How can I secure the dracut shell?

asciiphil asked:

When there are errors during the initrd part of a system boot, dracut will drop to a shell (so you can fix things). Is there a way to require a password before going into the shell, in the manner that Debian’s initramfs-tools rescue shell works?

I have several Fedora machines (currently Fedora 17, soon to be Fedora 20) run in a public lab environment. One of them had an fsck error today and dropped to the the rescue shell. Someone tried to use the system before I got to it (and, fortunately, didn’t hit any of the commands available in the rescue shell). I’d like to prevent a recurrence.

My answer:

This occurs when the emergency shell is enabled. This debugging shell is spawned when dracut is unable to mount the root filesystem. Since the passwords are on the root filesystem, authentication isn’t really possible at this early stage.

Check the kernel command line for This option should be set to 0 or be absent, to disable the emergency shell.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.