Linux Root Password Reset

Last updated — Oct 30, 2024
First published — Aug 06, 2023
#init #aaa #funny

Unix, Linux password reset. Bootloader, grub, init, mount, passwd, reboot, sysrq. Funny story.

Article Collection

This article is part of the following series:

1. Tips

Introduction

The root user can change the password of any user. Non-root users must know their current password to be able to change it.

If you have forgotten your root password (or the password for the account through which you access root), you will not be able to reset it or even log in to the system.

However, there is a point of entry available to local users who have access to the console.

When the computer starts up, after the firmware has initialized the hardware, it loads a bootloader program, either from the first 512KB of the boot disk or from an EFI partition.

The bootloader will then present the list of available OSes to boot, and/or after a timeout load the default entry from the list.

The bootloader can also configure and pass additional arguments to the kernel of the chosen entry. Modifying kernel arguments can be protected by a password, but in default installations the password is not defined and modification is allowed.

One of the parameters recognized by the Linux kernel is init=. It names the first (and only) program the kernel runs once it has finished initializing. By an age-old convention, this program is /bin/init, whose duty is to initialize and boot the rest of the system.

This ability to override kernel’s default init was added, among other reasons, to be able to test upgraded versions of init. The upgrade would usually configure the kernel to boot into init=/bin/newinit on next attempt, and if that went OK, /bin/newinit would be copied over the old /bin/init, and the init= setting would be reverted back to its default value, completing the upgrade.

By modifying the init= argument ourselves, we can instruct the kernel to start a shell (such as /bin/sh or /bin/bash) instead of /bin/init. Since the password prompt is not part of the shell, and the shell grants access immediately, this method yields root access without a password.

Note again that this is only possible if the bootloader has been configured to allow modifying the entries, and if it has not been password-protected. But, by default, both conditions are true and this method is viable.
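The defender's side of the point above, as an added example that is not part of the original article: a POSIX sh audit that reports whether a generated grub.cfg requires a password before boot entries can be edited, run against two constructed sample configs (the PBKDF2 hash value is a placeholder, not real grub-mkpasswd-pbkdf2 output).

```shell
# Added audit helper (not from the article): reports whether a grub.cfg requires
# a password before boot entries, and so the kernel's init= argument, can be
# edited. GRUB enforces one only when "set superusers" names an account and a
# matching password line exists; --unrestricted entries still boot freely.
grub_edit_protection() {
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1"; then
        echo "unprotected"          # the default: anyone at the console can edit
        return 1
    fi
    if grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$1"; then
        echo "protected"            # hashed secret from grub-mkpasswd-pbkdf2
        return 0
    fi
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$1"; then
        echo "protected-plaintext"  # enforced, but the secret is readable on disk
        return 0
    fi
    echo "misconfigured"            # superusers set, no credential: nobody can log in
    return 1
}

# Constructed sample: a distro-style default config with no password at all.
write_default_cfg() {
    cat > "$1" <<'EOF'
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda1 ro quiet
    initrd /initrd.img
}
EOF
}
# Constructed sample: same entry with a superuser and a placeholder PBKDF2 hash;
# --unrestricted keeps normal boots password-free while editing stays locked.
write_hardened_cfg() {
    cat > "$1" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro quiet
    initrd /initrd.img
}
EOF
}

for name in default hardened; do
    tmp=$(mktemp)
    "write_${name}_cfg" "$tmp"
    echo "$name grub.cfg: $(grub_edit_protection "$tmp")"
    rm -f "$tmp"
done
```

On Debian-style systems the superusers and password lines go into a file under /etc/grub.d/ and grub.cfg is regenerated, so run the audit on the generated /boot/grub/grub.cfg, not on the fragments.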

Bootloader Phase

The session to reach the bootloader and boot a kernel with modified configuration could look like this:

  1. Reset the computer.

  2. Wait for the bootloader menu to show up. If it does not show up automatically, try holding the Alt or Ctrl key during boot. If it still does not show up, try resetting the machine while it is halfway booted into Linux; the bootloader might detect a problem and automatically show the menu on the next boot.

  3. In the bootloader, locate the entry which you want to boot. It is usually the first entry in the list.

  4. Edit this boot entry, usually by pressing 'e'.

  5. In the configuration, find the line which mentions “vmlinuz” (not the line that mentions “initrd” or any other line).

  6. On the line which refers to “vmlinuz”, press End on the keyboard, or use any other method to get to the end of the line (although any position after “vmlinuz” would be fine).

  7. Append or insert the text init=/bin/bash or init=/bin/sh, ensuring there are spaces around it, separating it from the other existing options.

  8. Boot into the modified entry, usually by pressing 'Ctrl+x' to boot the current entry with the edited configuration.

Shell Phase

When the machine boots, instead of the usual startup procedure you will be greeted by the root prompt, #. This will be a limited environment, because there is no job control and there may be no TAB completion, but it is more than enough for our purpose.

Once in the shell, you need to make sure that the root partition is mounted read-write, and then you can change the password. After making changes, you need to remount the partition back to read-only, to ensure that all buffers are flushed to disk and that the partition will be unmounted cleanly when you reboot.

The whole terminal session might look like this:

# mount -o remount,rw /
# passwd SOME_USERNAME
# mount -o remount,ro /

Rebooting

Reboot the machine by typing reboot or shutdown -r now, or pressing Ctrl+Alt+Del or Alt+SysRq+b. (On typical PC keyboards, the magic SysRq key is labeled “Print Screen”.) Alternatively, just hard-reset the machine.

(For more information about the “magic SysRq key” see Linux Magic System Request Key Hacks.)

Which of these methods actually reboots the machine may vary, because the machine was booted into a limited environment with no init process running: commands such as reboot that hand the request to init may fail, while the SysRq key and a hard reset do not depend on it.

After rebooting, you should be able to log in normally, using the new password.

Funny Story - Password Reset Prank

On Unix, there is a file /etc/motd (message of the day). It is used for notifications from system administrators to users. Administrators save any important message to /etc/motd, and it is then displayed to users automatically when they log in.

In the late ’90s I told the trick about init=/bin/sh to a friend. He went to his college campus and changed the root password on one of the machines that was used for Usenet posts (mostly binaries). He changed the root’s password two or three times that week.

A couple of days later, the following message appeared in the machine’s motd:

I KNOW WHO IS DOING THIS AND AM GONNA DEAL WITH HIM!!!!

Funny Story - Pepper Bites!

A college campus I knew of in the late ’90s used to run SGI IRIX operating system on a number of machines.

As the main system did not use shadow passwords, it was easy to obtain the password file, with the 13-character Unix crypt password hashes of all local users in it.

One local user brute-forced the systems administrator’s password. The password was pepper4.

He decided to prank the admin one evening and change the password. He changed it from pepper4 to pepper5.

He also sent the admin an email from the admin’s own account, further mocking him.

In the morning he realized the inappropriateness and tried to use root access to delete the email. However, it was too late, the email was already read.

Automatic Links

The following links appear in the article:

1. Job Control - https://en.wikipedia.org/wiki/Job_control_(Unix)
2. /etc/motd (Message of the Day) - https://en.wikipedia.org/wiki/Message_of_the_day
3. Shadow Passwords - https://en.wikipedia.org/wiki/Passwd#Shadow_file
4. Linux Magic System Request Key Hacks - https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html