Implement optional admin authorization via qrexec

See included README for details.

Issue: QubesOS/qubes-issues#2695

Author: HW42

Makefile

@@ -24,6 +24,7 @@ all:
 ifeq ($(ENABLE_SELINUX),1)
 	$(MAKE) -C selinux -f /usr/share/selinux/devel/Makefile -- $(selinux_policies)
 endif
+	$(MAKE) -C passwordless-root
 
 clean:
 	make -C misc clean

archlinux/PKGBUILD.in

@@ -38,7 +38,7 @@ build() {
     # Fix for archlinux sbindir
     sed 's:/usr/sbin/ntpdate:/usr/bin/ntpdate:g' -i qubes-rpc/sync-ntp-clock
 
-    for dir in qubes-rpc misc; do
+    for dir in qubes-rpc misc passwordless-root; do
         make -C "$dir" VERSION=${pkgver}
     done
 }

debian/qubes-core-agent-passwordless-root.displace-extension

@@ -1,3 +1,7 @@
-etc/polkit-1/rules.d/00-qubes-allow-all.rules
+etc/qubes/admin-authzd.conf
 etc/sudoers.d/qubes
-usr/share/pam-configs/su.qubes
+usr/share/pam-configs/qubes-admin-authz
+usr/bin/qubes-admin-authzd
+usr/lib/*/security/pam_qubes_admin_authz.so
+lib/systemd/system/qubes-admin-authzd.service
+usr/share/doc/qubes-core-agent-passwordless-root/README.md

debian/qubes-core-agent-passwordless-root.install

@@ -26,6 +26,18 @@ pam-auth-update --package
 
 #DEBHELPER#
 
+# If systemd is running try starting qubes-admin-authzd even if the user
+# blocked the normal start by dh (above) via policy-rc.d. Not running it will
+# break passwordless auth, so this is most likely not what the user wanted. But
+# if they really want to they still can mask the service.
+
+if [[ -e /run/systemd/system ]] &&
+   ! systemctl is-active --quiet qubes-admin-authzd.service &&
+   systemctl is-enabled --quiet qubes-admin-authzd.service
+then
+    systemctl start qubes-admin-authzd.service || true
+fi
+
 exit 0
 
 # vim: set ts=4 sw=4 sts=4 et :

debian/qubes-core-agent-passwordless-root.postinst

@@ -37,7 +37,8 @@ override_dh_fixperms:
 	dh_fixperms -a -Xqfile-unpacker
 
 override_dh_systemd_start:
-	dh_systemd_start --no-restart-on-upgrade
+	dh_systemd_start --package=qubes-core-agent-passwordless-root --restart-after-upgrade
+	dh_systemd_start --remaining-packages --no-restart-after-upgrade
 
 override_dh_install:
 	if [ "$(DISTRIBUTION)" = "Ubuntu" ]; then \

debian/rules

@@ -0,0 +1,2 @@
+pam_qubes_admin_authz.so
+qubes-admin-authzd

passwordless-root/.gitignore

@@ -0,0 +1,4 @@
+# This will be re-preset on package upgrade. If you really want you can
+# override this with a higher higher-priority preset file but that is probably
+# a bad idea since it will break the pam module.
+enable qubes-admin-authzd.service

passwordless-root/75-qubes-admin-authz.preset

@@ -1,10 +1,25 @@
+BINDIR ?= /usr/bin
 SYSCONFDIR ?= /etc
 SUDOERSDIR = $(SYSCONFDIR)/sudoers.d
-POLKIT1DIR = $(SYSCONFDIR)/polkit-1
 PAMDIR = $(SYSCONFDIR)/pam.d
 PAMCONFIGSDIR = /usr/share/pam-configs/
+SYSLIBDIR ?= /lib
 
-.PHONY: install install-debian install-rh
+ifneq ($(DEB_HOST_MULTIARCH),)
+  PAM_MOD_DIR = /usr/lib/$(DEB_HOST_MULTIARCH)/security
+else
+  PAM_MOD_DIR = /usr/lib64/security
+endif
+
+.PHONY: install install-debian install-rh all
+
+all: qubes-admin-authzd pam_qubes_admin_authz.so
+
+qubes-admin-authzd: qubes-admin-authzd.c qubes-admin-authz-common.h
+	gcc -O2 -Wall -Wextra -Werror -fPIC -pie $< -o $@
+
+pam_qubes_admin_authz.so: pam_qubes_admin_authz.c qubes-admin-authz-common.h
+	gcc -O2 -Wall -Wextra -Werror -fPIC -pie -shared $< -o $@ -lpam
 
