Re: F36 Change: Make Rescue Mode Work With Locked Root (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Di, 07.12.21 15:39, Zbigniew Jędrzejewski-Szmek (zbyszek@xxxxxxxxx) wrote:

> Latest systemd versions have been getting some support for the low-level
> parts, i.e. the low-level encrypted-secret storage. But we're missing the
> upper parts, i.e. how to actually use and update the passwords. I didn't
> even mention this, because we don't have a comprehensive story yet.
> I think it'd be necessary to write some pam module and/or authentication
> helper from scratch. It's probably not too much work, but nobody has
> signed up to do this.

So here's what I'd suggest: let's define a group (my suggestion: let's
repurpose "wheel" for that) that has the effect that the passwords of
any user in it are also accepted as password for the root user,
implicitly. We'd have to add some small infra to collect these
passwords, and encrypt/sign them with TPM2, then propagate to the ESP
or to some EFI var or so, so that they can be honoured already in the
initrd.

With such a mechanism we would have quite nice semantics: if a user is
designated to have admin privs, then that's sufficient to be able to
log into the root account, no further manual work necessary, and it
applies to the whole runtime of the OS: from initrd to regular system,
to sudo.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux