Emergency mode when root account locked

deandre

unread,

Dec 4, 2020, 7:20:06 AM12/4/20

to

Hi

My problem is when I try to boot up deepin(Debian 10 buster) I get the message “cannot open access to console, the root account is locked See sulogin(8) man for more details” and after I press Enter it continues to give me the same message, at this point I’m not really sure what to do.

Sent from Mail for Windows 10

Greg Wooledge

unread,

Dec 4, 2020, 8:20:06 AM12/4/20

to

On Fri, Dec 04, 2020 at 12:00:14PM +0000, deandre wrote:
> My problem is when I try to boot up deepin(Debian 10 buster)

Deepin is not Debian. It's a derivative. Your problems with Deepin
should be asked on a Deepin support list, because the users there will
have more knowledge about your operating system than we do.

> I get the message “cannot open access to console, the root account is locked
> See sulogin(8) man for more details” and after I press Enter it continues to
> give me the same message, at this point I’m not really sure what to do.

>From the original Subject: header, your question is apparently about
something called "emergency mode". I am going to **GUESS** (here,
again, we are not Deepin users and we don't know how Deepin works)
that this is single-user mode, a.k.a. "rescue mode" in Debian, accessed
from the GRUB boot loader menu.

I am also going to guess that Deepin, like Ubuntu, defaults to giving
you a user account with sudo access, and no root password. You can
achieve that in Debian as well, by doing something special during the
installation. In all cases, it's a stupid idea and you shouldn't do it.

If you want to access single-user mode from GRUB, you need a root
password. So set one.

You'd do that by booting normally, then running something like
"sudo passwd root" as your sudo-privileged user.

If you *can't* boot normally (hence your attempts to enter single-user
mode), then you'll need to boot from an installation image, or a
rescue image, or something along those lines. Mount your root partition,
chroot into it, and run "passwd root" to set the root password.

Ask your Deepin mailing list for help doing that if you don't know how.

Andrei POPESCU

unread,

Dec 5, 2020, 5:50:05 AM12/5/20

to

On Vi, 04 dec 20, 08:09:44, Greg Wooledge wrote:
> On Fri, Dec 04, 2020 at 12:00:14PM +0000, deandre wrote:
> > My problem is when I try to boot up deepin(Debian 10 buster)
>
> Deepin is not Debian. It's a derivative. Your problems with Deepin
> should be asked on a Deepin support list, because the users there will
> have more knowledge about your operating system than we do.

While your guess is probably right, just for the archives, there is also
a Deepin Desktop Environment, with several components available already
in buster and many more to come.

https://salsa.debian.org/pkg-deepin-team

> I am also going to guess that Deepin, like Ubuntu, defaults to giving
> you a user account with sudo access, and no root password. You can
> achieve that in Debian as well, by doing something special during the
> installation. In all cases, it's a stupid idea and you shouldn't do it.

This is a pretty strong (and harsh!) statement. Care to expand on the
reasons?

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser

signature.asc

Marco Möller

unread,

Dec 5, 2020, 9:10:06 AM12/5/20

to

> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>

If the root account login is deactivated, then the rescue console
(rescue.target or emergency.target) usually cannot be entered.
However, in the grub menu it can still be forced the launch o a shell as
root, even if the root account was deactivated, by adding the following
boot parameter:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
init=/sbin/sulogin --force
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Best wishes,
Marco.

Greg Wooledge

unread,

Dec 7, 2020, 10:20:06 AM12/7/20

to

It prevents access to single-user mode. The fact that Debian (and
these others?) still puts a single-user mode entry into the GRUB menu,
knowing that it won't work, is just adding insult to injury.

Even if you plan to use sudo for 99% of your administrative work,
there's still no reason NOT to have a root password, for those emergency
situations where you need one.

Another thing to keep in mind is that you might forget your root
password if you don't use it once in a while. So, you might try to
remember to use "su" or a console root login from time to time, just
to make sure you remember your root password.

