Bug#802211: RFC: wip patch to force sulogin on locked root accounts
fsateler at debian.org
Thu Oct 12 14:00:39 BST 2017
On Thu, Oct 12, 2017 at 9:21 AM, Andreas Henriksson <andreas at fatal.se> wrote:
> I'm attaching a completely untested patch against systemd packaging git.
> @Stijn van Drongelen :
> Maybe you can offer to test it (and maybe even finish it up)?
> (Please note how I *intentionally* am not setting a patch tag since
> the patch is both untested and *unfinished*. This is mostly an RFC
> on whether this method would be considered acceptable.)
Indeed, it is lacking some error checking.
I think the overall idea is sane; however, I think the
systemd-sulogin-shell patch should go upstream. I rewrote the previous
small shell wrapper in C precisely so that this sort of patch has
a better chance at acceptance upstream. I have just a few comments on
1. Error checking on the strv_* operations is missing.
2. I would have a single `fork_wait` call point, and have
`sulogin_cmdline_args = sulogin_cmdline` when the envvar is not
present or empty.
3. I'm not sure if it is best to have a single SULOGIN_ARGS envvar or
multiple SULOGIN_FORCE, SULOGIN_OTHER_ARG flags. The strv_split
operation is naive in that arguments with spaces then can't be passed.
OTOH, sulogin does not accept any argument where spaces make sense, so
it doesn't have a practical impact here.
Only comment 1 really needs to be addressed before presenting
upstream, as 2 and 3 are more stylistic and upstream might have
different preferences than me.
> Rather than shipping the dropins in /lib/systemd/system they
> maybe should be installed in /etc/systemd/system instead (as
> conffiles) to more easily allow the sysadmin to remove them.
> (Or even ship commented-out under the secure-by-default mantra.)
> Personally I don't really see much point in this. Why would you
> expect passwordless root shells to be handed out if you lock
> the root account?
I do. For many (most?) computers, physical access means game lost
security-wise, as you can just disassemble the box and get the hard
drive. Making the rescue and emergency shells unusable in the (now
default?) passwordless-root environments d-i generates is not very
user friendly. So I think d-i should generate this snippet in /etc if
the root account was not configured.
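As an added illustration of the last paragraph (this is not code from the bug report, the RFC patch, d-i, or systemd): a POSIX shell sketch of the decision d-i would have to make. It reads root's password field from a shadow-style file and, only when that field is locked, drops an override into the systemd configuration directory so that rescue.service and emergency.service pass `--force` to sulogin. Assumptions: the environment variable name SULOGIN_ARGS and the Environment= drop-in mechanism follow the RFC patch as discussed in the thread (upstream may settle on a different name); the drop-in file name sulogin-force.conf, the function names, and the path parameters (so the script can be exercised on a scratch directory instead of /etc) are mine.

```shell
#!/bin/sh
# Added example, not the patch from Bug#802211 or d-i's own code.
# Assumption: systemd-sulogin-shell honours an environment variable named
# SULOGIN_ARGS (the name used in the RFC patch) and splits it into sulogin
# arguments, so Environment=SULOGIN_ARGS=--force in a drop-in makes the
# rescue/emergency shells usable on a locked root account.

# root_is_locked SHADOWFILE
# Exit 0 if root's password field is locked ("!" or "*" prefix) or root has
# no entry at all, 1 if a usable hash (or an empty, passwordless field) is
# present, 2 if the file cannot be read. An empty field is deliberately not
# treated as locked: sulogin can already open a shell without a password.
root_is_locked() {
    shadow=${1:-/etc/shadow}
    [ -r "$shadow" ] || return 2
    line=$(grep '^root:' "$shadow") || return 0   # no root entry: nothing to authenticate against
    hash=${line#root:}
    hash=${hash%%:*}                              # second colon-separated field
    case "$hash" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# install_force_dropins CONFDIR [UNIT...]
# Writes CONFDIR/<unit>.d/sulogin-force.conf for each unit (default:
# rescue.service emergency.service). CONFDIR is /etc/systemd/system on a real
# system, which keeps the file a conffile the sysadmin can simply delete.
install_force_dropins() {
    confdir=$1
    shift
    [ $# -gt 0 ] || set -- rescue.service emergency.service
    for unit; do
        d="$confdir/$unit.d"
        mkdir -p "$d" || return 1
        cat >"$d/sulogin-force.conf" <<'EOF'
# Installed because the root account is locked; sulogin would otherwise
# refuse to open the rescue shell. Delete this file to require a password.
[Service]
Environment=SULOGIN_ARGS=--force
EOF
    done
}

# configure_rescue_shell SHADOWFILE CONFDIR
# The d-i style decision: ship the override only when root is actually
# locked. An unreadable shadow file (exit 2) is treated as "don't install",
# so the script never opens the console shell on a guess.
# Prints "installed" or "skipped" so callers can log what happened.
configure_rescue_shell() {
    if root_is_locked "$1"; then
        install_force_dropins "$2" || return 1
        echo installed
    else
        echo skipped
    fi
}

# Usage on a real system (as the installer would run it):
#   configure_rescue_shell /etc/shadow /etc/systemd/system
```

Because the drop-in lands under /etc rather than /lib, it is exactly the conffile the quoted reply asks for: an administrator who later sets a root password removes one file and the shells go back to prompting. The locked-root test keys on the `!`/`*` prefix, which is how `passwd -l` and an unconfigured root show up in /etc/shadow.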
More information about the Pkg-systemd-maintainers