Skip to content

Allow logging in to rescue/emergency shell as root #526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Allow logging in to rescue/emergency shell as root #526

wants to merge 1 commit into from

Conversation

@DemiMarie
Copy link
Contributor

In Qubes OS guests, the console is always the Xen console. There are never untrusted entities with access to this under any circumstances. The only supported way to get access to this from a VM is the admin.vm.Console service, which is (by design) equivalent to root access in the destination VM.

Therefore, set SYSTEMD_SULOGIN_FORCE=1 to tell systemd-sulogin-shell to pass --force to sulogin(8). Since the root account is locked in Qubes VMs, this causes sulogin(8) to allow login as root without a password.

@codecov
Copy link

codecov bot commented Oct 31, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.57%. Comparing base (1783677) to head (ecdb763).
Report is 29 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #526   +/-   ##
=======================================
  Coverage   70.57%   70.57%           
=======================================
  Files           3        3           
  Lines         469      469           
=======================================
  Hits          331      331           
  Misses        138      138

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@marmarek
Copy link
Member

marmarek commented Nov 4, 2024

Should those drop-ins be included in initramfs (when generated in VM) too? Or maybe they already are there?

@DemiMarie
Copy link
Contributor Author

Should those drop-ins be included in initramfs (when generated in VM) too? Or maybe they already are there?

Yes, they should. Dracut module?

@DemiMarie DemiMarie force-pushed the sulogin-force branch 2 times, most recently from 757ef06 to 9e612aa Compare November 4, 2024 21:13
@marmarek
Copy link
Member

marmarek commented Nov 6, 2024 

19:36:45 [qb.build_rpm.core-agent-linux.vm-fc40.build] DEBUG: RPM build errors:
19:36:45 [qb.build_rpm.core-agent-linux.vm-fc40.build] DEBUG: error: File not found: /builddir/build/BUILDROOT/qubes-core-agent-4.3.11-1.1.fc40.x86_64/usr/lib/dracut/modules.d/99qubes/module-setup.sh

@DemiMarie
Copy link
Contributor Author

Should this be conditional on the VM not being sys-usb? sys-usb might get an untrusted USB serial port plugged into it.

@marmarek
Copy link
Member

marmarek commented Nov 6, 2024

Should this be conditional on the VM not being sys-usb? sys-usb might get an untrusted USB serial port plugged into it.

Similar issue may apply to other VM too. Can you make it specifically for hvc0 console only instead?

@marmarek
Copy link
Member

marmarek commented Nov 6, 2024

Should this be conditional on the VM not being sys-usb? sys-usb might get an untrusted USB serial port plugged into it.

But actually does other consoles matter here? Isn't rescue/emergency started only on the primary console (as configured with console= kernel param)?

@DemiMarie
Copy link
Contributor Author

Should this be conditional on the VM not being sys-usb? sys-usb might get an untrusted USB serial port plugged into it.

But actually does other consoles matter here? Isn't rescue/emergency started only on the primary console (as configured with console= kernel param)?

It should be indeed. I can check.

@DemiMarie
Copy link
Contributor Author

Should this be conditional on the VM not being sys-usb? sys-usb might get an untrusted USB serial port plugged into it.

But actually does other consoles matter here? Isn't rescue/emergency started only on the primary console (as configured with console= kernel param)?

It should be indeed. I can check.

Addressed much more simply by explicitly setting /dev/hvc0 as the terminal path.

@DemiMarie DemiMarie force-pushed the sulogin-force branch 2 times, most recently from e9dc9ed to 7043815 Compare December 23, 2024 02:16
@DemiMarie DemiMarie marked this pull request as draft December 23, 2024 02:16
marmarek
marmarek requested changes Dec 24, 2024
View reviewed changes
@DemiMarie DemiMarie force-pushed the sulogin-force branch 2 times, most recently from 45bd08f to f9c1fdf Compare December 28, 2024 02:11
@DemiMarie DemiMarie requested a review from marmarek December 28, 2024 03:00
@marmarek
Copy link
Member

I'd like to have a test for this feature, I can write one, but I need few primitives for it:

  • how to break the boot in initramfs stage, preferably without involving the default 2min (?) timeout for rootfs mount
  • how to break the boot after initramfs (mask some unit via kernel cmdline? remove some file?)

@DemiMarie
Copy link
Contributor Author

I'd like to have a test for this feature, I can write one, but I need few primitives for it:

  • how to break the boot in initramfs stage, preferably without involving the default 2min (?) timeout for rootfs mount

rd.rescue or rd.emergency on kernel command line with an in-VM kernel.

  • how to break the boot after initramfs (mask some unit via kernel cmdline? remove some file?)

rescue or emergency on kernel command line, with either dom0-provided or in-VM kernel.

@DemiMarie
Allow logging in to rescue/emergency shell as root
ecdb763 
In Qubes OS guests, the console is _always_ the Xen console.  There are
_never_ untrusted entities with access to this under _any_
circumstances.  The only supported way to get access to this from a VM
is the admin.vm.Console service, which is (by design) equivalent to root
access in the destination VM.  Other consoles, such as a USB serial
console, are not supported as domU consoles under Qubes OS.

Therefore, set SYSTEMD_SULOGIN_FORCE=1 to tell systemd-sulogin-shell to
pass --force to sulogin(8).  Since the root account is locked in Qubes
VMs, this causes sulogin(8) to allow login as root without a password.
Use TTYPath= to enforce that the console is, in fact, the Xen console
and not some other console, in case the assumption in the previous
paragraph turns out false for some reason.  This will break if the Xen
drivers are not included in the guest kernel config, but an HVM guest
with Qubes tools but no Xen drivers is not a supported configuration.
@DemiMarie DemiMarie marked this pull request as ready for review December 29, 2024 22:56
@DemiMarie
Copy link
Contributor Author

I tested this.

@marmarek
Copy link
Member

I've (finally) written a test for this (will open a PR in a moment). Summary of running it:

  • works fine with Fedora 41 xfce template and dom0-provided kernel
  • is unnecessary with Fedora 41 xfce template and in-vm kernel for emergency mode in initramfs (this one gives shell already, without any of the changes here)
  • doesn't work with Debian 12 xfce template (still says "Cannot open access to console, the root account is locked")
  • adding rd.emergency to kernel cmdline on Debian doesn't trigger emergency shell in initrd at all (with in-vm kernel), so I don't know if it works or if it's necessary

@marmarek
Copy link
Member

I haven't ran the test on Whonix yet, I guess results will be similar to Debian.

marmarek added a commit to marmarek/qubes-core-admin that referenced this pull request Feb 13, 2025
@marmarek
tests: add test for password-less emergency console
2c9232f 
It shouldn't prompt for the password, as the root account is locked.

Related to QubesOS/qubes-core-agent-linux#526
marmarek added a commit to marmarek/qubes-core-admin that referenced this pull request Feb 14, 2025
@marmarek
tests: add test for password-less emergency console
6323b81 
It shouldn't prompt for the password, as the root account is locked.

Related to QubesOS/qubes-core-agent-linux#526
marmarek added a commit to marmarek/qubes-core-admin that referenced this pull request Feb 16, 2025
@marmarek
tests: add test for password-less emergency console
796ca60 
It shouldn't prompt for the password, as the root account is locked.

Related to QubesOS/qubes-core-agent-linux#526
@marmarek marmarek mentioned this pull request Feb 21, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marmarek marmarek Awaiting requested review from marmarek

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DemiMarie @marmarek