Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Lock out root and user passwords; provide passwordless login on the serial console

Browse Source
This commit is contained in:
Rafal Wojtczuk 2010-05-20 15:16:07 +02:00 committed by Joanna Rutkowska
parent 940cae99d6
commit e9f3414ef6
4 changed files with 75 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
common/qubes_eventd_serial Normal file
View File

@ -0,0 +1,42 @@
# Automatically start a configured serial console
#
# How this works:
#
# On boot, a udev helper examines /dev/console. If a serial console is the
# primary console (last console on the commandline in grub), the event
# 'fedora.serial-console-available <port name> <speed>' is emitted, which
# triggers this script. It waits for the runlevel to finish, ensures
# the proper port is in /etc/securetty, and starts the getty.
#
# If your serial console is not the primary console, or you want a getty
# on serial even if it's not the console, create your own event by copying
# /etc/event.d/tty[2-6], and changing the getty line in that file.
start on fedora.serial-console-available *
stop on runlevel [016]
instance
pre-start script
while /bin/true ; do
LANG=C /sbin/initctl status rcS | grep -wq "rcS (stop) waiting" && break
sleep 1
done
while /bin/true ; do
runlevel=$(/sbin/runlevel | /bin/awk '{ print $2 }')
case "$runlevel" in
2|3|4|5)
LANG=C /sbin/initctl status rc$runlevel | grep -wq "rc$runlevel (stop) waiting" && break
;;
*)
;;
esac
sleep 1
done
/sbin/securetty $1
end script
exec /sbin/agetty -l /sbin/qubes_serial_login /dev/$1 $2 vt100-nav
post-stop script
if [ "$UPSTART_EVENT" != "${UPSTART_EVENT##fedora.serial-console-available}" ]; then
initctl emit --no-wait fedora.serial-console-available $1 $2
fi
end script

7
common/qubes_serial_login Executable file
View File

@ -0,0 +1,7 @@
#!/bin/sh
if /bin/ls -l /proc/self/fd/0 | grep -q /dev/hvc0 ; then
exec su - $2
exit
else
exec /bin/login "$@"
fi

17
rpm_spec/core-appvm.spec
View File

@ -69,10 +69,23 @@ mkdir -p $RPM_BUILD_ROOT/mnt/outgoing
mkdir -p $RPM_BUILD_ROOT/mnt/removable mkdir -p $RPM_BUILD_ROOT/mnt/removable
mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
mkdir -p $RPM_BUILD_ROOT/sbin
cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
mkdir -p $RPM_BUILD_ROOT/etc
cp ../common/qubes_eventd_serial $RPM_BUILD_ROOT/etc/
%triggerin -- initscripts
cp /etc/qubes_eventd_serial /etc/event.d/serial
%post %post
usermod -L root
usermod -L user
if ! [ -f /var/lib/qubes/serial.orig ] ; then
cp /etc/event.d/serial /var/lib/qubes/serial.orig
fi
if [ "$1" != 1 ] ; then if [ "$1" != 1 ] ; then
# do this whole %post thing only when updating for the first time... # do this whole %post thing only when updating for the first time...
exit 0 exit 0
@ -132,7 +145,6 @@ do
mv $f /var/lib/qubes/removed-udev-scripts/ mv $f /var/lib/qubes/removed-udev-scripts/
done done
mkdir -p /rw mkdir -p /rw
#rm -f /etc/mtab #rm -f /etc/mtab
echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
@ -145,6 +157,7 @@ if [ "$1" = 0 ] ; then
chkconfig qubes_core off chkconfig qubes_core off
mv /var/lib/qubes/fstab.orig /etc/fstab mv /var/lib/qubes/fstab.orig /etc/fstab
mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
mv /var/lib/qubes/serial.orig /etc/event.d
fi fi
%clean %clean
@ -166,3 +179,5 @@ rm -rf $RPM_BUILD_ROOT
%dir /mnt/outgoing %dir /mnt/outgoing
%dir /mnt/removable %dir /mnt/removable
/etc/yum.repos.d/qubes.repo /etc/yum.repos.d/qubes.repo
/sbin/qubes_serial_login
/etc/qubes_eventd_serial

10
rpm_spec/core-netvm.spec
View File

@ -63,6 +63,13 @@ mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
cp qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ cp qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
mkdir -p $RPM_BUILD_ROOT/sbin
cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
mkdir -p $RPM_BUILD_ROOT/etc
cp ../common/qubes_eventd_serial $RPM_BUILD_ROOT/etc/
%triggerin -- initscripts
cp /etc/qubes_eventd_serial /etc/event.d/serial
%post %post
@ -144,6 +151,7 @@ if [ "$1" = 0 ] ; then
chkconfig qubes_core off chkconfig qubes_core off
mv /var/lib/qubes/fstab.orig /etc/fstab mv /var/lib/qubes/fstab.orig /etc/fstab
mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
mv /var/lib/qubes/serial.orig /etc/event.d
fi fi
%clean %clean
@ -159,3 +167,5 @@ rm -rf $RPM_BUILD_ROOT
/etc/dhclient.d/qubes_setup_dnat_to_ns.sh /etc/dhclient.d/qubes_setup_dnat_to_ns.sh
/etc/NetworkManager/dispatcher.d/qubes_nmhook /etc/NetworkManager/dispatcher.d/qubes_nmhook
/etc/yum.repos.d/qubes.repo /etc/yum.repos.d/qubes.repo
/sbin/qubes_serial_login
/etc/qubes_eventd_serial