On Tue, Nov 30, 2021 at 9:49 AM Chris Adams <linux@xxxxxxxxxxx> wrote:

> So, not directly related to the proposal, but jumping in here because it
> goes with the above statement - the "root should be left locked" setup
> is a problem that keeps single-user mode broken. I tried to follow the
> Fedora (and other distros) default of root being a locked account, and
> then found that it's a broken setup.
>
> I was changing some disk config and made a typo in /etc/fstab, so
> filesystems wouldn't mount on boot. The boot process stopped and
> prompted for the (non-existent) root password. The only way to proceed
> at that point is to bypass the normal init (remember to load SELinux
> policy manually or face a full relabel, which is irritating) and set a
> root password.

It is possible to boot such a system with the 'systemd.debug-shell=1' boot parameter, and you'll get a root login on tty9, and from here you can run 'passwd' and enable the root account.

Like, the fact we can do this so easily is something of a security risk, which is also ironic that the #1 reason I'm aware of and use this workaround is because I'm locked out of maintenance mode boot due to the root user not having a password which is ostensibly more secure. From one fire into the next...

While I agree that the options are suboptimal, the whole fall over behavior when something doesn't assemble correctly is more suboptimal. There aren't that many folks who can troubleshoot such things in the initramfs, it's such a severely limited environment, and requires esoteric knowledge to even figure out why things don't assemble let alone fix them.

A few ideas have been floated to make it better:

* enabling read-only rootfs startup
* possibly use overlayfs with a read/write layer on volatile /run, and somehow indicating to the user things are running in a degraded/safe/emergency read-only startup.
* a recovery partition to enable starting up a more complete and user friendly environment
* could be based on Live media used for doing installations

> This IMHO should have been addressed before making "root account locked"
> a default. At a minimum, you shouldn't be prompted for a password that
> doesn't exist. It used to be possible to edit the sulogin options to
> add --force (so that a locked root account bypassed the password
> request), but then systemd removed that.

There's a possibility that systemd-homed is available soon after a read-only mount of rootfs, and could be used to authenticate a user in the wheel group to login to the maintenance mode prompt. But right now, none of the user authentication stuff is running by the time early startup file system assembly tends to fail, and also needs rw mount for whatever reason. So I guess it's not such a simple problem to solve at the moment.

--
Chris Murphy
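
The two conditions discussed in this message (a locked root account and a boot with the debug shell enabled) can be checked from a host's shadow file and kernel command line. The script below is an added example, not part of the message or of any Fedora or systemd code; the function names and the sample shadow and command-line strings are constructed for illustration, and treating any non-false option value as "enabled" is an assumption.

```python
# Added example: audits the two conditions from the message above.
# SAMPLE_* values are constructed; on a real host read /etc/shadow (needs
# root) and /proc/cmdline instead.
FALSE_VALUES = {"0", "no", "false", "off"}

SAMPLE_SHADOW = "root:!!:18961:0:99999:7:::\nchris:$6$constructed$hash:18961:0:99999:7:::\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro systemd.debug-shell=1"


def root_password_state(shadow_text):
    """Classify root's password field in shadow(5)-format text."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            if fields[1] == "":
                return "empty"   # login needs no password at all
            if fields[1][0] in "!*":
                return "locked"  # no typed password can match this field
            return "set"
    return "missing"


def debug_shell_enabled(cmdline):
    """True if the kernel command line switches on the systemd debug shell."""
    enabled = False
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        # Compare with '_' and '-' treated alike in the option name.
        if key.replace("_", "-") != "systemd.debug-shell":
            continue
        # A bare option or a true value enables it; an explicit false value
        # disables it. Assumption: any other value is treated as enabled.
        enabled = not (sep and value.lower() in FALSE_VALUES)
    return enabled


def assess(shadow_text, cmdline):
    """Return findings for the locked-root / debug-shell combination."""
    findings = []
    state = root_password_state(shadow_text)
    if state == "locked":
        findings.append("root locked: maintenance-mode password prompt cannot be satisfied")
    elif state == "empty":
        findings.append("root has an empty password field")
    if debug_shell_enabled(cmdline):
        findings.append("debug shell enabled: passwordless root shell on tty9")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_SHADOW, SAMPLE_CMDLINE):
        print(finding)
```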