Commit bc5ca2de authored by Andreas Henriksson

UNTESTED: Use sulogin --force when locking root account

Some users have found the new behaviour really surprising and
inconvenient, since we switched from using the src:sysvinit to
using the src:util-linux sulogin implementation.

The src:sysvinit implementation used to have a patch that allowed
passwordless root shell when the root account was locked.
The src:util-linux had no such functionality initially, but then
later added it under the --force flag which needs to be passed
explicitly.
Since systemd 240 there's now a simple way to enable passing the
flag if desired.

This commit restores the previous Debian behaviour for new installs
which disable the root account. Since Debian by default doesn't
have a locked down secure boot, it's trivial to just pass
init=/bin/bash on the kernel command line in the bootloader.
Someone might however want to manually secure and lock down their system
so by using the overrides hopefully it should be discoverable enough
(via systemd-delta) while also making it possible to avoid sulogin
using --force if desired.

See comments committed in the code for more verbose explanation.

!!!!! BEWARE THIS CHANGE IS COMPLETELY UNTESTED !!!!!

TODO: maybe db_input passwd/sulogin-force should only be run if
db_get passwd/root-locked is TRUE? The question mostly exists
to make it possible for people to disable via preseeding though.
parent 916a36a0
......@@ -30,6 +30,23 @@ _Description: Allow login as root?
If you choose not to allow root to log in, then a user account will be
created and given the power to become root using the 'sudo' command.
Template: passwd/sulogin-force
Type: boolean
Default: true
# :sl1:
_Description: Use force with sulogin?
If the system ever needs to do a single-user login (e.g. in recovery
or emergency boot situations), using force will allow you to log in
as root even though the root account is locked. Without force sulogin
would not allow you to login and recover the system, so you would need
to use another method to do so (e.g. boot the system with init=/bin/bash
on the kernel command line from the bootloader).
Disabling this option might be useful in an environment where you've
enabled secure boot and want the system to be locked down (and never hand
out passwordless root in any situation ever).
Note: the answer to this question will only be relevant if you chose
to disallow root logins (lock root account), otherwise it's ignored.
Template: passwd/root-password
Type: password
# :sl1:
......
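Review bot: the short description "Use force with sulogin?" names the flag rather than the effect, and with "Default: true" the less restrictive answer is what an unattended install gets. Consider a short description that states the outcome, for example "Allow passwordless root shell in rescue mode?", and say in the first sentence of the long description that anyone at the console who reaches a single-user login gets root without a password. Minor wording: "would not allow you to login" should read "log in", as the earlier sentence in the same description already does.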
......@@ -88,6 +88,30 @@ else
db_set passwd/root-password-again ''
fi
# When root account is locked, allow passwordless root shell in recovery
# and emergency bootups. Otherwise there will be no way to sulogin.
# (The src:sysvinit sulogin debian used before had a patch which did
# this unconditionally. The patch was not carried over when debian
# switched to src:util-linux sulogin. Instead you explicitly need to
# pass --force if you want to allow passwordless root shell when the
# root account is locked.)
if root_is_locked && db_get passwd/sulogin-force && [ "$RET" = "true" ]; then
# See https://bugs.debian.org/802211
# See https://github.com/systemd/systemd/commit/33eb44fe4a8d
# See ENVIRONMENT.md in systemd docs
# See also https://bugs.debian.org/823660 for sysvinit case.
for OVERRIDEFILE in \
/etc/systemd/system/rescue.service.d/override.conf
/etc/systemd/system/emergency.service.d/override.conf
do
mkdir -p "$ROOT/$(dirname $OVERRIDEFILE)"
cat > "$ROOT/$OVERRIDEFILE" <<EOF
[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
EOF
done
fi
db_get passwd/make-user
if [ "$RET" = true ] && ! is_system_user; then
if db_get passwd/user-password-crypted && [ "$RET" ]; then
......
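Review bot: the word list of the `for OVERRIDEFILE in \` loop is broken, because the line with /etc/systemd/system/rescue.service.d/override.conf has no trailing backslash. The list ends there and the shell then meets the emergency.service.d path where it expects `do`, which is a syntax error. Add the backslash after the first path, or put both paths on one line. In the loop body, `$(dirname $OVERRIDEFILE)` expands the variable unquoted; `"$ROOT$(dirname "$OVERRIDEFILE")"` is safer. Note also that `cat >` replaces any existing override.conf under $ROOT, so a distinctly named drop-in file would avoid clobbering content placed there by something else.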
......@@ -23,6 +23,8 @@ while :; do
db_input low passwd/shadow || true
# Ask if root should be allowed to login.
db_input medium passwd/root-login || true
# Ask if sulogin should use force
db_input medium passwd/sulogin-force || true
;;
1)
db_get passwd/root-login
......
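Review bot: `db_input medium passwd/sulogin-force` is queued in the same step as `passwd/root-login`, so it is asked before the answer to the root-login question is known and is shown even to users who keep the root account enabled, where the template says the answer is ignored. Consider moving it to the following step, after `db_get passwd/root-login`, and only calling db_input when root login was declined; preseeding still works because a preseeded value is read by the later db_get regardless of whether the question is displayed.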