Re: Working recovery with locked root user (rescue.service)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

On Thu, 2020-12-10 at 12:20 -0700, Chris Murphy wrote:
> On Thu, Dec 10, 2020 at 5:40 AM Benjamin Berg <bberg@xxxxxxxxxx>
> wrote:
> > Hi,
> > 
> > so, the other day we had a major regression in the PAM stack[1]
> > that,
> > unfortunately, ended up hitting rawhide and the Fedora 33 testing
> > (not
> > stable) repository before being unpushed.
> > 
> > In this case it was easy to work around as SSH was still working
> > fine.
> > But, it seems that rescue mode requires having a root password set,
> > which we do not always do during the Fedora install.
> > 
> > 
> > So, I think we should have an obvious way for users to enter
> > recovery
> > mode even with a locked root account.
> > 
> > Currently rescue.service is executing "systemd-sulogin-shell" which
> > in
> > turn runs "sulogin" (part of util-linux). A workaround is to
> > set SYSTEMD_SULOGIN_FORCE=1 in rescue.service, but that just
> > disables
> > authentication entirely.
> > 
> > I suppose to improve this, we would need a kind of "sudologin" that
> > accepts any user in the "wheel" group. Or maybe some other more
> > rigid
> > requirement like configuring the first admin user that was created.
> > 
> > Anyone has a good idea on how to solve this?
> 
> I solve it with early debug shell using boot param
> systemd.debug-shell=1 but that presents a root login on tty9 without
> needing a password.

Yeah, if you are able to modify the command line and have the
background, then it is really simple to bypass the authentication.

> I'm under the impression authentication services aren't even available
> for emergency or rescue targets (?). I also wonder what happens if we
> move to systemd-homed and whether that can start sooner and provide
> the ability to use rescue target? Or if it starts late enough that it
> can't be used for rescue and then also what that means for non-root
> use of rescue because with systemd-home, there are no (human) users in
> /etc at all.

True, systemd-homed could be a problem.

Maybe at the end of the day this is a lost cause?

I mean, if you need to drop into rescue mode, you already need to have
quite in-depth knowledge. So it could be better to focus on having more
versatile solutions. Like being able to revert back to a known good
state of the OS instead of providing a rescue shell.

Benjamin

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux