Allow logging in to rescue/emergency shell as root

In Qubes OS guests, the console is _always_ the Xen console. There are _never_ untrusted entities with access to this under _any_ circumstances. The only supported way to get access to this from a VM is the admin.vm.Console service, which is (by design) equivalent to root access in the destination VM. Therefore, set SYSTEMD_SULOGIN_FORCE=1 to tell systemd-sulogin-shell to pass --force to sulogin(8). Since the root account is locked in Qubes VMs, this causes sulogin(8) to allow login as root without a password.
QubesOS · Nov 4, 2024 · 757ef06 · 757ef06
1 parent 607c341
commit 757ef06
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -50,7 +50,7 @@ SYSTEM_DROPINS += systemd-random-seed.service
 SYSTEM_DROPINS += tor.service [email protected]
 SYSTEM_DROPINS += systemd-timesyncd.service
 SYSTEM_DROPINS += systemd-logind.service
-SYSTEM_DROPINS += sysinit.target
+SYSTEM_DROPINS += sysinit.target emergency.service rescue.service
 ifeq ($(ENABLE_SELINUX),1)
 SYSTEM_DROPINS += selinux-autorelabel.target selinux-autorelabel.service
 endif

diff --git a/boot/module-setup.sh b/boot/module-setup.sh
@@ -0,0 +1,10 @@
+depends () {
+}
+
+install () {
+    if [ -h /lib ]; then
+        inst_multiple /usr/lib/systemd/system/rescue.service.d/30_qubes.conf /usr/lib/systemd/system/emergency.service.d/30_qubes.conf
+    else
+        inst_multiple /lib/systemd/system/rescue.service.d/30_qubes.conf /lib/systemd/system/emergency.service.d/30_qubes.conf
+    fi
+}
diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install
@@ -107,6 +107,8 @@ lib/systemd/system/sysinit.target.d/30_qubes.conf
 lib/systemd/system/systemd-timesyncd.service.d/30_qubes.conf
 lib/systemd/system/systemd-logind.service.d/30_qubes.conf
 lib/systemd/resolved.conf.d/30_resolved-no-mdns-or-llmnr.conf
+lib/systemd/system/rescue.service.d/30_qubes.conf
+lib/systemd/system/emergency.service.d/30_qubes.conf
 usr/lib/sysctl.d/20-qubes-core.conf
 usr/lib/systemd/user/tracker-extract-3.service.d/30_qubes.conf
 usr/lib/systemd/user/tracker-miner-fs-3.service.d/30_qubes.conf

diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
@@ -521,6 +521,7 @@ sed -i \
 %endif
 
 install -D -m 0644 boot/dracut-qubes.conf $RPM_BUILD_ROOT/usr/lib/dracut/dracut.conf.d/30-qubes.conf
+install -D -m 0644 boot/module-setup.sh $RPM_BUILD_ROOT/usr/lib/dracut/modules.d/99qubes/modules-setup.sh
 install -D -m 0644 boot/grub.qubes $RPM_BUILD_ROOT/etc/default/grub.qubes
 
 %if ! %with_sysvinit
@@ -1021,6 +1022,12 @@ rm -f %{name}-%{version}
 /usr/lib/qubes/set-default-text-editor
 /usr/lib/qubes/tinyproxy-wrapper
 /usr/lib/dracut/dracut.conf.d/30-qubes.conf
+# Ensure that dracut is not a hard requirement.
+# It is only needed with in-VM initramfs, not
+# dom0-provided initramfs.
+%dir /usr/lib/dracut/modules.d/99qubes
+/usr/lib/dracut/modules.d/99qubes/module-setup.sh
+
 /usr/lib/environment.d/60-gnome-software-fix.conf
 %dir /usr/lib/qubes/init
 /usr/lib/qubes/init/bind-dirs.sh
@@ -1298,6 +1305,10 @@ The Qubes core startup configuration for SystemD init.
 %dir %_unitdir/sysinit.target.d
 %_unitdir/sysinit.target.d/30_qubes.conf
 %dir %_userunitdir/*.service.d
+%dir %_unitdir/rescue.service.d
+%dir %_unitdir/emergency.service.d
+%_unitdir/emergency.service.d/30_qubes.conf
+%_unitdir/rescue.service.d/30_qubes.conf
 %_userunitdir/tracker-extract-3.service.d/30_qubes.conf
 %_userunitdir/tracker-miner-fs-3.service.d/30_qubes.conf
 %_userunitdir/tracker-miner-fs-control-3.service.d/30_qubes.conf

diff --git a/vm-systemd/emergency.service.d/30_qubes.conf b/vm-systemd/emergency.service.d/30_qubes.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment=SYSTEMD_SULOGIN_FORCE=1
diff --git a/vm-systemd/rescue.service.d/30_qubes.conf b/vm-systemd/rescue.service.d/30_qubes.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment=SYSTEMD_SULOGIN_FORCE=1