Hi, On Thu, 2020-12-10 at 12:20 -0700, Chris Murphy wrote: > On Thu, Dec 10, 2020 at 5:40 AM Benjamin Berg <bb...@redhat.com> > wrote: > > Hi, > > > > so, the other day we had a major regression in the PAM stack[1] > > that, > > unfortunately, ended up hitting rawhide and the Fedora 33 testing > > (not > > stable) repository before being unpushed. > > > > In this case it was easy to work around as SSH was still working > > fine. > > But, it seems that rescue mode requires having a root password set, > > which we do not always do during the Fedora install. > > > > > > So, I think we should have an obvious way for users to enter > > recovery > > mode even with a locked root account. > > > > Currently rescue.service is executing "systemd-sulogin-shell" which > > in > > turn runs "sulogin" (part of util-linux). A workaround is to > > set SYSTEMD_SULOGIN_FORCE=1 in rescue.service, but that just > > disables > > authentication entirely. > > > > I suppose to improve this, we would need a kind of "sudologin" that > > accepts any user in the "wheel" group. Or maybe some other more > > rigid > > requirement like configuring the first admin user that was created. > > > > Anyone has a good idea on how to solve this? > > I solve it with early debug shell using boot param > systemd.debug-shell=1 but that presents a root login on tty9 without > needing a password.
Yeah, if you are able to modify the command line and have the background, then it is really simple to bypass the authentication. > I'm under the impression authentication services aren't even available > for emergency or rescue targets (?). I also wonder what happens if we > move to systemd-homed and whether that can start sooner and provide > the ability to use rescue target? Or if it starts late enough that it > can't be used for rescue and then also what that means for non-root > use of rescue because with systemd-home, there are no (human) users in > /etc at all. True, systemd-homed could be a problem. Maybe at the end of the day this is a lost cause? I mean, if you need to drop into rescue mode, you already need to have quite in-depth knowledge. So it could be better to focus on having more versatile solutions. Like being able to revert back to a known good state of the OS instead of providing a rescue shell. Benjamin
signature.asc
Description: This is a digitally signed message part
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
