#!/bin/bash
# From https://github.com/tasket/Qubes-VM-hardening

set -e
[ `id -u` -eq 0 ] || exit


if [ ! -e /etc/sudoers.d/qubes ]; then
    echo "The 'qubes-core-agent-passwordless-root' package does not appear"
    echo "to be present or configured; sudo autoconfiguration skipped."
    exit 0
fi

if [ ! -e /etc/debian_version ]; then
    echo "Debian-based template required for sudo autoconfiguration. 
See https://qubes-os.org/doc/vm-sudo for manual instructions."
    exit 1
fi

echo -e "\n--+  Enable yes/no authentication prompt for sudo  +--
Warning: Before opting for this change a backup or clone
should me made of this template!"
read -p "Configure sudo authentication prompt now? (y/n): " answer
if [[ $answer == @(y|Y) ]]; then

    mv -fb /etc/pam.d/common-auth /etc/pam.d/common-auth~
    cat >/etc/pam.d/common-auth <<_EOF
auth  [success=1 default=ignore]  pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
auth  requisite  pam_deny.so
auth  required   pam_permit.so
_EOF


#    sed -i 's/^user ALL=(ALL) NOPASSWD: ALL/user ALL=(ALL) ALL/' /etc/sudoers.d/qubes
    sed -i 's/^user/#user/' /etc/sudoers.d/qubes
    echo 'user ALL=(ALL) ALL' >>/etc/sudoers.d/qubes

    sed -ri 's/^(auth[[:space:]]sufficient[[:space:]]pam_permit.so)/#\1/' /etc/pam.d/su

    mv -f /etc/polkit-1/rules.d/00-qubes-allow-all.rules \
      /etc/polkit-1/rulesd_00-qubes-allow-all.rules.bak || true
    mv -f /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla \
      /etc/polkit-1/localauthority_50-locald_qubes-allow-all.pkla.bak || true

    echo "Done."

    echo '
Next.... Enable auth prompts in dom0 with the following commands:
  [user@dom0 ~]$ sudo su -
  [root@dom0 /]# echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
  [root@dom0 /]# echo "\$anyvm dom0 ask,default_target=dom0" \
    >/etc/qubes-rpc/policy/qubes.VMAuth

'
fi