Tixy

unread,

Dec 7, 2020, 10:40:06 AM12/7/20

to

On Mon, 2020-12-07 at 10:11 -0500, Greg Wooledge wrote:
[...]

> Another thing to keep in mind is that you might forget your root
> password if you don't use it once in a while.

For machines that are personal, single user machines, it just makes
sense to me to use the same password for root as the user. After all,
the root account isn't really protecting anything additional that the
user cares about.

--
Tixy

gru...@mailfence.com

unread,

Dec 7, 2020, 10:40:06 AM12/7/20

to

i was a sys admin for hpux and linux systems for 25 years now retired
having a root password is along the same line as backups for your system
you spend time and money and pray you never have to use it
you set a root password and use it from time to time just in case

Andrei POPESCU

unread,

Dec 8, 2020, 4:00:07 AM12/8/20

to

I'm guessing you are referring to this:

https://xkcd.com/1200/

signature.asc

Tixy

unread,

Dec 8, 2020, 4:20:05 AM12/8/20

to

On Tue, 2020-12-08 at 10:53 +0200, Andrei POPESCU wrote:
> On Lu, 07 dec 20, 15:35:16, Tixy wrote:
> > On Mon, 2020-12-07 at 10:11 -0500, Greg Wooledge wrote:
> > [...]
> > > Another thing to keep in mind is that you might forget your root
> > > password if you don't use it once in a while.
> >
> > For machines that are personal, single user machines, it just makes
> > sense to me to use the same password for root as the user. After
> > all,
> > the root account isn't really protecting anything additional that
> > the
> > user cares about.
>
> I'm guessing you are referring to this:
>
> https://xkcd.com/1200/

Something like that, except I never use hibernate and my disk is
encrypted, so hopefully if someone steals my computer they don't get
anything but the hardware :-)

Also, so I only have one thing to remember my disk encryption
passphrase is also my user and root account password, and I have system
set to automatically login to my account at boot so just have to enter
the passphrase once.

--
Tixy

deloptes

unread,

Dec 8, 2020, 6:00:07 AM12/8/20

to

Tixy wrote:

> I never use hibernate and my disk is
> encrypted

hibernation works with encryption just fine. I have a problem though with
hibernation+NFS

Celejar

unread,

Dec 8, 2020, 7:50:05 PM12/8/20

to

On Mon, 7 Dec 2020 09:30:05 -0600 (CST)
gru...@mailfence.com wrote:

...

> i was a sys admin for hpux and linux systems for 25 years now retired
> having a root password is along the same line as backups for your system
> you spend time and money and pray you never have to use it
> you set a root password and use it from time to time just in case

But the difference is that if you don't have backups and you do need
them, you're in big trouble. If you don't have a root password and you
need it, you can always mount the disk from another operating
environment, such as a live one, and fix things. A hassle, certainly,
but not nearly as catastrophic as not having backups

Celejar

Fabrice BAUZAC

unread,

Dec 11, 2020, 7:10:06 PM12/11/20

to

Greg Wooledge <woo...@eeg.ccf.org> writes:

> Even if you plan to use sudo for 99% of your administrative work,
> there's still no reason NOT to have a root password, for those emergency
> situations where you need one.

I've had the bitter taste of it when I had to salvage a virtual machine
for which I had lost access to my non-root account. You'd better have
the root password around.

unread,

Dec 12, 2020, 8:20:06 AM12/12/20

to

There is a question as to whether you want to set up a root account, I think.
If you choose not to, then you get a normal user account.

If you choose to set up a root user:
If you do _not_ set a root password, then the first user you set up is set up
with sudo. In Ubuntu, this is the default behaviour, for example.

