[Mageia-dev] Handling single user/rescue/failsafe mode

Wolfgang Bornath molch.b at googlemail.com
Thu Apr 26 13:05:19 CEST 2012


2012/4/26 Guillaume Rousse <guillomovitch at gmail.com>:
> On 26/04/2012 12:12, Thierry Vignaud wrote:
>
>> On 26 April 2012 11:38, Colin Guthrie<mageia at colin.guthr.ie>  wrote:
>>>
>>> It seems that in mga1 single user mode just gave a shell without
>>> requiring root password.
>>>
>>> I'm not sure when this was added, but in the initscripts changelog, I
>>> see it has come from the big mdvconf patch[1].
>>>
>>> Can anyone remember the reason for this (perhaps it was related to tcb
>>> support?) and whether or not we should do the same thing in systemd
>>> which currently (now that I've fixed it) uses whatever SINGLE says in
>>> /etc/sysconfig/init.
>>
>>
>> This has been like this forever...
>> At least for the past decade.
>> I think other distros do/did it too.
>
> Some of them force the use of a password for single mode. Given the ease of
> bypassing it through init=/bin/sh, unless the bootloader is also protected,
> I'm a bit sceptical about the interest.

For ages (Mandrakelinux/Mandriva) it has been

SINGLE=/sbin/sushell

as default. IMHO this default setting is a security issue. Someone
with access to your machine (in an office or wherever) can simply
turn it on (or first turn it off with the power button), select
failsafe from the boot menu and has all the privileges he wants
without any hurdles to jump. So I've been advocating to change this
entry in /etc/sysconfig/init.

I've also been recommending users to change the matching line in
/etc/inittab accordingly:

#Single user mode
~~:S:wait:/sbin/sulogin

which does the same. Unfortunately Mandrake/Mandriva developers did
not share my view.

-- 
wobo
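
An audit of the two settings discussed in this message, as an added example that is not part of the original post or of any Mageia tooling: it reads SINGLE= from /etc/sysconfig/init and the runlevel S entry from /etc/inittab and reports whether each points at sulogin (root password prompt) or sushell (no prompt). The function names and exit codes are assumptions made for this example, and it does not look at the bootloader, which the quoted reply notes also has to be protected.

```shell
#!/bin/sh
# Added example: does single-user mode ask for the root password?
# Function names and exit codes are hypothetical, chosen for this example.

# Print the effective SINGLE= value of a sysconfig-style file (last one wins).
single_setting() {
    sed -n 's/^[[:space:]]*SINGLE=//p' "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Print the process field of the non-comment inittab entry for runlevel S.
inittab_single() {
    awk -F: '!/^[ \t]*#/ && $2 == "S" && $3 == "wait" { print $4 }' "$1" \
        2>/dev/null | tail -n 1
}

# Classify a program: sulogin prompts for the root password, sushell does not.
classify() {
    case "${1%% *}" in
        sulogin|*/sulogin) echo password ;;
        sushell|*/sushell) echo open ;;
        "")                echo unset ;;
        *)                 echo unknown ;;
    esac
}

# audit_single [INIT_FILE] [INITTAB_FILE]
# Returns 1 if either file hands out a root shell without a password,
# 0 if at least one requires the password and none is open,
# 2 if nothing could be verified (files missing or values unrecognised).
audit_single() {
    init_file=${1:-/etc/sysconfig/init}
    inittab=${2:-/etc/inittab}
    a=$(classify "$(single_setting "$init_file")")
    b=$(classify "$(inittab_single "$inittab")")
    echo "$init_file: $a"
    echo "$inittab: $b"
    case "$a/$b" in
        *open*)                return 1 ;;
        password/*|*/password) return 0 ;;
        *)                     return 2 ;;
    esac
}
```

Source the file and call `audit_single` with no arguments to check the live system, or pass two paths to check copies of the files.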

