Demi Marie Obenour
16f48b6298
Only give the “qubes” group full Polkit access
...
This is consistent with the rest of qubes-core-agent-passwordless-root,
and helps prevent sandbox escapes by daemons with dbus access.
2020-12-24 15:46:08 -05:00
Peter Gerber
42fb54da20
passwordless-root: sudo: grant access for group qubes
...
For consistency with `su` and policykit, grant access to group
qubes rather than user user.
2020-09-13 14:17:06 +00:00
Peter Gerber
a8b29c3fa6
passwordless-root: policykit: restrict access to group qubes
...
Without this restriction system users can start processes with
root privileges:
    $ sudo -u mail systemd-run --pipe -q id
    uid=0(root) gid=0(root) groups=0(root)
2020-09-13 14:16:07 +00:00
Paweł Marczewski
969ec301d5
Override PAM config for su in RPM package
...
In Red Hat-based distributions, there is no pam-configs-like
mechanism (authselect seems too heavy and is not configured by
default), so instead, we replace the PAM file.
Enable su for users in the qubes group, same as in the Debian
package.
2020-05-07 17:01:02 +02:00
Paweł Marczewski
da2fa46551
Use pam-configs to override Debian PAM config
...
Instead of the old workaround that replaces the whole PAM config,
use Debian's framework (pam-configs) to add a rule for su. Enable it
for users in qubes group only.
PAM Config framework documentation:
https://wiki.ubuntu.com/PAMConfigFrameworkSpec
Issue:
QubesOS/qubes-issues#5799
Original PR this change is based on:
QubesOS/qubes-core-agent-linux#171
2020-05-07 15:31:47 +02:00
Amadeusz Piotr Żołnowski
4de377bc3b
Split items in misc directory by topic
2020-02-04 23:59:09 +00:00