Bug#802211: RFC: wip patch to force sulogin on locked root accounts

Felipe Sateler fsateler at debian.org
Sun Oct 15 15:30:34 BST 2017

On Thu, Oct 12, 2017 at 7:07 PM, Stijn van Drongelen <rhymoid at gmail.com> wrote:
> Hi,
>> TL;DR...
> Yes, I knew about that risk. But shorter messages have failed to draw
> attention to a supposedly "important" bug.
> I expected that the original patch was good to go, but I somehow forgot
> that a 720+ day old patch is subject to bitrot. Please correct me if
> I'm wrong, but wouldn't we now need (at least) three patches now to fix
> this problem?
> * We have to patch src/sulogin-shell/rescue.service.in and
>   src/sulogin-shell/emergency.service.in in version 232 (the version in
>   stretch).
> * We have to patch src/sulogin-shell/systemd-sulogin-shell.in in
>   version 234 (the version currently in stretch-backports and buster).
> * We have to patch src/sulogin-shell/sulogin-shell.c in version 235
>   (the version currently in sid).
> I can probably find some more time in the coming week to contribute
> to a solution

Excellent. I would suggest though to fix this first for 235, and
upstream. That way whatever solution is implemented for stretch[1] can
be designed with compatibility with buster in mind.

[1] If the release team ACKs the change, too.

>. I do have a few comments in advance:
> 1) I want to stress that I believe that the only correct solution is
>    an unconditional --force. Patches that do just that do not reduce
>    the boot security of any plausible installation in any way, and are
>    also much easier to implement correctly. The points below can be
>    mostly ignored if we do this.
> 2) The "You are in rescue/emergency mode" message has to change
>    depending on the setting: the mentioned login prompt won't be there
>    when using --force.

It is my understanding that sulogin --force will still ask for
password if getpwnam works.

> 3) I think it's much simpler to build two separate binaries (one that
>    forces, one that doesn't) instead of dynamically adjusting
>    a command line and a message based on the value of an environment
>    variable.

This has the drawback of requiring to modify ExecStart, and thus risk
becoming incompatible if the sulogin wrapper changes interface.

> 4) If you think it's likely (not merely possible) that supplying other
>    options to sulogin will become necessary, then I think it makes more
>    sense to pass sulogin-shell's arguments to sulogin and use getenv()
>    to decide the label of the mode (rescue/emergency/potato), rather
>    than the other way around.

I don't have an opinion here.


Felipe Sateler

More information about the Pkg-systemd-maintainers mailing list