I'll now need to go and check a standard (as distinct from an expert install)

All the very best,

Andy C

Brian

unread,

Dec 12, 2020, 8:50:06 AM12/12/20

to

On Sat 12 Dec 2020 at 13:15:41 +0000, Andrew M.A. Cater wrote:

> On Sat, Dec 12, 2020 at 01:03:55PM +0000, Brian wrote:
> > On Sat 12 Dec 2020 at 22:53:41 +1100, Keith Bainbridge wrote:
> >
> > > On 12/12/20 7:29 pm, Andrei POPESCU wrote:
> > > > > AND run sudo as root, for additional safety
> > > > Is this supposed to be ironic? I really can't tell.
> > >
> > >
> > > There was a detailed discussion here about sudo being a security issue
> > > on our systems. It appears to be default in debian 10, so most of us get
> > > it as default. I looked at replacing sudo.
> >
> > sudo is set up by default by the installer? You're sure?
> >
> > --
> > Brian.
> >
> There is a question as to whether you want to set up a root account, I think.
> If you choose not to, then you get a normal user account.
>
> If you choose to set up a root user:
> If you do _not_ set a root password, then the first user you set up is set up
> with sudo. In Ubuntu, this is the default behaviour, for example.

>From user-setup-udeb:

Template: passwd/root-login
Type: boolean
Default: true
Description: Allow login as root?
If you choose not to allow root to log in, then a user account will be
created and given the power to become root using the 'sudo' command.

> I'll now need to go and check a standard (as distinct from an expert install)

Default: true

--
Brian.

Alex Mestiashvili

unread,

Dec 12, 2020, 9:20:06 AM12/12/20

to

Not sure is that was already answered, since I lost track of the thread.
But resetting the root password is just matter of booting with root
partition it rw mode and init=/bin/bash isn't?

Marco Möller

unread,

Dec 12, 2020, 9:40:06 AM12/12/20

to

On 12.12.20 15:18, Alex Mestiashvili wrote:
> Not sure is that was already answered, since I lost track of the thread.
> But resetting the root password is just matter of booting with root
> partition it rw mode and init=/bin/bash isn't?

It is not even required to mount your disk from other hardware. Simply
boot to the grub menu and set this boot parameter:
init=/sbin/sulogin --force

As long as someone has physical access to the Debian carrying disk, you
can always break into the system! In this case for restoring your access
options, but of course in other cases this could also be used for evil
things.
In order to prevent the evil access option you need to activated disk
encryption. To my knowledge this cannot be bypassed as easily as simply
gaining root access on an unencrypted system. But of course, if you now
forget your decryption passphrase, then your system is gone for ever,
also no more accessible by mounting the disk in another system. If you
now would have a problem with the root password or sudo setup, you would
for sure still need the disk decryption passphrase, and only afterwards
could help yourself with the mentioned boot parameter.
Best wishes, Marco.

Alex Mestiashvili

unread,

Dec 12, 2020, 9:50:06 AM12/12/20

to

Hi thanks for the hint, never considered "/sbin/sulogin --force" so far,
good to know. I normally also set grub password, so one can't edit that
easily grub entries. And use full disk encryption for laptops.

Best,
Alex

Kenneth Parker

unread,

Dec 12, 2020, 11:40:05 AM12/12/20

to

On Sat, Dec 12, 2020, 8:16 AM Andrew M.A. Cater <amac...@einval.com> wrote:

On Sat, Dec 12, 2020 at 01:03:55PM +0000, Brian wrote:
> On Sat 12 Dec 2020 at 22:53:41 +1100, Keith Bainbridge wrote:
>
> > On 12/12/20 7:29 pm, Andrei POPESCU wrote:
> > > > AND run sudo as root, for additional safety
> > > Is this supposed to be ironic? I really can't tell.
> >
> >
> > There was a detailed discussion here about sudo being a security issue
> > on our systems. It appears to be default in debian 10, so most of us get
> > it as default. I looked at replacing sudo.
>
> sudo is set up by default by the installer? You're sure?
>
> --
> Brian.
>
There is a question as to whether you want to set up a root account, I think.
If you choose not to, then you get a normal user account.

