sulogin: Read SYSTEMD_SULOGIN_FORCE from kernel cmdline

This allows setting it on the kernel cmdline and having it work
automatically without having to write any dropins or such.

Also enable the option in mkosi so that we can debug the initrd
properly with a locked root account.

diff --git a/mkosi.conf.d/10-systemd.conf b/mkosi.conf.d/10-systemd.conf
index a19d464a09aa6d710fbe49a840e29f8ce05d95e9..d82a59dd036d75e9b3ba78ed598767a3041dfa26 100644 (file)
--- a/mkosi.conf.d/10-systemd.conf
+++ b/mkosi.conf.d/10-systemd.conf
@@ -28,3 +28,5 @@ KernelCommandLineExtra=systemd.crash_shell
                        printk.devkmsg=on
                        # Tell networkd to manage the ethernet interface.
                        ip=enp0s1:any
+                       # Make sure sulogin works even with a locked root account.
+                       SYSTEMD_SULOGIN_FORCE=1

diff --git a/src/sulogin-shell/sulogin-shell.c b/src/sulogin-shell/sulogin-shell.c
index 87eed541f06974aea0f70409c37d0f5059262205..e81bb527ff8a524aec1128d6ac99898abc0f0fd4 100644 (file)
--- a/src/sulogin-shell/sulogin-shell.c
+++ b/src/sulogin-shell/sulogin-shell.c
@@ -17,6 +17,7 @@
 #include "log.h"
 #include "main-func.h"
 #include "process-util.h"
+#include "proc-cmdline.h"
 #include "signal-util.h"
 #include "special.h"
 #include "unit-def.h"
@@ -116,6 +117,7 @@ static int run(int argc, char *argv[]) {
                 NULL,             /* --force */
                 NULL
         };
+        bool force = false;
         int r;
 
         log_setup();
@@ -123,6 +125,18 @@ static int run(int argc, char *argv[]) {
         print_mode(argc > 1 ? argv[1] : "");
 
         if (getenv_bool("SYSTEMD_SULOGIN_FORCE") > 0)
+                force = true;
+
+        if (!force) {
+                /* We look the argument in the kernel cmdline under the same name as the environment variable
+                 * to express that this is not supported at the same level as the regular kernel cmdline
+                 * switches. */
+                r = proc_cmdline_get_bool("SYSTEMD_SULOGIN_FORCE", &force);
+                if (r < 0)
+                        log_debug_errno(r, "Failed to parse SYSTEMD_SULOGIN_FORCE from kernel command line, ignoring: %m");
+        }
+
+        if (force)
                 /* allows passwordless logins if root account is locked. */
                 sulogin_cmdline[1] = "--force";