2

When there are errors during the initrd part of a system boot, dracut will drop to a shell (so you can fix things). Is there a way to require a password before going into the shell, in the manner that Debian's initramfs-tools rescue shell works?

I have several Fedora machines (currently Fedora 17, soon to be Fedora 20) run in a public lab environment. One of them had an fsck error today and dropped to the rescue shell. Someone tried to use the system before I got to it (and, fortunately, didn't hit any of the commands available in the rescue shell). I'd like to prevent a recurrence.

asciiphil

2 Answers

4

I think you should be able to disable it by adding `rd.shell=0` to your kernel command line. Then if the boot fails it will print a message but not drop to a shell, and you will have to go into grub and reboot with a modified command line to get the shell.

TomH
  • Ah, that makes sense. (I, of course, have passwords required for any GRUB action other than "boot the default kernel", so that becomes the barrier to anyone getting the dracut rescue shell, too.) – asciiphil Nov 14 '13 at 15:29
3

This occurs when the emergency shell is enabled. This debugging shell is spawned when dracut is unable to mount the root filesystem. Since the passwords are on the root filesystem, authentication isn't really possible at this early stage.

Check the kernel command line for `rd.shell`. This option should be set to 0 or be absent, to disable the emergency shell.

Michael Hampton
  • Authentication from the system `/etc/passwd` isn't possible, but I was thinking along the lines of a specifically-configured password like GRUB supports. As TomH points out, if the dracut rescue shell is disabled on the default kernel command line, the GRUB password is effectively the dracut password, too. – asciiphil Nov 14 '13 at 15:31
  • Ha. TomH didn't point that out, you did :) – Michael Hampton Nov 14 '13 at 15:35
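
A way to check boot entries for the `rd.shell` setting both answers refer to, as an added example that is not part of the original thread. The function names are hypothetical, the sample command lines are constructed, and the script assumes that the last occurrence of the option wins and that `0`, `no` and `off` are the values that turn it off.

```shell
#!/bin/sh
# Added example (not from the original thread).

# Print "disabled", "enabled" or "unset" for the rd.shell option in the
# kernel command line passed as $1.
# Assumptions: the last occurrence of the option wins, and 0/no/off are the
# values that turn it off. Quoted arguments containing spaces are not handled.
rd_shell_state() (
    set -f                      # no glob expansion while word-splitting $1
    state=unset
    for arg in $1; do
        case "$arg" in
            rd.shell=0|rd.shell=no|rd.shell=off) state=disabled ;;
            rd.shell|rd.shell=*)                 state=enabled ;;
        esac
    done
    printf '%s\n' "$state"
)

# Read one kernel command line per line on stdin, report every line that does
# not explicitly disable the shell, and return non-zero if any was reported.
audit_cmdlines() {
    rc=0
    while IFS= read -r line; do
        s=$(rd_shell_state "$line")
        if [ "$s" != disabled ]; then
            printf 'rd.shell %s: %s\n' "$s" "$line"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample lines, not taken from a real system.
audit_cmdlines <<'EOF' || echo "at least one entry does not explicitly disable rd.shell"
ro root=/dev/mapper/vg-root rd.shell=0 rhgb quiet
ro root=/dev/mapper/vg-root rhgb quiet
ro root=/dev/mapper/vg-root rd.shell=0 rd.shell
EOF
```

On a running machine, `rd_shell_state "$(cat /proc/cmdline)"` reports the state for the kernel that actually booted.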