Reset a Lost Root Password

Booting into single-user mode was the prescribed recovery method before the advent of systemd (pre-RHEL 7). Recovery in a modern Linux environment requires booting the ramdisk image and chrooting into your root filesystem to make the change.

If you’ve forgotten the root password on your RHEL/CentOS/Fedora machine and have physical access to the machine, it’s not the end of the world. Just follow these steps:

Step 1. Interrupt the GRUB bootloader.

Power on your machine and wait for the GRUB boot menu to appear. When the boot options appear, press your keyboard’s ‘e’ key to enter boot option editing mode.

Use your keyboard’s down arrow to move through the boot options until you see the line beginning with ‘linux16’ and then press your keyboard’s right arrow until you’ve reached the end of the line. Here you will append the directive ‘rd.break’ which will signal your system to load the initramfs but stop short of handing off control to your system’s root filesystem.

Once your edits to the bootloader options are complete, press ‘ctrl-x’ to boot and wait for the ‘switch_root:/#’ prompt to appear.

Step 2. Mount your root filesystem in read-write mode

Once you’ve reached the switch_root prompt your root filesystem will be mounted in the current environment under /sysroot, but it will only be mounted in read-only mode. The changes made by the passwd command to /etc/passwd and /etc/shadow will require RW access to that filesystem. Enter the following at the prompt:

# mount -o remount,rw /sysroot

Step 3. Chroot into your root filesystem and change the root password

Use the chroot command to make what’s currently at /sysroot your session’s effective / directory with:

# chroot /sysroot

and then use the passwd command to change root’s password.

Step 4. Make your changes agree with SELinux

All this time we’ve been making filesystem changes outside the auspices of SELinux, since it’s not currently running. This means that restarting at this point, if you’re using SELinux, would result in a kernel panic and an unbootable system. Fortunately, all we need to do to make our changes agree with SELinux is have it relabel the filesystem on the next reboot. We do this by touching an empty file named .autorelabel in the root filesystem, which acts as a flag for SELinux:

# touch /.autorelabel

Step 5. Exit the environment and restart the system

Like Inception, remember we’re two levels deep. Level 1 was the switch_root prompt, and Level 2 is our current level, which we reached by chrooting into /sysroot. To reboot, you can type ‘exit’, press enter, and type ‘exit’ again, or press ‘ctrl-d’ twice. The choice is yours. This will trigger a reboot, which will take slightly longer than a usual boot because the SELinux relabeling operation can take some time. After the reboot is complete you should be able to log in as root with the password you chose in Step 3.
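
The following is an added example, not part of the original post: a set of shell functions that confirm the results of Steps 2 through 4 before the final ‘exit’. The function names are hypothetical, and it assumes a POSIX shell at the switch_root prompt (after leaving the chroot once) with the mount table at /proc/mounts; run it there as `recovery_preflight /sysroot`.

```shell
#!/bin/sh
# Added example: pre-reboot checks for the rd.break recovery described above.
# Function names are hypothetical; nothing here modifies the system.

# Print rw, ro or unmounted for mount point $1, read from mount table $2.
# The last matching entry wins, since later mounts shadow earlier ones.
mount_mode() {
    mode=unmounted
    while read -r _dev dir _type opts _rest; do
        [ "$dir" = "$1" ] || continue
        case ",$opts," in
            *,rw,*) mode=rw ;;
            *,ro,*) mode=ro ;;
        esac
    done < "${2:-/proc/mounts}"
    echo "$mode"
}

# Print set, locked, empty or missing for root's hash field in shadow file $1.
# A field starting with '!' or '*' means no usable password was written.
root_hash_state() {
    state=missing
    [ -r "$1" ] || { echo "$state"; return 0; }
    while IFS=: read -r user hash _rest; do
        [ "$user" = root ] || continue
        case $hash in
            '')        state=empty ;;
            '!'*|'*'*) state=locked ;;
            *)         state=set ;;
        esac
    done < "$1"
    echo "$state"
}

# Return 0 only if the outcomes of Steps 2-4 all hold under root directory $1.
recovery_preflight() {
    rc=0
    m=$(mount_mode "$1" "${2:-/proc/mounts}")
    h=$(root_hash_state "$1/etc/shadow")
    [ "$m" = rw ]  || { echo "FAIL: $1 is $m (Step 2: mount -o remount,rw $1)"; rc=1; }
    [ "$h" = set ] || { echo "FAIL: root hash is $h (Step 3: rerun passwd in the chroot)"; rc=1; }
    [ -e "$1/.autorelabel" ] || { echo "FAIL: $1/.autorelabel missing (Step 4)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: safe to exit and reboot"
    return "$rc"
}
```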
