detect passwordless-root

Christopher Laprise 2019-07-17 09:14:37 -04:00
parent d2bd2c0a0e
commit 62083ff7ba
No known key found for this signature in database
GPG Key ID: 448568C8B281C952


@ -3,19 +3,27 @@
set -e set -e
[ `id -u` -eq 0 ] || exit [ `id -u` -eq 0 ] || exit
if [ ! -e /etc/debian_version ]; then
echo "Debian-based template required for autoconfiguration.
See qubes-os.org/doc/vm-sudo for manual instructions." if [ ! -e /etc/sudoers.d/qubes ]; then
echo "The 'qubes-core-agent-passwordless-root' package does not appear"
echo "to be present. Sudo autoconfiguration is unnecessary."
exit 0 exit 0
fi fi
if [ ! -e /etc/debian_version ]; then
echo "Debian-based template required for sudo autoconfiguration.
See qubes-os.org/doc/vm-sudo for manual instructions."
exit 1
fi
echo -e "\n--+ Enable yes/no authentication prompt for sudo +-- echo -e "\n--+ Enable yes/no authentication prompt for sudo +--
Warning: Before opting for this change a backup or clone Warning: Before opting for this change a backup or clone
should me made of this template!" should me made of this template!"
read -p "Configure sudo authentication prompt now? (y/n): " answer read -p "Configure sudo authentication prompt now? (y/n): " answer
if [[ $answer == @(y|Y) ]]; then if [[ $answer == @(y|Y) ]]; then
mv -fb /etc/pam.d/common-auth /etc/pam.d/common-auth.bak mv --backup=numbered -fb /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
cat >/etc/pam.d/common-auth <<_EOF cat >/etc/pam.d/common-auth <<_EOF
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$ auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
auth requisite pam_deny.so auth requisite pam_deny.so
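Review bot: The new guard at the top of this hunk treats a missing `/etc/sudoers.d/qubes` as proof that passwordless root is absent, yet the script later moves `/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla` aside, so the same grant apparently lives in at least one other file. A template where the sudoers drop-in was removed by hand but the polkit rule is still installed would exit 0 with "Sudo autoconfiguration is unnecessary" and keep the allow-all polkit rule active. Consider exiting early only when both are gone, `if [ ! -e /etc/sudoers.d/qubes ] && [ ! -e /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla ]; then`. The later `mv -f` of the .pkla file would then need its own existence test, because under `set -e` a missing source aborts the run after `/etc/pam.d/common-auth` has already been rewritten. Whether the package installs further grants cannot be seen from this hunk, so a comment naming the files the check relies on would help the next maintainer.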
@ -34,15 +42,6 @@ _EOF
mv -f /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla \ mv -f /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla \
/etc/polkit-1/localauthority_50-locald_qubes-allow-all.pkla.bak /etc/polkit-1/localauthority_50-locald_qubes-allow-all.pkla.bak
if [ -e /etc/whonix.d ]; then
cat >/etc/sudoers.d/zz99_sudoprompt <<_EOF
ALL ALL=NOPASSWD: /usr/sbin/virt-what
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck restart
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck start
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck stop
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck status
_EOF
fi
echo "Done." echo "Done."
echo ' echo '