Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use pam-configs to override Debian PAM config

Browse Source 
Instead of the old workaround that replaces the whole PAM config,
use Debian's framework (pam-configs) to add a rule for su. Enable it
for users in qubes group only.

PAM Config framework documentation:
  https://wiki.ubuntu.com/PAMConfigFrameworkSpec

Issue:
  QubesOS/qubes-issues#5799

Original PR this change is based on:
  QubesOS/qubes-core-agent-linux#171
This commit is contained in:
Paweł Marczewski 2020-05-07 14:10:04 +02:00
parent e52f4f1341
commit da2fa46551
No known key found for this signature in database
GPG Key ID: DE42EE9B14F96465
8 changed files with 83 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
debian/control vendored
View File

@ -160,6 +160,7 @@ Description: NetworkManager integration for Qubes VM
Package: qubes-core-agent-passwordless-root Package: qubes-core-agent-passwordless-root
Architecture: any Architecture: any
Depends: libpam-runtime
Replaces: qubes-core-agent (<< 4.0.0-1) Replaces: qubes-core-agent (<< 4.0.0-1)
Breaks: qubes-core-agent (<< 4.0.0-1) Breaks: qubes-core-agent (<< 4.0.0-1)
Provides: ${diverted-files} Provides: ${diverted-files}

2
debian/qubes-core-agent-passwordless-root.install vendored
View File

@ -1,4 +1,4 @@
etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
etc/polkit-1/rules.d/00-qubes-allow-all.rules etc/polkit-1/rules.d/00-qubes-allow-all.rules
etc/pam.d/su.qubes
etc/sudoers.d/qubes etc/sudoers.d/qubes
usr/share/pam-configs/su.qubes

31
debian/qubes-core-agent-passwordless-root.postinst vendored Normal file
View File

@ -0,0 +1,31 @@
#!/bin/bash
# postinst script for qubes-core-agent-passwordless-root
#
# see: dh_installdeb(1)
set -e
# The postinst script may be called in the following ways:
# * <postinst> 'configure' <most-recently-configured-version>
# * <old-postinst> 'abort-upgrade' <new version>
# * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
# <new-version>
# * <postinst> 'abort-remove'
# * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
# <failed-install-package> <version> 'removing'
# <conflicting-package> <version>
#
# For details, see http://www.debian.org/doc/debian-policy/ or
# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
# the debian-policy package
pam-auth-update --package
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0
# vim: set ts=4 sw=4 sts=4 et :

43
debian/qubes-core-agent-passwordless-root.prerm vendored Normal file
View File

@ -0,0 +1,43 @@
#!/bin/sh
# prerm script for qubes-core-agent-passwordless-root
#
# see: dh_installdeb(1)
set -e
# The prerm script may be called in the following ways:
# * <prerm> 'remove'
# * <old-prerm> 'upgrade' <new-version>
# * <conflictor's-prerm> 'remove' 'in-favour' <package> <new-version>
# * <deconfigured's-prerm> 'deconfigure' 'in-favour' <package-being-installed>
# <version> [removing conflicting-package version]
#
# The package whose prerm is being called will be at least "Half-Installed".
# All package dependencies will at least be "Half-Installed" and will have
# previously been configured and not removed. If there was no error, all
# dependencies will at least be "Unpacked", but these actions may be called in
# various error states where dependencies are only "Half-Installed" due to a
# partial upgrade.
#
# * <new-prerm> 'failed-upgrade' <old-version>
#
# Called during error handling when prerm upgrade fails. The new package
# will not yet be unpacked, and all the same constraints as for preinst
# upgrade apply.
#
# For details, see http://www.debian.org/doc/debian-policy/ or
# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
# the debian-policy package
if [ "$1" = remove ]; then
pam-auth-update --package --remove su.qubes
fi
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0
# vim: set ts=4 sw=4 sts=4 et :

0
debian/qubes-core-agent-passwordless-root.displace → debian/qubes-core-agent-passwordless-root.undisplace vendored
View File

5
passwordless-root/debian/Makefile
View File

@ -1,7 +1,4 @@
SYSCONFDIR ?= /etc
PAMDIR ?= $(SYSCONFDIR)/pam.d
.PHONY: install .PHONY: install
install: install:
install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes install -D -m 0644 pam-configs_su.qubes $(DESTDIR)/usr/share/pam-configs/su.qubes

6
passwordless-root/debian/pam-configs_su.qubes Normal file
View File

@ -0,0 +1,6 @@
Name: allow su without password (by package qubes-core-agent-passwordless-root)
Default: yes
Priority: 258
Auth-Type: Primary
Auth:
sufficient pam_succeed_if.so use_uid user ingroup qubes service in su:su-l

66
passwordless-root/debian/pam.d_su.qubes
View File

@ -1,66 +0,0 @@
#
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# {{ Qubes specific modifications being here
# Prevent 'su -' from asking for password in Debian [based] templates.
# https://github.com/QubesOS/qubes-issues/issues/1128
# Feel free to comment out the following line.
auth sufficient pam_permit.so
# }} Qubes specific modifications end here
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session