Recovering root passwords with Fedora Core

I performed a Fedora core 4 installation today, and for some reason the root password I typed in during the installation got munged (or I typed it incorrectly two times). Since Fedora Core uses grub as a boot loader, I was able to recover from this situation relatively quickly.

To get to a shell where I could use the passwd(1) utility or vi(P) to change the password, I first needed to reboot the box to get to the grub menu. Once I was greeted with the grub menu, I used the up and down arrow keys to select a kernel, and then hit the ‘e’ key to edit the boot paramaeters. Once the editor displayed the kernel boot string, I added a 1 immediately following the LABEL definition:

kernel /boot/vmlinuz-2.6.11-1.1369_FC4 ro root=LABEL=/ 1 rhgb quiet

The number following the LABEL definition indicates the run level to boot into, and in this case 1 refers to single user mode. Once you finish editing the boot definition, you can hit ‘b’ to boot. This will boot to single user mode, and should dump you into a shell if everything goes well. Once your in the shell, you can use passwd(1) or vi(P) to update the root users password. Since I haven’t tinkered with grub for quite some time, this experience reminded me how important physical security and grub passwords are!

1 thought on “Recovering root passwords with Fedora Core”

  1. This only works if you skimped on security and the root password is not required to enter single-user mode. Of course, you can always boot a repair disk, mount the root filesystem and edit the password out of /mnt/etc/passwdfor root. This is why, on a production system where you can’t guarantee, 100%, physical security of your servers, you should have
    (a) A firmware password to prevent changing hardware parameters
    (b) Disable booting from devices other than the fixed disk, in firmware
    (c) Root password required to acess the shell in single-user-mode.
    (d) Bootstrap loader prtection to prevent changing boot parameters from the command line.
    etc.

Leave a Reply

Your email address will not be published. Required fields are marked *