From ccb9a5b992d63620d7b6cf30fd828b1054dbc79a Mon Sep 17 00:00:00 2001
From: Olivier MEDOC
Date: Tue, 26 Apr 2016 12:57:36 +0200
Subject: [PATCH] archlinux: fix remaining loginctl privilege issues with invalid pam.d configuration

---
 archlinux/PKGBUILD.install | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/archlinux/PKGBUILD.install b/archlinux/PKGBUILD.install
index 4f17442..4233c9a 100644
--- a/archlinux/PKGBUILD.install
+++ b/archlinux/PKGBUILD.install
@@ -214,22 +214,38 @@ grep -q "$APPENDLINE" "$FILE" || sed "/$APPENDAFTERLINE/a$APPENDLINE" -i "$FILE"
 update_finalize() {
+ # Archlinux specific: Prepare pacman.conf to add qubes specific config
+ QUBES_MARKER="### QUBES CONFIG MARKER ###"
+ config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "$QUBES_MARKER"
+
 # Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
- if [ -z "`cat /etc/pam.d/su | grep system-login`" ] ; then
+ # Also remove pam_unix.so from su configuration
+ # as system-login (which include system-auth) already gives pam_unix.so
+ # with more appropriate parameters (fix the missing nullok parameter)
+
+ if [ -n "`cat /etc/pam.d/su | grep pam_unix.so`" ] ; then
 echo "Fixing pam.d"
- sed '/auth\t\trequired\tpam_unix.so/aauth\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
- sed '/account\t\trequired\tpam_unix.so/aaccount\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
- sed '/session\t\trequired\tpam_unix.so/asession\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
+ cat < /etc/pam.d/su
+#%PAM-1.0
+auth sufficient pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth sufficient pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth required pam_wheel.so use_uid
+auth include system-login
+account include system-login
+session include system-login
+EOF
 cp /etc/pam.d/su /etc/pam.d/su-l
+
+ echo "Ensure pam.d will not be modified by archlinux package updates"
+ config_appendtomark '/etc/pacman.conf' "$QUBES_MARKER" 'NoUpgrade = etc/pam.d/su'
+ config_appendtomark '/etc/pacman.conf' "$QUBES_MARKER" 'NoUpgrade = etc/pam.d/su-l'
 fi

 # Archlinux specific: ensure tty1 is enabled
 rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
 systemctl enable getty\@tty1.service
-
- # Archlinux specific: Prepare pacman.conf to add qubes specific config
- QUBES_MARKER="### QUBES CONFIG MARKER ###"
- config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "$QUBES_MARKER"

 # Add Qubes setup script markers at the right place (this won't work at the end of pacman.conf)"
 config_appendtomark "/etc/pacman.conf" "$QUBES_MARKER" "### QUBES END ###"
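Review bot: The heredoc that rewrites /etc/pam.d/su truncates the live su PAM stack in place, so a write that fails or is interrupted part-way leaves su (and su-l, which the following `cp` copies from it) with an empty or partial policy, and nothing in the hunk checks the redirection's status. Writing the new stack to a temporary file inside /etc/pam.d and renaming it over the original keeps the old policy intact until the replacement is complete, and quoting the delimiter (`<<'EOF'`) makes it explicit that the PAM lines are taken literally. The opener appears here as `cat < /etc/pam.d/su`, presumably a rendering loss of `cat <<EOF > /etc/pam.d/su`, which is worth confirming against the actual commit. The guard could also be simplified to `if grep -q pam_unix.so /etc/pam.d/su ; then`, dropping the `cat | grep` pipeline inside backticks. update_finalize's closing brace lies outside the hunk.
```shell
        tmp=$(mktemp /etc/pam.d/su.XXXXXX) || return 1
        cat <<'EOF' > "$tmp"
# … unchanged: PAM stack lines (#%PAM-1.0 … session include system-login) …
EOF
        chmod --reference=/etc/pam.d/su -- "$tmp"
        mv -- "$tmp" /etc/pam.d/su || { rm -f -- "$tmp"; return 1; }
        cp /etc/pam.d/su /etc/pam.d/su-l
```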