Hello Kevin Locke.

Thanks for highlighting this issue.

On Tue, Dec 01, 2015 at 02:35:50PM -0800, Kevin Locke wrote:
> Hello util-linux Maintainers,
> 
> Although this bug has been closed for a few months, I just encountered
[...]
> fails, since --force is not passed to sulogin by
> /lib/systemd/system/{console-shell,emergency,rescue}.service (from
> systemd) and /etc/init.d/checkroot.sh (from initscripts) and
> presumably others.  This can be particularly problematic since it may
> be difficult for users to add a root password when they are first
> presented with this problem by whatever issue necessitated a recovery
> shell.
> 
> Is there a way that we can avoid booby-trapping systems in this way?
[...]

We originally discussed using force in the systemd rescue/emergency
system, but there were also further discussions about the problem
of a locked account not being really locked. Another idea was finally
conceived that it would be better if d-i shipped the override snippet
to enable sulogin with --force when it locks the root account via
/etc/systemd/system/foo.d/ "drop-in".
I think that might be the best idea. Then it's easily spottable that
the system isn't really locked down by using systemd-delta.
If someone manually locks the root account, then they get an actual
locked down system (as would be expected).

I'm not sure anymore if/where we're tracking this. Please consider
opening a bug report against debian-installer if you can't already
find an open one (against it or systemd) and refer to this one.

Bonus points if you also suggest a way to handle sysvinit as well
as finding someone interested in implementing it. My suggestion
would be just hacking the init script to add --force there as
that would restore the old status quo of system not (ever) being
properly locked down.

Regards,
Andreas Henriksson
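
One way to check a system for the situation discussed in this message (root locked, but no drop-in passing --force to sulogin for the recovery units), as an added example that is not part of the original e-mail or of any project's code. The function names, status strings and the sample tree are constructed for illustration; the SYSTEMD_SULOGIN_FORCE=1 check covers later systemd releases and is not mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and status strings are
# illustrative; paths are parameters so the check runs on a constructed tree.

# Succeeds when root's shadow password field is locked (starts with ! or *).
root_locked() {  # $1 = shadow file
    field=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when a drop-in for the unit forces sulogin: --force on ExecStart,
# or SYSTEMD_SULOGIN_FORCE=1 (used by later systemd; not named in the thread).
has_force_dropin() {  # $1 = systemd config dir, $2 = unit name
    for f in "$1/$2.d"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*(ExecStart=.*sulogin.* --force|Environment=.*SYSTEMD_SULOGIN_FORCE=1)' "$f" && return 0
    done
    return 1
}

# Prints one status line for the given shadow file and systemd config dir.
audit_recovery() {  # $1 = shadow file, $2 = systemd config dir
    root_locked "$1" || { echo "root-unlocked"; return 0; }
    missing=""
    for unit in rescue.service emergency.service; do
        has_force_dropin "$2" "$unit" || missing="$missing $unit"
    done
    if [ -z "$missing" ]; then echo "locked-with-force"
    else echo "locked-no-recovery:$missing"; fi
}

# Constructed sample: locked root, drop-in present for rescue.service only.
make_sample() {  # $1 = empty directory to populate
    printf 'root:!:16770:0:99999:7:::\n' > "$1/shadow"
    mkdir -p "$1/systemd/rescue.service.d"
    printf '[Service]\nExecStart=\nExecStart=-/sbin/sulogin --force\n' \
        > "$1/systemd/rescue.service.d/force.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_recovery "$tmp/shadow" "$tmp/systemd"   # locked-no-recovery: emergency.service
rm -rf "$tmp"
```

On a real system the arguments would be /etc/shadow and /etc/systemd/system, read as root.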
