Resetting the root password on Red Hat Enterprise Linux

Maros Kukan
6 min read · Jul 3, 2023


Foreword

It’s not a bug, it’s a feature.
— Unknown

A long time ago, in a galaxy far, far away, you installed a Linux OS on a bare-metal host to serve your digital media at home, and, just like me, you neither wrote the password down on a piece of paper nor stored it in a password manager. Nevertheless, it is time to learn and understand how to reset the root password with ease and regain access to the OS. Let us dive in.

The Boot Process

The modern Linux boot process involves a series of steps that take place when a computer running Linux is powered on.

Assuming that we have a standard Red Hat Enterprise Linux installation running on UEFI firmware, the following steps are involved:

  1. When the computer starts, the firmware initializes the hardware. Based on the EFI boot options stored in NVRAM, it then locates and launches the bootloader.
  2. The GRUB2 bootloader initializes its components and loads the configuration file /boot/efi/EFI/redhat/grub.cfg, which is located on the ESP (EFI System Partition, mounted at /boot/efi). This file contains the location and options of the initial RAM disk image /boot/initramfs-5.14.0-162.6.1.el9_1.x86_64.img and the Linux kernel /boot/vmlinuz-5.14.0-162.6.1.el9_1.x86_64. There may be multiple kernels available; based on the user's menu selection, GRUB2 then loads the chosen one into memory.
  3. Initramfs Initialization: If an initramfs (initial RAM filesystem) is specified in the GRUB2 configuration, GRUB2 loads it into memory alongside the kernel. The initramfs contains essential drivers and utilities necessary for booting, such as disk drivers and the initial root filesystem.
  4. Handover to the Kernel: GRUB2 transfers control to the loaded kernel. The kernel takes over and starts executing its initialization routines.
  5. Kernel Initialization: The kernel initializes various subsystems, including memory management, device drivers, and core system services. It detects and configures hardware, mounts the root filesystem, and sets up the necessary data structures for subsequent system initialization.
  6. Systemd Initialization: Once the kernel initialization is complete, the systemd init system is launched. Systemd is responsible for starting and managing system services, handling dependencies, and coordinating the boot process.
  7. Service Activation: Systemd reads unit files, which define system services and targets, from locations such as /usr/lib/systemd/system and /etc/systemd/system. It activates the necessary services and targets according to the defined dependencies, bringing up the system to a fully operational state.
  8. User Login: Finally, once the necessary services are running, systemd spawns the login manager or presents the user with a login prompt, allowing users to log in and access the system.

Initial RAM disk

The password reset process can be carried out from the initial RAM disk. The initial RAM disk is a compressed file system image (e.g. /boot/initramfs-5.14.0-284.11.1.el9_2.x86_64.img) containing a minimal root file system, essential kernel modules, and initialization scripts.

The purpose of the initial RAM disk is to facilitate the early stages of system initialization. It allows the kernel to perform certain tasks before the actual root file system is mounted. Some common scenarios where the initial RAM disk is useful include:

  • Disk encryption, e.g. asking for decryption passphrase
  • Modular Kernel, e.g. loading LVM modules
  • File system Checks and Repairs, e.g. integrity checks
  • Custom Configuration, e.g. device drivers, network interfaces

Once the kernel loads the initial RAM disk into memory, it unpacks the contents and mounts it as the root file system. The initialization scripts within the initial RAM disk are executed, allowing early user-space programs and scripts to perform necessary tasks before transitioning to the real root file system.

After the initialization tasks in the initial RAM disk are completed, the kernel proceeds with the regular boot process, mounting the actual root file system and transitioning to the user-space initialization stage.

Environment Setup

We start by downloading a sample Vagrant file from the GitHub repository. It defines a single virtual machine template, which is all we need for this demo.

📝Note: It is assumed that you have a hypervisor and Vagrant available to follow along. If that is not the case, have a look at Increase Your Output: Essential Tools Every Developer Needs!

# Create a new project directory
New-Item -ItemType Directory -Force -Path "$HOME\projects\rhel"

# Move to this directory (the same one created above)
cd $HOME\projects\rhel

# Download the Vagrantfile
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/maroskukan/rhcsa/main/Vagrantfiles/env1/Vagrantfile" `
-OutFile Vagrantfile

📝Note: The Vagrant Box used in this demo is generic/rhel9. This virtual machine template comes with BIOS firmware.

Next, we create and start the virtual machine using the vagrant up command.

vagrant up
Bringing machine 'client' up with 'hyperv' provider...
==> client: Verifying Hyper-V is enabled...
==> client: Verifying Hyper-V is accessible...
==> client: Importing a Hyper-V instance
client: Creating and registering the VM...
client: Successfully imported VM
client: Configuring the VM...
client: Setting VM Enhanced session transport type to disabled/default (VMBus)
==> client: Starting the machine...

To open the VM console, we need to retrieve the virtual machine name.

$vmName = Get-VM -name env1_client*
vmconnect localhost $vmName.name

A new virtual machine console will open. Log in as the vagrant user with the password vagrant. By inspecting the /etc/shadow file, you may notice that the root user account does not have a usable password set (the !! prefix in the second field marks the entry as locked).

sudo grep root /etc/shadow
root:!!$y$j9T$GkxtOE1Pw5drUS2FPzHvl/$uqlf1Kk0gr2IvhsMaT1i1TR4jWxCkW7YUGbvQpogfGB:19446:0:99999:7:::

💡Tip: You can verify the state of the root user account password with sudo passwd -S root.

A locked root password is specific to the generic/rhel9 Vagrant box. To make this example more realistic, we are going to set the root password to a random value that we do not record anywhere.

echo "root:$(openssl rand -hex 16)"  | sudo chpasswd

Next, reboot the system with the reboot command.

Password Reset Process

Armed with the knowledge about the boot process and the initial RAM disk, it is time to get our hands dirty. As with everything, there is more than one way to achieve the desired outcome. The following procedure applies to Red Hat Enterprise Linux 9 with SELinux enabled. Keep in mind that it requires nothing more than access to the console and an unprotected GRUB menu, which is why systems where this matters typically protect GRUB entries with a password and encrypt the disk.

To stop the boot process at the initramfs stage, press e at the main GRUB entry and append rd.break to the kernel line (the one containing the vmlinuz keyword). Press Ctrl-x to boot with the modified entry.

[Image: the rd.break option appended to the kernel line]

💡Tip: If the GRUB timeout is disabled, you can interrupt the boot process by holding the left Shift key while the system boots.

After boot, the initramfs automatically mounts the existing root file system read-only at /sysroot. We need to remount it read-write. Afterwards, we change the root file system path with chroot, update the root password, restore the SELinux file context, and finally continue booting.

[Image: the Dracut emergency shell]

The following steps describe the above procedure in greater detail.

  1. Verify the existing mount options for /sysroot.

mount | grep sysroot
/dev/mapper/rhel-root on /sysroot type xfs (ro,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)

  2. Remount /sysroot in read-write mode.

mount -o remount,rw /sysroot

  3. Change the root directory to /sysroot.

chroot /sysroot

  4. Update the root password to the string LinuxRocks.

echo LinuxRocks | passwd --stdin root

  5. Load the SELinux policy, so that the following restorecon step can relabel the file.

load_policy -i

  6. Restore the default security context of /etc/shadow from the current system_u:object_r:unlabeled_t:s0 to system_u:object_r:shadow_t:s0.

restorecon -FvR /etc/shadow

  7. Exit the chroot environment.

exit

  8. Exit the initramfs environment to continue booting.

exit

Once the boot process completes, log in as root using the newly set password.
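The two things worth checking after a reset are the state of the root entry in /etc/shadow (the locked !! entry inspected earlier) and the SELinux label that steps 5 and 6 restore. The helpers below are an added example, not code from the original post: they classify a raw shadow line the way passwd -S does and check an ls -Z line for shadow_t, working on constructed sample text so they run anywhere; on a real host feed them the output of sudo grep '^root:' /etc/shadow and ls -Z /etc/shadow. Assumes bash (or POSIX sh), awk and sed.

```shell
# Constructed sample: the locked root entry shown earlier in the post.
SAMPLE_LOCKED='root:!!$y$j9T$GkxtOE1Pw5drUS2FPzHvl/$uqlf1Kk0gr2IvhsMaT1i1TR4jWxCkW7YUGbvQpogfGB:19446:0:99999:7:::'

# shadow_status LINE -> LK (locked), NP (no password) or PS (password set),
# mirroring the second column of `passwd -S`.
shadow_status() {
  local hash
  hash=$(printf '%s' "$1" | cut -d: -f2)
  case "$hash" in
    '')        echo NP ;;
    '!'*|'*'*) echo LK ;;   # "!", "!!" or "*" prefix disables password login
    *)         echo PS ;;
  esac
}

# shadow_hash_method LINE -> crypt method id found behind any lock prefix
# ($y$ is yescrypt, the RHEL 9 default seen in the sample above).
shadow_hash_method() {
  local hash
  hash=$(printf '%s' "$1" | cut -d: -f2 | sed 's/^[!*]*//')
  case "$hash" in
    '$y$'*) echo yescrypt ;;
    '$6$'*) echo sha512 ;;
    '$5$'*) echo sha256 ;;
    '$1$'*) echo md5 ;;
    '')     echo none ;;
    *)      echo unknown ;;
  esac
}

# shadow_label_ok "LS_Z_LINE" -> 0 when the SELinux type is shadow_t, 1 otherwise
# (a file rewritten from the rd.break shell without a policy loaded ends up
# as unlabeled_t, which is what restorecon -FvR /etc/shadow fixes).
shadow_label_ok() {
  local type
  type=$(printf '%s\n' "$1" | awk '{split($1, c, ":"); print c[3]}')
  [ "$type" = shadow_t ]
}

# report SHADOW_LINE LS_Z_LINE -> one summary line combining both checks
report() {
  local st lbl
  st=$(shadow_status "$1")
  if shadow_label_ok "$2"; then lbl=ok; else lbl=needs-restorecon; fi
  echo "root=$st method=$(shadow_hash_method "$1") label=$lbl"
}
```

Run as report "$(sudo grep '^root:' /etc/shadow)" "$(ls -Z /etc/shadow)" on the rebooted VM; after a correct reset it reports root=PS and label=ok.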

Closing thoughts

In summary, knowing and understanding how the boot process works can be very beneficial during system troubleshooting and maintenance activities. I would be pleased to know your thoughts in the comments down below. Until next time, thanks for reading.
