commit 984d2a00caa541ea273f8d4ea7aad6c79ca29e71
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Thu Jan 15 21:56:53 2015 +0100
Resetting the root password
Improving, and adding the rd.break method
en-US/Working_with_the_GRUB_2_Boot_Loader.xml | 125 +++++++++++++++++++++++--
1 files changed, 116 insertions(+), 9 deletions(-)
---
diff --git a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
index 1e81667..d465e8c 100644
--- a/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
+++ b/en-US/Working_with_the_GRUB_2_Boot_Loader.xml
@@ -725,8 +725,10 @@ For more information on adding kernel options, see <xref
linkend="sec-Editing_an
<para>
Note that in GRUB 2, resetting the password is no longer performed in single-user mode
as it was in GRUB included in Fedora 15 and Red Hat
Enterprise Linux 6. The <systemitem
class="username">root</systemitem> password is now required to operate
in <literal>single-user</literal> mode as well as in
<literal>emergency</literal> mode.
</para>
- <procedure>
- <title>Resetting the Root Password</title>
+ <para>
+ Two procedures for changing the <systemitem
class="username">root</systemitem> password are shown here. The
<xref linkend="proc-Resetting_the_Root_Password_Using_bin_sh" /> procedure
creates a chrooted shell using <command>init=/bin/sh</command>. It is the
shorter of the two procedures and does not require an SELinux relabel. But this procedure
will not work if you have a USB keyboard, encrypted file systems, and does not work in
certain virtual machines or systems. The <xref
linkend="proc-Resetting_the_Root_Password_Using_rd.break" /> procedure makes
use of <command>rd.break</command> to interrupt the boot process before
control is passed from <systemitem>initramfs</systemitem> to <systemitem
class="service">systemd</systemitem>. The disadvantage of this method
is that you have to then change <systemitem
class="username">root</systemitem> using the
<command>sysroot</command> command.</para>
+ <procedure id="proc-Resetting_the_Root_Password_Using_bin_sh">
+ <title>Resetting the Root Password Using /bin/sh</title>
<step>
<para>
Start the system and, on the GRUB 2 boot screen, press the
<keycap>e</keycap> key for edit.
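Review bot: In the new introductory paragraph, the last sentence tells the reader to change root "using the <command>sysroot</command> command", but sysroot is not a command. The rd.break procedure added later in this patch runs "chroot /sysroot", so the sentence should name the chroot command and the /sysroot directory. The same paragraph says init=/bin/sh "creates a chrooted shell", yet none of the /bin/sh steps visible in this patch perform a chroot, while the rd.break procedure does; please check which procedure that description belongs to. The limitation sentence ("will not work if you have a USB keyboard, encrypted file systems, and does not work in certain virtual machines or systems") is also not parallel and would read better as a short list of the cases where the method fails.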
@@ -754,10 +756,13 @@ For more information on adding kernel options, see <xref
linkend="sec-Editing_an
<para>
The Linux <package>kernel</package> will run the
<application>/bin/sh</application> shell rather than the system <systemitem
class="daemon">init</systemitem> daemon. Therefore, some functions may
be limited or missing.
</para>
+ <para>
+ Note that if a console is specified, the
<systemitem>initramfs</systemitem> prompt will appear on the last console
specified on the Linux line.
+ </para>
</step>
<step>
<para>
- Press
<keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo>
to boot the system with the parameter.
+ Press
<keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo>
to boot the system with the changed parameters.
</para>
<para>
The shell prompt appears.
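Review bot: The note added to the init=/bin/sh step refers to the "initramfs prompt", but the preceding paragraph says the kernel runs /bin/sh rather than init and the next step says "The shell prompt appears", so the wording here should be "the shell prompt will appear on the last console specified". The sentence also says "if a console is specified" without saying how; naming the console= parameter on the Linux line would make it actionable.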
@@ -767,7 +772,7 @@ For more information on adding kernel options, see <xref
linkend="sec-Editing_an
<para>
<!-- Add this step as a result of
https://bugzilla.redhat.com/show_bug.cgi?id=1045574#c11 -->
To preserve the SELinux context of the files that are to be modified, load the SELinux
policy into the kernel. Use the <option>-i</option> option as this is the
first time the policy is being loaded since boot:
- <screen>~]# <command>/usr/sbin/load_policy
-i</command></screen>
+ <screen>sh-4.2# <command>/usr/sbin/load_policy
-i</command></screen>
</para>
</step>
<step>
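Review bot: The prompt on the load_policy line changes from "~]#" to "sh-4.2#", but the remount,rw and remount,ro steps of the same procedure keep "~]#" on their + lines in the following hunks, so the prompt appears to change in the middle of one shell session. Use a single prompt for every screen element in the /bin/sh procedure.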
@@ -776,12 +781,12 @@ For more information on adding kernel options, see <xref
linkend="sec-Editing_an
</para>
<para>
Remount the file system as writable:
- <screen>~]# <command>mount -o remount, rw
/</command></screen>
+ <screen>~]# <command>mount -o remount,rw
/</command></screen>
</para>
</step>
<step>
<para>
- Run the <command>passwd</command> command and follow the instructions
displayed on the command line to change the <systemitem
class="username">root</systemitem> password.
+ Enter the <command>passwd</command> command and follow the instructions
displayed on the command line to change the <systemitem
class="username">root</systemitem> password.
</para>
<para>
Note that if the system is not writable, the
<application>passwd</application> tool fails with the following error:
@@ -791,19 +796,121 @@ For more information on adding kernel options, see <xref
linkend="sec-Editing_an
<step>
<para>
Remount the file system as read only:
- <screen>~]# <command>mount -o remount, ro
/</command></screen>
+ <screen>~]# <command>mount -o remount,ro
/</command></screen>
</para>
</step>
<step>
<para>
- Run the <command>exec /sbin/init</command> command to resume the
initialization and finish the system boot.
+ Enter the <command>exec /sbin/init</command> command to resume the
initialization and finish the system boot.
</para>
<para>
Running the <command>exec</command> command with another command
specified replaces the shell and creates a new process; <systemitem
class="daemon">init</systemitem> in this case.
</para>
</step>
</procedure>
- </section>
+ <procedure id="proc-Resetting_the_Root_Password_Using_rd.break">
+ <title>Resetting the Root Password Using rd.break</title>
+ <step>
+ <para>
+ Start the system and, on the GRUB 2 boot screen, press the
<keycap>e</keycap> key for edit.
+ </para>
+ </step>
+ <step>
+ <para>
+ Remove the <option>rhgb</option> and
<option>quiet</option> parameters from the end, or near the end, of the
<literal>linux16</literal> line, or <literal>linuxefi</literal> on
UEFI systems.
+ </para>
+ <para>
+ Press
<keycombo><keycap>Ctrl</keycap><keycap>a</keycap></keycombo>
and
<keycombo><keycap>Ctrl</keycap><keycap>e</keycap></keycombo>
to jump to the start and end of the line, respectively. On some systems,
<keycap>Home</keycap> and <keycap>End</keycap> might also work.
+</para>
+
+ <important>
+ <para>
+ The <option>rhgb</option> and <option>quiet</option>
parameters must be removed in order to enable system messages.
+ </para>
+ </important>
+ </step>
+ <step>
+ <para>
+ Add the following parameter at the end of the <literal>linux16</literal>
or <literal>linuxefi</literal> on UEFI systems:
+ </para>
+ <screen>rd.break</screen>
+ <para>
+ The <systemitem>initramfs</systemitem> will stop before passing control
to the Linux <package>kernel</package>, enabling you to work with the
<systemitem class="username">root</systemitem> file system.
+ </para>
+ <para>
+ Note that the <systemitem>initramfs</systemitem> prompt will appear
on the last console specified on the Linux line.
+ </para>
+ </step>
+ <step>
+ <para>
+ Press
<keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo>
to boot the system with the changed parameters.
+ </para>
+ <para>
+ With an encrypted system file system, a password is required at this point.
However the password prompt might not appear as it is obscured by logging messages. You
can press the <keycap>Backspace</keycap> key to see the prompt. Release the
key and enter the password for the encrypted file system, while ignoring the logging
messages.
+ </para>
+ <para>
+ The <systemitem>initramfs</systemitem> <systemitem
class="username">switch_root</systemitem> prompt appears.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ The file system is mounted read-only on <filename
class="directory">/sysroot/</filename>. You will not be allowed to
change the password if the file system is not writable.
+ </para>
+ <para>
+ Remount the file system as writable:
+ <screen>switch_root:/# <command>mount -o remount,rw /sysroot
</command></screen>
+ </para>
+ </step>
+ <step>
+ <para>
+ The file system is remounted with write enabled.
+ </para>
+ <para>
+ Change the file system's <systemitem
class="username">root</systemitem> as follows:
+ <screen>sh-4.2# <command>chroot
/sysroot</command></screen>
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Enter the <command>passwd</command> command and follow the instructions
displayed on the command line to change the <systemitem
class="username">root</systemitem> password.
+ </para>
+ <para>
+ Note that if the system is not writable, the
<application>passwd</application> tool fails with the following error:
+ </para>
+ <screen>Authentication token manipulation error</screen>
+ </step>
+ <step>
+ <para>
+Updating the password file results in a file with the incorrect SELinux security context.
To relabel all files on next system boot, enter the following command:
+<screen>sh-4.2# <command>touch
/.autorelabel</command></screen>
+</para>
+</step>
+ <step>
+ <para>
+ Remount the file system as read only:
+ <screen>sh-4.2# <command>mount -o remount,ro
/</command></screen>
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Enter the <command>exit</command> command to exit the
<command>chroot</command> environment.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Enter the <command>exit</command> command again to resume the
initialization and finish the system boot. Note that the SELinux relabeling process can
take a long time and a system reboot will occur when complete.
+ </para>
+ <para>
+ With an encrypted system file system, a pass word or phrase is required at this
point. However the password prompt might not appear as it is obscured by logging messages.
You can press and hold the <keycap>Backspace</keycap> key to see the prompt.
Release the key and enter the password for the encrypted file system, while ignoring the
logging messages.
+ </para>
+ </step>
+ </procedure>
+
+ </section>
</section>
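Review bot: In the rd.break step that adds the parameter, the explanation "The initramfs will stop before passing control to the Linux kernel" contradicts the introductory paragraph of this same patch, which says rd.break interrupts the boot "before control is passed from initramfs to systemd"; the kernel is already running at that point, so the step should use the introduction's wording. Further down, the remount step shows the prompt "switch_root:/#" while the next step shows "sh-4.2#" for the chroot command itself, before the chroot has happened; the prompt should stay "switch_root:/#" until after "chroot /sysroot". The text "switch_root" is marked up as <systemitem class="username">, which looks like a copy of the root markup and should not carry the username class. The sentence "at the end of the linux16 or linuxefi on UEFI systems" is missing the word "line", and the final paragraph says "pass word or phrase" where the earlier, otherwise identical paragraph says "password" and "press" rather than "press and hold"; align the two.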