Clean up root access

Makefile

@@ -54,7 +54,7 @@ USER_DROPIN_DIR ?= "usr/lib/systemd/user"
 
 SYSTEM_DROPINS := boot.automount chronyd.service crond.service
 SYSTEM_DROPINS += cups.service cups-browsed.service cups.path cups.socket ModemManager.service
-SYSTEM_DROPINS += getty@tty.service
+SYSTEM_DROPINS += getty@tty.service serial-getty@.service
 SYSTEM_DROPINS += tmp.mount
 SYSTEM_DROPINS += org.cups.cupsd.service org.cups.cupsd.path org.cups.cupsd.socket
 SYSTEM_DROPINS += systemd-random-seed.service

archlinux/PKGBUILD.install

@@ -35,7 +35,7 @@ pre_install() {
     # Add qubes core related fstab entries
     echo "xen	/proc/xen	xenfs	defaults	0 0" >> /etc/fstab
 
-    usermod -p '' root
+    usermod -L root
     usermod -L user
 }
 

debian/control

@@ -160,6 +160,7 @@ Description: NetworkManager integration for Qubes VM
 
 Package: qubes-core-agent-passwordless-root
 Architecture: any
+Depends: libpam-runtime
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Provides: ${diverted-files}

debian/qubes-core-agent-passwordless-root.install

@@ -1,4 +1,4 @@
 etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 etc/polkit-1/rules.d/00-qubes-allow-all.rules
-etc/pam.d/su.qubes
 etc/sudoers.d/qubes
+usr/share/pam-configs/su.qubes

debian/qubes-core-agent-passwordless-root.postinst

@@ -0,0 +1,31 @@
+#!/bin/bash
+# postinst script for qubes-core-agent-passwordless-root
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The postinst script may be called in the following ways:
+#   * <postinst> 'configure' <most-recently-configured-version>
+#   * <old-postinst> 'abort-upgrade' <new version>
+#   * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
+#     <new-version>
+#   * <postinst> 'abort-remove'
+#   * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
+#     <failed-install-package> <version> 'removing'
+#     <conflicting-package> <version>
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+pam-auth-update --package
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :

debian/qubes-core-agent-passwordless-root.preinst

@@ -33,8 +33,8 @@ set -e
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 
-if [ "$1" = "install" ] ; then
-    usermod -p '' root
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
+    usermod -L root
 fi
 
 # dh_installdeb will replace this with shell code automatically

debian/qubes-core-agent-passwordless-root.prerm

@@ -0,0 +1,43 @@
+#!/bin/sh
+# prerm script for qubes-core-agent-passwordless-root
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The prerm script may be called in the following ways:
+#   * <prerm> 'remove'
+#   * <old-prerm> 'upgrade' <new-version>
+#   * <conflictor's-prerm> 'remove' 'in-favour' <package> <new-version>
+#   * <deconfigured's-prerm> 'deconfigure' 'in-favour' <package-being-installed>
+#     <version> [removing conflicting-package version]
+#
+#     The package whose prerm is being called will be at least "Half-Installed".
+# All package dependencies will at least be "Half-Installed" and will have
+# previously been configured and not removed. If there was no error, all
+# dependencies will at least be "Unpacked", but these actions may be called in
+# various error states where dependencies are only "Half-Installed" due to a
+# partial upgrade.
+#
+#   * <new-prerm> 'failed-upgrade' <old-version>
+#
+#     Called during error handling when prerm upgrade fails. The new package
+# will not yet be unpacked, and all the same constraints as for preinst
+# upgrade apply.
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "$1" = remove ]; then
+    pam-auth-update --package --remove su.qubes
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :

debian/qubes-core-agent.install

@@ -88,6 +88,7 @@ lib/systemd/system/qubes-updates-proxy-forwarder@.service
 lib/systemd/system/qubes-updates-proxy-forwarder.socket
 lib/systemd/system/qubes-sync-time.service
 lib/systemd/system/qubes-sync-time.timer
+lib/systemd/system/serial-getty@.service.d/30_qubes.conf
 lib/systemd/system/systemd-random-seed.service.d/30_qubes.conf
 lib/systemd/system/tinyproxy.service.d/30_not_needed_in_qubes_by_default.conf
 lib/systemd/system/tmp.mount.d/30_qubes.conf

debian/rules

@@ -23,8 +23,7 @@ override_dh_auto_install:
 	make -C network install
 	make -C package-managers install
 	make -C package-managers install-apt
-	make -C passwordless-root install
-	make -C passwordless-root/debian install
+	make -C passwordless-root install install-debian
 	make -C qubes-rpc install
 	make -C qubes-rpc/kde install
 	make -C qubes-rpc/nautilus install

passwordless-root/Makefile

@@ -1,12 +1,20 @@
 SYSCONFDIR ?= /etc
 SUDOERSDIR = $(SYSCONFDIR)/sudoers.d
 POLKIT1DIR = $(SYSCONFDIR)/polkit-1
+PAMDIR = $(SYSCONFDIR)/pam.d
+PAMCONFIGSDIR = /usr/share/pam-configs/
 
