GitHub
Documentation or Functionality for Resetting Root Password · Issue ...
Upstream has documentation on this: https://docs.fedoraproject.org/en-US/quick-docs/reset-root-password/ for Fedora Workstation and other non-atomic Fedora variants. However, this sparked discussio...
Really good conversation going on in this issue with Colin about systemd emergency target.
Also he added best practice for how to reset the root password in the thread as well
@bsherman @j0rge @Kyle Gospo @nickname pinged all of you in the above issue.
before i put this public, does everything look correct here:
https://universal-blue.discourse.group/t/reset-your-forgotten-password/161
i never really messed around the GRUB prompt. Let me know if I should add or correct anything if anyone has time to read this
Universal Blue
Reset Your Forgotten Password
Boot with init=/bin/bash on the kernel command line (e.g. edit grub prompt)
Once you are in the GRUB command line:
- mount -t selinuxfs selinuxfs /sys/fs/selinux
- /sbin/load_policy
- passwd → type new password
- sync
- /sbin/reboot -ff
Thanks to Colin Walters for the solution
I would do numbered steps instead of bullets. Also I can get a screenshot of what a grub prompt should look like with the additional statement on the end of it.
Likely can't do that until tonight.
Very good to credit Colin for his contribution!
thanks you can post it here if it's easier for you (when you can no hurry)
take your time
im glad this was figured out
and we gave it some attention
yes! I never really thought about this until someone ran into it.
also one other edit to the passwd statement, I would do
passwd [INSERT USERNAME HERE]
i.e. passwd nick
to reset your user's password.
otherwise you will reset the root account's password.
yeah just publish it, we'll make it a wiki, and that'll be fine!
ok i will publish it and make it a wiki right now
here are some relevant screenshots.
Thanks!
4th picture is selecting your entry
oh hang on.
im here
I didn't annotate the 4th one correctly.
make it obvious what to do.
alright thanks again for the screenshots
@nickname we should probably propose this getting added to the upstream Silverblue wiki as well since it is relevant to them too!
im not exactly sure where to propose that
agreed though
There should be a Fedora docs page for Silverblue. I'll see if I can track it down.
Fedora Docs
Fedora Silverblue User Guide
Learn more about Fedora Linux, the Fedora Project & the Fedora Community.
click the edit button top right
yeah i see now i wanted to make sure this was the correct place
ok
Yup. A sub page would probably be relevant.
ah nice it's on github
Might be good to link it from the main Fedora workstation page as well.
So people don't get confused.
Like we did! 😄
this will be my plan for later. gotta do something real quick, but i will get this done by the end of the day. very happy this was figured out and we have proper documentation on it
their markup standard is AsciiDoc i see lol
i will reformat it to that
Yeah, I forgot that minor detail X_X
yeah thats ok. i actually made the commit but im going to return to it and PR it either tonight or tomorrow because i'm not done yet
I got some feedback from travier on the emergency boot target... and i did my own research to try to put a complete picture together...
TL;DR
I think we should do this in ublue, and I'll also try to push it upstream, but they will probably have a pissing match about security theater
https://github.com/ublue-os/main/issues/470#issuecomment-1889695964
(they: just meaning lots of Fedora peoples in general, not meaning travier or cgwalters, specifically)
@Noel i think i have an idea on how to make this single/emergency/rescue boot mode work safely
it's based on what Timothee and Colin suggested in my ticket
if we put a hard override on the filesystem like CoreOS does... we will drop into a non-password protected root shell on a fsck-fail, even if a root password is set
that's what Timothee is trying to guard against
but Colin suggests a systemd generator
I'm pretty sure i can write one of those which inspects the kernel command line and looks for the 3 keywords: emergency, rescue, single
if any one is present, this means that the user had access to grub cmdline, so it wasn't password protected, or they knew the password...
if so, the generator could dynamically write the SULOGIN_FORCE override ... allowing no password required login
and THAT would be worth contributing upstream
that would be excellent!
have you tested at all or is it purely theoretical at this point?
i showed you my comment of testing out the current coreos method https://github.com/bsherman/ublue-custom/commit/ea7551735f2b9c765eadefe6df895ba8a091435a
i needed to do that to tinker and test
the system-generator is only an idea at the moment, but i read the docs and some samples, and it seems very, very doable
i'm excited!
that would be sick!
oh dude
i think it's working!
GitHub
feat: allow rescue/emergency boot with grub cmdline args by bsherma...
This uses a systemd-generator to dynamically write a drop-in config for the rescue and emergency services only when they are requested via the kernel cmdline, which requires console/grub access. Thi...
yeah, so... this is what i came up with from the discussion
https://github.com/ublue-os/main/issues/470
GitHub
Override default systemd emergency service behavior with coreos-su-...
In the short term I'd definitely advocate for Fedora and derivatives to carry that change by default and tell anyone making kisoks etc. that they need to disable it. We just chose to carry it i...
i did add some notes in a comment here for anyone who wants to dig in on how this actually works
this is so cool I didn't even know this existed
yeah, i didn't know much about any of this 3 weeks ago either ;D
the systemd generator thing via a kernel arg
well, a systemd-generator has nothing to do with kernel args in general...
but one can READ kernel cmdline from within a generator
turns out, coreos has several custom systemd-generator scripts... they were very informative
yeah, I didn't know there was a rescue state either
this is pretty awesome
rescue state is literally single ... single user mode