1. 19 Jan, 2019 5 commits
    • Andreas Henriksson's avatar
      UNTESTED: Use sulogin --force when locking root account · bc5ca2de
      Andreas Henriksson authored
      Some users have found the new behaviour really surprising and
      unconvenient, since we switched from using the src:sysvinit to
      using the src:util-linux sulogin implementation.
      
      The src:sysvinit implementation used to have a patch that allowed
      passwordless root shell when the root account was locked.
      The src:util-linux had no such functionality initially, but then
      later added it under the --force flag which needs to be passed
      explicitly.
      Since systemd 240 there's now a simple way to enable passing the
      flag if desired.
      
      This commit restores the previous Debian behaviour for new installs
      which disables the root account. Since debian by default doesn't
      have a locked down secure boot, it's trivial to just pass
      init=/bin/bash on the kernel command line in the bootloader.
      Someone might however want to manually secure and lock down their system
      so by using the overrides hopefully it should be discoverable enough
      (via systemd-delta) while also making it possible to avoid sulogin
      using --force if desired.
      
      See comments committed in the code for more verbose explanation.
      
      !!!!! BEWARE THIS CHANGE IS COMPLETELY UNTESTED !!!!!
      
      TODO: maybe db_input passwd/sulogin-force should only be run if
      db_get passwd/root-locked is TRUE? The question mostly exists
      to make it possible for people to disable via preseeding though.
      bc5ca2de
    • Andreas Henriksson's avatar
      Drop test script again now that everything passes · 916a36a0
      Andreas Henriksson authored
      Could have been used as a base for a regression test suite, but
      if someone is interested in that they can just revive it
      from git history instead of having dead code floating around
      (and likely bitrot).
      916a36a0
    • Andreas Henriksson's avatar
      root_password: fix safeguard against locked password · 8ba24444
      Andreas Henriksson authored
      The previous logic would compare the (shadow) password field
      _literally_ against '!*' which makes no sense.
      What was likely intended is to check if it starts with !.
      
      (A locked accounts password field is either literally '!' or the
      exclamation mark followed by crypted password.)
      
      Note: this changes the return value of the root_password function
      in this case, but hopefully noone relies on the old buggy behaviour.
      8ba24444
    • Andreas Henriksson's avatar
      root_password: improve NIS matching rules · a9a7d1b8
      Andreas Henriksson authored
      Users can explicitly be included or excluded from NIS lookup, so don't
      assume root is set just because NIS is used at all.
      
      (There are likely more cases to cover, but this should fix atleast
      some. eg. root is a local user, nis is used but root doesn't exist in
      nis.)
      
      See nsswitch.conf(5)
      a9a7d1b8
    • Andreas Henriksson's avatar
      Add a simple script testing root_password function · ece79d1c
      Andreas Henriksson authored
      This script is not hooked up anywhere, but could possibly be used
      as an automated test-suite if desired.
      ece79d1c
  2. 07 Jan, 2019 1 commit
  3. 02 Jan, 2019 1 commit
  4. 31 Oct, 2018 1 commit
  5. 29 Oct, 2018 1 commit
  6. 16 Oct, 2018 1 commit
  7. 13 Aug, 2018 1 commit
  8. 24 Jul, 2018 1 commit
  9. 19 Jun, 2018 1 commit
  10. 01 May, 2018 1 commit
  11. 27 Apr, 2018 1 commit
  12. 12 Apr, 2018 1 commit
  13. 20 Mar, 2018 1 commit
  14. 20 Feb, 2018 1 commit
  15. 09 Feb, 2018 1 commit
  16. 08 Feb, 2018 1 commit
  17. 07 Feb, 2018 1 commit
  18. 29 Jan, 2018 1 commit
  19. 21 Jan, 2018 1 commit
  20. 19 Jan, 2018 1 commit
  21. 12 Jan, 2018 1 commit
  22. 03 Jan, 2018 1 commit
  23. 17 Dec, 2017 1 commit
  24. 27 Nov, 2017 1 commit
  25. 26 Nov, 2017 1 commit
  26. 25 Nov, 2017 1 commit
  27. 20 Nov, 2017 1 commit
  28. 16 Sep, 2017 3 commits
  29. 13 Sep, 2017 1 commit
  30. 04 Sep, 2017 1 commit
  31. 21 Jul, 2017 1 commit
  32. 07 Jul, 2017 1 commit
  33. 03 Jul, 2017 1 commit
  34. 11 Jun, 2017 1 commit