Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rescue mode and emergency mode won't work when the root account is locked #7115

Closed
rhymoid opened this Issue Oct 17, 2017 · 3 comments

Comments

3 participants
@rhymoid
Copy link

rhymoid commented Oct 17, 2017

Submission type

  • Bug report

systemd version the issue has been seen with

235 (and many versions before it).

Used distribution

Debian sid (as well as Debian stretch and Debian buster)

In case of bug report: Expected behaviour you didn't see

Rescue mode and emergency mode should give me a shell with root permissions.

In case of bug report: Unexpected behaviour you saw

Rescue mode and emergency mode won't give me any shell. After telling me that the root account is locked, they will only allow me to boot into default mode.

In case of bug report: Steps to reproduce the problem

For rescue mode:

  1. Lock your system's root account, if you haven't already done so.
  2. Reboot to GRUB.
  3. Start rescue mode.

For emergency mode:

  1. Lock your system's root account, if you haven't already done so.
  2. Corrupt your /etc/fstab.
  3. Reboot.
@grawity

This comment has been minimized.

Copy link
Contributor

grawity commented Oct 17, 2017

The emergency login prompt is done by sulogin, which is part of either "util-linux" or "shadow" – not a systemd component.

@rhymoid

This comment has been minimized.

Copy link
Author

rhymoid commented Oct 17, 2017

Some further notes:

@rhymoid

This comment has been minimized.

Copy link
Author

rhymoid commented Oct 17, 2017

@grawity And two years ago, util-linux added an option to sulogin specifically for this kind of cases. The defect is that systemd is not using that option.

andhe added a commit to andhe/systemd that referenced this issue Oct 14, 2018

sulogin-shell: Use force in rescue if ENABLE_FORCED_SULOGIN set
When the root account is locked sulogin will either inform you of
this and not allow you in or if --force is used it will hand
you passwordless root (if using a recent enough version of util-linux).

Not being allowed a shell is ofcourse inconvenient, but at the same
time handing out passwordless root unconditionally is probably not
a good idea everywhere.

This patch thus allows to control which behaviour you want by
setting the ENABLE_FORCED_SULOGIN environment variable to true
or false to control the behaviour, eg. via adding this to
'systemctl edit rescue.service':

[Service]
Environment=ENABLE_FORCED_SULOGIN=1

Distributions who used locked root accounts and want the passwordless
behaviour could thus simply drop in the override file in
/etc/systemd/system/rescue.service.d/override.conf

Fixes: systemd#7115
Addresses: https://bugs.debian.org/802211

andhe added a commit to andhe/systemd that referenced this issue Oct 16, 2018

sulogin-shell: Use force in rescue if ENABLE_FORCED_SULOGIN set
When the root account is locked sulogin will either inform you of
this and not allow you in or if --force is used it will hand
you passwordless root (if using a recent enough version of util-linux).

Not being allowed a shell is ofcourse inconvenient, but at the same
time handing out passwordless root unconditionally is probably not
a good idea everywhere.

This patch thus allows to control which behaviour you want by
setting the ENABLE_FORCED_SULOGIN environment variable to true
or false to control the behaviour, eg. via adding this to
'systemctl edit rescue.service':

[Service]
Environment=ENABLE_FORCED_SULOGIN=1

Distributions who used locked root accounts and want the passwordless
behaviour could thus simply drop in the override file in
/etc/systemd/system/rescue.service.d/override.conf

Fixes: systemd#7115
Addresses: https://bugs.debian.org/802211

andhe added a commit to andhe/systemd that referenced this issue Oct 16, 2018

sulogin-shell: Use force in rescue if ENABLE_FORCED_SULOGIN set
When the root account is locked sulogin will either inform you of
this and not allow you in or if --force is used it will hand
you passwordless root (if using a recent enough version of util-linux).

Not being allowed a shell is ofcourse inconvenient, but at the same
time handing out passwordless root unconditionally is probably not
a good idea everywhere.

