Re: Passwordless root shell is offered when boot problem occurs.
Sthu Deus (email@example.com on 2011-12-01 23:54 +0700):
> >fsck errors should drop into a sulogin shell, which asks for the
> >password. The only way you could get a root shell is if your root
> >device cannot be found. In that case, there is no way to ask for a
> >password because there is no password file.
> Well. There is root device - if You mean / mount point. Otherwise
> whence sulogin comes from?
sulogin should be in /sbin on your filesystem, but that is not
the first filesystem where programs are started from. Google "early
userspace" and "initramfs" for background info.
From here it's all guesswork. You'd need to provide a full bootlog up
to the point where the shell is started to get any meaningful answers.
> >If you must, there might be a way to get what you want by adding
> >files to the initramfs by dropping a file
> >in /etc/initramfs-tools/hooks/ or
> Ahh. I have the dir. empty.
> >the like. But if you find yourself needing to secure against that,
> >then you must also set a bootloader password, lock out alternative
> >boot methods, set a BIOS password and put your machine behind lock
> >and key. Do you really need that?
> At least I want that. Do You know how to do that?
I know the theory, that is all I know. The Debian initramfs is generated
from scripts in /usr/share/initramfs-tools. To add files to it, you
need to create a file in /etc/initramfs-tools/hooks that copies the
required files (/sbin/sulogin, /etc/passwd and /etc/shadow) into the
initramfs, and then you need to edit the panic() function
in scripts/functions to spawn sulogin instead of a shell.
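
A sketch of the hook described in the reply above, added here as an example; it is not part of the original post or of initramfs-tools. The hook file name and the stage_sulogin helper are assumptions, copying only root's lines instead of the whole files is this example's choice, and the panic() edit is not shown.

```sh
#!/bin/sh
# /etc/initramfs-tools/hooks/sulogin  (file name is an assumption of this example)
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "${1:-}" in
    prereqs) prereqs; exit 0 ;;
esac

# stage_sulogin ROOT DEST: copy sulogin plus root's account entries only.
# sulogin authenticates root, so the other users' hashes are left out of
# the image (a choice made in this example, not a step from the post).
stage_sulogin() {
    root=$1 dest=$2
    [ -x "$root/sbin/sulogin" ] || { echo "sulogin not found" >&2; return 1; }
    grep -q '^root:' "$root/etc/passwd" && grep -q '^root:' "$root/etc/shadow" ||
        { echo "no root entry in passwd/shadow" >&2; return 1; }

    mkdir -p "$dest/sbin" "$dest/etc"
    if command -v copy_exec >/dev/null 2>&1; then
        copy_exec "$root/sbin/sulogin" /sbin    # also pulls in shared libraries
    else
        cp -p "$root/sbin/sulogin" "$dest/sbin/sulogin"   # fallback outside mkinitramfs
    fi

    # Create the staged shadow copy with mode 0600 from the start.
    ( umask 077
      grep '^root:' "$root/etc/passwd" > "$dest/etc/passwd"
      grep '^root:' "$root/etc/shadow" > "$dest/etc/shadow" )
    chmod 644 "$dest/etc/passwd"
}

# mkinitramfs exports DESTDIR when it runs hooks; do nothing otherwise.
if [ -n "${DESTDIR:-}" ]; then
    . /usr/share/initramfs-tools/hook-functions
    stage_sulogin "" "$DESTDIR"
fi
```

The generated initrd then carries root's password hash, so the image in /boot should not be world-readable; initramfs.conf has a UMASK setting for that.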