diff --git a/overlay.d/05core/usr/lib/systemd/system-generators/coreos-sulogin-force-generator b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-sulogin-force-generator
new file mode 100755
index 0000000000..a38da85a01
--- /dev/null
+++ b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-sulogin-force-generator
@@ -0,0 +1,66 @@
+#!/usr/bin/bash
+
+# This systemd.generator(7) detects if rescue or emergency targets were
+# requested from the kernel cmdline; if so, it overrides the respective
+# target to set force sulogin, allowing use of rescue/emergency targets
+# on systems with locked root password (as is Fedora default).
+#
+# This does NOT bypass locked root password on a fsck failure, but WILL
+# bypass when rescue/emergency targets are chosen from kernel cmdline.
+# Since this requires console/grub access, it is assumed to be at least
+# as secure as a user reset of the root password using grub to modify
+# the kernel cmdline with init=/bin/bash .
+#
+# NOTE: the SYSTEMD_SULOGIN_FORCE method used here does not bypass any
+# assigned password; root password is only bypassed when locked/unset.
+
+export PATH="/usr/bin:/usr/sbin:${PATH}"
+if [ -n "$1" ]; then
+ # If invoked with arguments (not testing) log to kmsg
+ # https://github.com/systemd/systemd/issues/15638
+ exec 1>/dev/kmsg; exec 2>&1
+fi
+
+# If invoked with no arguments (for testing) write to /tmp
+UNIT_DIR="${1:-/tmp}"
+
+set -euo pipefail
+
+have_some_karg() {
+ local args=("$@")
+ IFS=" " read -r -a cmdline <<< "$( "${out_dir}/sulogin-force.conf" <