Package: initscripts
Version: 2.88dsf-59.3
Severity: important

Dear Maintainer,

Since the sysvinit-utils/util-linux package versions shipped in Debian Stretch, the sulogin program is now provided by util-linux (replacing the previously supplied sulogin implementation from sysvinit-utils).

The Debian sysvinit package used to carry a (buggy) patch against sulogin which allowed people to log in as root even when the root account is locked. (Neither the sysvinit nor the util-linux upstream for sulogin ever supported it.)

This patch was not carried over to the util-linux package when switching to the util-linux sulogin implementation in Debian, for various reasons, primarily:
- the patch had serious bugs
- unconditionally handing out root shells was considered questionable for some use cases (e.g. kiosk mode).

After discussions with util-linux upstream a compromise was found to allow handing out a root shell even with a locked root account *only* when the --force (-e) option is specified.

As far as I've been told, the Debian installer creates a locked root account when people just press enter (without giving a password) at the root password prompt, which seems reasonably common among users. That means users have no way to be let in even when following the instructions given by sulogin.

The systemd package has been updated to pass the --force flag. The initscripts package (src:sysvinit) needs equivalent changes to restore the old status quo (and thus ignoring potential kiosk mode use case problems -- kiosk mode users should alter their init scripts and remove the --force flag to be secure).

Regards,
Andreas Henriksson

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages initscripts depends on:
ii  coreutils       8.25-2
ii  debianutils     4.7
ii  lsb-base        9.20160110
ii  mount           2.28-1
ii  sysv-rc         2.88dsf-59.3
ii  sysvinit-utils  2.88dsf-59.3

Versions of packages initscripts recommends:
ii  e2fsprogs  1.43~WIP.2016.03.15-2
ii  psmisc     22.21-2.1+b1

initscripts suggests no packages.

-- no debconf information
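
An added example, not part of the original report or of any Debian package: a POSIX shell audit that combines the two conditions the report describes, whether root's shadow entry is locked and whether a script's sulogin call passes --force (-e). The function names and sample files are constructed for illustration, and treating a hash field that starts with `!` or `*` as locked is an assumption taken from the sulogin(8) manual's description of --force.

```shell
#!/bin/sh
# Audit: would the rescue prompt admit, refuse, or bypass the root password?

# root_locked SHADOW_FILE -> exit 0 if root's hash field starts with '!' or '*'
# (assumption: the lock marking described in sulogin(8) and shadow(5)).
root_locked() {
    awk -F: '$1 == "root" { found = 1; locked = ($2 ~ /^[!*]/) }
             END { exit !(found && locked) }' "$1"
}

# sulogin_force_state SCRIPT -> prints "forced", "unforced" or "absent".
# Comment lines are skipped; a single call without --force/-e yields "unforced".
sulogin_force_state() {
    awk '/^[ \t]*#/ { next }
         { line = " " $0 " " }
         line ~ /[^A-Za-z0-9_-]sulogin[ \t]/ {
             seen = 1
             if (line !~ /[ \t](--force|-e)[ \t]/) unforced = 1
         }
         END { s = "forced"
               if (!seen) s = "absent"; else if (unforced) s = "unforced"
               print s }' "$1"
}

# verdict SHADOW_FILE SCRIPT -> one-line assessment combining both checks.
verdict() {
    state=$(sulogin_force_state "$2")
    if root_locked "$1"; then
        case $state in
            forced)   echo "root locked; sulogin --force starts a root shell without a password" ;;
            unforced) echo "root locked; sulogin refuses, no rescue shell" ;;
            *)        echo "root locked; script does not call sulogin" ;;
        esac
    else
        echo "root has a password; sulogin prompts for it ($state)"
    fi
}

# Constructed sample input (not taken from a real system).
demo=$(mktemp -d)
printf 'root:!:16900:0:99999:7:::\n' > "$demo/shadow"
printf '#!/bin/sh\n# sulogin (old call)\n/sbin/sulogin --force $CONSOLE\n' > "$demo/rescue.sh"
verdict "$demo/shadow" "$demo/rescue.sh"
rm -rf "$demo"
```

On a kiosk-style system the "forced" result with a locked root is the case the report says to remove; on a default install it is the case that keeps the rescue shell reachable.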

