Clean up root access #228

Merged
merged 4 commits into from
May 9, 2020

@pwmarcz pwmarcz commented May 6, 2020

See QubesOS/qubes-issues#5799.

Use an option to agetty:
  https://wiki.archlinux.org/index.php/Getty#Automatic_login_to_virtual_console

The --login-pause causes agetty to wait for Enter key. This is
important, because otherwise the root session prevents systemd from
shutting down, and probably causes other side effects.
See QubesOS/qubes-issues#5799.

Undo the change to empty password previously performed by that
package.
@codecov codecov bot commented May 6, 2020

Codecov Report

Merging #228 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #228   +/-   ##
=======================================
  Coverage   72.65%   72.65%           
=======================================
  Files           3        3           
  Lines         512      512           
=======================================
  Hits          372      372           
  Misses        140      140           

Powered by Codecov. Last update f023afd...969ec30. Read the comment docs.

Instead of the old workaround that replaces the whole PAM config,
use Debian's framework (pam-configs) to add a rule for su. Enable it
for users in qubes group only.

PAM Config framework documentation:
  https://wiki.ubuntu.com/PAMConfigFrameworkSpec

Issue:
  QubesOS/qubes-issues#5799

Original PR this change is based on:
  QubesOS#171

@pwmarcz pwmarcz changed the title from "WIP: Clean up root access" to "Clean up root access" May 7, 2020

In Red Hat based distributions, there is no pam-configs-like
mechanism (authselect seems too heavy and is not configured by
default), so instead, we replace the PAM file.

Enable su for users in the qubes group, same as in the Debian
package.
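
An added example, not code from this pull request or from the Qubes packages: a small audit of the three settings the commit messages above touch (an empty root password, agetty autologin without `--login-pause`, and a passwordless `su` PAM rule that is not limited to the qubes group). The function names, the sample lines and the exact PAM rule text are assumptions constructed for illustration.

```python
import shlex

def empty_password_accounts(shadow_text):
    """Accounts whose shadow password field is empty, i.e. no password needed."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names

def autologin_without_pause(exec_start):
    """True if agetty auto-logs a user in without waiting for Enter first."""
    args = shlex.split(exec_start)
    autologin = any(a in ("-a", "--autologin") or a.startswith("--autologin=")
                    for a in args)
    pause = any(a in ("-p", "--login-pause") for a in args)
    return autologin and not pause

def ungated_passwordless_rules(pam_text, group="qubes"):
    """'auth sufficient' rules that grant access without requiring `group`."""
    flagged = []
    for line in pam_text.splitlines():
        tok = line.split("#", 1)[0].split()  # drop trailing comments
        if len(tok) < 3 or tok[:2] != ["auth", "sufficient"]:
            continue
        module, args = tok[2], tok[3:]
        gated = any(args[i:i + 3] == ["user", "ingroup", group]
                    for i in range(len(args)))
        if module == "pam_permit.so" or (module == "pam_succeed_if.so" and not gated):
            flagged.append(" ".join(tok))
    return flagged

# Constructed sample inputs (not taken from the PR or the Qubes packages).
SHADOW = "root::18388:0:99999:7:::\nuser:!:18388:0:99999:7:::\n"
GETTY_NO_PAUSE = "-/sbin/agetty --autologin root --noclear %I $TERM"
GETTY_PAUSE = "-/sbin/agetty --autologin root --login-pause --noclear %I $TERM"
PAM_SU = """\
auth sufficient pam_rootok.so
auth sufficient pam_succeed_if.so use_uid user ingroup qubes
auth sufficient pam_permit.so   # constructed: no group condition
"""

if __name__ == "__main__":
    print(empty_password_accounts(SHADOW))
    print(autologin_without_pause(GETTY_NO_PAUSE), autologin_without_pause(GETTY_PAUSE))
    print(ungated_passwordless_rules(PAM_SU))
```

The agetty check only recognises flags given as separate arguments, not combined short options.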