diff --git a/amogus b/amogus
new file mode 100644
index 0000000..cfa065e
--- /dev/null
+++ b/amogus
@@ -0,0 +1,17 @@
+# Generated by authselect
+# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
+# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
+# See authselect(8) for more details.
+
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so
+password sufficient pam_unix.so yescrypt shadow nullok use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/sudo-dom0.sh b/sudo-dom0.sh
index 9c78313..d018d4d 100644
--- a/sudo-dom0.sh
+++ b/sudo-dom0.sh
@@ -2,8 +2,10 @@ sudo authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --
 sudo mv /etc/authselect/custom/sudo-dom0-prompt/system-auth /etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside
 sudo cp /etc/authselect/system-auth /etc/authselect/custom/sudo-dom0-prompt
-sudo sed -i '/^auth/d' /etc/authselect/custom/sudo-dom0-prompt/system-auth
-sed -i '/^account/{0,/auth/s/^auth /&\n auth [success=1 default=ignore] pam_exec.so seteuid \ /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth \ /bin/grep -q ^1$/&\n auth requisite pam_deny.so\n auth required pam_permit.so\n\n/' /etc/authselect/custom/sudo-dom0-prompt/system-auth
+sudo sed -i '/^auth/d' /etc/authselect/custom/sudo-dom0-prompt/system-auth
+
+sed -i '/^account/ i auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAAuth /bin/grep -q ^1$\nauth requisite pam_deny.so\nauth required pam_permit.so' /etc/authselect/custom/sudo-dom0-prompt/system-auth
+
 sudo authselect select custom/sudo-dom0-prompt
 sudo sed -i '/^%qubes/s/.*/user ALL=(ALL) ALL/' /etc/sudoers.d/qubes
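Review bot: `amogus`, `sus` and `test.txt` read like scratch captures of `system-auth` at three stages rather than files the script uses: `test.txt` still has the stock `auth` lines, `amogus` has none, and `sus` has the inserted `pam_exec.so` block. Nothing in the visible `sudo-dom0.sh` hunk references them. If they are meant as expected-output fixtures, give them descriptive names under a test directory; otherwise leave them out of the commit so they are not mistaken for PAM templates to copy into place.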
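Review bot: The new insert on the `sed -i '/^account/ i auth …'` line calls `qubes.VMAAuth`, whereas the line it replaces called `qubes.VMAuth`. Unless a service with the doubled `A` is installed in dom0, the qrexec call never prints `1`, `pam_exec.so` never succeeds, and every attempt falls through to `auth requisite pam_deny.so`, so sudo in the VM is always refused; the same name is recorded in the new `sus` file. That `sed -i` also runs without `sudo`, unlike the commands around it, and nothing in the hunk stops on failure. Run unprivileged, the `auth` lines are deleted, the insert fails, and `authselect select` still activates a profile whose `system-auth` has no `auth` entries, so prefix it with `sudo` and abort before `authselect select` if the edit did not apply. Note too that `/^account/ i` inserts before every `account` line, which would repeat the block if the copied `system-auth` has more than one.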
diff --git a/sus b/sus
new file mode 100644
index 0000000..2adc653
--- /dev/null
+++ b/sus
@@ -0,0 +1,20 @@
+# Generated by authselect
+# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
+# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
+# See authselect(8) for more details.
+
+
+auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAAuth /bin/grep -q ^1$
+auth requisite pam_deny.so
+auth required pam_permit.so
+account required pam_unix.so
+
+password requisite pam_pwquality.so
+password sufficient pam_unix.so yescrypt shadow nullok use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/test.txt b/test.txt
new file mode 100644
index 0000000..265883a
--- /dev/null
+++ b/test.txt
@@ -0,0 +1,22 @@
+# Generated by authselect
+# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
+# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
+# See authselect(8) for more details.
+
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth sufficient pam_fprintd.so
+auth sufficient pam_unix.so nullok
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so
+password sufficient pam_unix.so yescrypt shadow nullok use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so