[RFC PATCH] use sulogin in single-user mode

[Chris Adams]

Once upon a time, Bill Nottingham <notting at redhat.com> said:
> However, this changes behavior that has existed since the dawn
> of time in Red Hat/Fedora systems; with this change, single-user
> mode would now require the root password. This is both when
> booting with 'linux single/linux S', or going to runlevel 1
> with 'telinit 1'.

Well, that would make changing an unknown root password more annoying.
At a minimum, you should add the -e option (so if the files are
corrupted you can still get in).

How about moving /usr/bin/runcon to /bin and using that to call bash
instead?

In any case, the same method should be used for fsck failures, which
right now is sulogin, without the -e (but SELinux is disabled for that
shell, which doesn't seem like a good idea to me).

I have some old (ancient?) Cobalt RaQs that use sulogin instead of just
calling bash, and it is just an annoyance; it doesn't really secure
anything (physical access trumps all).  If you are trying to secure a
system, you need to password-protect the boot loader anyway.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.