[Mageia-dev] Handling single user/rescue/failsafe mode

Thu Apr 26 13:05:19 CEST 2012

2012/4/26 Guillaume Rousse <guillomovitch at gmail.com>:
+> Le 26/04/2012 12:12, Thierry Vignaud a écrit :
+>
+>> On 26 April 2012 11:38, Colin Guthrie<mageia at colin.guthr.ie>  wrote:
+>>>
+>>> It seems that in mga1 single user mode just gave a shell without
+>>> requiring root password.
+>>>
+>>> I'm not sure when this was added, but in the initscripts changelog, I
+>>> see it has come from the big mdvconf patch[1].
+>>>
+>>> Can anyone remember the reason for this (perhaps it was related to tcb
+>>> support?) and whether or not we should do the same thing in systemd
+>>> which currently (now that I've fixed it) uses whatever SINGLE says in
+>>> /etc/sysconfig/init.
+>>
+>>
+>> This has been like this forever...
+>> At least for the past decade.
+>> I think other distros do/did it too.
+>
+> Some of them force the use of a password for single mode. Given the ease of
+> bypassing it through init=/bin/sh, unless the bootloader is also protected,
+> I'm a bit sceptic about the interest.
+
+For ages (Mandrakelinux/Mandriva) it has been
+
+SINGLE=/sbin/sushell
+
+as default. IMHO this default setting is a security issue. Someone
+with access to your machine (in an office or whereever) can simply
+turn it on (or first turn it off with the power button), select
+failsafe from the boot menue and has all the privileges he wants
+without any hurdles to jump. So I've been advocating to change this
+entry in /etc/sysconfig/init.
+
+I've been also recommending users to change the matching line in
+/etc/inittab accordingly:
+
+#Single user mode
+~~:S:wait:/sbin/sulogin
+
+which does the same. Unfortunately Mandrake/Mandriva developpers did
+not share my view.
+
+-- 
+wobo
+