diff --git a/Makefile b/Makefile index f3895dd..a60bf9d 100644 --- a/Makefile +++ b/Makefile @@ -206,7 +206,8 @@ install-common: install -D -m 0755 misc/qubes-desktop-run $(DESTDIR)/usr/bin/qubes-desktop-run mkdir -p $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/ -ifeq (1,${DEBIANBUILD}) + +ifeq ($(shell lsb_release -is), Debian) install -m 0644 misc/xdg.py $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/ else install -m 0644 misc/xdg.py* $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/ @@ -231,5 +232,7 @@ install-deb: install-common install-systemd install-systemd-dropins install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/ install -D -m 644 misc/profile.d_qt_x11_no_mitshm.sh $(DESTDIR)/etc/profile.d/qt_x11_no_mitshm.sh install -D -m 440 misc/sudoers.d_umask $(DESTDIR)/etc/sudoers.d/umask + install -d $(DESTDIR)/etc/pam.d + install -m 0644 misc/pam.d_su.qubes $(DESTDIR)/etc/pam.d/su.qubes install-vm: install-rh install-common diff --git a/debian/control b/debian/control index fbddc8f..4fcd83a 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: qubes-core-agent Section: admin Priority: extra Maintainer: Davíð Steinn Geirsson -Build-Depends: qubes-utils (>= 2.0.17), libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5), lsb-release, xserver-xorg-dev +Build-Depends: qubes-utils (>= 2.0.17), libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5), lsb-release, xserver-xorg-dev, config-package-dev Standards-Version: 3.9.5 Homepage: http://www.qubes-os.org Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git @@ -58,7 +58,8 @@ Recommends: xsettingsd, yum, yum-utils -Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit +Provides: ${diverted-files} +Conflicts: ${diverted-files}, qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit Description: Qubes core agent This package includes various daemons necessary for qubes domU support, such as qrexec. 
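Review bot: The new `ifeq ($(shell lsb_release -is), Debian)` in install-common ties the choice of install line to the machine running make, where the old `DEBIANBUILD` test let the packaging set it explicitly. If `lsb_release` is missing or reports a derivative's name, the comparison fails silently and the `misc/xdg.py*` glob branch is taken, so the same source tree can install different files on different hosts. Keeping the override and only defaulting from the host avoids that: `DEBIANBUILD ?= $(if $(filter Debian,$(shell lsb_release -is 2>/dev/null)),1)` followed by the original `ifeq (1,${DEBIANBUILD})`. The install-common recipe starts and ends outside this hunk.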
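Review bot: The two lines added to install-deb install a PAM policy file with no comment explaining that it is not used under this name. According to debian/qubes-core-agent.displace in the same commit, it is meant to displace the distribution's `/etc/pam.d/su`. A comment above them such as `# su.qubes displaces /etc/pam.d/su via config-package-dev (see debian/qubes-core-agent.displace)` would explain the `.qubes` suffix. The pair can also be written like the neighbouring lines, `install -D -m 0644 misc/pam.d_su.qubes $(DESTDIR)/etc/pam.d/su.qubes`. install-deb begins before the hunk.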
diff --git a/debian/qubes-core-agent.displace b/debian/qubes-core-agent.displace new file mode 100644 index 0000000..7dde451 --- /dev/null +++ b/debian/qubes-core-agent.displace @@ -0,0 +1,5 @@ +## This file is part of Whonix. +## Copyright (C) 2012 - 2014 Patrick Schleizer +## See the file COPYING for copying conditions. + +/etc/pam.d/su.qubes diff --git a/debian/qubes-core-agent.displace-extension b/debian/qubes-core-agent.displace-extension new file mode 100644 index 0000000..7ff75d6 --- /dev/null +++ b/debian/qubes-core-agent.displace-extension @@ -0,0 +1 @@ +.qubes diff --git a/debian/rules b/debian/rules index eab1567..d8c7c1a 100755 --- a/debian/rules +++ b/debian/rules @@ -8,7 +8,7 @@ include /usr/share/dpkg/default.mk export DESTDIR=$(shell pwd)/debian/qubes-core-agent %: - dh $@ --with systemd + dh $@ --with systemd --with=config-package override_dh_auto_build: make all diff --git a/misc/pam.d_su.qubes b/misc/pam.d_su.qubes new file mode 100644 index 0000000..99b6c22 --- /dev/null +++ b/misc/pam.d_su.qubes 
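Review bot: Listing `/etc/pam.d/su.qubes` in debian/qubes-core-agent.displace makes this package take over the whole `su` PAM stack. As far as config-package-dev diversions work, later changes the distribution ships for `/etc/pam.d/su` would then land in the diverted copy and not in the active policy. Nothing in the file records that consequence or which upstream revision `misc/pam.d_su.qubes` was copied from. I would add a comment such as `## Displaces /etc/pam.d/su; re-sync misc/pam.d_su.qubes when the distribution's file changes.` The header also attributes the file to Whonix, which is worth confirming for a file that lives in this repository.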
@@ -0,0 +1,66 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session optional pam_mail.so nopen
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# {{ Qubes specific modifications being here
+# Prevent 'su -' from asking for password in Debian [based] templates.
+# https://github.com/QubesOS/qubes-issues/issues/1128
+# Feel free to comment out the following line.
+auth sufficient pam_permit.so
+# }} Qubes specific modifications end here
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
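Review bot: The added `auth sufficient pam_permit.so` line lets every local account `su` to any other account, not only to root, without a password, while the comment above it describes only the prompt it removes. Because pam_permit always succeeds, the `@include common-auth` below is never consulted for `su`. Judging by the linked issue that appears to be the intent, but the file should say so and name the assumption it rests on. If the VM boundary is that assumption, I would extend the comment with something like `# Any user may su to any account without a password; isolation is expected to come from the VM boundary, not from accounts inside it.` If only some users need this, the narrower form already shown earlier in the file, `auth sufficient pam_wheel.so trust group=<GROUP>` (placeholder group name), keeps password checks for everyone else.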