Hi, so, the other day we had a major regression in the PAM stack[1] that, unfortunately, ended up hitting rawhide and the Fedora 33 testing (not stable) repository before being unpushed. In this case it was easy to work around as SSH was still working fine. But, it seems that rescue mode requires having a root password set, which we do not always do during the Fedora install. So, I think we should have an obvious way for users to enter recovery mode even with a locked root account. Currently rescue.service is executing "systemd-sulogin-shell" which in turn runs "sulogin" (part of util-linux). A workaround is to set SYSTEMD_SULOGIN_FORCE=1 in rescue.service, but that just disables authentication entirely. I suppose to improve this, we would need a kind of "sudologin" that accepts any user in the "wheel" group. Or maybe some other more rigid requirement like configuring the first admin user that was created. Anyone has a good idea on how to solve this? Benjamin [1] What happened was that pam_fprintd would crash if you had no fingerprint reader in the system. That was an ugly regression that got into a cleanup patch. The regression only happened if you had *no* fingerprint reader, a scenario that managed to sneak by both automated and manual testing. The upstream automated tests have of course been fixed by now: https://gitlab.freedesktop.org/libfprint/fprintd/-/commit/ca216a32aff07a841c1a65d3ee48b6f221ee96eb
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
