From daeec0528be1984196823ef4fc65bdf68b5de264 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Tue, 8 May 2018 10:00:35 +0530
Subject: [PATCH] security: Fix issue with Plinth locked out from sudo
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: Joseph Nuthalapati
---
 debian/postinst | 6 ++++++
 plinth/modules/security/__init__.py | 8 ++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/debian/postinst b/debian/postinst
index 639713c43..8f2c869cf 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -5,6 +5,12 @@ set -e
 daemonuser=plinth
 daemongroup=plinth
+# Due to a change in sudo, now it runs PAM modules even on password-less
+# invocations. This leads to plinth not being able to run root privileges. This
+# is because of our own restrictions in /etc/security/access.conf. Since Plinth
+# is locked out after upgrade, we need to do this in postinst.
+sed -ie 's+-:ALL EXCEPT root fbx (admin) (sudo):ALL+-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL+' /etc/security/access.conf
+
 case "$1" in
 configure)
 addgroup --system --quiet plinth
diff --git a/plinth/modules/security/__init__.py b/plinth/modules/security/__init__.py
index 693b9ee4c..d6e08a832 100644
--- a/plinth/modules/security/__init__.py
+++ b/plinth/modules/security/__init__.py
@@ -23,7 +23,7 @@ from django.utils.translation import ugettext_lazy as _
 from plinth import actions
 from plinth.menu import main_menu
-version = 3
+version = 4
 is_essential = True
@@ -50,7 +50,11 @@ def init():
 def setup(helper, old_version=None):
 """Install the required packages"""
 helper.install(managed_packages)
- setup_fail2ban()
+ if not old_version:
+ setup_fail2ban()
+
+ if get_restricted_access_enabled():
+ set_restricted_access(True)
 def setup_fail2ban():
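Review bot: `sed -ie` in the added postinst line is parsed by GNU sed as `-i` with backup suffix `e`, so every run leaves a stray `/etc/security/access.confe` copy of the access rules; `sed -i -e '…'` is what was meant. The command also sits above `case "$1" in` under `set -e`, so it runs for every maintainer-script action, and a missing access.conf would abort package configuration; wrapping it in `if [ -f /etc/security/access.conf ]; then … fi` avoids that. The pattern matches only the exact stock rule, so on a host where that line was edited by hand the substitution silently does nothing and the plinth user stays subject to the pam_access restriction. A one-line comment stating that limitation would help whoever has to debug a locked-out upgrade.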
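Review bot: The added `if get_restricted_access_enabled(): set_restricted_access(True)` in setup() reads like a no-op, since it re-enables a setting that is already on, and nothing in the hunk says why it is there. Judging from the commit message it presumably rewrites the existing access.conf rule so that the plinth user is exempted; both helpers are defined outside this hunk, so that is an inference. I would add `# Re-apply restricted access so an existing rule is rewritten with the plinth exemption` above it and update the docstring, which still says only `"""Install the required packages"""`. It is also worth confirming that this step does not itself need working sudo, because on a host where the postinst substitution did not match, the upgrade would presumably fail here.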