Re: Rescue mode when root account locked
On 2017-09-20, solitone <solitone@mail.com> wrote:
> When I boot in rescue mode, I get this message:
>
> Cannot open access to console, the root account is locked. See
> sulogin(8) man page for more details
>
> When I press Enter to continue, it continues bootup in normal graphical
> mode.
>
> Would it be wiser to unlock the root account, so that I can go into
> single user mode? Or is there something I can do, without unlocking the
> root account?
>
It seems this is a "bug."
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
Michael Biebl says (to explain why careful deliberation is called for before it's
"fixed"):
Consider this: You have a laptop with a locked root account. By default
the grub boot loader generates a boot entry for rescue mode.
So, even if you lock down the bios to not allow booting from CD-Rom or
USB, and you password protect grub, someone could easily get root access
if you leave the laptop unattended for a moment.
Marga Manterola created a "drop-in" fix:
cat /etc/systemd/system/rescue.service.d/sulogin.conf
[Service]
ExecStart=
ExecStart=-/bin/sh -c "/sbin/sulogin --force; /bin/systemctl --job-mode=fail --no-block default"
the security implications of which ("/sbin/sulogin --force") are beyond my meager
abilities to comment upon.
--
"Time flies like an arrow. Fruit flies like a banana." Groucho
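
What the drop-in quoted above changes, as an added example that is not part of the original message or the Debian bug report: per sulogin(8), --force starts a root shell without asking for a password when root's password field begins with '!' or '*'. The script classifies a host from a shadow file and a rescue.service.d directory; the function names, state names and the sample shadow entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify what the rescue-mode console will do, given a shadow
# file and a rescue.service.d drop-in directory. Paths are arguments so the
# check can run against copies. Function and state names are hypothetical.

# root_locked SHADOW: true if root's password field starts with '!' or '*'.
root_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# forced_sulogin DIR: true if a *.conf drop-in has an uncommented ExecStart=
# line that runs sulogin with --force (short form -e).
forced_sulogin() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^ExecStart=.*sulogin[^;]*[[:space:]](--force|-e)([[:space:];"]|$)' "$f"; then
            return 0
        fi
    done
    return 1
}

# rescue_console_state SHADOW DIR prints one of:
#   root-not-locked         sulogin authenticates against root's password
#   console-refused         root locked, no --force ("Cannot open access to console")
#   root-shell-no-password  root locked and --force: shell with no prompt
rescue_console_state() {
    if ! root_locked "$1"; then
        echo root-not-locked
    elif forced_sulogin "$2"; then
        echo root-shell-no-password
    else
        echo console-refused
    fi
}

# Demo on constructed data (not real account entries).
demo=$(mktemp -d)
mkdir "$demo/rescue.service.d"
printf 'root:!:17429:0:99999:7:::\n' > "$demo/shadow"
printf '[Service]\nExecStart=\nExecStart=-/bin/sh -c "/sbin/sulogin --force; /bin/systemctl --job-mode=fail --no-block default"\n' > "$demo/rescue.service.d/sulogin.conf"
rescue_console_state "$demo/shadow" "$demo/rescue.service.d"
rm -rf "$demo"
```

On a real system the arguments would be /etc/shadow (readable by root only) and /etc/systemd/system/rescue.service.d.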