If you choose to set up a root user:
If you do _not_ set a root password, then the first user you set up is set up
with sudo. In Ubuntu, this is the default behaviour, for example.

I use Ubuntu (as well as "pure Debian"). When I install Ubuntu, it does not even give an *option* for a Root Password. The Username that you give during Install goes into the Sudoers list (but not Users defined later). Since I have my own method of System Administration, one of the first things I do, after the first Reboot is "sudo passwd root" and, after completion, I am a happy camper.

I'll now need to go and check a standard (as distinct from an expert install)

I am setting up a Virtual Bullseye Cinnamon system later today. I will, also use "standard install". Between us, we should be able to answer followup questions.

All the very best,

Andy C

Thanks!

Kenneth Parker

Andrew M.A. Cater

unread,

Dec 12, 2020, 12:20:06 PM12/12/20

to

On a "normal" as opposed to an Advanced/expert install, it prompts you to give a password for a root user.
If you effectively tab through this, not setting a password at all, then you

get a normal user account.

Andy C

Brian

unread,

Dec 12, 2020, 12:50:06 PM12/12/20

to

On Sat 12 Dec 2020 at 17:13:53 +0000, Andrew M.A. Cater wrote:

> On a "normal" as opposed to an Advanced/expert install, it prompts you to give a password for a root user.
> If you effectively tab through this, not setting a password at all, then you
> get a normal user account.

Hardly surprising, given what user-setup-udeb is designed to do.

--
Brian.

Andrei POPESCU

unread,

Dec 12, 2020, 2:00:06 PM12/12/20

to

On Sb, 12 dec 20, 22:53:41, Keith Bainbridge wrote:
> On 12/12/20 7:29 pm, Andrei POPESCU wrote:
> > > AND run sudo as root, for additional safety
> > Is this supposed to be ironic? I really can't tell.
>
>
> There was a detailed discussion here about sudo being a security issue
> on our systems. It appears to be default in debian 10, so most of us get
> it as default. I looked at replacing sudo.
>
> I found an article that explained how to strengthen it by forcing sudo
> to require root password.

To my non-native understanding of English "run foo as root" usually
means one first gains root privileges (by whatever means) and then runs
that program with the elevated privileges.

In the context of the text you were replying to it seemed to me you
might just be ironic (though admittedly I did also consider you might be
referring to the 'targetpw' option in 'sudoers').

> If somebody breaks in, they now need my root password to execute
> commands that require root permissions (except a couple that I have
> given nopasswd privilege).

If a user's normal account is compromised most of what matters is
already compromised as well. The root access is just icing on the cake
and can be easily obtained with a keylogger (which an attacker would
need anyway for the all the other goodies).

https://xkcd.com/1200/

Otherwise a probably quite simple 'sudo' script[1] in ~/.local/bin
should do the trick as well: present a password prompt, save the
password somewhere safe, pretend to fail and then call the real
'sudo'[3].

After all, how many users are calling 'sudo' with the full path?

Instead I would suggest admin tasks should be performed from a dedicated
*normal* account, using sudo just for those commands that require
elevated privileges.

This provides some additional security, while also being slightly safer
from accidental mistakes than logging in as root directly.

[2] which by default is added to $PATH on Debian.
[1] If I'm bored enough I might just write such a script myself.
[3] and maybe deletes itself to remove traces

signature.asc

Brian

unread,

Dec 12, 2020, 3:20:06 PM12/12/20

to

On Sat 12 Dec 2020 at 20:51:26 +0200, Andrei POPESCU wrote:

> On Sb, 12 dec 20, 22:53:41, Keith Bainbridge wrote:
> > On 12/12/20 7:29 pm, Andrei POPESCU wrote:
> > > > AND run sudo as root, for additional safety
> > > Is this supposed to be ironic? I really can't tell.
> >
> >
> > There was a detailed discussion here about sudo being a security issue
> > on our systems. It appears to be default in debian 10, so most of us get
> > it as default. I looked at replacing sudo.
> >
> > I found an article that explained how to strengthen it by forcing sudo
> > to require root password.
>
> To my non-native understanding of English "run foo as root" usually
> means one first gains root privileges (by whatever means) and then runs
> that program with the elevated privileges.

