adding dom0 sudo prompt
parent
97fdf67c56
commit
d00ff8da7d
3 changed files with 61 additions and 0 deletions
|
@ -0,0 +1,20 @@
|
||||||
|
# Generated by authselect
|
||||||
|
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
|
||||||
|
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
|
||||||
|
# See authselect(8) for more details.
|
||||||
|
|
||||||
|
|
||||||
|
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
|
||||||
|
auth requisite pam_deny.so
|
||||||
|
auth required pam_permit.so
|
||||||
|
account required pam_unix.so
|
||||||
|
|
||||||
|
password requisite pam_pwquality.so
|
||||||
|
password sufficient pam_unix.so yescrypt shadow nullok use_authtok
|
||||||
|
password required pam_deny.so
|
||||||
|
|
||||||
|
session optional pam_keyinit.so revoke
|
||||||
|
session required pam_limits.so
|
||||||
|
-session optional pam_systemd.so
|
||||||
|
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||||
|
session required pam_unix.so
|
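Review bot: The header kept at the top of this file says it is generated by authselect and must not be edited by hand, but this copy is a hand-maintained custom profile file shipped from the role, so the comment misleads the next maintainer. I would replace it with a short comment describing the auth stack, for example `# auth is delegated to dom0 via qubes.VMAuth; success=1 skips pam_deny, any other result falls through to it`. Because system-auth is typically included by other PAM services as well as sudo, the same comment should state that each of them now depends on the dom0 prompt and that no local password is checked. The dom0 side of `qubes.VMAuth` is not part of this commit, so confirm it is provisioned before the profile is selected.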
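--- a/roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes
+++ b/roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes
@@ -0,0 +1,4 @@
+Defaults !requiretty
+user ALL=(ALL) ALL
+
+# vim: ft=sudoers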
|
@ -226,3 +226,40 @@
|
||||||
regexp: '^(metalink=.*)$'
|
regexp: '^(metalink=.*)$'
|
||||||
line: '\1&protocol=https'
|
line: '\1&protocol=https'
|
||||||
loop: '{{ found_files.files }}'
|
loop: '{{ found_files.files }}'
|
||||||
|
|
||||||
|
- name: Create authselect profile
|
||||||
|
shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
|
||||||
|
|
||||||
|
- name: Copy authselect file
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
|
||||||
|
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
|
||||||
|
mode: '0644'
|
||||||
|
|
||||||
|
- name: Copy authselect folder
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: '/etc/authselect/system-auth'
|
||||||
|
dest: '/etc/authselect/custom/sudo-dom0-prompt'
|
||||||
|
mode: '0755'
|
||||||
|
|
||||||
|
- name: Copy authselect file
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
|
||||||
|
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
|
||||||
|
mode: '0644'
|
||||||
|
|
||||||
|
|
||||||
|
- name: Select authselect profile
|
||||||
|
shell: authselect authselect select custom/sudo-dom0-prompt
|
||||||
|
|
||||||
|
- name: Fix sudoers.d
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: 'etc/sudoers.d/qubes'
|
||||||
|
dest: '/etc/sudoers.d/qubes'
|
||||||
|
mode: '0440'
|
||||||
|
|
||||||
|
- name: Delete allow all rule
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
|
||||||
|
state: 'absent'
|
||||||
|
|
||||||
|
|
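Review bot: The `Select authselect profile` task runs `authselect authselect select custom/sudo-dom0-prompt` with the command name doubled, so as written the profile is most likely never activated and the play stops before the sudoers and polkit tasks run. The two copy tasks with absolute `src` paths look like they are meant to read from the managed host, but without `remote_src: true` the copy module resolves `src` on the controller. `authselect create-profile` is run through `shell` with no `creates:` guard, so a second run would fail on the existing profile. The `/etc/sudoers.d/qubes` copy has no `validate` or explicit owner, which matters because a file that sudo rejects leaves the qube without working sudo. Suggested task bodies follow; the task list begins outside this hunk.

```yaml
- name: Create authselect profile
  ansible.builtin.command:
    cmd: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
    creates: '/etc/authselect/custom/sudo-dom0-prompt'

# … unchanged: the three copy tasks, with `remote_src: true` added to the two that use absolute src paths …

- name: Select authselect profile
  ansible.builtin.command:
    cmd: authselect select custom/sudo-dom0-prompt

- name: Fix sudoers.d
  ansible.builtin.copy:
    src: 'etc/sudoers.d/qubes'
    dest: '/etc/sudoers.d/qubes'
    owner: 'root'
    group: 'root'
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

# … unchanged: Delete allow all rule …
```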