Debian Templates: 'su -' asks for password #1128

Closed
adrelanos opened this Issue Aug 17, 2015 · 9 comments

Member

adrelanos commented Aug 17, 2015

su - asks for password.

A user was confused by this:
https://groups.google.com/forum/#!topic/qubes-users/DQwXOrzwdWE

This is specifically confusing in Whonix, because there ~/.bashrc tells one that the default password is changeme. (That text could be omitted.) Anyhow. This issue equally applies to the Debian templates.

Since Qubes allows passwordless sudo anyhow (See: https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes.sudoers)... I suggest making su - passwordless. Or does anything speak against that?

Does someone know how to configure /etc/pam.d or is this TODO research?

nrgaway commented Aug 17, 2015

Can a user just not use sudo su?

Otherwise I will let @marmarek answer

Member

adrelanos commented Aug 17, 2015

They can. But what causes confusion for one user, probably accustomed to non-Debian distributions, will cause confusion for another user. If we're lucky, this would be just one more file with one to three lines of code.

Member

unman commented Aug 17, 2015

Debian doesn't have wheel group, but you could create it, add user to it and then uncomment this line in pam.d/su:
auth sufficient pam_wheel.so trust

Member

adrelanos commented Aug 17, 2015

Member

unman commented Aug 17, 2015

I think you have to edit the pam.d/su file.
If you don't want to add a group you could add - auth sufficient pam_permit.so

Member

adrelanos commented Aug 18, 2015

Nice.
Appending to /etc/pam.d/su:

auth sufficient pam_permit.so

Works for me.

Member

adrelanos commented Aug 18, 2015

If this is fine to implement, I could provide a pull request. Using https://packages.debian.org/jessie/config-package-dev. A clean way to create diversions / config packages. That way the Qubes specific file would not cause an interactive dpkg conflict resolution dialog if upstream's /etc/pam.d/su gets updated.

Member

marmarek commented Aug 26, 2015

On Fedora template we have simply empty root password (usermod -p '' root), which does the trick. Apparently it doesn't work on Debian, because pam_unix has nullok_secure option instead of nullok.

Anyway I don't think it can be changed without modifying some file in /etc/pam.d (either su - as above, or common-auth - s/nullok_secure/nullok/), so config-package-dev is probably the way to go.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

marmarek added a commit to marmarek/old-qubes-core-agent-linux that referenced this issue Sep 29, 2015

Merge remote-tracking branch 'origin/pr/31'
* origin/pr/31:
  Fixed /etc/pam.d/su.qubes. (Moved line 'auth sufficient pam_permit.so' up. May not be low '@include' lines.)
  - Prevent 'su -' from asking for password in Debian [based] templates. Thanks to @unman and @marmarek for suggesting the fix! Fixes QubesOS/qubes-issues#1128. - Changed 'ifeq (1,${DEBIANBUILD})' to 'ifeq ($(shell lsb_release -is), Debian)' to make the build work outside of Qubes Builder as well.

Conflicts:
	debian/control
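
Added example (not part of the thread and not the Qubes packaging code): a small Python audit that reads a PAM service file and reports the three password-bypass configurations discussed in the comments above, recording whether each sits above the first @include line, the placement the referenced commit moved it to. The sample files are constructed for illustration, and the names audit_auth_stack, SAMPLE_EARLY and SAMPLE_LATE are hypothetical.

```python
import re

# type, control (a word or a [bracketed] list), module, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed samples in the style of /etc/pam.d/su; not the real Debian or Qubes files.
SAMPLE_EARLY = """\
auth       sufficient pam_rootok.so
auth       sufficient pam_permit.so
# auth     sufficient pam_wheel.so trust
@include common-auth
@include common-account
"""
SAMPLE_LATE = """\
auth       sufficient pam_rootok.so
@include common-auth
auth       sufficient pam_permit.so
"""

def audit_auth_stack(text):
    """Return (lineno, module, reason, above_first_include) for every auth
    rule that lets the caller through without presenting a credential."""
    findings, seen_include = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if line.startswith("@include"):
            seen_include = True
            continue
        m = RULE.match(line)
        if not m or m.group(1) != "auth":
            continue
        control, args = m.group(2), m.group(4).split()
        module = m.group(3).rsplit("/", 1)[-1]    # tolerate absolute module paths
        reason = None
        if module == "pam_permit.so" and control == "sufficient":
            reason = "always succeeds; as 'sufficient' it ends the stack with success"
        elif module == "pam_wheel.so" and control == "sufficient" and "trust" in args:
            reason = "wheel members are trusted without a password"
        elif module == "pam_unix.so" and "nullok" in args:
            reason = "empty passwords are accepted"
        if reason:
            findings.append((lineno, module, reason, not seen_include))
    return findings

if __name__ == "__main__":
    for name, text in (("early", SAMPLE_EARLY), ("late", SAMPLE_LATE)):
        for lineno, module, reason, above in audit_auth_stack(text):
            where = "above" if above else "below"
            print(f"{name}: line {lineno}: {module}: {reason} ({where} first @include)")
```

A finding reported below the first @include is reached only after the included modules, such as pam_unix, have already run and prompted.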