RHEL7: Interrupt the boot process in order to gain access to a system.

Note: This is a critical RHCSA 7 exam objective (if you can’t take control of a VM through a reboot at the beginning of the exam, you will fail it entirely).

Presentation

In RHEL 7, the procedure to get access to a system during the boot process and modify the root password has changed because of the adoption of Systemd.

There were several procedures floating around to recover the root password. Some were working with physical servers but not with virtual machines, some the other way around.

The following procedure works all the time.

Procedure

At the beginning of the boot process, at the GRUB 2 menu, press the e key to edit.

Then, go to the kernel line (the line starting with linux16) and add the following statements at the end:

rd.break enforcing=0

Caution: The keys to press are those of a US keyboard (qwerty).
Note: rd.break asks for a break at an early stage of the boot process. enforcing=0 puts the system into SELinux Permissive mode. Don’t confuse it with selinux=0, which completely disables SELinux.

Press Ctrl+x to resume the boot process.

Then, mount the /sysroot partition as read/write:

switch_root:/# mount -o remount,rw /sysroot

Execute the chroot command on the /sysroot partition:

switch_root:/# chroot /sysroot

Change the root password:

sh-4.2# passwd root
Changing password for user root.
New password: mypassword
Retype new password: mypassword
passwd: all authentication tokens updated successfully.
sh-4.2# exit
exit
switch_root:/# exit
logout

Connect to your server at the console (don’t reboot now!) with the root user and the new password:

...
[  OK  ] Started Network Manager Script Dispatcher Service.
[  OK  ] Started Crash recovery kernel arming.
[  OK  ] Reached target Multi-User System.

CentOS Linux 7 (Core)
Kernel 3.10.0-229.14.1.el7.x86_64 on an x86_64

vm login: root
Password: mypassword

Then type:

# restorecon /etc/shadow
# reboot

If you strictly follow this procedure, you don’t need to force an SELinux relabel (# touch /.autorelabel) or load the SELinux policy (# /usr/sbin/load_policy -i).

You don’t even need to reboot at the end! In this case, type # setenforce enforcing

For the RHCSA exam, you need to intensely practice this procedure.

Thanks to salvador and hunter86_bg for their precious comments.

Additional Resources

Ralph Nyberg’s video about recovering root access (15min/2015) explains the procedure very well.
The Fedora Documentation has a page about Resetting the root password.
Documentation is also available for the Anaconda Boot Options.
As there is more than one way to do it, a page describes several ways to reset the root password.

60 Comments on "RHEL7: Interrupt the boot process in order to gain access to a system."

tron

I thought that the whole thing about relabeling was due to a new file being created when you run passwd.
If you just edit the /etc/passwd with ed, then the current file is kept and you can just clear root’s password, go multi user and then re-establish selinux and change the (by now null) password to something else. I’ve done this and AFAIK it’s the fastest way. Any downside?

vincent

Thanks for putting this article together. Red Hat documentation states to remount the root directory to read only after setting the password for root: “mount -o remount,ro /”. Perhaps this is related to security of the system. Anyway, it seems to me also the most logical action to take. Plus, Red Hat suggests removing the rhgb and quiet parameters in order to enable system messages.

timlee

Sorry if I’m asking a noob question… but what is the purpose of restorecon on /etc/shadow?

twostep

If you do not relabel /etc/shadow, your system, which is in SELinux Enforcing mode, cannot access /etc/shadow, and you will not be able to log in.
Below you have got two crucial lines from the audit logs:

type=AVC msg=audit(1471855249.615:42): avc: denied { open } for pid=2056 comm="unix_chkpwd" path="/etc/shadow" dev="dm-1" ino=1112495 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

type=AVC msg=audit(1471855249.615:42): avc: denied { read } for pid=2056 comm="unix_chkpwd" name="shadow" dev="dm-1" ino=1112495 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
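
Added example (not part of the comment above or of the original article): a shell function that scans audit records for AVC denials whose target context is unlabeled_t and groups them per file, which is how a missed restorecon on /etc/shadow shows up in the logs. The function names are hypothetical and the sample records are constructed, modelled on the two denials quoted above.

```shell
#!/bin/sh
# Added example: report objects SELinux denied because they are unlabeled_t.
# Input: audit records on stdin. Output: "dev:ino comm object perm[,perm...]".
# Whitespace splitting is safe: audit hex-encodes values containing spaces.
find_unlabeled_denials() {
    awk '
    /type=AVC/ && /denied/ && /tcontext=[^ ]*:unlabeled_t:/ {
        comm = ""; path = ""; name = ""; dev = ""; ino = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "path") path = val
            else if (key == "name") name = val
            else if (key == "dev") dev = val
            else if (key == "ino") ino = val
        }
        id = dev ":" ino                      # one entry per file, not per record
        if (!(id in who)) { ids[++n] = id; who[id] = comm }
        if (path != "") obj[id] = path        # a full path beats a bare name
        else if (!(id in obj)) obj[id] = name
        # Denied permissions sit between the braces: denied { open }
        if (match($0, /[{][^}]*[}]/)) {
            cnt = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
            for (j = 1; j <= cnt; j++)
                if (!((id, p[j]) in hit)) {
                    hit[id, p[j]] = 1
                    perms[id] = perms[id] (perms[id] == "" ? "" : ",") p[j]
                }
        }
    }
    END { for (i = 1; i <= n; i++) print ids[i], who[ids[i]], obj[ids[i]], perms[ids[i]] }
    '
}

# Constructed sample: two unlabeled_t denials modelled on the lines above, plus
# one denial on a correctly labelled (shadow_t) file that must not be reported.
sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1471855249.615:42): avc: denied { open } for pid=2056 comm="unix_chkpwd" path="/etc/shadow" dev="dm-1" ino=1112495 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1471855249.615:42): avc: denied { read } for pid=2056 comm="unix_chkpwd" name="shadow" dev="dm-1" ino=1112495 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1471855300.101:57): avc: denied { read } for pid=2101 comm="httpd" name="shadow" dev="dm-1" ino=1112495 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}
sample_records | find_unlabeled_denials
```

On a live system the function can be fed from /var/log/audit/audit.log; each path it reports is a candidate for restorecon.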

tron

Well, makes sense if going from disabled to enabled, either permissive or enforcing. If you do not disable selinux, then I see no risk. Maybe I’m missing something.

tron

Just to be clear, here’s my proposed recovery procedure:
1- Interrupt Grub, edit load line, insert rd.break, boot.
2- Remount /sysroot rw
3- Edit in place /sysroot/etc/shadow (e.g. /bin/ed) and remove root password
4- Continue to multiuser, log in as root w/o password and use passwd to set a password.

No selinux issues, no reboots, no hassles.

dan

Does the exam expect us to only use this method, or as long as the password gets changed we are good? I have found a quicker method: adding systemd.debug-shell to kernel parameters adds an open root shell on vt9 (ctrl-alt-f9). You can then use passwd without worrying about having to remount sysroot or selinux context issues, and just switch back to vt1 to login.

Taliez

hi Certdepot.

I’ve been practicing RHCSA objectives based on everything from REDHAT Official and Anything from the net Google gives, just wanna validate this procedure on breaking root…

BTW i will take my RHCSA this year (2016)

at GRUB menu add rd.break

# mount -o remount,rw /sysroot
# chroot /sysroot
#passwd root
# “newpass”
#touch /.autorelabel
#ctrl + d
#ctrl + d

rao

hello Bro,
This is the simple way to change the root passwd.
rd.break console=tty1
mount -o remount,rw /sysroot/
chroot /sysroot/
passwd root
type passwd
touch /.autorelabel
ctrl+d
ctrl+d

It works, don’t need to type enforcing or restorecon.

sungsta

What if I skip the rd.break and instead modify the kernel line from ro to “rw init=/sysroot/bin/sh”
then chroot /sysroot
passwd root
touch /.autorelabel
exit
reboot

Would this work?

twostep

Link to description of system boot against ramdisk and different options like rd.break etc.
https://www.kernel.org/pub/linux/utils/boot/dracut/dracut.html#dracutbootup7

popo

Here is another great method.. at GRUB menu add rd.break

# mount -o remount,rw /sysroot
# chroot /sysroot
#passwd root
# “newpass”
# load_policy -i
#chcon -t shadow_t /etc/shadow
#exit
#reboot

reboot is required at end not exit. It saves time.

popo

Hi certdepot,

can we do this ??

at GRUB menu add rd.break

# mount -o remount,rw /sysroot
# chroot /sysroot
#passwd root
# “newpass”
#load_policy -i
#chcon -t shadow_t /etc/shadow
#exit
#reboot

samuel.sappa

Hi CertDepot,
I found a strange situation when trying your method (sorry, I don’t mean to be rude):
when the root is using the xfs filesystem it works, but when using the ext3 file system, logging in as root fails after reboot.
I’m using a VirtualBox environment; maybe this is some kind of bug or something?

Sam

I don’t know much about VirtualBox; however, can you mount the image and take a look at the log files? This may point you in the correct direction!

watchdog

I have just returned from the ex200 exam… fell foul right at the first hurdle… now that I know the new rhel7 procedure, I’ll know next time… but it is a waste of 500 euros + vat … which I have to pay myself. It reminds me of that special darts game: double-in, double-out … ie you don’t score anything until you have hit a double. Not only is it a waste of money and time, but I was not able to answer the rest of the questions for which I trained quite hard. Oh well… c’est la vie

watchdog

FYI … redhat were unwilling to change anything or to help with any of the costs. I have, however, asked icttrainingen.nl to review their self-study course to add a specific section for this. Here another link that also worked for me: http://www.tecmint.com/reset-forgotten-root-password-in-centos-7-rhel-7/

Lisenet

On RHEL 7, I would use rd.break rather than init=/bin/bash as per official RedHat documentation.
