[system-administrators-guide] Update to "Resetting root password"

stephenw stephenw at fedoraproject.org
Wed Mar 4 07:55:34 UTC 2015


commit 271650cdb072474b467fad714ac2fb63b21bb9ca
Author: Stephen Wadeley <swadeley at redhat.com>
Date:   Wed Mar 4 08:41:38 2015 +0100

    Update to "Resetting root password"
    
    replace bin/sh method with boot disk method

 en-US/Working_with_the_GRUB_2_Boot_Loader.xml |  103 ++++++++++++-------------
 1 files changed, 50 insertions(+), 53 deletions(-)
---
diff --git a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
index 8c62014..f59a3b6 100644
--- a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
+++ b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
@@ -726,93 +726,79 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
 		<title>Changing and Resetting the Root Password</title>
 		<para>
 			Setting up the <systemitem class="username">root</systemitem> password is a mandatory part of the Fedora installation. If you forget or lose the <systemitem class="username">root</systemitem> password it is possible to reset it, however users who are members of the wheel group can change the <systemitem class="username">root</systemitem> password as follows:
-      <screen>~$ <command>sudo passwd root</command></screen>
+      <screen>~]$ <command>sudo passwd root</command></screen>
 		</para>
 		<para>
 			Note that in GRUB 2, resetting the password is no longer performed in single-user mode as it was in GRUB included in Fedora 15 and Red&nbsp;Hat Enterprise&nbsp;Linux&nbsp;6. The <systemitem class="username">root</systemitem> password is now required to operate in <literal>single-user</literal> mode as well as in <literal>emergency</literal> mode.
 		</para>
     <para>
-      Two procedures for changing the <systemitem class="username">root</systemitem> password are shown here. The <xref linkend="proc-Resetting_the_Root_Password_Using_bin_sh" /> procedure creates a shell, in a changed <systemitem class="username">root</systemitem> environment, using <command>init=/bin/sh</command>. It is the shorter of the two procedures and does not require an SELinux relabel, which can be time consuming. But this procedure will not work if you have a USB keyboard, encrypted file systems, and does not work in certain virtual machines or systems. The <xref linkend="proc-Resetting_the_Root_Password_Using_rd.break" /> procedure makes use of <command>rd.break</command> to interrupt the boot process before control is passed from <systemitem>initramfs</systemitem> to <systemitem class="service">systemd</systemitem>. The disadvantage of this method is that you have to then change <systemitem class="username">root</systemitem> using the <command>sysroot</command> 
 command.</para>
-		<procedure id="proc-Resetting_the_Root_Password_Using_bin_sh">
-		<title>Resetting the Root Password Using /bin/sh</title>
+      Two procedures for resetting the <systemitem class="username">root</systemitem> password are shown here:</para>
+      <itemizedlist>
+      <listitem>
+      <para>
+      <xref linkend="proc-Resetting_the_Root_Password_Using_an_Installation_Disk" /> takes you to a shell prompt, without having to edit the grub menu. It is the shorter of the two procedures and it is also the recommended method. You can use a server boot disk or a netinstall installation disk.
+      </para>
+      </listitem>
+      <listitem>
+      <para>
+      <xref linkend="proc-Resetting_the_Root_Password_Using_rd.break" /> makes use of <command>rd.break</command> to interrupt the boot process before control is passed from <systemitem>initramfs</systemitem> to <systemitem class="service">systemd</systemitem>. The disadvantage of this method is that it requires more steps, includes having to edit the GRUB menu, and involves choosing between a possibly time consuming SELinux file relabel or changing the SELinux enforcing mode and then restoring the SELinux security context for <filename>/etc/shadow/</filename> when the boot completes.
+      </para>
+      </listitem>
+      </itemizedlist>
+		<procedure id="proc-Resetting_the_Root_Password_Using_an_Installation_Disk">
+		<title>Resetting the Root Password Using an Installation Disk</title>
 			<step>
 				<para>
-					Start the system and, on the GRUB 2 boot screen, press the <keycap>e</keycap> key for edit.
+					Start the system and when BIOS information is displayed, select the option for a boot menu and select to boot from the installation disk.
 				</para>
 			</step>
       <step>
         <para>
-          Remove the <option>rhgb</option> and <option>quiet</option> parameters from the end, or near the end, of the <literal>linux16</literal> line, or <literal>linuxefi</literal> on UEFI systems.
+          Choose <guimenuitem>Troubleshooting</guimenuitem>.
         </para>
-      <para>
-  Press <keycombo><keycap>Ctrl</keycap><keycap>a</keycap></keycombo> and <keycombo><keycap>Ctrl</keycap><keycap>e</keycap></keycombo> to jump to the start and end of the line, respectively. On some systems, <keycap>Home</keycap> and <keycap>End</keycap> might also work.
-</para>
-
-		<important>
-					<para>
-						The <option>rhgb</option> and <option>quiet</option> parameters must be removed in order to enable system messages.
-					</para>
-				</important>
 			</step>
 			<step>
 				<para>
-					Add the following parameter at the end of the <literal>linux16</literal> line, or <literal>linuxefi</literal> on UEFI systems:
-				</para>
-					<screen>init=/bin/sh</screen>
-				<para>
-					The Linux <package>kernel</package> will run the <application>/bin/sh</application> shell rather than the system <systemitem class="daemon">init</systemitem> daemon. Therefore, some functions may be limited or missing.
+          Choose <guimenuitem>Rescue a Fedora-Server System</guimenuitem>.
 				</para>
-       <para>
-          Note that if a console is specified, the <systemitem>initramfs</systemitem> prompt will appear on the last console specified on the Linux line. 
+			</step>
+      <step>
+        <para>
+          Choose <guimenuitem>Continue</guimenuitem> which is the default option. At this point you will be promoted for a passphrase if an encrypted file system is found. 
         </para>
 			</step>
 			<step>
 				<para>
-					Press <keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo> to boot the system with the changed parameters.
-				</para>
-				<para>
-					The shell prompt appears.
+					Press <keycap>OK</keycap> to acknowledge the information displayed until the shell prompt appears.
 				</para>
 			</step>
 			<step>
-			 <para>
-			<!-- Add this step as a result of https://bugzilla.redhat.com/show_bug.cgi?id=1045574#c11 -->
-			To preserve the SELinux context of the files that are to be modified, load the SELinux policy into the kernel. Use the <option>-i</option> option as this is the first time the policy is being loaded since boot:
-			<screen>sh-4.2#&nbsp;<command>/usr/sbin/load_policy -i</command></screen>
-			</para>
-			</step>
-			<step>
 				<para>
-					The file system is mounted read-only. You will not be allowed to change the password if the file system is not writable.
-				</para>
-				<para>
-					Remount the file system as writable:
-			<screen>~]#&nbsp;<command>mount -o remount,rw /</command></screen>
+					Change the file system <systemitem class="username">root</systemitem> as follows:
+			<screen>sh-4.2#&nbsp;<command>chroot /mnt/sysimage</command></screen>
 				</para>
 			</step>
 			<step>
 				<para>
 					Enter the <command>passwd</command> command and follow the instructions displayed on the command line to change the <systemitem class="username">root</systemitem> password.
 				</para>
-				<para>
-					Note that if the system is not writable, the <application>passwd</application> tool fails with the following error:
-				</para>
-<screen>Authentication token manipulation error</screen>
 			</step>
       <step>
         <para>
-					Remount the file system as read only:
-          <screen>~]#&nbsp;<command>mount -o remount,ro /</command></screen>
+					Remove the <filename>autorelable</filename> file to prevent a time consuming SELinux relabel of the disk:
+          <screen>sh-4.2#&nbsp;<command>rm -f /.autorelabel</command></screen>
         </para>
       </step>
       <step>
-				<para>
-					Enter the <command>exec /sbin/init</command> command to resume the initialization and finish the system boot.
+      	<para>
+	        Enter the <command>exit</command> command to exit the <command>chroot</command> environment.
 				</para>
+       </step>
+      <step>
 				<para>
-					Running the <command>exec</command> command with another command specified replaces the shell and creates a new process; <systemitem class="daemon">init</systemitem> in this case.
-				</para>
-			</step>
+	        Enter the <command>exit</command> command again to resume the initialization and finish the system boot.
+         </para>
+       </step>
 		</procedure>
         <procedure id="proc-Resetting_the_Root_Password_Using_rd.break">
 		<title>Resetting the Root Password Using rd.break</title>
@@ -837,9 +823,10 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
 			</step>
 			<step>
 				<para>
-					Add the following parameter at the end of the <literal>linux16</literal> or <literal>linuxefi</literal> on UEFI systems:
-				</para>
-					<screen>rd.break</screen>
+					Add the following parameters at the end of the <literal>linux</literal> line on 64-Bit IBM Power Series, the <literal>linux16</literal> line on x86-64 BIOS-based systems, or the <literal>linuxefi</literal> line on UEFI systems:
+					<screen>rd.break enforcing=0</screen>
+          Adding the <option>enforcing=0</option> option enables omitting the time consuming SELinux relabeling process.
+          </para>
 				<para>
 					The <systemitem>initramfs</systemitem> will stop before passing control to the Linux <package>kernel</package>, enabling you to work with the <systemitem class="username">root</systemitem> file system.
 				</para>
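Review bot: The sentence added after <screen>rd.break enforcing=0</screen> presents enforcing=0 as part of the parameters every reader adds, without saying that the system then comes up with SELinux not enforcing until the last step of the procedure turns it back on. A reader who follows the step as written and later still runs touch /.autorelabel gets both the relabel and a non-enforcing boot. Suggest marking enforcing=0 as optional here, stating that it is an alternative to the relabel, and linking to the final step that runs setenforce 1.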
@@ -858,7 +845,6 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
         The <systemitem>initramfs</systemitem> <systemitem class="username">switch_root</systemitem> prompt appears.
 				</para>
 			</step>
-
 			<step>
 				<para>
 					The file system is mounted read-only on <filename class="directory">/sysroot/</filename>. You will not be allowed to change the password if the file system is not writable.
@@ -892,6 +878,7 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an
       <para>
 Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command:
 <screen>sh-4.2#&nbsp;<command>touch /.autorelabel</command></screen>
+Alternatively, to save the time it takes to relabel a large disk, you can omit this step provided you included the <option>enforcing=0</option> option in step 3.
 </para>
 </step>
       <step>
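Review bot: The added "Alternatively" sentence points at "step 3" by number, which goes stale as soon as a step is inserted or removed above it. Give the rd.break step an id and reference it with <xref linkend="..." />, the way this file already references its procedures. The sentence should also point forward to the final step, since omitting the relabel is only safe when the context of /etc/shadow is restored and enforcement is switched back on after boot.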
@@ -920,6 +907,16 @@ Updating the password file results in a file with the incorrect SELinux security
         </para>
         </note>
 			</step>
+      <step>
+        <para>
+          If you added the <option>enforcing=0</option> option in step 3 and omitted the <command>touch /.autorelabel</command> command in step 8, enter the following command to restore the <filename>/etc/shadow</filename> file's SELinux security context:
+          <screen>~]# <command>restorcon /etc/shadow</command></screen>
+          Enter the following commands to turn SELinux policy enforcement back on and verify that it is on:
+          <screen>~]# <command>setenforce 1</command>
+~]# <command>getenforce</command>
+Enforcing</screen>
+        </para>
+      </step>
 		</procedure>
 
     </section>
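Review bot: The command in the first <screen> of the new step is spelled restorcon; the tool is restorecon, so the step fails as written and /etc/shadow keeps the wrong context while the next command switches enforcement back on. The step also hard-codes "step 3" and "step 8"; replace both with xref links to step ids so the references survive later edits to the procedure.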