Bug#802211: RFC: wip patch to force sulogin on locked root accounts

Andreas Henriksson andreas at fatal.se
Thu Oct 12 13:21:15 BST 2017


I'm attaching a completely untested patch against systemd packaging git.

@Stijn van Drongelen :
Maybe you can offer to test it (and maybe even finish it up)?

(Please note how I *intentionally* isn't setting a patch tag since
the patch is both untested and *unfinished*. This is mostly a RFC
if this method would be considered acceptable.)

Rather than shipping the dropins in /lib/systemd/system they
maybe should be installed in /etc/systemd/system instead (as
conffiles) to easier allow the sysadmin to remove them.
(Or even ship commented-out under secure-by-default mantra.)

Personally I don't really see much point in this. Why would you
expect passwordless root shells to be handed out if you lock
the root account?

If you only consider default debian installations getting a
root shell is as easy as adding init=/bin/sh in grub to kernel
command line.

(If you also consider secure boot environments, you likely don't
want to hand out passwordless root shells by default...)

The only thing I can really sympathise with is Ubuntu the root
account is always locked and the user never gets to choose, but
they have already implemented their own solution suitable for
their usecase (but IMHO not suitable for Debian).

Andreas Henriksson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-WIP-untested-changes-for-802211.patch
Type: text/x-diff
Size: 3608 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/attachments/20171012/89e03ffa/attachment.patch>

More information about the Pkg-systemd-maintainers mailing list