-.PHONY: install
+.PHONY: install install-debian install-rh
 
 install:
 	install -d -m 0750 $(DESTDIR)$(SUDOERSDIR)
 	install -D -m 0440 qubes.sudoers $(DESTDIR)$(SUDOERSDIR)/qubes
 	install -D -m 0644 polkit-1-qubes-allow-all.pkla $(DESTDIR)$(POLKIT1DIR)/localauthority/50-local.d/qubes-allow-all.pkla
 	install -d -m 0750 $(DESTDIR)$(POLKIT1DIR)/rules.d
 	install -D -m 0644 polkit-1-qubes-allow-all.rules $(DESTDIR)$(POLKIT1DIR)/rules.d/00-qubes-allow-all.rules
+
+install-rh:
+	install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes
+
+install-debian:
+	install -D -m 0644 pam-configs_su.qubes $(DESTDIR)$(PAMCONFIGSDIR)/su.qubes

passwordless-root/pam-configs_su.qubes

@@ -0,0 +1,6 @@
+Name: allow su without password (by package qubes-core-agent-passwordless-root)
+Default: yes
+Priority: 258
+Auth-Type: Primary
+Auth:
+	sufficient	pam_succeed_if.so	use_uid user ingroup qubes service in su:su-l

passwordless-root/pam.d_su.qubes

@@ -0,0 +1,21 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth		sufficient	pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth		required	pam_wheel.so use_uid
+
+# {{ Qubes specific modifications begin here
+#    Prevent su from asking for password
+#    (by package qubes-core-agent-passwordless-root).
+auth    	sufficient	pam_succeed_if.so use_uid user ingroup qubes
+# }} Qubes specific modifications end here
+
+auth		substack	system-auth
+auth		include		postlogin
+account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
+account		include		system-auth
+password	include		system-auth
+session		include		system-auth
+session		include		postlogin
+session		optional	pam_xauth.so

rpm_spec/core-agent.spec.in

@@ -288,7 +288,7 @@ usermod -L user
 
 %pre passwordless-root
 
-usermod -p '' root
+usermod -L root
 
 %install
 
@@ -299,7 +299,7 @@ make -C config-overrides DESTDIR=$RPM_BUILD_ROOT install
 make -C filesystem DESTDIR=$RPM_BUILD_ROOT install
 make -C misc DESTDIR=$RPM_BUILD_ROOT install
 make -C network DESTDIR=$RPM_BUILD_ROOT install
-make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install
+make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install install-rh
 make -C qubes-rpc DESTDIR=$RPM_BUILD_ROOT install
 make -C qubes-rpc/kde DESTDIR=$RPM_BUILD_ROOT install
 make -C qubes-rpc/nautilus DESTDIR=$RPM_BUILD_ROOT install
@@ -333,6 +333,16 @@ if ! grep -q /etc/default/grub.qubes /etc/default/grub 2>/dev/null; then
     echo '. /etc/default/grub.qubes' >> /etc/default/grub
 fi
 
+%triggerin passwordless-root -- util-linux
+
+qubesfile=/etc/pam.d/su.qubes
+origfile=${qubesfile%.qubes}
+backupfile=${origfile}.qubes-orig
+if [ -r "$origfile" -a ! -r "$backupfile" ]; then
+	mv -f "$origfile" "$backupfile"
+fi
+ln -sf "$qubesfile" "$origfile"
+
 %post
 
 # disable some Upstart services
@@ -535,6 +545,13 @@ if [ $1 -eq 0 ]; then
     usermod -p '*' root
 fi
 
+qubesfile=/etc/pam.d/su.qubes
+origfile=${qubesfile%.qubes}
+backupfile=${origfile}.qubes-orig
+if [ -f "$backupfile" ]; then
+    mv -f "$backupfile" "$origfile"
+fi
+
 %posttrans
     /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 
@@ -755,6 +772,7 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 %config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules
 %config(noreplace) /etc/sudoers.d/qubes
+%config(noreplace) /etc/pam.d/su.qubes
 
 %package sysvinit
 Summary:        Qubes unit files for SysV init style or upstart
@@ -869,6 +887,7 @@ The Qubes core startup configuration for SystemD init.
 /lib/systemd/system/ModemManager.service.d/30_qubes.conf
 /lib/systemd/system/NetworkManager.service.d/30_qubes.conf
 /lib/systemd/system/NetworkManager-wait-online.service.d/30_qubes.conf
+/lib/systemd/system/serial-getty@.service.d/30_qubes.conf
 /lib/systemd/system/systemd-random-seed.service.d/30_qubes.conf
 /lib/systemd/system/systemd-timesyncd.service.d/30_qubes.conf
 /lib/systemd/system/tinyproxy.service.d/30_not_needed_in_qubes_by_default.conf

vm-systemd/serial-getty@.service.d/30_qubes.conf

@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin root --login-pause --keep-baud 115200,38400,9600 %I $TERM