Override default systemd emergency service behavior with coreos-su-login-force.conf #470
@travier you asked for someone to reach out in your comment. I started poking around https://github.com/coreos/fedora-coreos-config/blob/stable/overlay.d/05core/usr/lib/systemd/system/emergency.service.d/coreos-sulogin-force.conf to see how this was being done on CoreOS. But I'm unsure how to get started adding this into the atomic desktops. We can connect however you prefer, here, discord, email. My email is on my Fedora people profile ( Thank you for the offer to assist!
So I've dived into this more and I've found coreos/fedora-coreos-tracker#805 (comment), which makes it a harder sell for switching it on for all Fedora desktops. It would probably be a good idea to start with a discussion thread on https://discussion.fedoraproject.org/ or on fedora-devel to get more ideas on how this could be safely done.
In general, the process to get such a change in Fedora is to make a Change Request to have it be visible to the community and force the discussion to happen (and a decision to be taken). Writing / drafting a change page following the instructions in https://docs.fedoraproject.org/en-US/program_management/changes_policy/ is a good first step.
I read through the linked issue and coreos/fedora-coreos-config#311 plus again reading through the discussion which spawned this current issue. The context was: how to reset a root password on atomic desktops when locked out/can't boot/etc. I dare assume, the REASON one wishes to do this is almost always a need to boot single user, which requires the root user to have their password set. cgwalters provided a known good solution for how to accomplish the root password reset, but also suggested use of I hope this is a fair assessment of the history/situation:
So, my view:
I needed to get that documented for my own understanding, as I had a few gaps in what/why was going on. Please let me know if I'm missing something @travier and @cgwalters. If this is a reasonably correct assessment, I'll probably proceed by implementing this in our ublue-os images, but also start a Fedora discussion thread.
The main problem is that the workaround (auto su-login for For systems that don't have a GRUB password set, this is not an issue as someone can edit the GRUB command line and get a shell anyway. But for those that have, this will become something else to harden / change. I agree that we can argue that not a lot of systems have a GRUB password set right now but it would be nice to find a configuration option that only triggers when
Thank you for restating this... In my attempt to see the big picture, I'd missed the clear detail... the auto su-login DOES bypass GRUB passwords if a fsck fails. But yes, I agree...
This clarifies the scope of recommendation... those deploying "secure" systems/kiosks/etc, after this suggested change, would need to do both:
We can probably ask the systemd folks how to do that.
It can be done in a systemd generator
The idea is to get this into all of ublue-os' images, and then push for upstream inclusion. Relates: ublue-os/main#470
This uses a systemd-generator to dynamically write a drop-in config for the rescue and emergency services only when they are requested via the kernel cmdline, which requires console/grub access. This allows use of these modes with the default Fedora state of a password locked root user, but does not auto-allow root access in the case of a failed fsck-check, which can also drop into the emergency shell. Relates: #470
I was inspired by this, @cgwalters, and created #488. I've spent some time testing this on a modified FCOS installation, plus my custom Silverblue image. It seems to be working as expected. While this doesn't go so far as to create a protocol, I believe it generally meets the goal suggested here: #469 (comment) Also, @travier, though not a full solution to overall hardening, it seems to provide the intent of the Based on the discussions above, I expect this approach would be more acceptable across all Fedora varieties. Happy to get any feedback from you both as well as uBlue contributors on this.
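The generator approach described in the commit message above, sketched as an added example (this is not the script merged in #488, nor code from Fedora or CoreOS). The drop-in file name, the set of kernel command-line words matched, and the choice to write a drop-in only for the mode that was requested are assumptions of this sketch; `SYSTEMD_SULOGIN_FORCE=1` is the environment setting read by `systemd-sulogin-shell`.

```shell
#!/bin/sh
# Added example: sketch of a systemd generator, not the project's own script.
# Assumed install location: /usr/lib/systemd/system-generators/

# Print "rescue" or "emergency" when that mode is requested on the kernel
# command line passed in $1; print nothing for a normal boot.
# Runs in a subshell so that disabling globbing does not leak to the caller.
requested_mode() (
    set -f
    mode=""
    for arg in $1; do
        case "$arg" in
            systemd.unit=rescue.target|rescue|single|s|S|1) mode="rescue" ;;
            systemd.unit=emergency.target|emergency|-b) mode="emergency" ;;
        esac
    done
    printf '%s' "$mode"
)

# Write the drop-in for unit $2 into generator output directory $1.
# "sulogin-force.conf" is a file name chosen for this example.
write_dropin() {
    mkdir -p "$1/$2.d"
    printf '[Service]\nEnvironment=SYSTEMD_SULOGIN_FORCE=1\n' \
        > "$1/$2.d/sulogin-force.conf"
}

# $1 = output directory, $2 = kernel command line.
# A boot that lands in emergency.service because fsck failed carries no such
# request on the command line, so no drop-in is written and sulogin still
# refuses a locked root account.
generate() {
    mode=$(requested_mode "$2")
    [ -n "$mode" ] || return 0
    write_dropin "$1" "$mode.service"
}

# systemd invokes a generator with three output directories; use the first.
if [ "$#" -ge 1 ] && [ -r /proc/cmdline ]; then
    generate "$1" "$(cat /proc/cmdline)"
fi
```

Because the drop-in only appears when the request is on the kernel command line, a GRUB password that blocks command-line editing continues to gate the passwordless shell.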
Closing this as we've merged #488 and I'll work on upstream contributions separately.
Thanks a lot @bsherman for driving those fixes!
I support adding the coreos-sulogin-force.conf from https://github.com/coreos/fedora-coreos-config/blob/17b7f15f49c00ba1e522f15a72f6df70db01fdcc/overlay.d/05core/usr/lib/systemd/system/emergency.service.d/coreos-sulogin-force.conf#L1 to our desktop builds, from main on up. This avoids current hassle for users which doesn't provide any real security benefit.
Originally posted by @bsherman in #469 (comment)