Bug#766050: systemd: Please look at a read-only implementation of debug-shell.service
Martin Pitt
mpitt at debian.org
Mon Oct 20 20:01:46 BST 2014
Hello all,
Marco d'Itri [2014-10-20 19:07 +0200]:
> On Oct 20, Richard Hartmann <richih.mailinglist at gmail.com> wrote:
>
> > similar to zack's #766039, I would like to ask if it's possible to
> > always enable a read-only version of debug-shell.service.
> debug-shell.service pretty much just starts a shell.
Right, so a read-only version of that makes little sense.
> To enable it by default we would need to use a wrapper which asks the
> root password with minimal interactions with the rest of the system,
> ideally by just checking it against /etc/shadow (hence no PAM, no NSS,
> etc).
There might not even be a root password. Many systems disable it for
good reason (makes the attack surface smaller wrt. brute-forcing).
TBH, this will quickly start getting complicated enough that you might
just as well log into a normal getty.
Perhaps a better thing would be to always log systemd events/changes
to tty9? There is no scrollback buffer while it's logging in the
background (i.e. you are looking at a different tty), but usually the
last 20-something lines should give you an idea what it's hanging on.
Thanks,
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)