mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-26 15:59:24 -05:00
Fix auth for 'su' command
This commit is contained in:
parent
4d392ac225
commit
b27f90d74f
@ -110,9 +110,11 @@ this for extra security.**
|
||||
(Note: any VMs you would like still to have password-less root access (e.g. TemplateVMs) can be specified in the second file with "\<vmname\> dom0 allow")
|
||||
|
||||
2. Configuring Fedora TemplateVM to prompt Dom0 for any authorization request:
|
||||
- In /etc/pam.d/system-auth, replace all lines beginning with "auth" with one line:
|
||||
- In /etc/pam.d/system-auth, replace all lines beginning with "auth" with these lines:
|
||||
|
||||
auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /usr/bin/grep -q ^1$
|
||||
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
||||
auth requisite pam_deny.so
|
||||
auth required pam_permit.so
|
||||
|
||||
- Require authentication for sudo. Replace the first line of /etc/sudoers.d/qubes with:
|
||||
|
||||
@ -124,9 +126,11 @@ this for extra security.**
|
||||
[root@fedora-20-x64]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
|
||||
|
||||
3. Configuring Debian/Whonix TemplateVM to prompt Dom0 for any authorization request:
|
||||
- In /etc/pam.d/common-auth, replace all lines beginning with "auth" with one line:
|
||||
- In /etc/pam.d/common-auth, replace all lines beginning with "auth" with these lines:
|
||||
|
||||
auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
||||
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
||||
auth requisite pam_deny.so
|
||||
auth required pam_permit.so
|
||||
|
||||
- Require authentication for sudo. Replace the first line of /etc/sudoers.d/qubes with:
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user