From b27f90d74ffb743c57c982e1cfe333cb4ae2e566 Mon Sep 17 00:00:00 2001
From: Christopher Laprise
Date: Wed, 12 Jul 2017 15:07:13 -0400
Subject: [PATCH] Fix auth for 'su' command
---
 security/vm-sudo.md | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/security/vm-sudo.md b/security/vm-sudo.md
index fd6c6b36..390efdfd 100644
--- a/security/vm-sudo.md
+++ b/security/vm-sudo.md
@@ -110,9 +110,11 @@ this for extra security.**
 (Note: any VMs you would like still to have password-less root access (e.g. TemplateVMs) can be specified in the second file with "\ dom0 allow")
 2. Configuring Fedora TemplateVM to prompt Dom0 for any authorization request:
- - In /etc/pam.d/system-auth, replace all lines beginning with "auth" with one line:
+ - In /etc/pam.d/system-auth, replace all lines beginning with "auth" with these lines:
- auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /usr/bin/grep -q ^1$
+ auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
+ auth requisite pam_deny.so
+ auth required pam_permit.so
 - Require authentication for sudo. Replace the first line of /etc/sudoers.d/qubes with:
@@ -124,9 +126,11 @@ this for extra security.**
 [root@fedora-20-x64]# rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 3. Configuring Debian/Whonix TemplateVM to prompt Dom0 for any authorization request:
- - In /etc/pam.d/common-auth, replace all lines beginning with "auth" with one line:
+ - In /etc/pam.d/common-auth, replace all lines beginning with "auth" with these lines:
- auth [success=done default=die] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
+ auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
+ auth requisite pam_deny.so
+ auth required pam_permit.so
 - Require authentication for sudo. Replace the first line of /etc/sudoers.d/qubes with: