Override PAM config for su in RPM package
In Red Hat based distributions, there is no pam-configs-like mechanism (authselect seems too heavy and is not configured by default), so instead, we replace the PAM file. Enable su for users in the qubes group, same as in the Debian package.
Showing
6 changed files
with
50 additions
and
8 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,20 @@ | ||
SYSCONFDIR ?= /etc | ||
SUDOERSDIR = $(SYSCONFDIR)/sudoers.d | ||
POLKIT1DIR = $(SYSCONFDIR)/polkit-1 | ||
PAMDIR = $(SYSCONFDIR)/pam.d | ||
PAMCONFIGSDIR = /usr/share/pam-configs/ | ||
|
||
.PHONY: install | ||
.PHONY: install install-debian install-rh | ||
|
||
install: | ||
install -d -m 0750 $(DESTDIR)$(SUDOERSDIR) | ||
install -D -m 0440 qubes.sudoers $(DESTDIR)$(SUDOERSDIR)/qubes | ||
install -D -m 0644 polkit-1-qubes-allow-all.pkla $(DESTDIR)$(POLKIT1DIR)/localauthority/50-local.d/qubes-allow-all.pkla | ||
install -d -m 0750 $(DESTDIR)$(POLKIT1DIR)/rules.d | ||
install -D -m 0644 polkit-1-qubes-allow-all.rules $(DESTDIR)$(POLKIT1DIR)/rules.d/00-qubes-allow-all.rules | ||
|
||
install-rh: | ||
install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes | ||
|
||
install-debian: | ||
install -D -m 0644 pam-configs_su.qubes $(DESTDIR)$(PAMCONFIGSDIR)/su.qubes |
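Review bot: The `install-rh` recipe writes to `$(DESTDIR)$(PAMDIR)/su.qubes`, a service name PAM will not consult for `su`, and nothing in this Makefile shows how that file becomes the active config. Presumably the RPM packaging swaps it into place, but that step is not visible in this section. A comment above the target would make the dependency explicit, e.g. `# Staged as su.qubes; RPM packaging is expected to put it in place of $(PAMDIR)/su`. Separately, `PAMCONFIGSDIR = /usr/share/pam-configs/` ends in a slash and is then joined with `/su.qubes`, so the destination gets a doubled slash; dropping the trailing slash would match the other directory variables.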
This file was deleted.
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
#%PAM-1.0 | ||
auth sufficient pam_rootok.so | ||
# Uncomment the following line to implicitly trust users in the "wheel" group. | ||
#auth sufficient pam_wheel.so trust use_uid | ||
# Uncomment the following line to require a user to be in the "wheel" group. | ||
#auth required pam_wheel.so use_uid | ||
|
||
# {{ Qubes specific modifications begin here | ||
# Prevent su from asking for password | ||
# (by package qubes-core-agent-passwordless-root). | ||
auth sufficient pam_succeed_if.so use_uid user ingroup qubes | ||
# }} Qubes specific modifications end here | ||
|
||
auth substack system-auth | ||
auth include postlogin | ||
account sufficient pam_succeed_if.so uid = 0 use_uid quiet | ||
account include system-auth | ||
password include system-auth | ||
session include system-auth | ||
session include postlogin | ||
session optional pam_xauth.so |
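Review bot: The comment above `auth sufficient pam_succeed_if.so use_uid user ingroup qubes` understates the line's scope: because it sits ahead of `system-auth` and uses `use_uid`, it passes authentication for any caller in group `qubes` whatever the target account, so membership of that group is root-equivalent. I would extend the comment to say so, e.g. `# Any caller in group qubes may su to any account without a password; treat group membership as root-equivalent.` Since the commit description says this file replaces the distribution's `su` PAM file, a header comment naming the stock file and version it was copied from would also help, so later changes to the stock stack can be merged rather than silently dropped.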