mirror of
https://github.com/tasket/Qubes-VM-hardening.git
synced 2024-10-01 06:35:42 -04:00
detect passwordless-root
parent
d2bd2c0a0e
commit
62083ff7ba
@ -3,19 +3,27 @@
|
|||||||
|
|
||||||
set -e
|
set -e
|
||||||
[ `id -u` -eq 0 ] || exit
|
[ `id -u` -eq 0 ] || exit
|
||||||
if [ ! -e /etc/debian_version ]; then
|
|
||||||
echo "Debian-based template required for autoconfiguration.
|
|
||||||
See qubes-os.org/doc/vm-sudo for manual instructions."
|
if [ ! -e /etc/sudoers.d/qubes ]; then
|
||||||
|
echo "The 'qubes-core-agent-passwordless-root' package does not appear"
|
||||||
|
echo "to be present. Sudo autoconfiguration is unnecessary."
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ ! -e /etc/debian_version ]; then
|
||||||
|
echo "Debian-based template required for sudo autoconfiguration.
|
||||||
|
See qubes-os.org/doc/vm-sudo for manual instructions."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
echo -e "\n--+ Enable yes/no authentication prompt for sudo +--
|
echo -e "\n--+ Enable yes/no authentication prompt for sudo +--
|
||||||
Warning: Before opting for this change a backup or clone
|
Warning: Before opting for this change a backup or clone
|
||||||
should me made of this template!"
|
should me made of this template!"
|
||||||
read -p "Configure sudo authentication prompt now? (y/n): " answer
|
read -p "Configure sudo authentication prompt now? (y/n): " answer
|
||||||
if [[ $answer == @(y|Y) ]]; then
|
if [[ $answer == @(y|Y) ]]; then
|
||||||
|
|
||||||
mv -fb /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
|
mv --backup=numbered -fb /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
|
||||||
cat >/etc/pam.d/common-auth <<_EOF
|
cat >/etc/pam.d/common-auth <<_EOF
|
||||||
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
||||||
auth requisite pam_deny.so
|
auth requisite pam_deny.so
|
||||||
@ -34,15 +42,6 @@ _EOF
|
|||||||
mv -f /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla \
|
mv -f /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla \
|
||||||
/etc/polkit-1/localauthority_50-locald_qubes-allow-all.pkla.bak
|
/etc/polkit-1/localauthority_50-locald_qubes-allow-all.pkla.bak
|
||||||
|
|
||||||
if [ -e /etc/whonix.d ]; then
|
|
||||||
cat >/etc/sudoers.d/zz99_sudoprompt <<_EOF
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/virt-what
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck restart
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck start
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck stop
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck status
|
|
||||||
_EOF
|
|
||||||
fi
|
|
||||||
echo "Done."
|
echo "Done."
|
||||||
|
|
||||||
echo '
|
echo '
|
||||||
|
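Review bot: The new early exit at `if [ ! -e /etc/sudoers.d/qubes ]` treats one sudoers file as proof that passwordless root is absent, yet the same script later moves `/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla` aside. A template where only the sudoers file was removed by hand would therefore exit 0 with "Sudo autoconfiguration is unnecessary" while the polkit allow-all rule and the original `/etc/pam.d/common-auth` stay in place. Consider exiting only when both markers are missing, for example `if [ ! -e /etc/sudoers.d/qubes ] && [ ! -e /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla ]; then`, and wording the message as "not detected" rather than "unnecessary". Which files the package actually installs is inferred from the paths this script touches, so confirm against the package contents. The script starts before and continues after the hunks shown.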