mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-10-01 01:25:40 -04:00
Merge branch 'deathgrippin-sudo-patch'
This commit is contained in:
commit
e1288c6349
@ -61,20 +61,20 @@ Background ([/etc/sudoers.d/qubes](https://github.com/QubesOS/qubes-core-agent-l
|
|||||||
|
|
||||||
Below is a complete list of configuration made according to the above statement, with (not necessary complete) list of mechanisms depending on each of them:
|
Below is a complete list of configuration made according to the above statement, with (not necessary complete) list of mechanisms depending on each of them:
|
||||||
|
|
||||||
1. sudo (/etc/sudoers.d/qubes):
|
1. sudo (`/etc/sudoers.d/qubes`):
|
||||||
|
|
||||||
user ALL=(ALL) NOPASSWD: ALL
|
user ALL=(ALL) NOPASSWD: ALL
|
||||||
(...)
|
(...)
|
||||||
|
|
||||||
- easy user->root access (main option for the user)
|
- Easy user -> root access (main option for the user).
|
||||||
- qvm-usb (not really working, as of R2)
|
- `qvm-usb` (not really working, as of R2).
|
||||||
|
|
||||||
2. PolicyKit (/etc/polkit-1/rules.d/00-qubes-allow-all.rules):
|
2. PolicyKit (`/etc/polkit-1/rules.d/00-qubes-allow-all.rules`):
|
||||||
|
|
||||||
//allow any action, detailed reasoning in sudoers.d/qubes
|
//allow any action, detailed reasoning in sudoers.d/qubes
|
||||||
polkit.addRule(function(action,subject) { return polkit.Result.YES; });
|
polkit.addRule(function(action,subject) { return polkit.Result.YES; });
|
||||||
|
|
||||||
and /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla:
|
and `/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla`:
|
||||||
|
|
||||||
[Qubes allow all]
|
[Qubes allow all]
|
||||||
Identity=*
|
Identity=*
|
||||||
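Review bot: the first line of this hunk, "Below is a complete list of configuration made according to the above statement, with (not necessary complete) list of mechanisms depending on each of them", is left untouched although it has a grammar error; since the hunk is already a copy-edit of this section, it should also read "with a (not necessarily complete) list of mechanisms depending on each of them". The backtick formatting added for `/etc/sudoers.d/qubes`, `qvm-usb` and `/etc/polkit-1/rules.d/00-qubes-allow-all.rules` is consistent and correct; `user ALL=(ALL) NOPASSWD: ALL` and the polkit rule body are unchanged, as they should be.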
@ -83,15 +83,15 @@ Below is a complete list of configuration made according to the above statement,
|
|||||||
ResultInactive=yes
|
ResultInactive=yes
|
||||||
ResultActive=yes
|
ResultActive=yes
|
||||||
|
|
||||||
- NetworkManager configuration from normal user (nm-applet)
|
- NetworkManager configuration from normal user (`nm-applet`).
|
||||||
- updates installation (gpk-update-viewer)
|
- Updates installation (`gpk-update-viewer`).
|
||||||
- user can use pkexec just like sudo Note: above is needed mostly because Qubes user GUI session isn't treated by PolicyKit/logind as "local" session because of the way in which X server and session is started.
|
- User can use pkexec just like sudo Note: above is needed mostly because Qubes user GUI session isn't treated by PolicyKit/logind as "local" session because of the way in which X server and session is started.
|
||||||
Perhaps we will address this issue in the future, but this is really low priority.
|
Perhaps we will address this issue in the future, but this is really low priority.
|
||||||
Patches welcomed anyway.
|
Patches welcomed anyway.
|
||||||
|
|
||||||
3. Empty root password
|
3. Empty root password:
|
||||||
- used for access to 'root' account from text console (qvm-console-dispvm) - the only way to access the VM when GUI isn't working
|
- Used for access to 'root' account from text console (`qvm-console-dispvm`) - the only way to access the VM when GUI isn't working.
|
||||||
- can be used for easy 'su -' from user to root
|
- Can be used for easy 'su -' from user to root.
|
||||||
|
|
||||||
Replacing passwordless root access with Dom0 user prompt
|
Replacing passwordless root access with Dom0 user prompt
|
||||||
--------------------------------------------------------
|
--------------------------------------------------------
|
||||||
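Review bot: the item "User can use pkexec just like sudo Note: above is needed mostly because Qubes user GUI session isn't treated by PolicyKit/logind as "local" session ..." still runs the list item and the following note together; the capitalization change keeps the run-on. Suggest ending the item after `sudo` ("- User can use `pkexec` just like `sudo`.") and starting "Note: the above is needed mostly because ..." as its own paragraph, which also lets `pkexec` get the backtick treatment applied to `nm-applet` and `gpk-update-viewer` in the same hunk.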
@ -111,14 +111,14 @@ Do not rely on this for extra security.**
|
|||||||
(Note: any VMs you would like still to have passwordless root access (e.g. TemplateVMs) can be specified in the second file with "\<vmname\> dom0 allow")
|
(Note: any VMs you would like still to have passwordless root access (e.g. TemplateVMs) can be specified in the second file with "\<vmname\> dom0 allow")
|
||||||
|
|
||||||
2. Configuring Fedora TemplateVM to prompt Dom0 for any authorization request:
|
2. Configuring Fedora TemplateVM to prompt Dom0 for any authorization request:
|
||||||
- In /etc/pam.d/system-auth, replace all lines beginning with "auth" with these lines:
|
- In `/etc/pam.d/system-auth`, replace all lines beginning with "auth" with these lines:
|
||||||
|
|
||||||
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
||||||
auth requisite pam_deny.so
|
auth requisite pam_deny.so
|
||||||
auth required pam_permit.so
|
auth required pam_permit.so
|
||||||
|
|
||||||
- Require authentication for sudo.
|
- Require authentication for sudo.
|
||||||
Replace the first line of /etc/sudoers.d/qubes with:
|
Replace the first line of `/etc/sudoers.d/qubes` with:
|
||||||
|
|
||||||
user ALL=(ALL) ALL
|
user ALL=(ALL) ALL
|
||||||
|
|
||||||
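Review bot: the parenthetical note at the top of this hunk still carries escaped angle brackets ("\<vmname\> dom0 allow") while the rest of the change moves paths and commands into backticks; putting the policy line in inline code renders the `<vmname>` placeholder without the backslashes and matches the new style. Separately, the new stanza replaces every `auth` line in `/etc/pam.d/system-auth`, so a typo in the `pam_exec.so` line locks out both `sudo` and `su`; a sentence advising the reader to keep a root shell open (the page already mentions `qvm-console-dispvm` for exactly this case) and to verify with `sudo -v` from a second terminal before logging out would make the procedure safer to follow.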
@ -128,14 +128,14 @@ Do not rely on this for extra security.**
|
|||||||
[root@fedora-20-x64]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
|
[root@fedora-20-x64]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
|
||||||
|
|
||||||
3. Configuring Debian/Whonix TemplateVM to prompt Dom0 for any authorization request:
|
3. Configuring Debian/Whonix TemplateVM to prompt Dom0 for any authorization request:
|
||||||
- In /etc/pam.d/common-auth, replace all lines beginning with "auth" with these lines:
|
- In `/etc/pam.d/common-auth`, replace all lines beginning with "auth" with these lines:
|
||||||
|
|
||||||
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
||||||
auth requisite pam_deny.so
|
auth requisite pam_deny.so
|
||||||
auth required pam_permit.so
|
auth required pam_permit.so
|
||||||
|
|
||||||
- Require authentication for sudo.
|
- Require authentication for sudo.
|
||||||
Replace the first line of /etc/sudoers.d/qubes with:
|
Replace the first line of `/etc/sudoers.d/qubes` with:
|
||||||
|
|
||||||
user ALL=(ALL) ALL
|
user ALL=(ALL) ALL
|
||||||
|
|
||||||
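Review bot: the Debian/Whonix steps in this hunk repeat the Fedora stanza verbatim (same `pam_exec.so ... qubes.VMAuth /bin/grep -q ^1$` line, same `pam_deny.so`/`pam_permit.so` lines, same `user ALL=(ALL) ALL` replacement), differing only in the PAM file name (`/etc/pam.d/common-auth` versus `/etc/pam.d/system-auth`). Consider stating the shared PAM and sudoers steps once and listing only the per-distribution differences, so a future correction to the `pam_exec` line does not have to be made in two places. Also, the Fedora context at the top of this hunk shows only the `.pkla` removal, whereas the Debian steps in the next hunk remove both `00-qubes-allow-all.rules` and `qubes-allow-all.pkla`; confirm the Fedora section also removes `/etc/polkit-1/rules.d/00-qubes-allow-all.rules` (it may be above this hunk).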
@ -144,11 +144,11 @@ Do not rely on this for extra security.**
|
|||||||
[root@debian-8]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules
|
[root@debian-8]# rm /etc/polkit-1/rules.d/00-qubes-allow-all.rules
|
||||||
[root@debian-8]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
|
[root@debian-8]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
|
||||||
|
|
||||||
- In /etc/pam.d/su.qubes, comment out this line near the bottom of the file:
|
- In `/etc/pam.d/su.qubes`, comment out this line near the bottom of the file:
|
||||||
|
|
||||||
auth sufficient pam_permit.so
|
auth sufficient pam_permit.so
|
||||||
|
|
||||||
- For Whonix, if prompts appear during boot, create /etc/sudoers.d/zz99 and add these lines:
|
- For Whonix, if prompts appear during boot, create `/etc/sudoers.d/zz99` and add these lines:
|
||||||
|
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/virt-what
|
ALL ALL=NOPASSWD: /usr/sbin/virt-what
|
||||||
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck restart
|
ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck restart
|
||||||
|
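Review bot: after the `/etc/sudoers.d/zz99` lines, add a syntax check: a malformed fragment in `/etc/sudoers.d` makes `sudo` refuse to run at all, which is harder to recover from now that the earlier `user ALL=(ALL) ALL` change requires a password. `visudo -cf /etc/sudoers.d/zz99` validates the file without installing it, and the file should be root-owned with the 0440 mode `sudo` expects. It is also worth stating plainly that the two `ALL ALL=NOPASSWD:` lines re-enable passwordless execution of `/usr/sbin/virt-what` and `service whonixcheck restart` for every user, so the reader understands the scope of the exception they are adding.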