Recovering root passwords with Fedora Core

I performed a Fedora Core 4 installation today, and for some reason the root password I typed in during the installation got munged (or I typed it incorrectly two times). Since Fedora Core uses grub as a boot loader, I was able to recover from this situation relatively quickly.

To get to a shell where I could use the passwd(1) utility or vi(P) to change the password, I first needed to reboot the box to get to the grub menu. Once I was greeted with the grub menu, I used the up and down arrow keys to select a kernel, and then hit the ‘e’ key to edit the boot parameters. Once the editor displayed the kernel boot string, I added a 1 immediately following the LABEL definition:

kernel /boot/vmlinuz-2.6.11-1.1369_FC4 ro root=LABEL=/ 1 rhgb quiet

The number following the LABEL definition indicates the run level to boot into, and in this case 1 refers to single user mode. Once you finish editing the boot definition, you can hit ‘b’ to boot. This will boot to single user mode, and should dump you into a shell if everything goes well. Once you’re in the shell, you can use passwd(1) or vi(P) to update the root user’s password. Since I haven’t tinkered with grub for quite some time, this experience reminded me how important physical security and grub passwords are!

One Comment

Rob  on October 26th, 2005

This only works if you skimped on security and the root password is not required to enter single-user mode. Of course, you can always boot a repair disk, mount the root filesystem and edit the password out of /mnt/etc/passwd for root. This is why, on a production system where you can’t guarantee, 100%, physical security of your servers, you should have
(a) A firmware password to prevent changing hardware parameters
(b) Disable booting from devices other than the fixed disk, in firmware
(c) Root password required to access the shell in single-user mode.
(d) Bootstrap loader protection to prevent changing boot parameters from the command line.
etc.
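
A check for items (c) and (d) in the comment above, as an added example that is not part of the original post or comment. It assumes GRUB legacy and SysV init with the usual /boot/grub/grub.conf and /etc/inittab paths; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit GRUB legacy and SysV init settings for items (c) and (d).
# Default paths are the usual Fedora Core locations (an assumption).

# Print the first active "password" directive found before any "title" line.
# GRUB legacy treats that one as global: it locks 'e' editing and the command line.
grub_global_password() {
    awk '/^[ \t]*#/ { next }
         /^[ \t]*title[ \t]/ { exit }
         /^[ \t]*password[ \t=]/ { print; exit }' "$1"
}

# Succeed if an active inittab entry runs sulogin for runlevel S, so the
# single-user shell asks for the root password first.
single_user_requires_password() {
    awk -F: '/^[ \t]*#/ { next }
             $2 ~ /S/ && $4 ~ /sulogin/ { ok = 1; exit }
             END { exit(ok ? 0 : 1) }' "$1"
}

audit_boot_hardening() {
    grub_conf=${1:-/boot/grub/grub.conf}; inittab=${2:-/etc/inittab}; rc=0
    pw=$(grub_global_password "$grub_conf")
    case $pw in
        '')      echo "FAIL: no global GRUB password; boot parameters are editable"; rc=1 ;;
        *--md5*) echo "OK: GRUB password set and stored as an MD5 hash" ;;
        *)       echo "WARN: GRUB password is stored in clear text"; rc=1 ;;
    esac
    if single_user_requires_password "$inittab"; then
        echo "OK: single-user mode runs sulogin"
    else
        echo "FAIL: single-user mode gives a root shell without a password"; rc=1
    fi
    return "$rc"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf 'default=0\ntimeout=5\ntitle Fedora Core\n\tkernel /boot/vmlinuz-2.6.11-1.1369_FC4 ro root=LABEL=/ rhgb quiet\n' > "$demo/grub.weak"
printf 'default=0\npassword --md5 <constructed-hash-placeholder>\ntitle Fedora Core\n' > "$demo/grub.hard"
printf 'id:3:initdefault:\n' > "$demo/inittab.weak"
printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$demo/inittab.hard"
audit_boot_hardening "$demo/grub.weak" "$demo/inittab.weak" || echo "(weak sample fails the audit, as expected)"
audit_boot_hardening "$demo/grub.hard" "$demo/inittab.hard"
```

Called with no arguments on a real host, audit_boot_hardening reads the default paths and returns non-zero if either protection is missing.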
