From 665453da76d4c072852fc579cc035c98cc2cd477 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 13 Sep 2015 17:19:25 +0000
Subject: [PATCH 1/2] - Prevent 'su -' from asking for password in Debian [based] templates. Thanks to @unman and @marmarek for suggesting the fix! Fixes https://github.com/QubesOS/qubes-issues/issues/1128. - Changed 'ifeq (1,${DEBIANBUILD})' to 'ifeq ($(shell lsb_release -is), Debian)' to make the build work outside of Qubes Builder as well.
---
 Makefile | 5 +-
 debian/control | 5 +-
 debian/qubes-core-agent.displace | 5 ++
 debian/qubes-core-agent.displace-extension | 1 +
 debian/rules | 2 +-
 misc/pam.d_su.qubes | 66 ++++++++++++++++++++++
 6 files changed, 80 insertions(+), 4 deletions(-)
 create mode 100644 debian/qubes-core-agent.displace
 create mode 100644 debian/qubes-core-agent.displace-extension
 create mode 100644 misc/pam.d_su.qubes
diff --git a/Makefile b/Makefile
index b3a3c5a..2fe81ca 100644
--- a/Makefile
+++ b/Makefile
@@ -205,7 +205,8 @@ install-common:
 install -D -m 0755 misc/qubes-desktop-run $(DESTDIR)/usr/bin/qubes-desktop-run
 mkdir -p $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/
-ifeq (1,${DEBIANBUILD})
+
+ifeq ($(shell lsb_release -is), Debian)
 install -m 0644 misc/xdg.py $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/
 else
 install -m 0644 misc/xdg.py* $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/
@@ -230,5 +231,7 @@ install-deb: install-common install-systemd install-systemd-dropins
 install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
 install -D -m 644 misc/profile.d_qt_x11_no_mitshm.sh $(DESTDIR)/etc/profile.d/qt_x11_no_mitshm.sh
 install -D -m 440 misc/sudoers.d_umask $(DESTDIR)/etc/sudoers.d/umask
+ install -d $(DESTDIR)/etc/pam.d
+ install -m 0644 misc/pam.d_su.qubes $(DESTDIR)/etc/pam.d/su.qubes
 install-vm: install-rh install-common
diff --git a/debian/control b/debian/control
index bce4791..91b9f16 100644
--- a/debian/control
+++ b/debian/control
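Review bot: `ifeq ($(shell lsb_release -is), Debian)` replaces an explicit builder knob with a parse-time probe of the build host, and the probe is not robust: `$(shell …)` runs on every make invocation (including `make clean`), and where `lsb_release` is absent or the distributor ID is anything other than exactly `Debian` (Ubuntu and other derivatives, despite the "Debian [based]" in the commit message) the expansion is empty and the else branch is taken silently. A way to keep the auto-detection without losing the override is one default near the top of the file, `DEBIANBUILD ?= $(if $(filter Debian,$(shell lsb_release -is 2>/dev/null)),1,0)`, leaving this line as `ifeq (1,$(DEBIANBUILD))`. If other `DEBIANBUILD` conditionals remain elsewhere in the Makefile, they and this probe can now disagree; that part of the file is outside the hunk. `lsb-release` is a Build-Depends in debian/control, so the package build itself has the tool, but a bare `make install-deb` on another host is not covered.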
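Review bot: The two new install lines give no indication that `su.qubes` is not a stand-alone PAM service name but the replacement for `/etc/pam.d/su` wired in through config-package-dev (debian/qubes-core-agent.displace), nor that it makes `su` passwordless; a reader of the Makefile alone would take it for an unused file. A comment above them would carry that, e.g. `# su.qubes displaces /etc/pam.d/su via config-package-dev (see debian/qubes-core-agent.displace); it makes su passwordless in Debian templates.` Mode 0644 matches the distribution's own PAM files. The install-deb recipe continues outside the hunk.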
@@ -2,7 +2,7 @@ Source: qubes-core-agent
 Section: admin
 Priority: extra
 Maintainer: Davíð Steinn Geirsson
-Build-Depends: qubes-utils (>= 2.0.17), libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5), lsb-release
+Build-Depends: qubes-utils (>= 2.0.17), libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5), lsb-release, config-package-dev
 Standards-Version: 3.9.5
 Homepage: http://www.qubes-os.org
 Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git
@@ -56,7 +56,8 @@ Recommends: xsettingsd, yum, yum-utils
-Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}, qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
 Description: Qubes core agent
 This package includes various daemons necessary for qubes domU support, such as qrexec.
diff --git a/debian/qubes-core-agent.displace b/debian/qubes-core-agent.displace
new file mode 100644
index 0000000..7dde451
--- /dev/null
+++ b/debian/qubes-core-agent.displace
@@ -0,0 +1,5 @@
+## This file is part of Whonix.
+## Copyright (C) 2012 - 2014 Patrick Schleizer
+## See the file COPYING for copying conditions.
+
+/etc/pam.d/su.qubes
diff --git a/debian/qubes-core-agent.displace-extension b/debian/qubes-core-agent.displace-extension
new file mode 100644
index 0000000..7ff75d6
--- /dev/null
+++ b/debian/qubes-core-agent.displace-extension
@@ -0,0 +1 @@
+.qubes
diff --git a/debian/rules b/debian/rules
index eab1567..d8c7c1a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -8,7 +8,7 @@ include /usr/share/dpkg/default.mk
 export DESTDIR=$(shell pwd)/debian/qubes-core-agent
 %:
- dh $@ --with systemd
+ dh $@ --with systemd --with=config-package
 override_dh_auto_build:
 make all
diff --git a/misc/pam.d_su.qubes b/misc/pam.d_su.qubes
new file mode 100644
index 0000000..fdeda5f
--- /dev/null
+++ b/misc/pam.d_su.qubes
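Review bot: The header lines `## This file is part of Whonix.` / `## Copyright (C) 2012 - 2014 Patrick Schleizer` describe a different project and say nothing about what the file does, which matters because this is the only place the `su` diversion is declared. Replace them with a purpose comment, e.g. `# config-package-dev displace list: each path listed here carrying the .qubes extension (debian/qubes-core-agent.displace-extension) is installed in place of the distribution file of the same name without that extension.` Whether the three header lines are a leftover from Whonix packaging or meant as this file's licence notice cannot be told from the hunk; if the latter, the COPYING reference should point at a file in this repository.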
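Review bot: `dh $@ --with systemd --with=config-package` mixes two spellings of the same option on one line; dh takes a comma-separated addon list, so `dh $@ --with systemd,config-package` says the same in one consistent form. The rest of debian/rules, including whether the config-package addon needs anything further there, is outside the hunk.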
@@ -0,0 +1,66 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session optional pam_mail.so nopen
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+# {{ Qubes specific modifications being here
+# Prevent 'su -' from asking for password in Debian [based] templates.
+# https://github.com/QubesOS/qubes-issues/issues/1128
+# Feel free to comment out the following line.
+auth sufficient pam_permit.so
+# }} Qubes specific modifications end here
From e18a32d5087462ed33741eb13a5e85ab0fcfbcaf Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 13 Sep 2015 18:36:18 +0000
Subject: [PATCH 2/2] Fixed /etc/pam.d/su.qubes. (Moved line 'auth sufficient pam_permit.so' up. May not be low '@include' lines.)
---
 misc/pam.d_su.qubes | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/misc/pam.d_su.qubes b/misc/pam.d_su.qubes
index fdeda5f..99b6c22 100644
--- a/misc/pam.d_su.qubes
+++ b/misc/pam.d_su.qubes
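Review bot: The file carries no note of which Debian `/etc/pam.d/su` it was copied from, so once this copy displaces the distribution file, future upstream changes to it (new modules, hardening) are silently lost on every upgrade; add a header such as `# Copy of Debian's /etc/pam.d/su (login package, version <fill in>) plus the Qubes block; re-sync when the upstream file changes.` The Qubes comment block should also state the real scope of `auth sufficient pam_permit.so`: it satisfies the auth stack for any calling user switching to any account, not only `su -` to root, while the account and session includes still apply. Placement of the Qubes block relative to the `@include` lines is changed by the second patch of this series and is not at issue here. The whole file is new in this hunk.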
@@ -51,16 +51,16 @@ session optional pam_mail.so nopen
 # (Replaces the use of /etc/limits in old login)
 session required pam_limits.so
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session
-
 # {{ Qubes specific modifications being here
 # Prevent 'su -' from asking for password in Debian [based] templates.
 # https://github.com/QubesOS/qubes-issues/issues/1128
 # Feel free to comment out the following line.
 auth sufficient pam_permit.so
 # }} Qubes specific modifications end here
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
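Review bot: With `auth sufficient pam_permit.so` now ahead of `@include common-auth`, the auth phase of `su` succeeds for every calling user and every target account without consulting the modules in common-auth at all — broader than the "su -" the Qubes comment describes, and the comment should say so, e.g. `# Any user may su to any account without a password; only the account and session stacks below still run.` Where a narrower policy is wanted, the alternative already shown in the file's own commented-out lines fits better than pam_permit: `auth sufficient pam_wheel.so trust group=<admin-group>` limits the exemption to one group, and the Qubes comment could name it as the option next to commenting the line out. Nothing here concerns the reorder itself, which is what the commit does.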