Recovering Lost Root User Passwords
It is that dreaded first day at work: you turn up as the brand new system administrator, nobody knows the root password to the server, and they are all staring at you hopefully. Of course, if someone has a login with full sudo rights then it is a trivial matter to set the root password using sudo, but you are guessing, the same as me, that none of these users have sudo privileges on the system.
Recovery of the root password is not only important in real-life scenarios like this one, it is also part of the RHCSA objectives. As that is a practical exam, you will want to be sure that you can reset the password without external media and that you can protect the integrity of SELinux in doing so.
You will need to gain physical access to the server to be able to reset the user's password. This may be possible with remote access cards if they are present in the server, but if the root password is unknown then I am also assuming there is no access to the DRAC or iDRAC cards in the server. In the demonstration we will be working with a VirtualBox virtual machine. With physical access to the server you could also boot from a USB key running some form of live Linux distribution, but it is just as easy with GRUB and does not need external physical media.
Boot the system and pause at the GRUB menu: press the down arrow key and then the up arrow key to return to the default entry. Do not press Enter on the menu entry.
NOTE: In the gold release of RHEL 8 the menu entry we wait on is: Red Hat Enterprise Linux (4.18.0-80.el8.x86_64) 8.0 (Ootpa)
There are prompts at the very bottom of the GRUB screen and we can use the _e_ key to edit the entry. This is what we need to do, so press e when the menu entry is selected. You are presented with the following entry:
GRUB Menu
-----
load_video
set gfx_payload=keep
insmod gzio
linux ($root)/vmlinuz-4.18.0-80.el8.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/swap rhgb quiet
initrd ($root)/initramfs-4.18.0-80.el8.x86_64.img $tuned_initrd
-----
Move to the line that begins with linux, then use CTRL+e to move to the end of the line and append *rd.break*. This will stop the boot process after the RAM disk operating system has loaded, that is, the image named on the initrd line of the GRUB menu entry.
Append rd.break
-----
linux ($root)/vmlinuz-4.18.0-80.el8.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/swap rhgb quiet rd.break
-----
As directed by the prompts at the bottom of the screen, we can continue the boot process using CTRL+x.
The system will boot quickly and present you with the switch_root:/# prompt. The real root file-system will be mounted to the /sysroot directory and will be read-only at this stage. We can make it read-write:
Mount sysroot rw
-----
switch_root:/# mount -o remount,rw /sysroot
-----
We now need to set the /sysroot directory to be the root file-system, using the command chroot. This way, when we use commands such as passwd to set the root password, the changes are saved in the correct root file-system. The prompt will change when we use chroot.
Change Root Directories
-----
switch_root:/# chroot /sysroot
sh-4.4#
-----
Reset Root Password
We can now set the root password using the passwd command or chpasswd.
Change Root Password
-----
sh-4.4# echo 'root:Password1' | chpasswd
-----
Without an SELinux policy being loaded, the SELinux context of the /etc/shadow file will not be set correctly. The file should have the type shadow_t, but if it is edited outside of SELinux the context will be lost. If SELinux is normally in Enforcing mode on your system, no user will be able to log in until the context is restored. We can make use of the auto-relabel feature, which runs as the system is booted. We need to create the file /.autorelabel. This should be at the root of the real root file-system, so within the chrooted environment.
Autorelabel
-----
sh-4.4# touch /.autorelabel
-----
We are now finished. We can type exit once to leave the chrooted environment and then exit again to continue the boot process. A warning about the relabel will be shown. On a simple VM it does not take too long, perhaps a few minutes, but heed the warning on live systems, especially with older disk subsystems.
Complete
-----
sh-4.4# exit
switch_root:/# exit
logout
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
-----
You should now be able to log in with the new root password.
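A check that could be run at the switch_root:/# prompt after leaving the chroot and before the second exit, as an added example that is not part of the original article. It confirms that /sysroot was remounted read-write, that root has a usable hash in /sysroot/etc/shadow, and that /.autorelabel exists. The function name check_reset and its arguments are hypothetical, and it assumes only shell builtins are available in the initramfs.

```shell
# Added example: pre-boot check for the rd.break password reset.
# Uses shell builtins only. check_reset and its arguments are hypothetical:
#   $1 = mount point of the real root (default /sysroot)
#   $2 = mount table to read (default /proc/mounts)
check_reset() {
    root=${1:-/sysroot}
    mounts=${2:-/proc/mounts}
    rc=0

    # 1. The real root must be read-write, or passwd/chpasswd could not
    #    have saved the change. The last matching mount entry wins.
    mode=unmounted
    while read -r _dev mnt _type opts _rest; do
        [ "$mnt" = "$root" ] || continue
        case ",$opts," in
            *,rw,*) mode=rw ;;
            *)      mode=ro ;;
        esac
    done < "$mounts"
    [ "$mode" = rw ] || { echo "FAIL: $root is $mode"; rc=1; }

    # 2. root needs a usable hash: not empty, locked (!) or disabled (*).
    state=absent
    if [ -r "$root/etc/shadow" ]; then
        while IFS=: read -r user hash _rest; do
            [ "$user" = root ] || continue
            case "$hash" in
                ''|'!'*|'*'*) state=unusable ;;
                *)            state=set ;;
            esac
        done < "$root/etc/shadow"
    fi
    [ "$state" = set ] || { echo "FAIL: root hash is $state"; rc=1; }

    # 3. Without /.autorelabel an Enforcing system boots with a mislabelled
    #    /etc/shadow and nobody can log in.
    [ -e "$root/.autorelabel" ] || { echo "FAIL: $root/.autorelabel missing"; rc=1; }

    return "$rc"
}

# At the switch_root:/# prompt: check_reset /sysroot
```

A non-zero return means at least one step of the procedure did not take effect and should be repeated before continuing the boot.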
Summary
To recover from a lost root password we can interrupt the GRUB boot process and edit the main menu entry. We need to append rd.break to the line that starts with linux. The system boots to the initrd, where we can remount /sysroot as rw. We then chroot to the directory and set the password before creating the /.autorelabel file. Use exit twice to continue the boot process.