fix, forbid non-root users using 'su' #171
(this changes nothing related to Qubes default passwordless sudo)
Port to /usr/share/pam-configs, see QubesOS/qubes-issues#1128
Codecov Report

Coverage diff, master vs. #171:
  Coverage: 65.48% -> 65.48% (no change)
  Files:    2 -> 2
  Lines:    394 -> 394
  Hits:     258 -> 258
  Misses:   136 -> 136

Continue to review full report at Codecov.
Can you make file misc/passwordless end up in package qubes-core-agent-passwordless-root as /usr/share/pam-configs/passwordless? It's enough to add it to debian/qubes-core-agent-passwordless-root.install. Note that right now, the package build fails, because this file isn't mentioned by any debian/*.install.
But even with the above handled, this behaves strangely:
- `su -` from a user logged in on xl console works - switches to root without a password prompt
- `su -` from a user on xterm/gnome-terminal prompts for the password
I don't see why it's happening.
With or without package security-misc installed? security-misc has higher priority. This interaction isn't perfectly sorted out yet. Perhaps qubes-core-agent-passwordless-root should have higher priority.

Just now tested again: comment out "auth sufficient pam_permit.so" from /etc/pam.d/su, add file "passwordless" to /usr/share/pam-configs/passwordless and then run `sudo pam-auth-update --package`. Works both for me.
Without security-misc. I think I know what is going on here:

What about using This would allow passwordless login on xl console to any user (including

On the other hand, it will allow anything running on

That would make package Not great, but may be better than the very bad implementation right now that any non-root user is allowed to use su, as a temporary solution if we cannot think of a proper solution and/or move towards QubesOS/qubes-issues#2695. My end goal is purging
Instead of the old workaround that replaces the whole PAM config, use Debian's framework (pam-configs) to add a rule for su. Enable it for users in qubes group only.
PAM Config framework documentation: https://wiki.ubuntu.com/PAMConfigFrameworkSpec
Issue: QubesOS/qubes-issues#5799
Original PR this change is based on: QubesOS#171

This is handled in #228
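The security difference between the two approaches discussed in this thread (an unconditional `auth sufficient pam_permit.so` line for su versus a pam-configs rule that only exempts members of the qubes group) comes down to what the granting line in the `Auth:` block checks. The following audit script is an added example, not code from this PR or from the Qubes project; both profile texts are constructed for illustration, and the `use_uid` argument to pam_succeed_if.so matters because for su the "user" being authenticated is root, not the caller.

```python
"""Classify how a pam-configs 'Auth:' block grants passwordless root for su.

Added example, not code from qubes-core-agent-linux. Profile texts are
constructed; the real contents of misc/passwordless are not on this page.
"""
import re

# Constructed: the old approach. 'sufficient pam_permit.so' lets any caller
# of su become root without a password.
WEAK_PROFILE = """\
Name: Passwordless root (constructed example)
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
\tsufficient\tpam_permit.so
"""

# Constructed: limit the bypass to callers in the 'qubes' group.
# 'use_uid' makes pam_succeed_if test the invoking user, not the target (root).
RESTRICTED_PROFILE = """\
Name: Passwordless root for qubes group (constructed example)
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
\t[success=done default=ignore]\tpam_succeed_if.so use_uid user ingroup qubes
"""

def auth_lines(profile: str) -> list[tuple[str, str, list[str]]]:
    """Return (control, module, args) for each line under the 'Auth:' header."""
    lines, in_auth = [], False
    for raw in profile.splitlines():
        if re.match(r"^[A-Za-z-]+:", raw):  # any 'Key:' header line
            in_auth = raw.startswith("Auth:")
            continue
        if in_auth and raw.strip():
            # control is either one word or a bracketed expression with spaces
            m = re.match(r"^\s*(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", raw)
            control, module, rest = m.groups()
            lines.append((control, module, rest.split()))
    return lines

def classify(profile: str) -> str:
    """'unconditional', 'group-of-caller', 'group-of-target' or 'password-required'."""
    for control, module, args in auth_lines(profile):
        grants = control == "sufficient" or "success=done" in control
        if not grants:
            continue
        if module == "pam_permit.so":
            return "unconditional"
        if module == "pam_succeed_if.so" and "ingroup" in args:
            return "group-of-caller" if "use_uid" in args else "group-of-target"
    return "password-required"
```

A profile classified as "group-of-target" would test whether root is in the qubes group rather than the caller, which is the kind of mistake that makes su behave differently from what the profile author intended.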
fix, forbid non-root users using 'su'

(this changes nothing related to Qubes default passwordless sudo)
Port to /usr/share/pam-configs, see QubesOS/qubes-issues#1128 (comment)

Untested.