 install:
 	install -d -m 0750 $(DESTDIR)$(SUDOERSDIR)
@@ -14,11 +29,36 @@ install:
 		sed -E '/^[^#]/s/\<(ROLE|TYPE)=[A-Za-z0-9_]+[[:space:]]+//g' qubes.sudoers | \
 		install -D -m 0440 /dev/stdin $(DESTDIR)$(SUDOERSDIR)/qubes; \
 	fi
-	install -d -m 0750 $(DESTDIR)$(POLKIT1DIR)/rules.d
-	install -D -m 0644 polkit-1-qubes-allow-all.rules $(DESTDIR)$(POLKIT1DIR)/rules.d/00-qubes-allow-all.rules
+	install -D -t $(DESTDIR)$(PAM_MOD_DIR) pam_qubes_admin_authz.so
+	install -D -t $(DESTDIR)$(BINDIR) qubes-admin-authzd
+	install -D -m 0644 -t $(DESTDIR)$(SYSLIBDIR)/systemd/system qubes-admin-authzd.service
+	install -D -m 0644 -t $(DESTDIR)$(SYSCONFDIR)/qubes/ admin-authzd.conf
+	install -D -m 0644 -t $(DESTDIR)/usr/share/doc/qubes-core-agent-passwordless-root README.md
 
 install-rh:
-	install -D -m 0644 pam.d_su.qubes $(DESTDIR)$(PAMDIR)/su.qubes
+	install -D -m 0644 -t $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset 75-qubes-admin-authz.preset
+	install -d $(DESTDIR)/usr/share/authselect/vendor
+	for i in \
+		local \
+		nis \
+		sssd \
+		winbind \
+		; do \
+		install -D -t $(DESTDIR)/usr/share/authselect/vendor/$$i \
+			authselect/$$i/system-auth authselect/$$i/password-auth || exit 1; \
+		for j in \
+			README \
+			REQUIREMENTS \
+			dconf-db \
+			dconf-locks \
+			fingerprint-auth \
+			nsswitch.conf \
+			postlogin \
+			smartcard-auth \
+			; do \
+			ln -s ../../default/$$i/$$j $(DESTDIR)/usr/share/authselect/vendor/$$i/$$j || exit 1; \
+		done; \
+	done
 
 install-debian:
-	install -D -m 0644 pam-configs_su.qubes $(DESTDIR)$(PAMCONFIGSDIR)/su.qubes
+	install -D -m 0644 pam-configs-qubes-admin-authz $(DESTDIR)$(PAMCONFIGSDIR)/qubes-admin-authz

passwordless-root/Makefile

@@ -0,0 +1,82 @@
+# Passwordless in-qubqube admin authorization
+
+By default all users in the `qubes` group (usually only the standard `user`
+user) are allowed to execute things as root via sudo/su/pkexec. This is allowed
+without a password prompt.
+
+Separating the user isn't that meaningfull since Qubes' primary
+compartimentalization layer are qubes and `user` in a qube has access most
+things there anyway (user data, GUI I/O, etc). But some advanced users want
+more options therefore this mechanism has been extended.
+
+## Modes
+
+There are 3 modes:
+
+ - `allow`: Always allow admin access.
+ - `deny`: Always deny admin access.
+ - `qrexec`: Make a qrexec call and use it's result to allow/deny. The main
+   usage is to have a trivial qrexec service in dom0 and use the qrexex policy
+   with the ask action to allow only after prompting.
+
+"Admin access" here means being able to run things as another user (including
+root), via sudo, su and polkit. This is always limited to users in the `qubes`
+group.
+
+
+## Config
+
+When the `qubes-core-agent-passwordless-root` is installed the
+pam_qubes_admin_authz.so is always enabled. This module asks the
+`qubes-admin-authzd` daemon which does the actual logic (see below for
+technical details).
+
+The mode can be set via /usr/local/etc/qubes/admin-authzd.conf for per-qube
+setting or more common via /etc/qubes/admin-authzd.conf in a template (setting
+in /usr/local has precendce).
+
+There config file have a very simpley syntax. The first line needs to contain
+one of the listed mode above without anythings else. Currently the rest of the
+file is ignored. Please prefix comments with `#` to allow extension of this
+configuration file should the need arise.
+
+
+## qrexec policy
+
+After setting the mode to qrexec, you need to configure the qrexec policy in
+dom0. For example:
+
+```
+qubes.AuthorizeInVMAdminAccess * * @default ask target=dom0 default_target=dom0
+```
+
+asks for requests from any VM.
+
+Note that in dom0 only a trivial service is run that returns a fixed string
+such that the qube knows the result of the policy evaluation. The idea here is
+that this way the existing qrexec policy can be reused, including it's ask
+prompt.
+
+
+## Limitaions
+
+Keep in mind that if you have allowed admin access and the qube was compromised
+at that point persistence is trivial.
+
+
+## Technical details
+
+We implement a PAM module named `pam_qubes_admin_authz.so` to permit the
+access. Since PAM modules can be run in a setuid context (when called by
+sudo/su) we want to keep the code simple there. Therefore we use just some
+existing PAM helper functions to check for the requsting users group membership
+and check the PAM "service" (`sudo`, `su-l`, etc.) and if they match we make a
+connection to an abstract unix socket. With `SO_PEERCRED` we check that this
+socket has been opened by root. The rest, including config file handling and
+invoking qrexec-client-vm is then handled by the `qubes-admin-authzd` at the
+other end of the socket (started by qubes-admin-authzd.service).
+
+## Recovery
+
+Should you have locked you self out you should still be able to use
+`qvm-console-dispvm` and login as root there without a password.