Use pam-configs to override Debian PAM config

Instead of the old workaround that replaces the whole PAM config,
use Debian's framework (pam-configs) to add a rule for su. Enable it
for users in qubes group only.

PAM Config framework documentation:
  https://wiki.ubuntu.com/PAMConfigFrameworkSpec

Issue:
  QubesOS/qubes-issues#5799

Original PR this change is based on:
  QubesOS/qubes-core-agent-linux#171

debian/control

@@ -160,6 +160,7 @@ Description: NetworkManager integration for Qubes VM
 
 Package: qubes-core-agent-passwordless-root
 Architecture: any
+Depends: libpam-runtime
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Provides: ${diverted-files}

debian/qubes-core-agent-passwordless-root.install

@@ -1,4 +1,4 @@
 etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 etc/polkit-1/rules.d/00-qubes-allow-all.rules
-etc/pam.d/su.qubes
 etc/sudoers.d/qubes
+usr/share/pam-configs/su.qubes

debian/qubes-core-agent-passwordless-root.postinst

@@ -0,0 +1,31 @@
+#!/bin/bash
+# postinst script for qubes-core-agent-passwordless-root
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The postinst script may be called in the following ways:
+#   * <postinst> 'configure' <most-recently-configured-version>
+#   * <old-postinst> 'abort-upgrade' <new version>
+#   * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
+#     <new-version>
+#   * <postinst> 'abort-remove'
+#   * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
+#     <failed-install-package> <version> 'removing'
+#     <conflicting-package> <version>
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+pam-auth-update --package
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :

debian/qubes-core-agent-passwordless-root.prerm

@@ -0,0 +1,43 @@
+#!/bin/sh
+# prerm script for qubes-core-agent-passwordless-root
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The prerm script may be called in the following ways:
+#   * <prerm> 'remove'
+#   * <old-prerm> 'upgrade' <new-version>
+#   * <conflictor's-prerm> 'remove' 'in-favour' <package> <new-version>
+#   * <deconfigured's-prerm> 'deconfigure' 'in-favour' <package-being-installed>
+#     <version> [removing conflicting-package version]
+#
+#     The package whose prerm is being called will be at least "Half-Installed".
+# All package dependencies will at least be "Half-Installed" and will have
+# previously been configured and not removed. If there was no error, all
+# dependencies will at least be "Unpacked", but these actions may be called in
+# various error states where dependencies are only "Half-Installed" due to a
+# partial upgrade.
+#
+#   * <new-prerm> 'failed-upgrade' <old-version>
+#
+#     Called during error handling when prerm upgrade fails. The new package
+# will not yet be unpacked, and all the same constraints as for preinst
+# upgrade apply.
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "$1" = remove ]; then
+    pam-auth-update --package --remove su.qubes
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :

passwordless-root/debian/Makefile

@@ -1,7 +1,4 @@
-SYSCONFDIR ?= /etc
-PAMDIR ?= $(SYSCONFDIR)/pam.d
-
 .PHONY: install
 
 install:
-	install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes
+	install -D -m 0644 pam-configs_su.qubes $(DESTDIR)/usr/share/pam-configs/su.qubes

passwordless-root/debian/pam-configs_su.qubes

@@ -0,0 +1,6 @@
+Name: allow su without password (by package qubes-core-agent-passwordless-root)
+Default: yes
+Priority: 258
+Auth-Type: Primary
+Auth:
+	sufficient	pam_succeed_if.so	use_uid user ingroup qubes service in su:su-l

passwordless-root/debian/pam.d_su.qubes

@@ -1,66 +0,0 @@
-#
-# The PAM configuration file for the Shadow `su' service
-#
-
-# This allows root to su without passwords (normal operation)
-auth       sufficient pam_rootok.so
-
-# Uncomment this to force users to be a member of group root
-# before they can use `su'. You can also add "group=foo"
-# to the end of this line if you want to use a group other
-# than the default "root" (but this may have side effect of
-# denying "root" user, unless she's a member of "foo" or explicitly
-# permitted earlier by e.g. "sufficient pam_rootok.so").
-# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
-# auth       required   pam_wheel.so
-
-# Uncomment this if you want wheel members to be able to
-# su without a password.
-# auth       sufficient pam_wheel.so trust
-
-# Uncomment this if you want members of a specific group to not
-# be allowed to use su at all.
-# auth       required   pam_wheel.so deny group=nosu
-
-# Uncomment and edit /etc/security/time.conf if you need to set
-# time restrainst on su usage.
-# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
-# as well as /etc/porttime)
-# account    requisite  pam_time.so
-
-# This module parses environment configuration file(s)
-# and also allows you to use an extended config
-# file /etc/security/pam_env.conf.
-#
-# parsing /etc/environment needs "readenv=1"
-session       required   pam_env.so readenv=1
-# locale variables are also kept into /etc/default/locale in etch
-# reading this file *in addition to /etc/environment* does not hurt
-session       required   pam_env.so readenv=1 envfile=/etc/default/locale
-
-# Defines the MAIL environment variable
-# However, userdel also needs MAIL_DIR and MAIL_FILE variables
-# in /etc/login.defs to make sure that removing a user
-# also removes the user's mail spool file.
-# See comments in /etc/login.defs
-#
-# "nopen" stands to avoid reporting new mail when su'ing to another user
-session    optional   pam_mail.so nopen
-
-# Sets up user limits according to /etc/security/limits.conf
-# (Replaces the use of /etc/limits in old login)
-session    required   pam_limits.so
-
-# {{ Qubes specific modifications being here
-#    Prevent 'su -' from asking for password in Debian [based] templates.
-#    https://github.com/QubesOS/qubes-issues/issues/1128
-#    Feel free to comment out the following line.
-auth sufficient pam_permit.so
-# }} Qubes specific modifications end here
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session