From e9f3414ef615e1be98e2d5b70c1957136d69bc44 Mon Sep 17 00:00:00 2001
From: Rafal Wojtczuk
Date: Thu, 20 May 2010 15:16:07 +0200
Subject: [PATCH] Lock out root and user passwords; provide passwordless login on the serial console

---
 common/qubes_eventd_serial | 42 ++++++++++++++++++++++++++++++++++++++
 common/qubes_serial_login | 7 +++++++
 rpm_spec/core-appvm.spec | 17 ++++++++++++++-
 rpm_spec/core-netvm.spec | 10 +++++++++
 4 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 common/qubes_eventd_serial
 create mode 100755 common/qubes_serial_login

diff --git a/common/qubes_eventd_serial b/common/qubes_eventd_serial
new file mode 100644
index 0000000..dba1f32
--- /dev/null
+++ b/common/qubes_eventd_serial
@@ -0,0 +1,42 @@
+# Automatically start a configured serial console
+#
+# How this works:
+#
+# On boot, a udev helper examines /dev/console. If a serial console is the
+# primary console (last console on the commandline in grub), the event
+# 'fedora.serial-console-available ' is emitted, which
+# triggers this script. It waits for the runlevel to finish, ensures
+# the proper port is in /etc/securetty, and starts the getty.
+#
+# If your serial console is not the primary console, or you want a getty
+# on serial even if it's not the console, create your own event by copying
+# /etc/event.d/tty[2-6], and changing the getty line in that file.
+
+start on fedora.serial-console-available *
+stop on runlevel [016]
+
+instance
+pre-start script
+ while /bin/true ; do
+ LANG=C /sbin/initctl status rcS | grep -wq "rcS (stop) waiting" && break
+ sleep 1
+ done
+ while /bin/true ; do
+ runlevel=$(/sbin/runlevel | /bin/awk '{ print $2 }')
+ case "$runlevel" in
+ 2|3|4|5)
+ LANG=C /sbin/initctl status rc$runlevel | grep -wq "rc$runlevel (stop) waiting" && break
+ ;;
+ *)
+ ;;
+ esac
+ sleep 1
+ done
+ /sbin/securetty $1
+end script
+exec /sbin/agetty -l /sbin/qubes_serial_login /dev/$1 $2 vt100-nav
+post-stop script
+ if [ "$UPSTART_EVENT" != "${UPSTART_EVENT##fedora.serial-console-available}" ]; then
+ initctl emit --no-wait fedora.serial-console-available $1 $2
+ fi
+end script
diff --git a/common/qubes_serial_login b/common/qubes_serial_login
new file mode 100755
index 0000000..09f6802
--- /dev/null
+++ b/common/qubes_serial_login
@@ -0,0 +1,7 @@
+#!/bin/sh
+if /bin/ls -l /proc/self/fd/0 | grep -q /dev/hvc0 ; then
+ exec su - $2
+ exit
+else
+ exec /bin/login "$@"
+fi
diff --git a/rpm_spec/core-appvm.spec b/rpm_spec/core-appvm.spec
index bf02b5f..5961b0a 100644
--- a/rpm_spec/core-appvm.spec
+++ b/rpm_spec/core-appvm.spec
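Review bot: The only line that differs from the stock Fedora job is `exec /sbin/agetty -l /sbin/qubes_serial_login /dev/$1 $2 vt100-nav`, yet the thirteen-line header comment still describes the stock behaviour and nothing marks the security-relevant substitution, which deserves a comment directly above the exec. I would add `# Qubes: -l replaces /bin/login with qubes_serial_login, which skips the password prompt when this getty runs on hvc0 (the Xen console, reachable from dom0 only); any other port still gets /bin/login.` The placeholders after `fedora.serial-console-available` in the seventh comment line appear to have been lost (the original presumably read `<port> <speed>`), and restoring them matters because `$1 $2` in the exec and post-stop lines refer to exactly those values. Since the spec hunks below copy this file over /etc/event.d/serial from a `%triggerin` rather than owning it as `%config`, a closing comment noting that local edits to /etc/event.d/serial are overwritten whenever initscripts is installed or upgraded would save the next administrator a surprise.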
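Review bot: The check that decides whether to skip the password prompt is `grep -q /dev/hvc0` over `ls -l` output, a substring match on a human-readable listing, and `$2` reaches `su` unquoted; compare the resolved stdin path exactly and quote the name, and drop the `exit` after `exec su`, which is unreachable. agetty's `-l` invocation appears to pass `-- <name>`, which is why `$2` is the name typed at the prompt — that deserves a comment, as does the fact that the bypass works only because agetty runs this script as root (su presumably skips authentication for root; confirm against the VM's PAM stack), so the script must never be installed setuid or invoked from anything but the getty. Rewritten with an exact path comparison and the contract spelled out:
```shell
#!/bin/sh
# Passwordless shell on the Xen console only (hvc0, reachable from dom0 alone);
# every other tty still goes through /bin/login. agetty -l hands us "-- <name>",
# so $2 is the name typed at the prompt. The bypass relies on agetty running us
# as root (su normally does not authenticate root) -- never call this any other way.
if [ "$(readlink /proc/self/fd/0)" = "/dev/hvc0" ]; then
	exec su - "$2"
fi
exec /bin/login "$@"
```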
@@ -69,10 +69,23 @@ mkdir -p $RPM_BUILD_ROOT/mnt/outgoing
 mkdir -p $RPM_BUILD_ROOT/mnt/removable
 mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
 cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
+mkdir -p $RPM_BUILD_ROOT/sbin
+cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
+mkdir -p $RPM_BUILD_ROOT/etc
+cp ../common/qubes_eventd_serial $RPM_BUILD_ROOT/etc/
+
+%triggerin -- initscripts
+cp /etc/qubes_eventd_serial /etc/event.d/serial
 %post
+usermod -L root
+usermod -L user
+if ! [ -f /var/lib/qubes/serial.orig ] ; then
+ cp /etc/event.d/serial /var/lib/qubes/serial.orig
+fi
+
 if [ "$1" != 1 ] ; then
 # do this whole %post thing only when updating for the first time...
 exit 0
@@ -132,7 +145,6 @@ do
 mv $f /var/lib/qubes/removed-udev-scripts/
 done
-
 mkdir -p /rw
 #rm -f /etc/mtab
 echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
@@ -145,6 +157,7 @@ if [ "$1" = 0 ] ; then
 chkconfig qubes_core off
 mv /var/lib/qubes/fstab.orig /etc/fstab
 mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+ mv /var/lib/qubes/serial.orig /etc/event.d
 fi
 %clean
@@ -166,3 +179,5 @@ rm -rf $RPM_BUILD_ROOT
 %dir /mnt/outgoing
 %dir /mnt/removable
 /etc/yum.repos.d/qubes.repo
+/sbin/qubes_serial_login
+/etc/qubes_eventd_serial
diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec
index 7ee2fa8..3349aac 100644
--- a/rpm_spec/core-netvm.spec
+++ b/rpm_spec/core-netvm.spec
@@ -63,6 +63,13 @@ mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 cp qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
 cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
+mkdir -p $RPM_BUILD_ROOT/sbin
+cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
+mkdir -p $RPM_BUILD_ROOT/etc
+cp ../common/qubes_eventd_serial $RPM_BUILD_ROOT/etc/
+
+%triggerin -- initscripts
+cp /etc/qubes_eventd_serial /etc/event.d/serial
 %post
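Review bot: `usermod -L root` and `usermod -L user` sit above the `if [ "$1" != 1 ]` guard, so they re-run on every upgrade of this package and re-lock accounts an administrator may have deliberately unlocked, and neither call is checked, so a failure (for instance `user` not existing yet at this point of %post, which the hunk cannot confirm either way) passes silently. If re-locking on every update is intended, say so in a comment and surface failures, `usermod -L root || echo "warning: could not lock root" >&2` and likewise for `user`; otherwise move both calls under the first-install branch. `-L` only disables password authentication — it leaves ssh keys and root's ability to `su` without a password untouched, which is exactly what the serial-console path in this commit relies on — and a one-line comment saying so would stop a later reader from "fixing" it. The `serial.orig` backup captures whatever is in /etc/event.d/serial when %post runs, which is the distro file only if rpm runs %post before this package's own `%triggerin` (I believe it does, but the comment should state the assumption), and the `cp` should be checked so that a missing /etc/event.d/serial does not leave the removal path with nothing to restore.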
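Review bot: `mv /var/lib/qubes/serial.orig /etc/event.d` names a directory as its target, so the backup lands at /etc/event.d/serial.orig while the Qubes job in /etc/event.d/serial — the one that hands out a passwordless shell on hvc0 — survives package removal, and upstart presumably also picks up the stray `serial.orig` file as a job of its own. The two `mv` lines above it spell out the full destination and this one should too: `mv /var/lib/qubes/serial.orig /etc/event.d/serial`. Nothing in this block reverses the `usermod -L` calls from %post either; if that is deliberate (a still-locked account is the safer failure), a comment saying so is worth adding. The `if [ "$1" = 0 ]` block is visible in full, but the scriptlet it belongs to starts above the hunk.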
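Review bot: core-netvm.spec receives the same `%triggerin -- initscripts` copy of the passwordless-serial job, but unlike core-appvm.spec in this commit its %post gains neither the `usermod -L root`/`usermod -L user` calls nor the `serial.orig` backup — the diffstat's ten NetVM additions are all accounted for by this hunk and the two that follow — so the commit title holds for AppVMs only, and the removal hunk later tries to restore a backup that a NetVM never makes. Either add the same block after `%post` here or document why the NetVM is exempt; the `%post` line ends the hunk and its body continues below it. Proposed addition, mirroring the AppVM spec:
```rpmspec
%post
usermod -L root
usermod -L user
if ! [ -f /var/lib/qubes/serial.orig ] ; then
	cp /etc/event.d/serial /var/lib/qubes/serial.orig
fi
# ... unchanged: rest of %post ...
```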
@@ -144,6 +151,7 @@ if [ "$1" = 0 ] ; then
 chkconfig qubes_core off
 mv /var/lib/qubes/fstab.orig /etc/fstab
 mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+ mv /var/lib/qubes/serial.orig /etc/event.d
 fi
 %clean
@@ -159,3 +167,5 @@ rm -rf $RPM_BUILD_ROOT
 /etc/dhclient.d/qubes_setup_dnat_to_ns.sh
 /etc/NetworkManager/dispatcher.d/qubes_nmhook
 /etc/yum.repos.d/qubes.repo
+/sbin/qubes_serial_login
+/etc/qubes_eventd_serial
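Review bot: As in core-appvm.spec, `mv /var/lib/qubes/serial.orig /etc/event.d` targets the directory, so even when the backup exists it becomes /etc/event.d/serial.orig and the Qubes `serial` job with the passwordless hvc0 login outlives the package; and in this spec the backup is never created — no hunk of the NetVM diff writes serial.orig — so on a NetVM the `mv` just fails with an error. Fix the destination and make the restore conditional on the backup actually existing, `[ -f /var/lib/qubes/serial.orig ] && mv /var/lib/qubes/serial.orig /etc/event.d/serial`, or better, add the backup to this spec's %post so the restore has something to work with. The scriptlet containing this `if [ "$1" = 0 ]` block starts above the hunk.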