Bug 168982 - sulogin lacks support for multiple root accounts
Summary: sulogin lacks support for multiple root accounts
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: util-linux
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Karel Zak
QA Contact: Fedora Extras Quality Assurance
URL: http://www.openwall.com/msulogin/
Whiteboard:
Depends On: 135154
Blocks: FC5Target
 
Reported: 2005-09-21 20:12 UTC by Bill Nottingham
Modified: 2014-03-17 02:56 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-29 11:50:03 UTC



Description Bill Nottingham 2005-09-21 20:12:23 UTC
+++ This bug was initially created as a clone of Bug #135154 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020922

Description of problem:
There's a reasonable policy to avoid using username root logins, but
instead create multiple r_* (UID 0) accounts for whoever needs to have
root access to the server.  This improves accountability and allows
each person to change their authentication credentials without having
to negotiate with the others. Once that policy is in place, it is
natural to disable (usermod -L) the username root account.

Unfortunately, sulogin will only accept a password for username root.
This makes emergency console logins with alternate root accounts
impossible.

For that reason, I wrote an alternate implementation of sulogin,
available at:

http://www.openwall.com/msulogin/

This one will ask for a username, but will only accept root-privileged
ones.  So far, it's been fully integrated into Owl and ALT Linux. 
It'd be nice if Red Hat Linux did the same move.

There's an RPM spec file for msulogin included in the downloadable
tarballs.  SysVinit's spec file will need to be modified to not
package its local sulogin, but to Require: msulogin.  The way it's
been integrated into Owl can be seen here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/msulogin/msulogin/

and:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/SysVinit/

Version-Release number of selected component (if applicable):
SysVinit-2.85-4.2

How reproducible:
Always

Steps to Reproduce:
1. useradd -u 0 -o -g 0 -m r_admin1 && passwd r_admin1
2. usermod -L root
3. Cause some nasty filesystem breakage, reboot. ;-)

Actual Results:  Root password prompt upon bootup, with no ability to
make use of it since the username root account has been locked.

Expected Results:  Alternate root username prompt before the root
password one.

-- Additional comment from shillman@redhat.com on 2005-03-31 16:35 EST --
Internal RFE bug #153011 entered; will be considered for future releases.
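
Added example (not part of the original report, of sulogin or of msulogin): a Python audit over passwd/shadow-format text that shows the lockout the reproduction steps create, by listing UID 0 accounts and checking which still have a usable password. The sample data, the `r_admin2` and `alice` accounts and the function names are constructed for illustration; the two prompt models follow only the behaviour described in the report.

```python
# Constructed passwd(5)/shadow(5) content mirroring the report's reproduction
# steps (root locked with `usermod -L`, r_admin1 created as UID 0).
# r_admin2, alice and all hash strings are made up for illustration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
r_admin1:x:0:0::/home/r_admin1:/bin/bash
r_admin2:x:0:0::/home/r_admin2:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:!$6$constructed$hash:19000:0:99999:7:::
r_admin1:$6$constructed$hash:19000:0:99999:7:::
r_admin2:*:19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
"""

def uid0_password_fields(passwd_text, shadow_text):
    """Map each UID 0 account name to its effective password field."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    result = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit() or int(fields[2]) != 0:
            continue
        name, pw = fields[0], fields[1]
        # "x" means the real field is in shadow; a missing shadow entry is
        # treated as locked here (an assumption of this example).
        result[name] = shadow.get(name, "!") if pw == "x" else pw
    return result

def password_usable(field):
    """False for locked ("!..."), disabled ("*...") or empty fields."""
    return bool(field) and not field.startswith(("!", "*"))

def audit(passwd_text, shadow_text):
    fields = uid0_password_fields(passwd_text, shadow_text)
    usable = [name for name, f in fields.items() if password_usable(f)]
    return {
        "uid0_accounts": list(fields),
        "usable": usable,
        # Prompt accepting only username root, as the report describes sulogin.
        "root_only_prompt_usable": "root" in usable,
        # Prompt accepting any UID 0 username, as the report describes msulogin.
        "any_uid0_prompt_usable": bool(usable),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

On a real host the same functions can be fed the contents of `/etc/passwd` and `/etc/shadow` (read as root) to confirm that at least one UID 0 account remains usable before root is locked.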

Comment 1 Bill Nottingham 2005-09-21 20:13:26 UTC
Note that implementation of this may change due to SELinux considerations
(multiple users with sysadm_r role?)

Comment 2 David Lawrence 2007-06-22 02:11:09 UTC
Package name is now sysvinit in Fedora.

Comment 3 John Poelstra 2008-07-08 03:52:19 UTC
triaged

Comment 5 Fedora Admin XMLRPC Client 2013-03-01 14:37:06 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 6 Lukáš Nykrýn 2013-03-28 12:25:12 UTC
Sulogin is no longer in sysvinit, reassigning to util-linux.

Comment 7 Lukáš Nykrýn 2013-03-28 12:26:10 UTC
But probably it can be closed now.

Comment 8 Karel Zak 2013-03-29 11:50:03 UTC
Over-engineering. Closing.