That is my understanding too.

> In the context of the text you were replying to it seemed to me you
> might just be ironic (though admittedly I did also consider you might be
> referring to the 'targetpw' option in 'sudoers').

Keith Bainbridge argument begins with a complete misunderstanding of
the role of sudo in the installer. It then mentions an article that
is not referenced. Two fails.

--
Brian.

deloptes

unread,

Dec 12, 2020, 6:50:05 PM12/12/20

to

Alex Mestiashvili wrote:

> Not sure is that was already answered, since I lost track of the thread.
> But resetting the root password is just matter of booting with root
> partition it rw mode and init=/bin/bash isn't?

yes, it is - more problematic is the password of the encrypted drive - you
really have to memorize it good, or write it down and lock it in the safe

Andrei POPESCU

unread,

Dec 14, 2020, 6:20:06 AM12/14/20

to

Package: release-notes
X-Debbugs-CC: debia...@lists.debian.org

Dear Release Notes Maintainers,

Some text based on below would make sense for the Release Notes for
buster. If agreed I'll try to come up with a wording.

On Lu, 07 dec 20, 10:11:48, Greg Wooledge wrote:
> On Sat, Dec 05, 2020 at 12:41:57PM +0200, Andrei POPESCU wrote:
> > On Vi, 04 dec 20, 08:09:44, Greg Wooledge wrote:
> > > I am also going to guess that Deepin, like Ubuntu, defaults to giving
> > > you a user account with sudo access, and no root password. You can
> > > achieve that in Debian as well, by doing something special during the
> > > installation. In all cases, it's a stupid idea and you shouldn't do it.
> >
> > This is a pretty strong (and harsh!) statement. Care to expand on the
> > reasons?
>
> It prevents access to single-user mode. The fact that Debian (and
> these others?) still puts a single-user mode entry into the GRUB menu,
> knowing that it won't work, is just adding insult to injury.

A web search found #802211[1].

Short version:

For systemd >= 240 (buster[2]) run as root

systemctl edit rescue.service

and add:

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1

(see /usr/share/doc/systemd/ENVIRONMENT.md.gz)

The 'rescue.service' is started by systemd in case it detects 'single'
on the kernel command line (see systemd(1)).

You might want to do the same for 'emergency.service' as well (or
instead), since this service is started *automatically* in case of
certain errors (see systemd.special(7)) or if you add 'emergency' to the
kernel command line (e.g. if you can't fix your system via the 'rescue'
service).

An untested patch to the Debian Installer exists to add both snippets if
the user chooses to leave the root password blank.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
[2] see the bug for another snippet that should work for squeeze or
earlier.

signature.asc

nickgeovanis

unread,

Dec 14, 2020, 7:40:07 AM12/14/20

to

Thanks Andrei.

Alexander V. Makartsev

unread,

Mar 21, 2021, 4:50:04 AM3/21/21

to

On 21.03.2021 12:40, Andrei POPESCU wrote:

[Bcc: debian-boot]

Dear Debian-User subscribers,

The Release Notes editor is asking whether this is still an issue for 
bullseye (i.e. if the patch to Debian Installer mentioned below was 
applied in the meantime).

It will be a while until I get to check that. If someone can confirm 
either way please write to #977358.

Full quote below for context.

Thanks,
Andrei

This is still an issue for bullseye. Patch was not applied, but solution works if you apply it manually after OS installation.
I've tested it on latest weekly build (debian-testing-amd64-netinst.iso).

-- 
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