initscripts: Restore locked root account access by using sulogin --force

Thu Nov 15 09:47:03 GMT 2018

Greetings Mr. Andreas Henriksson,

Andreas Henriksson <andreas at fatal.se> writes:

> I'll comment in more detail below, but in general I have to start out by
> saying I think you've misunderstood this gravely. You should probably
> try to clear your mind and start over on trying to understand this.

Thanks.

> [...]

snip

> On Thu, Nov 15, 2018 at 12:13:26PM +0800, Benda Xu wrote:
>> Hi Andreas,
>> 
>> Dmitry Bogatov <KAction at debian.org> writes:
>> 
>> > [2016-05-07 11:12] Andreas Henriksson <andreas at fatal.se>
>> >> [...]
>> >> The initscripts package (src:sysvinit) needs equivalent changes to
>> >> restore the old status quo (and thus ignoring potential kiosk mode usecase
>> >> problems -- kiosk mode users should alter their init scripts and remove
>> >> the --force flag to be secure).
>> >
>> > Sounds convincing to me. So I prepared commit wip/bug-823660.  Dear
>> > co-maintainers, any objections?
>> 
>> 
>> @Andreas, what do you mean by "kiosk mode"?  Could you please define it
>> precisely?
>
> I think others will explain it better than I can, so I'll just refer
> to first and second hit I get on google for kiosk mode:
>
> https://www.kioware.com/resources.aspx?resid=45
>
> https://en.wikipedia.org/wiki/Kiosk_software

I see. It is a common concept I am not aware of.  Now I understand what
you mean.  Much appreciated.

>> I don't think sysvinit should blindly follow behaviors of systemd.
>
> This has absolutely nothing to do with systemd. This is about sulogin
> move from (debian patched version of) sysvinit sulogin to debian using
> sulogin from util-linux.

Okay, let's forget about systemd.  That's generally a good idea to use
util-linux version of sulogin to align the behavior with upstream.
Debian-specific hacks should either accepted upstream or ultimately
abandoned.

>> Entering the system as root without password prompt is a severe security
>> hole.
>
> A "severe security hole" that's been present in sysvinit sulogin for
> decades (in debian atleast, IIRC upstream is not to blame for it).
> It was "closed" by moving to util-linux sulogin, but that also left
> those who have a locked root account (using sudo) being unable to login
> via sulogin.

I think it a common Debian practice to set root passwords.  Disabling
root login and put everything on `sudo` feels very Ubuntu.  Therefore I
think you are right saying "it was 'closed' by moving to util-linux
sulogin".

> This bug report is limited in scope to just restoring the old status quo
> by adding a flag when sysvinit invokes sulogin to get behaviour similar
> to the old sysvinit sulogin version. (You're welcome that I helped out
> with shephearding the needed util-linux changes upstream for your
> convenience.)

Good job for bringing it upstream.  Thank you.

> Implementing flexibility in sysvinit to be able to accomodate for both
> use-cases is left as an excersise to the reader. 

We already have that flexibility: if your system is absolutely
physically safe, add --force to `sulogin` in the sysvinit configuration
files. If not, leave it alone.

I might be wrong and I am all ears to counter arguments.  But the
"Debian previous status quo", "Many users do not set root passwords" and
"systemd has put sulogin --force everywhere" did not convince me. I am
sorry.

> I'm not interested in sysvinit feature development myself. I'm only
> interested in trying to avoid it deteriorating too much.

You are being very nice and considerative, Mr. Henriksson.  We all have
more to worry in daily lives.  I will not waste your precious
intellectual power anymore, and will keep the discussion within the
interested party.

> [... rest of message snipped as is seems to go further into
> misunderstanding land ...]

Thanks again for baring with my grave misunderstanding and good luck!
Benda