Hello,

I'm attaching a completely untested patch against systemd packaging git.

@Stijn van Drongelen: Maybe you can offer to test it (and maybe even finish it up)?

(Please note how I am *intentionally* not setting a patch tag, since the patch is both untested and *unfinished*. This is mostly an RFC on whether this method would be considered acceptable.)

Rather than shipping the dropins in /lib/systemd/system, they maybe should be installed in /etc/systemd/system instead (as conffiles) to more easily allow the sysadmin to remove them. (Or even ship them commented out under the secure-by-default mantra.)

Personally I don't really see much point in this. Why would you expect passwordless root shells to be handed out if you lock the root account? If you only consider default Debian installations, getting a root shell is as easy as adding init=/bin/sh in grub to the kernel command line. (If you also consider secure boot environments, you likely don't want to hand out passwordless root shells by default...)

The only thing I can really sympathise with is Ubuntu, where the root account is always locked and the user never gets to choose, but they have already implemented their own solution suitable for their use case (but IMHO not suitable for Debian).

Regards,
Andreas Henriksson
>From 00085bca85faaf62c352ad1e1d5301a705fe9bc3 Mon Sep 17 00:00:00 2001 From: Andreas Henriksson <andr...@fatal.se> Date: Thu, 12 Oct 2017 14:05:42 +0200 Subject: [PATCH] WIP: untested changes for #802211 Maybe would be better if the dropins where installed in /etc/systemd/system (i.e. as a conffile) to allow admin to more easily remove it...... or maybe even the dropins should be commented out by default as shipped (under the secure-by-default mantra)? --- .../extra/units/emergency.service.d/sulogin.conf | 3 ++ debian/extra/units/rescue.service.d/sulogin.conf | 1 + debian/patches/debian/sulogin-allow-args.patch | 41 ++++++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 46 insertions(+) create mode 100644 debian/extra/units/emergency.service.d/sulogin.conf create mode 120000 debian/extra/units/rescue.service.d/sulogin.conf create mode 100644 debian/patches/debian/sulogin-allow-args.patch diff --git a/debian/extra/units/emergency.service.d/sulogin.conf b/debian/extra/units/emergency.service.d/sulogin.conf new file mode 100644 index 000000000..99691cda4 --- /dev/null +++ b/debian/extra/units/emergency.service.d/sulogin.conf @@ -0,0 +1,3 @@ +# emergency.service and rescue.service dropin, see #802211 +[Service] +Environment=SULOGIN_ARGS=--force diff --git a/debian/extra/units/rescue.service.d/sulogin.conf b/debian/extra/units/rescue.service.d/sulogin.conf new file mode 120000 index 000000000..73a838abe --- /dev/null +++ b/debian/extra/units/rescue.service.d/sulogin.conf @@ -0,0 +1 @@ +../emergency.service.d/sulogin.conf \ No newline at end of file diff --git a/debian/patches/debian/sulogin-allow-args.patch b/debian/patches/debian/sulogin-allow-args.patch new file mode 100644 index 000000000..825c6ddb9 --- /dev/null +++ b/debian/patches/debian/sulogin-allow-args.patch 
@@ -0,0 +1,41 @@ +WIP: completely untested (and unfinished). + +Allow setting sulogin arguments via rescue.service and emergency.service +dropins that contains Environment=SULOGIN_ARGS=--force. This is useful +to allow passwordless root login even when root account is disabled +(which is the case when you don't give the password in debian-installer +and also every ubuntu installation). + +See https://bugs.debian.org/802211 + +--- a/src/sulogin-shell/sulogin-shell.c ++++ b/src/sulogin-shell/sulogin-shell.c +@@ -89,6 +89,7 @@ + + int main(int argc, char *argv[]) { + static const char* const sulogin_cmdline[] = {SULOGIN, NULL}; ++ char *env_sulogin_args; + int r; + + log_set_target(LOG_TARGET_AUTO); +@@ -97,7 +98,19 @@ + + print_mode(argc > 1 ? argv[1] : ""); + +- fork_wait(sulogin_cmdline); ++ env_sulogin_args = getenv("SULOGIN_ARGS"); ++ if (env_sulogin_args) { ++ char **sulogin_cmdline_args; ++ ++ sulogin_cmdline_args = strv_split(env_sulogin_args, " "); ++ // FIXME: if (... == NULL) ... ++ strv_push_prepend(&sulogin_cmdline_args, SULOGIN); ++ ++ fork_wait(sulogin_cmdline_args); ++ ++ strv_free_free(sulogin_cmdline_args); ++ } else ++ fork_wait(sulogin_cmdline); + + r = start_default_target(); + diff --git a/debian/patches/series b/debian/patches/series index 508749322..bbba7a39d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -24,3 +24,4 @@ debian/Add-env-variable-for-machine-ID-path.patch debian/Mark-test-timesync-as-manual.patch debian/Avoid-requiring-a-kvm-system-group.patch debian/Revert-tests-when-running-a-manager-object-in-a-test-migr.patch +debian/sulogin-allow-args.patch -- 2.11.0
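Review bot: In debian/extra/units/emergency.service.d/sulogin.conf the line "Environment=SULOGIN_ARGS=--force" is active as shipped, and the rescue.service.d symlink applies the same setting to rescue mode. The patch description says this permits passwordless root login when the root account is disabled, and the commit message itself leaves open whether the drop-ins should be conffiles under /etc/systemd/system or ship commented out. That question should be settled before merge; shipping the Environment= line commented out keeps the current behaviour for anyone who locked root on purpose and makes the override an explicit admin choice. The file's comment should also state what --force does rather than only citing #802211.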
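Review bot: In the "@@ -97,7 +98,19 @@" part of debian/patches/debian/sulogin-allow-args.patch, the cleanup "strv_free_free(sulogin_cmdline_args);" does not match what was built. strv_free_free() is for an array of string vectors (char ***), while sulogin_cmdline_args is a single char **, and its first element is the SULOGIN constant that strv_push_prepend() stored without copying, so it must not reach free(). Prepend a strdup()ed copy of SULOGIN and release the vector with strv_free() instead. The FIXME also needs resolving before this can go in: check strv_split() for NULL and check the return value of strv_push_prepend(), log the failure, and fall back to the existing "fork_wait(sulogin_cmdline);" so that an allocation failure or a bad SULOGIN_ARGS does not leave emergency or rescue mode without a shell. SULOGIN_ARGS is a new interface and is not documented anywhere in the patch beyond its description header.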
_______________________________________________ Pkg-systemd-maintainers mailing list Pkg-systemd-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers