adding dom0 sudo prompt

2025-02-28 12:11:20 +01:00 · 2025-02-28 12:11:20 +01:00 · d00ff8da7d
commit d00ff8da7d
parent 97fdf67c56
3 changed files with 61 additions and 0 deletions
--- a/roles/qubes-f41-gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
+++ b/roles/qubes-f41-gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
@ -0,0 +1,20 @@
+# Generated by authselect
+# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
+# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
+# See authselect(8) for more details.
+
+
+auth        [success=1 default=ignore]                   pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
+auth        requisite                                    pam_deny.so
+auth        required                                     pam_permit.so
+account     required                                     pam_unix.so
+
+password    requisite                                    pam_pwquality.so
+password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
+password    required                                     pam_deny.so
+
+session     optional                                     pam_keyinit.so revoke
+session     required                                     pam_limits.so
+-session    optional                                     pam_systemd.so
+session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+session     required                                     pam_unix.so
--- a/roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes
+++ b/roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes
@ -0,0 +1,4 @@
+Defaults !requiretty
+user ALL=(ALL) ALL
+
+# vim: ft=sudoers
--- a/roles/qubes-f41-gnome/tasks/main.yaml
+++ b/roles/qubes-f41-gnome/tasks/main.yaml
@ -226,3 +226,40 @@
       regexp: '^(metalink=.*)$'
       line: '\1&protocol=https'
     loop: '{{ found_files.files }}'
+
+   - name: Create authselect profile
+     shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
+
+   - name: Copy authselect file
+     ansible.builtin.copy:
+      src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
+      dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
+      mode: '0644'
+
+   - name: Copy authselect folder
+     ansible.builtin.copy:
+      src: '/etc/authselect/system-auth'
+      dest: '/etc/authselect/custom/sudo-dom0-prompt'
+      mode: '0755'
+
+   - name: Copy authselect file
+     ansible.builtin.copy:
+      src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
+      dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
+      mode: '0644'
+
+
+   - name: Select authselect profile
+     shell: authselect authselect select custom/sudo-dom0-prompt
+
+   - name: Fix sudoers.d
+     ansible.builtin.copy:
+      src: 'etc/sudoers.d/qubes'
+      dest: '/etc/sudoers.d/qubes'
+      mode: '0440'
+
+   - name: Delete allow all rule
+     ansible.builtin.file:
+      path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
+      state: 'absent'
+