This patch thus allows to control which behaviour you want by
setting the ENABLE_FORCED_SULOGIN environment variable to true
or false to control the behaviour, eg. via adding this to
'systemctl edit rescue.service':

[Service]
Environment=ENABLE_FORCED_SULOGIN=1

Distributions who used locked root accounts and want the passwordless
behaviour could thus simply drop in the override file in
/etc/systemd/system/rescue.service.d/override.conf

Fixes: systemd#7115
Addresses: https://bugs.debian.org/802211

andhe added a commit to andhe/systemd that referenced this issue Oct 16, 2018

sulogin-shell: Use force in rescue if SYSTEMD_SULOGIN_FORCE set
When the root account is locked sulogin will either inform you of
this and not allow you in or if --force is used it will hand
you passwordless root (if using a recent enough version of util-linux).

Not being allowed a shell is ofcourse inconvenient, but at the same
time handing out passwordless root unconditionally is probably not
a good idea everywhere.

This patch thus allows to control which behaviour you want by
setting the SYSTEMD_SULOGIN_FORCE environment variable to true
or false to control the behaviour, eg. via adding this to
'systemctl edit rescue.service':

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1

Distributions who used locked root accounts and want the passwordless
behaviour could thus simply drop in the override file in
/etc/systemd/system/rescue.service.d/override.conf

Fixes: systemd#7115
Addresses: https://bugs.debian.org/802211

andhe added a commit to andhe/systemd that referenced this issue Oct 16, 2018

sulogin-shell: Use force in rescue if SYSTEMD_SULOGIN_FORCE set
When the root account is locked sulogin will either inform you of
this and not allow you in or if --force is used it will hand
you passwordless root (if using a recent enough version of util-linux).

Not being allowed a shell is ofcourse inconvenient, but at the same
time handing out passwordless root unconditionally is probably not
a good idea everywhere.

This patch thus allows to control which behaviour you want by
setting the SYSTEMD_SULOGIN_FORCE environment variable to true
or false to control the behaviour, eg. via adding this to
'systemctl edit rescue.service':

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1

Distributions who used locked root accounts and want the passwordless
behaviour could thus simply drop in the override file in
/etc/systemd/system/rescue.service.d/override.conf

Fixes: systemd#7115
Addresses: https://bugs.debian.org/802211

andhe added a commit to andhe/systemd that referenced this issue Oct 17, 2018

sulogin-shell: Use force if SYSTEMD_SULOGIN_FORCE set
When the root account is locked sulogin will either inform you of
this and not allow you in or if --force is used it will hand
you passwordless root (if using a recent enough version of util-linux).

Not being allowed a shell is ofcourse inconvenient, but at the same
time handing out passwordless root unconditionally is probably not
a good idea everywhere.

This patch thus allows to control which behaviour you want by
setting the SYSTEMD_SULOGIN_FORCE environment variable to true
or false to control the behaviour, eg. via adding this to
'systemctl edit rescue.service' (or emergency.service):

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1

Distributions who used locked root accounts and want the passwordless
behaviour could thus simply drop in the override file in
/etc/systemd/system/rescue.service.d/override.conf

Fixes: systemd#7115
Addresses: https://bugs.debian.org/802211

poettering added a commit that referenced this issue Oct 17, 2018

sulogin-shell: Use force if SYSTEMD_SULOGIN_FORCE set
When the root account is locked sulogin will either inform you of
this and not allow you in or if --force is used it will hand
you passwordless root (if using a recent enough version of util-linux).

Not being allowed a shell is ofcourse inconvenient, but at the same
time handing out passwordless root unconditionally is probably not
a good idea everywhere.

This patch thus allows to control which behaviour you want by
setting the SYSTEMD_SULOGIN_FORCE environment variable to true
or false to control the behaviour, eg. via adding this to
'systemctl edit rescue.service' (or emergency.service):

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1

Distributions who used locked root accounts and want the passwordless
behaviour could thus simply drop in the override file in
/etc/systemd/system/rescue.service.d/override.conf

Fixes: #7115
Addresses: https://bugs.debian.org/802211
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.