On Tue, 06 Apr 21, 21:59:24, Paul Gevers wrote:
> Hi Andrei,
> 
> On 21-03-2021 08:33, Andrei POPESCU wrote:
> > On Thu, 18 Mar 21, 11:56:16, Paul Gevers wrote:
> >> Control: tags -1 moreinfo
> >>
> >> On Mon, 14 Dec 2020 13:12:59 +0200 Andrei POPESCU
> >> <andreimpope...@gmail.com> wrote:
> >>> Some text based on below would make sense for the Release Notes for 
> >>> buster. If agreed I'll try to come up with a wording.
> >>
> >> Sure. Does this also apply for bullseye, or is the issue fixed somehow?
> > 
> > Only if D-I was fixed in the meantime.
> > 
> >>> An untested patch to the Debian Installer exists to add both snippets if 
> >>> the user chooses to leave the root password blank.
> > 
> > It will be a while until I can test this, maybe someone else on d-u can 
> > do so faster (will ask in a separate message).
> 
> Did you already have inspiration for some text? Apparently it still
> applies to bullseye and its release is drawing nearer.


Ok, here is something, just to get the discussion started:


    The `rescue` boot option is unusable without a root password.


    If a password for the `root` account is not set the system will 
    still ask for the root password if booted with the `rescue` option, 
    effectively making the rescue mode unusable. In order to avoid this 
    it is possible to boot using the kernel parameter 
    `init=/sbin/sulogin --force`.

    To configure pkg:systemd to always do the equivalent of this on 
    selecting the `rescue` option add `SYSTEMD_SULOGIN_FORCE=1` to the 
    Environment of the rescue.service unit (see 
    file:/usr/share/doc/systemd/ENVIRONMENT.md.gz). The `rescue.service` 
    unit is started by pkg:systemd in case it detects `single` in the 
    kernel command line (see man:systemd).

    It might be useful to do the same for the `emergency.service` unit 
    (or instead) which is started ''automatically'' in case of certain 
    errors (see man:systemd.special), or if `emergency` is added to the 
    kernel command line (e.g. in case the system can't be recovered by 
    using the `rescue` mode).

    For background and a discussion on the security implications see 
    bts:802211.


The pseudo-markup should be obvious. I'll try to come up with a patch 
later, unless Someone Else (TM) beats me to it ;)

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
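
The check and the drop-in described in the draft text above, as an added example that is not part of the original message or of any Debian tooling. The function names, the drop-in file name `sulogin-force.conf` and the rule that a `!` or `*` prefix in the shadow field means "locked" are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit and configure the rescue/emergency behaviour described above.
# Function names and the drop-in file name are assumptions made for this sketch.

# root_is_locked SHADOW_FILE: true if root's password field starts with "!" or "*",
# the locked state in which sulogin has no password to accept.
root_is_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# unit_forces_sulogin DROPIN_DIR: true if a *.conf drop-in sets the variable.
unit_forces_sulogin() {
    [ -d "$1" ] || return 1
    grep -Eqs '^[[:space:]]*Environment=.*SYSTEMD_SULOGIN_FORCE=1("|[[:space:]]|$)' "$1"/*.conf
}

# write_dropin SYSTEMD_DIR UNIT: create the drop-in for one unit.
write_dropin() {
    mkdir -p "$1/$2.d" &&
    printf '[Service]\nEnvironment=SYSTEMD_SULOGIN_FORCE=1\n' > "$1/$2.d/sulogin-force.conf"
}

# audit_rescue SHADOW_FILE SYSTEMD_DIR: one status line per unit; returns 1 if
# a unit would ask for a password that does not exist.
audit_rescue() {
    if ! root_is_locked "$1"; then
        echo "root has a password: rescue and emergency will prompt for it"
        return 0
    fi
    rc=0
    for unit in rescue.service emergency.service; do
        if unit_forces_sulogin "$2/$unit.d"; then
            echo "$unit: root shell without a password for anyone at the console"
        else
            echo "$unit: unusable, root is locked and sulogin is not forced"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh audit.sh /etc/shadow /etc/systemd/system
if [ "$#" -eq 2 ]; then audit_rescue "$1" "$2"; fi
```

On a real system the arguments are `/etc/shadow` (readable by root only) and `/etc/systemd/system`, the directory for local unit drop-ins.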
