archlinux: fix remaining loginctl privilege issues with invalid pam.d configuration

Olivier MEDOC 2016-04-26 12:57:36 +02:00
parent 437680b731
commit ccb9a5b992


@ -214,23 +214,39 @@ grep -q "$APPENDLINE" "$FILE" || sed "/$APPENDAFTERLINE/a$APPENDLINE" -i "$FILE"
update_finalize() {
# Archlinux specific: Prepare pacman.conf to add qubes specific config
QUBES_MARKER="### QUBES CONFIG MARKER ###"
config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "$QUBES_MARKER"
# Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
if [ -z "`cat /etc/pam.d/su | grep system-login`" ] ; then
# Also remove pam_unix.so from su configuration
# as system-login (which include system-auth) already gives pam_unix.so
# with more appropriate parameters (fix the missing nullok parameter)
if [ -n "`cat /etc/pam.d/su | grep pam_unix.so`" ] ; then
echo "Fixing pam.d"
sed '/auth\t\trequired\tpam_unix.so/aauth\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
sed '/account\t\trequired\tpam_unix.so/aaccount\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
sed '/session\t\trequired\tpam_unix.so/asession\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
cat <<EOF > /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-login
account include system-login
session include system-login
EOF
cp /etc/pam.d/su /etc/pam.d/su-l
echo "Ensure pam.d will not be modified by archlinux package updates"
config_appendtomark '/etc/pacman.conf' "$QUBES_MARKER" 'NoUpgrade = etc/pam.d/su'
config_appendtomark '/etc/pacman.conf' "$QUBES_MARKER" 'NoUpgrade = etc/pam.d/su-l'
fi
# Archlinux specific: ensure tty1 is enabled
rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
systemctl enable getty\@tty1.service
# Archlinux specific: Prepare pacman.conf to add qubes specific config
QUBES_MARKER="### QUBES CONFIG MARKER ###"
config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "$QUBES_MARKER"
# Add Qubes setup script markers at the right place (this won't work at the end of pacman.conf)"
config_appendtomark "/etc/pacman.conf" "$QUBES_MARKER" "### QUBES END ###"
config_appendtomark "/etc/pacman.conf" "$QUBES_MARKER" "### QUBES BEGIN ###"