
Re: Rescue mode when root account locked




On 2017-09-20, solitone <solitone@xxxxxxxx> wrote:
> When I boot in rescue mode, I get this message:
>
> Cannot open access to console, the root account is locked. See 
> sulogin(8) man page for more details
>
> When I press Enter to continue, it continues bootup in normal graphical 
> mode.
>
> Would it be wiser to unlock the root account, so that I can go into 
> single user mode? Or is there something I can do, without unlocking the 
> root account?
>

It seems this is a "bug."

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211

Michael Biebl says (to explain why careful deliberation is called for before it's
"fixed"):

 Consider this: You have a laptop with a locked root account. By default
 the grub boot loader generates a boot entry for rescue mode.
 So, even if you lock down the bios to not allow booting from CD-Rom or
 USB, and you password protect grub, someone could easily get root access
 if you leave the laptop unattended for a moment.

Marga Manterola created a "drop-in" fix:

  cat /etc/systemd/system/rescue.service.d/sulogin.conf
  [Service]
  ExecStart=
  ExecStart=-/bin/sh -c "/sbin/sulogin --force; /bin/systemctl --job-mode=fail --no-block default"

the security implications of which ("/sbin/sulogin --force") are beyond my meager
abilities to comment upon.

-- 
"Time flies like an arrow. Fruit flies like a banana." Groucho
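
An added example, not part of the original post or of the Debian bug report: per sulogin(8), `--force` starts a root shell without asking for a password when root's password entry is locked with '!' or '*', so this check flags a system that has both the drop-in above and a locked root account. The function names and the ROOT argument are assumptions made for the example.

```sh
#!/bin/sh
# Added example. ROOT (first argument) is a hypothetical parameter: the root of
# a mounted image or test tree; leave it empty to inspect the live system.
# Usage: audit_rescue /mnt/image

root_is_locked() {
    # 0 = locked ('!' or '*' starts root's shadow field), 1 = not locked,
    # 2 = shadow file unreadable.
    shadow="$1/etc/shadow"
    [ -r "$shadow" ] || return 2
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$shadow")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

forced_units() {
    # Print each of rescue.service / emergency.service that has a drop-in
    # whose ExecStart runs "sulogin --force" (long option only, as on the page).
    for unit in rescue emergency; do
        dir="$1/etc/systemd/system/$unit.service.d"
        [ -d "$dir" ] || continue
        if grep -Eqs '^[[:space:]]*ExecStart=.*sulogin[[:space:]].*--force' "$dir"/*.conf; then
            echo "$unit.service"
        fi
    done
}

audit_rescue() {
    root="${1:-}"
    units=$(forced_units "$root" | tr '\n' ' ')
    units=${units% }
    if [ -z "$units" ]; then
        echo "ok: no sulogin --force drop-in"
        return 0
    fi
    rc=0
    root_is_locked "$root" || rc=$?
    case "$rc" in
        0) echo "risk: root shell without password via $units"; return 1 ;;
        1) echo "ok: root password still required by $units"; return 0 ;;
        *) echo "unknown: cannot read $root/etc/shadow"; return 2 ;;
    esac
}
```

Only drop-ins under /etc/systemd/system are inspected; a "risk" result means anyone who can select the rescue boot entry at the console gets root, which is the trade-off Michael Biebl describes above.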