Jon Ciesla (limb(a)jcomserv.net) said:
My thoughts exactly. What are the less simple fixes that don't
change
this behaviour?
Essentially, introducing new scripts solely for this purpose that can
be given a special label and some policy. It's a hack.
Note that you can still do without-password recovery with
init=/bin/bash.
Bill