Bug 135154 - sulogin lacks support for multiple root accounts
Summary: sulogin lacks support for multiple root accounts
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: SysVinit (Show other bugs)
(Show other bugs)
Version: 3.0
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: David Lawrence
URL: http://www.openwall.com/msulogin/
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks: 153011 168982
TreeView+ depends on / blocked
 
Reported: 2004-10-09 12:03 UTC by Alexander Peslyak
Modified: 2014-03-17 02:49 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-21 20:14:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Alexander Peslyak 2004-10-09 12:03:12 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020922

Description of problem:
There's a reasonable policy to avoid using username root logins, but
instead create multiple r_* (UID 0) accounts for whoever needs to have
root access to the server.  This improves accountability and allows
each person to change their authentication credentials without having
to negotiate with the others. Once that policy is in place, it is
natural to disable (usermod -L) the username root account.

Unfortunately, sulogin will only accept a password for username root.
This makes emergency console logins with alternate root accounts
impossible.

For that reason, I wrote an alternate implementation of sulogin,
available at:

http://www.openwall.com/msulogin/

This one will ask for a username, but will only accept root-privileged
ones.  So far, it's been fully integrated into Owl and ALT Linux. 
It'd be nice if Red Hat Linux did the same move.

There's an RPM spec file for msulogin included in the downloadable
tarballs.  SysVinit's spec file will need to be modified to not
package its local sulogin, but to Require: msulogin.  The way it's
been integrated into Owl can be seen here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/msulogin/msulogin/

and:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/SysVinit/

Version-Release number of selected component (if applicable):
SysVinit-2.85-4.2

How reproducible:
Always

Steps to Reproduce:
1. useradd -u 0 -o -g 0 -m r_admin1 && passwd r_admin1
2. usermod -L root
3. Cause some nasty filesystem breakage, reboot. ;-)

Actual Results:  Root password prompt upon bootup, with no ability to
make use of it since the username root account has been locked.

Expected Results:  Alternate root username prompt before the root
password one.
Comment 1 Suzanne Hillman 2005-03-31 21:35:14 UTC 
Internal RFE bug #153011 entered; will be considered for future releases.
Comment 2 Bill Nottingham 2005-09-21 20:14:14 UTC 
This problem is being considered for a future major release of Red Hat
Enterprise Linux. Red Hat does not currently plan to provide a resolution for
this in a Red Hat Enterprise Linux update for currently deployed systems.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects.
Note You need to log in before you can comment on or make changes to this bug.