Hi. I’ve configured https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt and it works well. Except… The
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
replacement in /etc/pam.d/common-auth breaks cron (and possibly other things I haven’t encountered yet).
I’m by no means a Linux Ninja and besides that would like to fix this in whatever would be the “Qubes way”, since the Qubes change is what broke it.
Appreciate all help/suggestions. Thanks.
1 Like
Well, no ideas yet, so I went ahead and implemented the following: Instead of the single line above from the docs, these 2 lines:
auth [success=2 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
auth [success=1 default=ignore] pam_unix.so nullok_secure
It works, but with the one annoyance that if one hits Cancel on the dom0 prompt one gets a sudo password prompt in the qube. If anyone more versed in PAM than I knows how to fix this, please advise.
1 Like
This may be a known bug. Have you tried looking for it on the known bugs list? Perhaps someone has already experienced it and reported a temporary fix.
1 Like
Thanks @deeplow.
Nothing that I saw on the bug list. Wouldn’t expect it anyway since don’t think this would be considered a bug given the statement in the above link is
A list of steps to do so is provided here without any guarantee of safety, accuracy, or completeness. Proceed at your own risk. Do not rely on this for extra security.
Just hoped someone else might have already hit this or know PAM/whatever better than me…
2 Likes
Ah. I see! I hope someone is able to help you, then 