[system-administrators-guide] Resetting the root password
stephenw
stephenw at fedoraproject.org
Thu Jan 15 20:58:46 UTC 2015
commit b7e769cb09be970023ba4a7633636fbc32fcd7a5
Author: Stephen Wadeley <swadeley at redhat.com>
Date: Thu Jan 15 21:56:53 2015 +0100
Resetting the root password
Improving, and adding the rd.break method
en-US/Working_with_the_GRUB_2_Boot_Loader.xml | 125 +++++++++++++++++++++++--
1 files changed, 116 insertions(+), 9 deletions(-)
---
diff --git a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
index 45fe966..7185dec 100644
--- a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
+++ b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
@@ -725,8 +725,10 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
<para>
Note that in GRUB 2, resetting the password is no longer performed in single-user mode as it was in GRUB included in Fedora 15 and Red Hat Enterprise Linux 6. The <systemitem class="username">root</systemitem> password is now required to operate in <literal>single-user</literal> mode as well as in <literal>emergency</literal> mode.
</para>
- <procedure>
- <title>Resetting the Root Password</title>
+ <para>
+ Two procedures for changing the <systemitem class="username">root</systemitem> password are shown here. The <xref linkend="proc-Resetting_the_Root_Password_Using_bin_sh" /> procedure creates a chrooted shell using <command>init=/bin/sh</command>. It is the shorter of the two procedures and does not require an SELinux relabel. But this procedure will not work if you have a USB keyboard, encrypted file systems, and does not work in certain virtual machines or systems. The <xref linkend="proc-Resetting_the_Root_Password_Using_rd.break" /> procedure makes use of <command>rd.break</command> to interrupt the boot process before control is passed from <systemitem>initramfs</systemitem> to <systemitem class="service">systemd</systemitem>. The disadvantage of this method is that you have to then change <systemitem class="username">root</systemitem> using the <command>sysroot</command> command.</para>
+ <procedure id="proc-Resetting_the_Root_Password_Using_bin_sh">
+ <title>Resetting the Root Password Using /bin/sh</title>
<step>
<para>
Start the system and, on the GRUB 2 boot screen, press the <keycap>e</keycap> key for edit.
@@ -754,10 +756,13 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
<para>
The Linux <package>kernel</package> will run the <application>/bin/sh</application> shell rather than the system <systemitem class="daemon">init</systemitem> daemon. Therefore, some functions may be limited or missing.
</para>
+ <para>
+ Note that if a console is specified, the <systemitem>initramfs</systemitem> prompt will appear on the last console specified on the Linux line.
+ </para>
</step>
<step>
<para>
- Press <keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo> to boot the system with the parameter.
+ Press <keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo> to boot the system with the changed parameters.
</para>
<para>
The shell prompt appears.
@@ -767,7 +772,7 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
<para>
<!-- Add this step as a result of https://bugzilla.redhat.com/show_bug.cgi?id=1045574#c11 -->
To preserve the SELinux context of the files that are to be modified, load the SELinux policy into the kernel. Use the <option>-i</option> option as this is the first time the policy is being loaded since boot:
- <screen>~]# <command>/usr/sbin/load_policy -i</command></screen>
+ <screen>sh-4.2# <command>/usr/sbin/load_policy -i</command></screen>
</para>
</step>
<step>
@@ -776,12 +781,12 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
</para>
<para>
Remount the file system as writable:
- <screen>~]# <command>mount -o remount, rw /</command></screen>
+ <screen>~]# <command>mount -o remount,rw /</command></screen>
</para>
</step>
<step>
<para>
- Run the <command>passwd</command> command and follow the instructions displayed on the command line to change the <systemitem class="username">root</systemitem> password.
+ Enter the <command>passwd</command> command and follow the instructions displayed on the command line to change the <systemitem class="username">root</systemitem> password.
</para>
<para>
Note that if the system is not writable, the <application>passwd</application> tool fails with the following error:
@@ -791,19 +796,121 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
<step>
<para>
Remount the file system as read only:
- <screen>~]# <command>mount -o remount, ro /</command></screen>
+ <screen>~]# <command>mount -o remount,ro /</command></screen>
</para>
</step>
<step>
<para>
- Run the <command>exec /sbin/init</command> command to resume the initialization and finish the system boot.
