called in the following ways: +# * 'remove' +# * 'upgrade' +# * 'remove' 'in-favour' +# * 'deconfigure' 'in-favour' +# [removing conflicting-package version] +# +# The package whose prerm is being called will be at least "Half-Installed". +# All package dependencies will at least be "Half-Installed" and will have +# previously been configured and not removed. If there was no error, all +# dependencies will at least be "Unpacked", but these actions may be called in +# various error states where dependencies are only "Half-Installed" due to a +# partial upgrade. +# +# * 'failed-upgrade' +# +# Called during error handling when prerm upgrade fails. The new package +# will not yet be unpacked, and all the same constraints as for preinst +# upgrade apply. +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +if [ "$1" = remove ]; then + pam-auth-update --package --remove su.qubes +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + +# vim: set ts=4 sw=4 sts=4 et : diff --git a/debian/qubes-core-agent-passwordless-root.displace b/debian/qubes-core-agent-passwordless-root.undisplace similarity index 100% rename from debian/qubes-core-agent-passwordless-root.displace rename to debian/qubes-core-agent-passwordless-root.undisplace diff --git a/passwordless-root/debian/Makefile b/passwordless-root/debian/Makefile index 926d678..d8042dc 100644 --- a/passwordless-root/debian/Makefile +++ b/passwordless-root/debian/Makefile 
@@ -1,7 +1,4 @@ -SYSCONFDIR ?= /etc -PAMDIR ?= $(SYSCONFDIR)/pam.d - .PHONY: install install: - install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes + install -D -m 0644 pam-configs_su.qubes $(DESTDIR)/usr/share/pam-configs/su.qubes diff --git a/passwordless-root/debian/pam-configs_su.qubes b/passwordless-root/debian/pam-configs_su.qubes new file mode 100644 index 0000000..2c6a9c2 --- /dev/null +++ b/passwordless-root/debian/pam-configs_su.qubes @@ -0,0 +1,6 @@ +Name: allow su without password (by package qubes-core-agent-passwordless-root) +Default: yes +Priority: 258 +Auth-Type: Primary +Auth: + sufficient pam_succeed_if.so use_uid user ingroup qubes service in su:su-l diff --git a/passwordless-root/debian/pam.d_su.qubes b/passwordless-root/debian/pam.d_su.qubes deleted file mode 100644 index 99b6c22..0000000 --- a/passwordless-root/debian/pam.d_su.qubes +++ /dev/null 
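Review bot: The `Auth:` rule in `pam-configs_su.qubes` is merged by pam-auth-update into the shared `common-auth` stack, so `pam_succeed_if.so` is evaluated for every PAM service that includes it, and `service in su:su-l` is the only thing confining the passwordless path to su. Two things follow: authentication through any other service will log an unmet requirement unless the rule carries `quiet_fail`, and `use_uid` tests the calling user, so a member of `qubes` can switch to any target account, not only root. I would write the line as `sufficient pam_succeed_if.so use_uid quiet_fail user ingroup qubes service in su:su-l` and state the any-target behaviour in the profile's `Name:` text or the package description so that it is a documented decision.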
@@ -1,66 +0,0 @@ -# -# The PAM configuration file for the Shadow `su' service -# - -# This allows root to su without passwords (normal operation) -auth sufficient pam_rootok.so - -# Uncomment this to force users to be a member of group root -# before they can use `su'. You can also add "group=foo" -# to the end of this line if you want to use a group other -# than the default "root" (but this may have side effect of -# denying "root" user, unless she's a member of "foo" or explicitly -# permitted earlier by e.g. "sufficient pam_rootok.so"). -# (Replaces the `SU_WHEEL_ONLY' option from login.defs) -# auth required pam_wheel.so - -# Uncomment this if you want wheel members to be able to -# su without a password. -# auth sufficient pam_wheel.so trust - -# Uncomment this if you want members of a specific group to not -# be allowed to use su at all. -# auth required pam_wheel.so deny group=nosu - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on su usage. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 -# locale variables are also kept into /etc/default/locale in etch -# reading this file *in addition to /etc/environment* does not hurt -session required pam_env.so readenv=1 envfile=/etc/default/locale - -# Defines the MAIL environment variable -# However, userdel also needs MAIL_DIR and MAIL_FILE variables -# in /etc/login.defs to make sure that removing a user -# also removes the user's mail spool file. 
-# See comments in /etc/login.defs -# -# "nopen" stands to avoid reporting new mail when su'ing to another user -session optional pam_mail.so nopen - -# Sets up user limits according to /etc/security/limits.conf -# (Replaces the use of /etc/limits in old login) -session required pam_limits.so - -# {{ Qubes specific modifications being here -# Prevent 'su -' from asking for password in Debian [based] templates. -# https://github.com/QubesOS/qubes-issues/issues/1128 -# Feel free to comment out the following line. -auth sufficient pam_permit.so -# }} Qubes specific modifications end here - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -@include common-auth -@include common-account -@include common-session From 969ec301d5ff50c518fc7a11849b405bef96d82e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Marczewski?= Date: Thu, 7 May 2020 15:29:26 +0200 Subject: [PATCH 4/4] Override PAM config for su in RPM package In Red Hat based distributions, there is no pam-configs like mechanism (authselect seems too heavy and is not configured by default), so instead, we replace the PAM file. Enable su for users in the qubes group, same as in the Debian package. --- debian/rules | 3 +-- passwordless-root/Makefile | 10 ++++++++- passwordless-root/debian/Makefile | 4 ---- .../{debian => }/pam-configs_su.qubes | 0 passwordless-root/pam.d_su.qubes | 21 +++++++++++++++++++ rpm_spec/core-agent.spec.in | 20 +++++++++++++++++- 6 files changed, 50 insertions(+), 8 deletions(-) delete mode 100644 passwordless-root/debian/Makefile rename passwordless-root/{debian => }/pam-configs_su.qubes (100%) create mode 100644 passwordless-root/pam.d_su.qubes diff --git a/debian/rules b/debian/rules index 93e61fe..9a5bcdf 100755 --- a/debian/rules +++ b/debian/rules 
@@ -23,8 +23,7 @@ override_dh_auto_install: make -C network install make -C package-managers install make -C package-managers install-apt - make -C passwordless-root install - make -C passwordless-root/debian install + make -C passwordless-root install install-debian make -C qubes-rpc install make -C qubes-rpc/kde install make -C qubes-rpc/nautilus install diff --git a/passwordless-root/Makefile b/passwordless-root/Makefile index 928c1ac..d9fba25 100644 --- a/passwordless-root/Makefile +++ b/passwordless-root/Makefile @@ -1,8 +1,10 @@ SYSCONFDIR ?= /etc SUDOERSDIR = $(SYSCONFDIR)/sudoers.d POLKIT1DIR = $(SYSCONFDIR)/polkit-1 +PAMDIR = $(SYSCONFDIR)/pam.d +PAMCONFIGSDIR = /usr/share/pam-configs/ -.PHONY: install +.PHONY: install install-debian install-rh install: install -d -m 0750 $(DESTDIR)$(SUDOERSDIR) @@ -10,3 +12,9 @@ install: install -D -m 0644 polkit-1-qubes-allow-all.pkla $(DESTDIR)$(POLKIT1DIR)/localauthority/50-local.d/qubes-allow-all.pkla install -d -m 0750 $(DESTDIR)$(POLKIT1DIR)/rules.d install -D -m 0644 polkit-1-qubes-allow-all.rules $(DESTDIR)$(POLKIT1DIR)/rules.d/00-qubes-allow-all.rules + +install-rh: + install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes + +install-debian: + install -D -m 0644 pam-configs_su.qubes $(DESTDIR)$(PAMCONFIGSDIR)/su.qubes diff --git a/passwordless-root/debian/Makefile b/passwordless-root/debian/Makefile deleted file mode 100644 index d8042dc..0000000 --- a/passwordless-root/debian/Makefile +++ /dev/null @@ -1,4 +0,0 @@ -.PHONY: install - -install: - install -D -m 0644 pam-configs_su.qubes $(DESTDIR)/usr/share/pam-configs/su.qubes diff --git a/passwordless-root/debian/pam-configs_su.qubes b/passwordless-root/pam-configs_su.qubes similarity index 100% rename from passwordless-root/debian/pam-configs_su.qubes rename to passwordless-root/pam-configs_su.qubes diff --git a/passwordless-root/pam.d_su.qubes b/passwordless-root/pam.d_su.qubes new file mode 100644 index 0000000..e9853f8 --- /dev/null 
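Review bot: `PAMCONFIGSDIR = /usr/share/pam-configs/` ends in a slash while the `install-debian` recipe appends `/su.qubes`, so the installed path contains `//`. It works, but it differs from `SUDOERSDIR`, `POLKIT1DIR` and `PAMDIR`, which have no trailing slash; I would define it as `PAMCONFIGSDIR = /usr/share/pam-configs`. A short comment above the two new targets (`# install-rh: replacement for /etc/pam.d/su; install-debian: pam-auth-update profile`) would also tell packagers that only one of them is meant to be used per distribution.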
+++ b/passwordless-root/pam.d_su.qubes @@ -0,0 +1,21 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +# Uncomment the following line to implicitly trust users in the "wheel" group. +#auth sufficient pam_wheel.so trust use_uid +# Uncomment the following line to require a user to be in the "wheel" group. +#auth required pam_wheel.so use_uid + +# {{ Qubes specific modifications begin here +# Prevent su from asking for password +# (by package qubes-core-agent-passwordless-root). +auth sufficient pam_succeed_if.so use_uid user ingroup qubes +# }} Qubes specific modifications end here + +auth substack system-auth +auth include postlogin +account sufficient pam_succeed_if.so uid = 0 use_uid quiet +account include system-auth +password include system-auth +session include system-auth +session include postlogin +session optional pam_xauth.so diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in index 2fe4ad1..679d836 100644 --- a/rpm_spec/core-agent.spec.in +++ b/rpm_spec/core-agent.spec.in @@ -299,7 +299,7 @@ make -C config-overrides DESTDIR=$RPM_BUILD_ROOT install make -C filesystem DESTDIR=$RPM_BUILD_ROOT install make -C misc DESTDIR=$RPM_BUILD_ROOT install make -C network DESTDIR=$RPM_BUILD_ROOT install -make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install +make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install install-rh make -C qubes-rpc DESTDIR=$RPM_BUILD_ROOT install make -C qubes-rpc/kde DESTDIR=$RPM_BUILD_ROOT install make -C qubes-rpc/nautilus DESTDIR=$RPM_BUILD_ROOT install @@ -333,6 +333,16 @@ if ! grep -q /etc/default/grub.qubes /etc/default/grub 2>/dev/null; then echo '. /etc/default/grub.qubes' >> /etc/default/grub fi +%triggerin passwordless-root -- util-linux + +qubesfile=/etc/pam.d/su.qubes +origfile=${qubesfile%.qubes} +backupfile=${origfile}.qubes-orig +if [ -r "$origfile" -a ! -r "$backupfile" ]; then + mv -f "$origfile" "$backupfile" +fi +ln -sf "$qubesfile" "$origfile" + %post # disable some Upstart services 
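Review bot: `pam.d_su.qubes` is a complete copy of the distribution's su stack with one Qubes line added, and once the trigger symlinks it over `/etc/pam.d/su`, later changes that util-linux makes to its own file no longer take effect. The header should record where the copy came from so it can be re-synced, for example `# Based on /etc/pam.d/su from util-linux UTIL_LINUX_VERSION (placeholder); re-check against the distribution file when it changes`. As in the Debian profile, `use_uid user ingroup qubes` checks the caller, so the rule lets a `qubes` member become any target user; the existing comment "Prevent su from asking for password" could say so.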
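Review bot: The `%triggerin` backup test uses `-r`, which follows symlinks, so it cannot tell the distribution's `/etc/pam.d/su` from the symlink this scriptlet creates. If the trigger runs when `su` is already the symlink and `su.qubes-orig` is absent, the symlink itself is moved to the backup name, and the restore on removal would then put back a link to `su.qubes` rather than the original file. Guarding on a regular file avoids that: `if [ -f "$origfile" ] && [ ! -L "$origfile" ] && [ ! -e "$backupfile" ]; then`. The backup is also taken only once, so a `su` file delivered by a later util-linux update is overwritten by `ln -sf` without being captured; a comment noting that limitation would help whoever debugs a restore.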
@@ -535,6 +545,13 @@ if [ $1 -eq 0 ]; then usermod -p '*' root fi +qubesfile=/etc/pam.d/su.qubes +origfile=${qubesfile%.qubes} +backupfile=${origfile}.qubes-orig +if [ -f "$backupfile" ]; then + mv -f "$backupfile" "$origfile" +fi + %posttrans /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : @@ -755,6 +772,7 @@ rm -f %{name}-%{version} %config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla %config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules %config(noreplace) /etc/sudoers.d/qubes +%config(noreplace) /etc/pam.d/su.qubes %package sysvinit Summary: Qubes unit files for SysV init style or upstart
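Review bot: The restore block is added after the closing `fi` of the `if [ $1 -eq 0 ]` test, so it runs on package upgrade as well as on final removal. On an upgrade the old package's scriptlet would move `su.qubes-orig` back over `/etc/pam.d/su`, dropping the symlink until the util-linux trigger fires again, and with root locked that would leave su asking for a password that does not exist. Moving the three assignments and the `mv` inside the existing `$1 -eq 0` branch restricts the restore to uninstall. The scriptlet header is above the hunk, so which section this is (it looks like the passwordless-root removal scriptlet) should be confirmed.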