-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Documentation or Functionality for Resetting Root Password #469
Comments
I think this is generally broken for the Atomic Desktops. I tried following (most of) the root password recovery steps from the generic Fedora docs and they were not successful. I filed an issue with the Silverblue tracker to see if we can chase this down more broadly - fedora-silverblue/issue-tracker#524 |
So far the process is looking like the following:
It would be good to confirm upstream whether this is best practice. |
I found that changing my user password via |
Right, that is if you know your password though. I'm talking about cases where you don't know what your password is. |
On a freshly installed Silverblue 39 VM, I'm getting Might be a different experience on ublue-os derived hosts? |
That is quite possible. Let me poke around a bit at both and see. |
Ah...I found it at |
When using the instructions above and replacing the |
The simplest, most generic procedure that works across package and ostree/bootc based Fedora derivatives is:
|
(What would be much better to support is |
To clarify understanding, you are saying that emergency target is not available in projects like Silverblue? Is there an architectural reason? |
What we really want is a protocol where the boot loader (grub, etc.) can pass down to the OS knowledge of whether it is "unlocked". If the boot loader allows arbitrary edits (e.g. kernel command line) then there's no reason for the OS to prompt you for a root password; it can just drop you into a root shell. That's what However, for people making e.g. kiosks, ATMs, etc. or in general a case where a physically present user should not be root, then they need to explicitly lock the boot loader (by e.g. setting a GRUB password) and if they do that, then if we had such a protocol then it'd automatically ensure that things like a fsck failure or anything reaching emergency.target wouldn't be an unexpected privilege escalation. In the short term I'd definitely advocate for Fedora and derivatives to carry that change by default and tell anyone making kisoks etc. that they need to disable it. We just chose to carry it in FCOS derivatives by default currently. |
We may want to consider shipping this by default for our images. Thoughts? @bsherman @castrojo @KyleGospo |
@nicknamenamenick This is probably what we should update our documentation with in regards to resetting a user password or root password. The reason this is better is because it mounts selinux and loads the policy so passwd properly labels the /etc/shadow file when making it's changes. It's also less commands. Another option we could consider is adding a shell script and make it available through just or some other means? Call it |
This is a great idea that I think eventually should be implemented. I will document this on our Discourse documentation first. |
I support adding the This avoids current hassle for users which doesn't provide any real security benefit. |
Sounds good, should I make a separate issue in main to implement this? Or do we want more discussion in this thread first? |
Yep, this current ticket seems to be for documentation, but the change to emergency service implementation should be in a distinct ticket, please. |
We should probably make this change Fedora wide for all desktops. If folks are interested in driving this through the Fedora process, feel free to reach out to me. As always, every change that we carry upstream in Fedora, you don't have to maintain here. |
I'm happy to help make this change for all of Fedora. I will probably soon ask you for guidance. |
In that case, we should link the upstream issue in ours once it's created! |
Upstream has documentation on this: https://docs.fedoraproject.org/en-US/quick-docs/reset-root-password/ for Fedora Workstation and other non-atomic Fedora variants.
However, this sparked discussion in Discord that this method may actually not work properly for our images. For those who have a Discord account can view this discussion here, and we regret not making it into its own thread to have it archived on the Answer Overflow.
There are upstream threads surrounding this issue on Fedora Silverblue. There is also this bug report which is now closed but still relevant.
From Fedora Silverblue's Troubleshooting Documentation on the issue:
There are known issues with the read-only filesystem (
autorelabel
&restorecon
) and SELinux (/etc/shadow
) with the official documentation.Does anyone have any experience or other knowledge for this? Whenever this is figured out, we can contribute to upstream documentation as well.
The text was updated successfully, but these errors were encountered: