feat: Phase 1 - Plan 9 namespace privilege drop + branding

- login.rs: drop privileges via setresugid after authentication
- login.rs: add namespace isolation to password auth path (was missing)
- login.rs: add drm, input schemes to DEFAULT_SCHEMES
- sudo service: rename 00_sudo -> 12_sudo, type daemon (no boot block)
- Branded login screen with figlet RedBear OS v0.2.2 'Liliya'
- Root user kept but not advertised on login screen
- P6-login-privilege-drop.patch generated and wired

Implements Phase 1 of Plan 9 namespace privilege model:
login creates restricted namespace (mkns/setns) then drops
uid/gid to authenticated user before spawning shell.
This commit is contained in:
2026-05-29 09:54:28 +03:00
parent 61135b0cce
commit bb3ae6e63f
8 changed files with 83 additions and 27 deletions
-7
View File
@@ -1,7 +0,0 @@
[unit]
description = "Sudo background handler"
[service]
cmd = "sudo"
args = ["--daemon"]
type = "oneshot_async"
+7
View File
@@ -0,0 +1,7 @@
[unit]
description = "Sudo privilege escalation daemon"
[service]
cmd = "sudo"
args = ["--daemon"]
type = "daemon"
+1 -1
View File
@@ -63,7 +63,7 @@ installs = [
"/usr/lib/init.d/00_ipcd.service",
"/usr/lib/init.d/00_pcid-spawner.service",
"/usr/lib/init.d/00_ptyd.service",
"/usr/lib/init.d/00_sudo.service",
"/usr/lib/init.d/12_sudo.service",
"/usr/lib/init.d/00_tmp",
"/usr/lib/init.d/05_boot_essential.target",
"/usr/lib/init.d/10_dhcpd.service",
+1 -1
View File
@@ -1,6 +1,6 @@
[source]
git = "https://gitlab.redox-os.org/redox-os/userutils.git"
patches = ["P5-redbear-branding.patch"]
patches = ["P5-redbear-branding.patch", "P6-login-privilege-drop.patch"]
[build]
template = "custom"
Submodule recipes/core/userutils/source updated: 0c5274faa9...9c37ba8c19