+ Enter the <command>exec /sbin/init</command> command to resume the initialization and finish the system boot.
</para>
<para>
Running the <command>exec</command> command with another command specified replaces the shell and creates a new process; <systemitem class="daemon">init</systemitem> in this case.
</para>
</step>
</procedure>
- </section>
+ <procedure id="proc-Resetting_the_Root_Password_Using_rd.break">
+ <title>Resetting the Root Password Using rd.break</title>
+ <step>
+ <para>
+ Start the system and, on the GRUB 2 boot screen, press the <keycap>e</keycap> key for edit.
+ </para>
+ </step>
+ <step>
+ <para>
+ Remove the <option>rhgb</option> and <option>quiet</option> parameters from the end, or near the end, of the <literal>linux16</literal> line, or <literal>linuxefi</literal> on UEFI systems.
+ </para>
+ <para>
+ Press <keycombo><keycap>Ctrl</keycap><keycap>a</keycap></keycombo> and <keycombo><keycap>Ctrl</keycap><keycap>e</keycap></keycombo> to jump to the start and end of the line, respectively. On some systems, <keycap>Home</keycap> and <keycap>End</keycap> might also work.
+</para>
+
+ <important>
+ <para>
+ The <option>rhgb</option> and <option>quiet</option> parameters must be removed in order to enable system messages.
+ </para>
+ </important>
+ </step>
+ <step>
+ <para>
+ Add the following parameter at the end of the <literal>linux16</literal> or <literal>linuxefi</literal> on UEFI systems:
+ </para>
+ <screen>rd.break</screen>
+ <para>
+ The <systemitem>initramfs</systemitem> will stop before passing control to the Linux <package>kernel</package>, enabling you to work with the <systemitem class="username">root</systemitem> file system.
+ </para>
+ <para>
+ Note that the <systemitem>initramfs</systemitem> prompt will appear on the last console specified on the Linux line.
+ </para>
+ </step>
+ <step>
+ <para>
+ Press <keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo> to boot the system with the changed parameters.
+ </para>
+ <para>
+ With an encrypted system file system, a password is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press the <keycap>Backspace</keycap> key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.
+ </para>
+ <para>
+ The <systemitem>initramfs</systemitem> <systemitem class="username">switch_root</systemitem> prompt appears.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ The file system is mounted read-only on <filename class="directory">/sysroot/</filename>. You will not be allowed to change the password if the file system is not writable.
+ </para>
+ <para>
+ Remount the file system as writable:
+ <screen>switch_root:/# <command>mount -o remount,rw /sysroot </command></screen>
+ </para>
+ </step>
+ <step>
+ <para>
+ The file system is remounted with write enabled.
+ </para>
+ <para>
+ Change the file system's <systemitem class="username">root</systemitem> as follows:
+ <screen>sh-4.2# <command>chroot /sysroot</command></screen>
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Enter the <command>passwd</command> command and follow the instructions displayed on the command line to change the <systemitem class="username">root</systemitem> password.
+ </para>
+ <para>
+ Note that if the system is not writable, the <application>passwd</application> tool fails with the following error:
+ </para>
+ <screen>Authentication token manipulation error</screen>
+ </step>
+ <step>
+ <para>
+Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command:
+<screen>sh-4.2# <command>touch /.autorelabel</command></screen>
+</para>
+</step>
+ <step>
+ <para>
+ Remount the file system as read only:
+ <screen>sh-4.2# <command>mount -o remount,ro /</command></screen>
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Enter the <command>exit</command> command to exit the <command>chroot</command> environment.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Enter the <command>exit</command> command again to resume the initialization and finish the system boot. Note that the SELinux relabeling process can take a long time and a system reboot will occur when complete.
+ </para>
+ <para>
+ With an encrypted system file system, a pass word or phrase is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press and hold the <keycap>Backspace</keycap> key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.
+ </para>
+ </step>
+ </procedure>
+
+ </section>
</section>
More information about the docs-commits
mailing list