emergency-login — perform emergency mode login
emergency-login
emergency-login is a very simple login program that is designed to operate in the emergency startup mode (see system-control(1) and the emergency and rescue modes section of the nosh Guide) and to simply verify the password of the superuser account, if the system account database is not broken.
Its function is restricted compared to the usual login-envuidgid(1) or login(1) programs:
It presents a very simple "glass TTY" user interface, suitable for even completely dumb TeleType Model 37 terminals, that makes no use of any escape or control sequences and relies entirely upon the terminal device line discipline for editing functions and not echoing passwords.
It communicates entirely through its standard input and output, which it presumes are open to the terminal to log on to, and does not attempt to open its controlling terminal device. It makes no attempt to become a session or process group leader, and does not call setlogin(2).
It does not use PAM or the login.conf(5) subsystem. It presents a single, one-time, hardwired prompt for a password that never times out. It has no "hushlogin", "nologin", or "welcome" mechanisms, configurable prompts, or configurable retry/timeout settings.
It only uses the system account database and access to that is directly through the endpwent(3), endspent(3), getpwuid(3) and getspnam(3) library functions. Networking, NIS, and even nscd(1) are presumed unavailable in emergency mode.
It only allows login as the superuser.
It looks up the account database entry by the superuser user name root, and if that does not result in an entry with user ID 0 it falls back to looking up the account database entry by the superuser ID 0.
root and toor accounts both with user ID 0, but with different passwords and different shells.
Because their system account databases are indexed Berkeley DB databases, superuser accounts are not necessarily enumerated in the order that they occur in /etc/master.passwd when looking up by ID 0.
It fails open in the event of a missing password (or shadow) file. If getpwuid(3) (or getspnam(3)) fails for some reason, it issues no prompt and acts as if the correct password had been entered.
It does not record anything in the accounting logs. The filesystem containing them might not be mounted in emergency mode, or might be mounted read-only. For that and other reasons, it does not use syslog(3).
It ignores any secure settings in the ttys(5) database (if the operating system has one).
It ignores all settings in the account database relating to password expiry.
It tries hard to execute a shell.
If it cannot execute the shell listed in the account record (or that field is blank), it attempts to fall back to the program denoted by the SHELL environment variable, or the program hardwired as the platform's _PATH_BSHELL setting at compilation time.
It does not tell the shell that it is a login shell, in order that the shell does not attempt to source "profile" or "login" scripts that may not be appropriate for emergency mode.
It tells the shell that its name is "sh".
This should invoke the POSIX-conformant mode of the shell, which for non-login shells must only look at the "rc" file denoted by the ENV environment variable.
Since it does not set this environment variable, the shell should not attempt to source "rc" scripts that may not be appropriate for emergency mode.
It alters no environment variables at all, and does not attempt to change into a home directory.
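The lookup order, fail-open rule and shell fallback listed above can be checked ahead of time against copies of the account files. The following Python is an added example, not code from emergency-login or the nosh project; it assumes Linux-style passwd(5) and shadow(5) text files, models the user ID lookup as first match in file order, and uses constructed sample data and a hypothetical predict function.

```python
# Constructed sample databases in passwd(5)/shadow(5) text format (not from a real system).
SAMPLE_PASSWD = (
    "toor:x:0:0:alternate superuser:/root:/bin/bash\n"
    "root:x:0:0:superuser:/root:\n"
    "daemon:x:1:1:daemon:/:/usr/sbin/nologin\n"
)
SAMPLE_SHADOW = "toor:$6$constructed$placeholder:19000:0:99999:7:::\n"


def rows(text, min_fields):
    """Split colon-separated account records, skipping blank and short lines."""
    out = [line.split(":") for line in text.splitlines() if line.strip()]
    return [f for f in out if len(f) >= min_fields]


def predict(passwd_text, shadow_text):
    """Model the lookup order described above and report what would happen."""
    accounts = [{"name": f[0], "uid": f[2], "shell": f[6]} for f in rows(passwd_text, 7)]
    shadowed = {f[0] for f in rows(shadow_text, 2)}
    uid0 = [a for a in accounts if a["uid"] == "0"]
    findings = []
    if len(uid0) > 1:
        findings.append("multiple uid 0 accounts: " + ", ".join(a["name"] for a in uid0))
    # Step 1: look up by the name "root"; accept it only if it has user ID 0.
    by_name = next((a for a in accounts if a["name"] == "root"), None)
    if by_name and by_name["uid"] == "0":
        chosen, via = by_name, "name"
    else:
        # Step 2: fall back to user ID 0. File order is assumed here; the page
        # notes that indexed databases need not return entries in that order.
        chosen, via = (uid0[0] if uid0 else None), "uid"
    if chosen is None:
        findings.append("no uid 0 entry: no prompt, login proceeds (fails open)")
        return {"account": None, "via": via, "fails_open": True, "findings": findings}
    fails_open = chosen["name"] not in shadowed
    if fails_open:
        findings.append("no shadow entry for %s: no prompt, login proceeds (fails open)" % chosen["name"])
    if not chosen["shell"]:
        findings.append("blank shell field: falls back to $SHELL, then _PATH_BSHELL")
    return {"account": chosen["name"], "via": via, "fails_open": fails_open, "findings": findings}


if __name__ == "__main__":
    print(predict(SAMPLE_PASSWD, SAMPLE_SHADOW))
```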