archlinux: fix remaining loginctl privilege issues with invalid pam.d configuration
parent
437680b731
commit
ccb9a5b992
@ -214,23 +214,39 @@ grep -q "$APPENDLINE" "$FILE" || sed "/$APPENDAFTERLINE/a$APPENDLINE" -i "$FILE"
|
||||
|
||||
update_finalize() {
|
||||
|
||||
# Archlinux specific: Prepare pacman.conf to add qubes specific config
|
||||
QUBES_MARKER="### QUBES CONFIG MARKER ###"
|
||||
config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "$QUBES_MARKER"
|
||||
|
||||
# Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
|
||||
if [ -z "`cat /etc/pam.d/su | grep system-login`" ] ; then
|
||||
# Also remove pam_unix.so from su configuration
|
||||
# as system-login (which include system-auth) already gives pam_unix.so
|
||||
# with more appropriate parameters (fix the missing nullok parameter)
|
||||
|
||||
if [ -n "`cat /etc/pam.d/su | grep pam_unix.so`" ] ; then
|
||||
echo "Fixing pam.d"
|
||||
sed '/auth\t\trequired\tpam_unix.so/aauth\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
|
||||
sed '/account\t\trequired\tpam_unix.so/aaccount\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
|
||||
sed '/session\t\trequired\tpam_unix.so/asession\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
|
||||
cat <<EOF > /etc/pam.d/su
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
# Uncomment the following line to implicitly trust users in the "wheel" group.
|
||||
#auth sufficient pam_wheel.so trust use_uid
|
||||
# Uncomment the following line to require a user to be in the "wheel" group.
|
||||
#auth required pam_wheel.so use_uid
|
||||
auth include system-login
|
||||
account include system-login
|
||||
session include system-login
|
||||
EOF
|
||||
cp /etc/pam.d/su /etc/pam.d/su-l
|
||||
|
||||
echo "Ensure pam.d will not be modified by archlinux package updates"
|
||||
config_appendtomark '/etc/pacman.conf' "$QUBES_MARKER" 'NoUpgrade = etc/pam.d/su'
|
||||
config_appendtomark '/etc/pacman.conf' "$QUBES_MARKER" 'NoUpgrade = etc/pam.d/su-l'
|
||||
fi
|
||||
|
||||
# Archlinux specific: ensure tty1 is enabled
|
||||
rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
|
||||
systemctl enable getty\@tty1.service
|
||||
|
||||
# Archlinux specific: Prepare pacman.conf to add qubes specific config
|
||||
QUBES_MARKER="### QUBES CONFIG MARKER ###"
|
||||
config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "$QUBES_MARKER"
|
||||
|
||||
# Add Qubes setup script markers at the right place (this won't work at the end of pacman.conf)"
|
||||
config_appendtomark "/etc/pacman.conf" "$QUBES_MARKER" "### QUBES END ###"
|
||||
config_appendtomark "/etc/pacman.conf" "$QUBES_MARKER" "### QUBES BEGIN ###"
|
||||
|
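Review bot: The heredoc at `cat <<EOF > /etc/pam.d/su` replaces the whole su PAM stack with a hard-coded copy, and the two `NoUpgrade = etc/pam.d/su*` entries then pin it, so later packaged changes to su's authentication policy will not reach this template (pacman leaves them as `.pacnew`). I would add a comment above the heredoc, e.g. `# su/su-l are pinned via NoUpgrade below: review *.pacnew after PAM-related updates`, and state there that the `include system-login` lines deliberately inherit `nullok` from system-auth, since that lets accounts with an empty password authenticate. The guard `grep pam_unix.so` also matches commented-out lines and treats `.` as a wildcard; `grep -q '^[^#]*pam_unix\.so' /etc/pam.d/su` is tighter. The +/- markers are lost on this page, so which lines are new is inferred from the hunk counts, and update_finalize's body continues outside the hunk.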