adding dom0 sudo prompt
This commit is contained in:
		
							parent
							
								
									97fdf67c56
								
							
						
					
					
						commit
						d00ff8da7d
					
				
					 3 changed files with 61 additions and 0 deletions
				
			
		|  | @ -0,0 +1,20 @@ | ||||||
|  | # Generated by authselect | ||||||
|  | # Do not modify this file manually, use authselect instead. Any user changes will be overwritten. | ||||||
|  | # You can stop authselect from managing your configuration by calling 'authselect opt-out'. | ||||||
|  | # See authselect(8) for more details. | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | auth        [success=1 default=ignore]                   pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$ | ||||||
|  | auth        requisite                                    pam_deny.so | ||||||
|  | auth        required                                     pam_permit.so | ||||||
|  | account     required                                     pam_unix.so | ||||||
|  | 
 | ||||||
|  | password    requisite                                    pam_pwquality.so | ||||||
|  | password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok | ||||||
|  | password    required                                     pam_deny.so | ||||||
|  | 
 | ||||||
|  | session     optional                                     pam_keyinit.so revoke | ||||||
|  | session     required                                     pam_limits.so | ||||||
|  | -session    optional                                     pam_systemd.so | ||||||
|  | session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid | ||||||
|  | session     required                                     pam_unix.so | ||||||
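Review bot: The four header lines at the top of this new file (`# Generated by authselect`, `# Do not modify this file manually …`) are misleading here: this is a hand-maintained template in the role that the playbook copies over the custom profile's `system-auth`, so the comment steers the next maintainer away from the one file they should edit. I would replace them with a comment describing what the stack actually does, e.g. `# Custom authselect profile: the auth phase is delegated to dom0 via qrexec (qubes.VMAuth); pam_exec's exit status alone decides it`. That comment should also state that the chain fails closed — when qrexec-client-vm or the dom0 policy denies, `[success=1 default=ignore]` falls through to `pam_deny.so requisite`, and no local password is consulted because `pam_unix.so` is absent from the auth stack. The leading `-` on `-session optional pam_systemd.so` is PAM syntax (suppress logging if the module is missing), not a removed line, which is worth a one-word comment so it is not "fixed" later.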
							
								
								
									
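--- /dev/null
+++ b/roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes
@@ -0,0 +1,4 @@
+Defaults !requiretty
+user ALL=(ALL) ALL
+
+# vim: ft=sudoers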
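Review bot: `user ALL=(ALL) ALL` routes sudo authentication through the dom0 prompt, but sudo's credential cache still applies, so after one successful dom0 confirmation further `sudo` invocations in the same session (sudo's default timeout is 5 minutes) run without a new prompt. If the intent is one dom0 decision per privileged command, add `Defaults timestamp_timeout=0` next to `Defaults !requiretty`. The account name `user` is hard-coded — presumably the Qubes default unprivileged account — and deserves a short comment such as `# Qubes default unprivileged account; authenticated via the dom0 PAM stack`.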
|  | @ -226,3 +226,40 @@ | ||||||
|        regexp: '^(metalink=.*)$' |        regexp: '^(metalink=.*)$' | ||||||
|        line: '\1&protocol=https' |        line: '\1&protocol=https' | ||||||
|      loop: '{{ found_files.files }}' |      loop: '{{ found_files.files }}' | ||||||
|  | 
 | ||||||
|  |    - name: Create authselect profile | ||||||
|  |      shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam | ||||||
|  | 
 | ||||||
|  |    - name: Copy authselect file | ||||||
|  |      ansible.builtin.copy: | ||||||
|  |       src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' | ||||||
|  |       dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside' | ||||||
|  |       mode: '0644' | ||||||
|  | 
 | ||||||
|  |    - name: Copy authselect folder | ||||||
|  |      ansible.builtin.copy: | ||||||
|  |       src: '/etc/authselect/system-auth' | ||||||
|  |       dest: '/etc/authselect/custom/sudo-dom0-prompt' | ||||||
|  |       mode: '0755' | ||||||
|  | 
 | ||||||
|  |    - name: Copy authselect file | ||||||
|  |      ansible.builtin.copy: | ||||||
|  |       src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth' | ||||||
|  |       dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' | ||||||
|  |       mode: '0644' | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  |    - name: Select authselect profile | ||||||
|  |      shell: authselect authselect select custom/sudo-dom0-prompt | ||||||
|  | 
 | ||||||
|  |    - name: Fix sudoers.d | ||||||
|  |      ansible.builtin.copy: | ||||||
|  |       src: 'etc/sudoers.d/qubes' | ||||||
|  |       dest: '/etc/sudoers.d/qubes' | ||||||
|  |       mode: '0440' | ||||||
|  | 
 | ||||||
|  |    - name: Delete allow all rule | ||||||
|  |      ansible.builtin.file: | ||||||
|  |       path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' | ||||||
|  |       state: 'absent' | ||||||
|  | 
 | ||||||
|  |  | ||||||
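Review bot: The `Select authselect profile` task runs `authselect authselect select custom/sudo-dom0-prompt` — the command name is repeated, so authselect is handed `authselect` as its subcommand and the task almost certainly fails before the new profile is activated; it should read `shell: authselect select custom/sudo-dom0-prompt`. The two tasks whose `src` is an absolute `/etc/authselect/...` path (the first `Copy authselect file` and `Copy authselect folder`) read `src` from the controller unless the play uses a local connection; if those files are meant to come from the managed VM they need `remote_src: true`, and the second of them copies a file onto a directory path, which looks unintended. The `create-profile` shell task has no `creates:` guard, so a second run fails once the profile exists; `args: creates: /etc/authselect/custom/sudo-dom0-prompt` would make it idempotent, and giving the two identically named `Copy authselect file` tasks distinct names would make the play output unambiguous. The task list this hunk extends begins before the hunk.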
	 mustard
						mustard