Name

emergency-login — perform emergency mode login

Synopsis

emergency-login

Description

emergency-login is a very simple login program that is designed to operate in the emergency startup mode (see system-control(1) and the emergency and rescue modes section of the nosh Guide) and to simply verify the password of the superuser account, if the system account database is not broken.

Its function is restricted compared to the usual login-envuidgid(1) or login(1) programs:

  • It presents a very simple "glass TTY" user interface, suitable for even completely dumb TeleType Model 37 terminals, that makes no use of any escape or control sequences and relies entirely upon the terminal device line discipline for editing functions and not echoing passwords.

  • It communicates entirely through its standard input and output, which it presumes are open to the terminal to log on to, and does not attempt to open its controlling terminal device. It makes no attempt to become a session or process group leader, and does not call setlogin(2).

  • It does not use PAM or the login.conf(5) subsystem. It presents a single, one-time, hardwired prompt for a password that never times out. It has no "hushlogin", "nologin", or "welcome" mechanisms, configurable prompts, or configurable retry/timeout settings.

  • It uses only the system account database, and accesses it directly through the endpwent(3), endspent(3), getpwuid(3) and getspnam(3) library functions. Networking, NIS, and even nscd(1) are presumed unavailable in emergency mode.

  • It only allows login as the superuser. It looks up the account database entry by the superuser user name root, and if that does not result in an entry with user ID 0 it falls back to looking up the account database entry by the superuser ID 0.

    Note

    If more than one record in the database has the superuser ID, which record's password and shell are used depends on how the getpwuid(3) library function works. FreeBSD and NetBSD as standard have both root and toor accounts, each with user ID 0, but with different passwords and different shells. Because their system account databases are indexed Berkeley DB databases, superuser accounts are not necessarily enumerated in the order that they occur in /etc/master.passwd when looking up by ID 0.

    Caution

    If it is not actually run as the superuser, the password verification check will always fail. It is not a set-UID program, and expects to already be running as the superuser.

  • It fails open in the event of a missing password (or shadow) file. If getpwuid(3) (or getspnam(3)) fails for some reason, it issues no prompt and acts as if the correct password had been entered.

    Caution

    Emergency mode is a last resort system repair mode. If the system account database is broken, failing open enables it to be fixed. Do not conflate emergency mode with rescue mode, where the system account database is required to be functional and login fails closed if it is not so.

  • It does not record anything in the accounting logs. The filesystem containing them might not be mounted in emergency mode, or might be mounted read-only. For that and other reasons, it does not use syslog(3).

  • It ignores any secure settings in the ttys(5) database (if the operating system has one).

    Caution

    The terminal is presumed to be a "secure" terminal that permits direct log-on by the superuser. Do not invoke emergency-login on non-"secure" terminals.

  • It ignores all settings in the account database relating to password expiry.

  • It tries hard to execute a shell. If it cannot execute the shell listed in the account record (or that field is blank), it attempts to fall back to the program denoted by the SHELL environment variable, or the program hardwired as the platform's _PATH_BSHELL setting at compilation time.

  • It does not tell the shell that it is a login shell, in order that the shell does not attempt to source "profile" or "login" scripts that may not be appropriate for emergency mode.

  • It tells the shell that its name is "sh". This should invoke the POSIX-conformant mode of the shell, which for non-login shells must only look at the "rc" file denoted by the ENV environment variable. Since it does not set this environment variable, the shell should not attempt to source "rc" scripts that may not be appropriate for emergency mode.

  • It alters no environment variables at all, and does not attempt to change into a home directory.
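
The superuser lookup order and the fail-open case described in the list above can be modelled as below, for auditing which record's password and shell a given account database would yield. This is an added example, not code from emergency-login: select_superuser, parse_line and the sample records are hypothetical, and it parses constructed passwd(5)-style lines instead of calling getpwuid(3). It assumes unique account names and file-order lookup by ID, and models only the account record lookup, not the shadow lookup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum outcome { PROMPT_FOR_PASSWORD, FAIL_OPEN_NO_PROMPT };
struct record { char name[32]; long uid; char shell[64]; };
/* Constructed sample databases in passwd(5) layout, not from a real system. */
static const char *const BSD_STYLE[] = { "toor:*:0:0::/root:/bin/sh", "root:*:0:0::/root:/bin/csh" };
static const char *const RENAMED[] = { "root:*:1000:1000::/home/root:/bin/sh",
                                       "admin:*:0:0::/root:/bin/ksh" };
static const char *const BROKEN[] = { "root:*:zero", "garbage" };

/* Split name:pw:uid:gid:gecos:home:shell by hand; strtok() would skip empty fields. */
static int parse_line(const char *line, struct record *r)
{
    char buf[256], *f[7], *p = buf, *end;
    int n = 0;
    snprintf(buf, sizeof buf, "%s", line);
    f[n++] = p;
    while (n < 7 && (p = strchr(p, ':')) != NULL) { *p++ = '\0'; f[n++] = p; }
    if (n < 7) return -1;                          /* too few fields */
    r->uid = strtol(f[2], &end, 10);
    if (end == f[2] || *end != '\0') return -1;    /* UID is not a number */
    snprintf(r->name, sizeof r->name, "%s", f[0]);
    snprintf(r->shell, sizeof r->shell, "%s", f[6]);
    return 0;
}

/* Assumed model: root with UID 0, else first UID 0 record in file order, else fail open. */
enum outcome select_superuser(const char *const *db, size_t n, struct record *out)
{
    struct record r, by_uid = {"", 0, ""};
    int have_uid = 0;
    for (size_t i = 0; i < n; i++) {
        if (parse_line(db[i], &r) != 0 || r.uid != 0) continue; /* unreadable or not superuser */
        if (strcmp(r.name, "root") == 0) { *out = r; return PROMPT_FOR_PASSWORD; }
        if (!have_uid) { by_uid = r; have_uid = 1; }
    }
    if (have_uid) *out = by_uid;
    return have_uid ? PROMPT_FOR_PASSWORD : FAIL_OPEN_NO_PROMPT;
}

int main(void)
{
    struct record r = {"", 0, ""};
    if (select_superuser(BSD_STYLE, 2, &r) == PROMPT_FOR_PASSWORD)
        printf("prompt for %s, then run %s\n", r.name, r.shell);
    return 0;
}
```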

Author

Jonathan de Boyne Pollard