commit 984d2a00caa541ea273f8d4ea7aad6c79ca29e71
Author: Stephen Wadeley swadeley@redhat.com
Date: Thu Jan 15 21:56:53 2015 +0100
Resetting the root password
Improving, and adding the rd.break method
en-US/Working_with_the_GRUB_2_Boot_Loader.xml | 125 +++++++++++++++++++++++-- 1 files changed, 116 insertions(+), 9 deletions(-) --- diff --git a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml index 1e81667..d465e8c 100644 --- a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml +++ b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml 
@@ -725,8 +725,10 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an <para> Note that in GRUB 2, resetting the password is no longer performed in single-user mode as it was in GRUB included in Fedora 15 and Red Hat Enterprise Linux 6. The <systemitem class="username">root</systemitem> password is now required to operate in <literal>single-user</literal> mode as well as in <literal>emergency</literal> mode. </para> - <procedure> - <title>Resetting the Root Password</title> + <para> + Two procedures for changing the <systemitem class="username">root</systemitem> password are shown here. The <xref linkend="proc-Resetting_the_Root_Password_Using_bin_sh" /> procedure creates a chrooted shell using <command>init=/bin/sh</command>. It is the shorter of the two procedures and does not require an SELinux relabel. But this procedure will not work if you have a USB keyboard, encrypted file systems, and does not work in certain virtual machines or systems. The <xref linkend="proc-Resetting_the_Root_Password_Using_rd.break" /> procedure makes use of <command>rd.break</command> to interrupt the boot process before control is passed from <systemitem>initramfs</systemitem> to <systemitem class="service">systemd</systemitem>. The disadvantage of this method is that you have to then change <systemitem class="username">root</systemitem> using the <command>sysroot</command> command.</para> + <procedure id="proc-Resetting_the_Root_Password_Using_bin_sh"> + <title>Resetting the Root Password Using /bin/sh</title> <step> <para> Start the system and, on the GRUB 2 boot screen, press the <keycap>e</keycap> key for edit. 
@@ -754,10 +756,13 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an <para> The Linux <package>kernel</package> will run the <application>/bin/sh</application> shell rather than the system <systemitem class="daemon">init</systemitem> daemon. Therefore, some functions may be limited or missing. </para> + <para> + Note that if a console is specified, the <systemitem>initramfs</systemitem> prompt will appear on the last console specified on the Linux line. + </para> </step> <step> <para> - Press <keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo> to boot the system with the parameter. + Press <keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo> to boot the system with the changed parameters. </para> <para> The shell prompt appears. @@ -767,7 +772,7 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an <para> <!-- Add this step as a result of https://bugzilla.redhat.com/show_bug.cgi?id=1045574#c11 --> To preserve the SELinux context of the files that are to be modified, load the SELinux policy into the kernel. Use the <option>-i</option> option as this is the first time the policy is being loaded since boot: - <screen>~]# <command>/usr/sbin/load_policy -i</command></screen> + <screen>sh-4.2# <command>/usr/sbin/load_policy -i</command></screen> </para> </step> <step> 
@@ -776,12 +781,12 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an </para> <para> Remount the file system as writable: - <screen>~]# <command>mount -o remount, rw /</command></screen> + <screen>~]# <command>mount -o remount,rw /</command></screen> </para> </step> <step> <para> - Run the <command>passwd</command> command and follow the instructions displayed on the command line to change the <systemitem class="username">root</systemitem> password. + Enter the <command>passwd</command> command and follow the instructions displayed on the command line to change the <systemitem class="username">root</systemitem> password. </para> <para> Note that if the system is not writable, the <application>passwd</application> tool fails with the following error: 
@@ -791,19 +796,121 @@ For more information on adding kernel options, see <xref linkend="sec-Editing_an <step> <para> Remount the file system as read only: - <screen>~]# <command>mount -o remount, ro /</command></screen> + <screen>~]# <command>mount -o remount,ro /</command></screen> </para> </step> <step> <para> - Run the <command>exec /sbin/init</command> command to resume the initialization and finish the system boot. + Enter the <command>exec /sbin/init</command> command to resume the initialization and finish the system boot. </para> <para> Running the <command>exec</command> command with another command specified replaces the shell and creates a new process; <systemitem class="daemon">init</systemitem> in this case. </para> </step> </procedure> - </section> + <procedure id="proc-Resetting_the_Root_Password_Using_rd.break"> + <title>Resetting the Root Password Using rd.break</title> + <step> + <para> + Start the system and, on the GRUB 2 boot screen, press the <keycap>e</keycap> key for edit. + </para> + </step> + <step> + <para> + Remove the <option>rhgb</option> and <option>quiet</option> parameters from the end, or near the end, of the <literal>linux16</literal> line, or <literal>linuxefi</literal> on UEFI systems. + </para> + <para> + Press <keycombo><keycap>Ctrl</keycap><keycap>a</keycap></keycombo> and <keycombo><keycap>Ctrl</keycap><keycap>e</keycap></keycombo> to jump to the start and end of the line, respectively. On some systems, <keycap>Home</keycap> and <keycap>End</keycap> might also work. +</para> + + <important> + <para> + The <option>rhgb</option> and <option>quiet</option> parameters must be removed in order to enable system messages. 
+ </para> + </important> + </step> + <step> + <para> + Add the following parameter at the end of the <literal>linux16</literal> or <literal>linuxefi</literal> on UEFI systems: + </para> + <screen>rd.break</screen> + <para> + The <systemitem>initramfs</systemitem> will stop before passing control to the Linux <package>kernel</package>, enabling you to work with the <systemitem class="username">root</systemitem> file system. + </para> + <para> + Note that the <systemitem>initramfs</systemitem> prompt will appear on the last console specified on the Linux line. + </para> + </step> + <step> + <para> + Press <keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo> to boot the system with the changed parameters. + </para> + <para> + With an encrypted system file system, a password is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press the <keycap>Backspace</keycap> key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages. + </para> + <para> + The <systemitem>initramfs</systemitem> <systemitem class="username">switch_root</systemitem> prompt appears. + </para> + </step> + + <step> + <para> + The file system is mounted read-only on <filename class="directory">/sysroot/</filename>. You will not be allowed to change the password if the file system is not writable. + </para> + <para> + Remount the file system as writable: + <screen>switch_root:/# <command>mount -o remount,rw /sysroot </command></screen> + </para> + </step> + <step> + <para> + The file system is remounted with write enabled. 
+ </para> + <para> + Change the file system's <systemitem class="username">root</systemitem> as follows: + <screen>sh-4.2# <command>chroot /sysroot</command></screen> + </para> + </step> + + <step> + <para> + Enter the <command>passwd</command> command and follow the instructions displayed on the command line to change the <systemitem class="username">root</systemitem> password. + </para> + <para> + Note that if the system is not writable, the <application>passwd</application> tool fails with the following error: + </para> + <screen>Authentication token manipulation error</screen> + </step> + <step> + <para> +Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command: +<screen>sh-4.2# <command>touch /.autorelabel</command></screen> +</para> +</step> + <step> + <para> + Remount the file system as read only: + <screen>sh-4.2# <command>mount -o remount,ro /</command></screen> + </para> + </step> + + <step> + <para> + Enter the <command>exit</command> command to exit the <command>chroot</command> environment. + </para> + </step> + + <step> + <para> + Enter the <command>exit</command> command again to resume the initialization and finish the system boot. Note that the SELinux relabeling process can take a long time and a system reboot will occur when complete. + </para> + <para> + With an encrypted system file system, a pass word or phrase is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press and hold the <keycap>Backspace</keycap> key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages. + </para> + </step> + </procedure> + + </section>
</section>
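Review bot: In the @@ -725,8 +725,10 @@ hunk, the new introductory paragraph says you must change root "using the sysroot command", but the rd.break procedure added later in this patch runs chroot /sysroot; /sysroot is the mount point, not a command. Suggest "change the root directory using chroot /sysroot". The same paragraph says the init=/bin/sh procedure "creates a chrooted shell", yet none of that procedure's steps visible in this patch runs chroot, so that description looks like it belongs to the rd.break procedure. The limitations sentence ("will not work if you have a USB keyboard, encrypted file systems, and does not work in certain virtual machines or systems") is not parallel and leaves "certain ... systems" undefined; an itemized list of the known limitations would read better.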
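Review bot: In the @@ -754,10 +756,13 @@ hunk, the added note calls the prompt "the initramfs prompt", while the paragraph directly above it says the kernel runs /bin/sh in place of the init daemon and the next step says only "The shell prompt appears." Suggest "the shell prompt will appear on the last console specified on the linux16 line", and name the parameter meant by "if a console is specified" (console=) so the reader knows what to look for. "Linux line" should also match the linux16 / linuxefi literals used in the rd.break procedure.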
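Review bot: In the @@ -776,12 +781,12 @@ hunk, the corrected mount -o remount,rw / line keeps the ~]# prompt, although the preceding hunk changed the load_policy -i example in the same procedure to sh-4.2#. The remount,ro line in the following hunk has the same leftover prompt. Suggest using sh-4.2# for every screen in the init=/bin/sh procedure so the examples match what the reader actually sees.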
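Review bot: In the @@ -791,19 +796,121 @@ hunk, the rd.break step states that the initramfs "will stop before passing control to the Linux kernel", which contradicts the introduction added in the first hunk (the break happens "before control is passed from initramfs to systemd"); the kernel is already running at that point, so reuse the introduction's wording. Further down, the chroot /sysroot screen shows the sh-4.2# prompt although the previous step's prompt is switch_root:/#, and switch_root is tagged with systemitem class="username" even though it is not a user name. The two encrypted-file-system paragraphs also differ ("press the Backspace key" vs "press and hold", "password" vs "pass word or phrase") and should be aligned, or the second dropped if the prompt only appears once. Minor: the .autorelabel step loses the indentation used by the other steps, and there is a trailing space inside the command element for mount -o remount,rw /sysroot.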