I hate regexes

2024-10-07 20:33:21 +02:00 · 2024-10-07 20:33:21 +02:00 · 7c31b6a073
commit 7c31b6a073
parent 219b89e85f
4 changed files with 63 additions and 2 deletions
--- a/17
+++ b/17
@ -0,0 +1,17 @@
+# Generated by authselect
+# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
+# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
+# See authselect(8) for more details.
+
+
+account     required                                     pam_unix.so
+
+password    requisite                                    pam_pwquality.so
+password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
+password    required                                     pam_deny.so
+
+session     optional                                     pam_keyinit.so revoke
+session     required                                     pam_limits.so
+-session    optional                                     pam_systemd.so
+session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+session     required                                     pam_unix.so
--- a/sudo-dom0.sh
+++ b/sudo-dom0.sh
@ -2,8 +2,10 @@ sudo authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --
 sudo mv /etc/authselect/custom/sudo-dom0-prompt/system-auth /etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside
 sudo cp /etc/authselect/system-auth /etc/authselect/custom/sudo-dom0-prompt

-sudo sed -i '/^auth/d' /etc/authselect/custom/sudo-dom0-prompt/system-auth
-sed -i '/^account/{0,/auth/s/^auth /&\n        auth  [success=1 default=ignore]  pam_exec.so seteuid \ /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth \ /bin/grep -q ^1$/&\n        auth  requisite  pam_deny.so\n        auth  required   pam_permit.so\n\n/' /etc/authselect/custom/sudo-dom0-prompt/system-auth
+sudo sed -i '/^auth/d'  /etc/authselect/custom/sudo-dom0-prompt/system-auth
+
+sed -i '/^account/ i auth  [success=1 default=ignore]  pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAAuth /bin/grep -q ^1$\nauth  requisite  pam_deny.so\nauth  required   pam_permit.so' /etc/authselect/custom/sudo-dom0-prompt/system-auth
+
 sudo authselect select custom/sudo-dom0-prompt

 sudo sed -i '/^%qubes/s/.*/user ALL=(ALL) ALL/' /etc/sudoers.d/qubes
--- a/20
+++ b/20
@ -0,0 +1,20 @@
+# Generated by authselect
+# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
+# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
+# See authselect(8) for more details.
+
+
+auth  [success=1 default=ignore]  pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAAuth /bin/grep -q ^1$
+auth  requisite  pam_deny.so
+auth  required   pam_permit.so
+account     required                                     pam_unix.so
+
+password    requisite                                    pam_pwquality.so
+password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
+password    required                                     pam_deny.so
+
+session     optional                                     pam_keyinit.so revoke
+session     required                                     pam_limits.so
+-session    optional                                     pam_systemd.so
+session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+session     required                                     pam_unix.so
--- a/test.txt
+++ b/test.txt
@ -0,0 +1,22 @@
+# Generated by authselect
+# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
+# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
+# See authselect(8) for more details.
+
+auth        required                                     pam_env.so
+auth        required                                     pam_faildelay.so delay=2000000
+auth        sufficient                                   pam_fprintd.so
+auth        sufficient                                   pam_unix.so nullok
+auth        required                                     pam_deny.so
+
+account     required                                     pam_unix.so
+
+password    requisite                                    pam_pwquality.so
+password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
+password    required                                     pam_deny.so
+
+session     optional                                     pam_keyinit.so revoke
+session     required                                     pam_limits.so
+-session    optional                                     pam_systemd.so
+session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+session     required                                     pam_unix.so