I wanted a stronger password for sudo than the lockscreen code, so I set the root password like this:
sudo passwd
Then I created the file /etc/sudoers.d/purism
with this:
Defaults rootpw
But, now when I try to sudo I get sudo: account validation failure, is your account locked?
I’m thinking that I will probably have to reflash the device at this point but if there’s any other way out of it then I would rather do that. Any suggestions?
You might still be able to rescue it without reflashing if you mount the disk from another computer using Jumpdrive, then use chroot
and fix things from there.
I’ll give that a try. What’s the boot order? Will it boot from SD first?
I don’t know about boot order, what I meant with my suggestion was not to boot the L5 but to access its disk from another computer in order to change passwords and sudoers files and things like that. Then after that you would boot the L5 again normally. You would not need to change anything regarding boot order, I think…
I ended up just reflashing the device.
No. That is not currently even an option.
@Skalman has the right answer: Jumpdrive.
So, with the right boot incantation, you connect your Librem 5 to a Linux host via USB and boot the Librem 5 over USB - and the software to load over USB is Jumpdrive. Once Jumpdrive is booted on the Librem 5 it exposes your eMMC drive (and the uSD card if present) as USB disks (block devices) to the Linux host. With that done, you mount the eMMC drive on the Linux host and then you can fix up the sudoers
file or most other files on the Librem 5’s eMMC drive.
(The procedure is basically the same as reflashing except the software that you boot over USB is different. Either way, it can get you out of tight spot if the content of the eMMC drive is stuffed up. The difference is of course that reflashing nukes everything, so sooner or later you are going to want to try Jumpdrive, if you are a bit of a tinkerer.)
I think your problem is that the root account is by default disabled (expired and/or locked) on most distros in the Debian family. Refer: Expired root account
There are some reasons to keep the root account disabled.
That in and of itself sounds like a good idea. You can have a stronger password for the lockscreen but that could be quite tedious. You can also prevent purism
from doing sudo
at all (and do all your sudo
work from a different user) but that would surely cause other problems.