fix, forbid non-root users using 'su'

Makefile

@@ -310,7 +310,7 @@ install-common: install-doc
 
 	install -D -m 0644 misc/marker-vm $(DESTDIR)/usr/share/qubes/marker-vm
 	cut -f 1,2 -d . version >> $(DESTDIR)/usr/share/qubes/marker-vm
-	
+
 	install -m 0755 misc/tinyproxy-wrapper $(DESTDIR)/usr/lib/qubes/tinyproxy-wrapper
 
 	install -m 0755 misc/qvm-console $(DESTDIR)$(BINDIR)/qvm-console
@@ -391,8 +391,8 @@ install-deb: install-common install-systemd install-systemd-dropins install-syst
 	install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
 	install -D -m 644 misc/profile.d_qt_x11_no_mitshm.sh $(DESTDIR)/etc/profile.d/qt_x11_no_mitshm.sh
 	install -D -m 440 misc/sudoers.d_umask $(DESTDIR)/etc/sudoers.d/umask
-	install -d $(DESTDIR)/etc/pam.d
-	install -m 0644 misc/pam.d_su.qubes $(DESTDIR)/etc/pam.d/su.qubes
+	install -d $(DESTDIR)/usr/share/pam-configs
+	install -m 0644 misc/passwordless $(DESTDIR)/usr/share/pam-configs/passwordless
 	install -d $(DESTDIR)/etc/needrestart/conf.d
 	install -D -m 0644 misc/50_qubes.conf $(DESTDIR)/etc/needrestart/conf.d/50_qubes.conf
 	install -D -m 0644 misc/grub.qubes $(DESTDIR)/etc/default/grub.d/30-qubes.cfg

debian/control

@@ -159,6 +159,7 @@ Description: NetworkManager integration for Qubes VM
 
 Package: qubes-core-agent-passwordless-root
 Architecture: any
+Depends: libpam-runtime
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Provides: ${diverted-files}

debian/qubes-core-agent-passwordless-root.install

@@ -1,4 +1,3 @@
 etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 etc/polkit-1/rules.d/00-qubes-allow-all.rules
-etc/pam.d/su.qubes
 etc/sudoers.d/qubes

debian/qubes-core-agent-passwordless-root.postinst

@@ -0,0 +1,31 @@
+#!/bin/bash
+# postinst script for qubes-core-agent-passwordless-root
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The postinst script may be called in the following ways:
+#   * <postinst> 'configure' <most-recently-configured-version>
+#   * <old-postinst> 'abort-upgrade' <new version>
+#   * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
+#     <new-version>
+#   * <postinst> 'abort-remove'
+#   * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
+#     <failed-install-package> <version> 'removing'
+#     <conflicting-package> <version>
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+pam-auth-update --package
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :

debian/qubes-core-agent-passwordless-root.prerm

@@ -0,0 +1,43 @@
+#!/bin/sh
+# prerm script for qubes-core-agent-passwordless-root
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The prerm script may be called in the following ways:
+#   * <prerm> 'remove'
+#   * <old-prerm> 'upgrade' <new-version>
+#   * <conflictor's-prerm> 'remove' 'in-favour' <package> <new-version>
+#   * <deconfigured's-prerm> 'deconfigure' 'in-favour' <package-being-installed>
+#     <version> [removing conflicting-package version]
+#
+#     The package whose prerm is being called will be at least "Half-Installed".
+# All package dependencies will at least be "Half-Installed" and will have
+# previously been configured and not removed. If there was no error, all
+# dependencies will at least be "Unpacked", but these actions may be called in
+# various error states where dependencies are only "Half-Installed" due to a
+# partial upgrade.
+#
+#   * <new-prerm> 'failed-upgrade' <old-version>
+#
+#     Called during error handling when prerm upgrade fails. The new package
+# will not yet be unpacked, and all the same constraints as for preinst
+# upgrade apply.
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "$1" = remove ]; then
+   pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE"
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :

misc/passwordless

@@ -0,0 +1,6 @@
+Name: prevent 'su -' from asking for password (by package qubes-core-agent-passwordless-root)
+Default: yes
+Priority: 258
+Auth-Type: Primary
+Auth:
+	sufficient	pam_wheel.so debug group=sudo trust