Jon Ciesla (limb@jcomserv.net) said:
My thoughts exactly. What are the less simple fixes that don't change this behaviour?
Essentially, introducing new scripts solely for this purpose that can be given a special label and some policy. It's a hack.
Note that you can still do without-password recovery with init=/bin/bash.
Bill