Comments (10)
@travier you asked for someone to reach out in your comment.
I started poking around https://github.com/coreos/fedora-coreos-config/blob/stable/overlay.d/05core/usr/lib/systemd/system/emergency.service.d/coreos-sulogin-force.conf to see how this was being done on CoreOS. But I'm unsure how to get started adding this into the atomic desktops.
We can connect however you prefer, here, discord, email. My email is on my Fedora people profile (@bsherman1
not the same as my github handle).
Thank you for the offer to assist!
from main.
So I've dived into this more and I've found coreos/fedora-coreos-tracker#805 (comment), which makes it a harder sell for switching it on for all Fedora desktops.
It would probably be a good idea to start with a discussion thread on https://discussion.fedoraproject.org/ or on fedora-devel to get more ideas on how this could be safely done.
from main.
In general, the process to get such a change in Fedora is to make a Change Request to have it be visible to the community and force the discussion to happen (and a decision to be taken).
Writing / drafting a change page following the instructions in https://docs.fedoraproject.org/en-US/program_management/changes_policy/ is good first step.
from main.
So I've dived into this more and I've found coreos/fedora-coreos-tracker#805 (comment), which makes it a harder sell for switching it on for all Fedora desktops.
I read through the linked issue and coreos/fedora-coreos-config#311 plus again reading through the discussion which spawned this current issue The context was: how to reset a root password on atomic desktops when locked out/can't boot/etc. I dare assume, the REASON one wishes to do this is almost always a need to boot single user, which requires the root user to have their password set.
cgwalters provided a known good solution for how to accomplish the root password reset, but also suggested use of emergency.target
as an alternative. #469 (comment)
I hope this is a fair assessment of the history/situation:
- Fedora has had a non-usable
single
mode or systemdemergency
/rescue
boot due to a root password not being assigned - In general, this is addressed by root password reset workarounds, which though common in the linux desktop world, look a bit different with selinux in the mix
- with selinux in play, resetting the root password with
init=/bin/bash
but NOT loading selinux policies, will break labels (I've done this myself), but on traditional Fedora, the user can request an.autorelabel
so that's the workaround there - however, on atomic desktops and the immutable root filesystem, relabeling is not possible, thus we have the situation which likely resulted in...
- coreos/fedora-coreos-config#311 provided a way boot
emergency
/rescue
- coreos/fedora-coreos-tracker#805 (comment) addresses hardening the post boot-loader process, though it is in conflict (for the moment) with the working implementation from coreos/fedora-coreos-config#311
- #469 (comment) shares the idea of a protocol which could assist in the hardening implementation, but also the reality of not yet having that ability, and the need for less secure su-login-force, but also warnings and workarounds for hardening on a case by case basis.
So, my view:
- hardened by default is absolutely desirable, but on all Fedora systems, the current default is "unhardened"
- on all Fedora (except FCOS derivatives), there is a way to gain root access with console access, by: rebooting, modifying boot options, resetting root password. but, it happens to be more likely that the uninformed user will break their atomic system's labels when attempting this
- on FCOS, we have su-login-force, which by enabling
emergency/rescue
systemd targets, provides the same level of root access with lower risk a user damaging their system, by not requiring the user to forcibly set a root password. (one less step to root access; a single reboot instead of two) - It sounds like solving "hardened by default" is a bigger scope problem, but for the moment, we're trying to give users the ability to recover systems from the console without creating further problems, and the "su-login-force" solution does that without truly increasing security risk.
I needed to get that documented for my own understanding, as I had a few gaps in what/why was going on.
Please let me know if I'm missing something @travier and @cgwalters.
If this is reasonably correct assessment, I'll probably proceed by implementing this in our ublue-os images, but also start a Fedora discussion thread.
from main.
Related Issues (20)
- [Package Request] firefoxpwa - A tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox HOT 1
- Add /etc/vconsole.conf to initramfs HOT 4
- missing emoji font for swaybar in sericea HOT 4
- Seems it's not possible to remove package added by Universal Blue HOT 1
- Add Epub thumbnails package to silverblue images HOT 2
- Report an issue with an ISO HOT 1
- [Membership Request] HikariKnight HOT 3
- Universal Blue Sericea distrobox permission errors HOT 5
- podman build /bin/sh: error while loading shared libraries: /lib64/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
- unknown Group nintendo_switch, ignoring HOT 1
- libheif-tools not generating thumbnails HOT 4
- Bluefin 2.0.0 ISO: too many WLANs, can't confirm selection HOT 1
- nix-install fails error code 1
- Prune lxqt builds for Fedora 39
- Selinux Troubleshooting Tools HOT 5
- Tracker: New Universal Blue Installer HOT 5
- Documentation or Functionality for Resetting Root Password HOT 22
- [Membership Request] @noelmiller HOT 3
- Add contributor action HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from main.