On RHEL-based systems, when the root password has been forgotten or lost, an administrator can regain access by taking control of the boot process and changing the password.
Some improvements have been suggested to the traditional way of gaining access, which specifies `rd.break` when editing the GRUB command line. This article walks through the newer recommended method and briefly compares it with the older one.
Updated RHEL 9 Password Reset Process (due to changes in `dracut`):
1. Press `e` to edit the GRUB boot options:
   - This step allows you to modify the boot options temporarily.
2. In the `linux` line, change `ro` to `rw` (this is just before `crashkernel`):
   - The root filesystem is mounted as read-only (`ro`) by default. Changing it to `rw` ensures that the root filesystem is mounted as read-write, allowing you to make changes such as modifying the root password.
   - Find the line starting with `linux` or `linuxefi`, then modify `ro` to `rw`.
3. Press Ctrl + e to go to the end of the `linux` line and add `init=/bin/bash`:
   - This bypasses the default system initialization process and brings you directly into a Bash shell in the root environment, allowing you to troubleshoot or reset the password.
   - This method is a substitute for the traditional `rd.break` approach.
4. Press Ctrl + x to boot:
   - This boots the system with the modified GRUB configuration.
5. Run `passwd` to change the root password:
   - After booting into the Bash shell, you can now change the root password by running the `passwd` command. Be sure to enter the new password twice as prompted.
6. Run `touch /.autorelabel`:
   - This command ensures that the SELinux contexts are properly relabeled upon the next boot, preventing issues with SELinux that might arise due to modified files like `/etc/shadow`.
   - Without this step, SELinux might block processes because of incorrect contexts, especially in enforcing mode.
7. Run `exec /sbin/init`:
   - This command will replace the current Bash shell with the system's initialization process (`/sbin/init`), resuming the normal boot process.
   - The system will continue to boot normally, and on the next boot, SELinux will perform the relabeling as indicated by the `.autorelabel` file.
- Dracut Changes: RHEL 9 now uses `dracut` differently from previous versions: it no longer includes `sulogin` by default during the boot process when `rd.break` is used. Therefore, booting into a shell using `init=/bin/bash` is an alternative method.
- Importance of `.autorelabel`: The SELinux relabeling process ensures that after modifying the password or other system files, SELinux labels are corrected, avoiding potential boot failures or security issues caused by incorrect SELinux contexts.
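
The `linux`-line edit from steps 2 and 3, shown on a sample line as an added example that is not part of the original article. The function names `edit_linux_line` and `boot_override` are hypothetical, and the sample line is constructed with placeholder kernel and device names.

```shell
#!/bin/sh
# Constructed sample line: kernel path and root device are placeholders.
SAMPLE='linux ($root)/vmlinuz-EXAMPLE root=/dev/mapper/rhel-root ro crashkernel=auto rhgb quiet'

# Hypothetical helper: apply steps 2-3 to a linux/linuxefi line.
# Works on whole tokens, so the "ro" inside "root=" is never touched.
# The ( ) body is a subshell: "set -f" and the variables do not leak.
edit_linux_line() (
    set -f                          # do not glob-expand tokens
    out="" first=1
    for tok in $1; do
        if [ "$first" -eq 1 ]; then
            first=0
            case $tok in
                linux|linuxefi) ;;
                *) echo "not a linux/linuxefi line" >&2; exit 1 ;;
            esac
        fi
        case $tok in
            ro) tok=rw ;;                       # step 2
            rhgb|quiet|init=*) continue ;;      # optional cleanup, old init=
        esac
        out="${out:+$out }$tok"
    done
    [ -n "$out" ] || exit 1
    printf '%s init=/bin/bash\n' "$out"         # step 3
)

# Hypothetical helper: name the override a kernel command line carries.
# On a running system, pass it the contents of /proc/cmdline.
boot_override() (
    set -f
    found=none
    for tok in $1; do
        case $tok in
            init=*) found=$tok ;;
            rd.break|rd.break=*) found=rd.break ;;
        esac
    done
    printf '%s\n' "$found"
)

edit_linux_line "$SAMPLE"
boot_override "$(edit_linux_line "$SAMPLE")"
```

Because the edit made in the GRUB editor is temporary, `boot_override` reports `none` again on the next normal boot.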
Additional Considerations for the Video/Slides:
- Highlight SELinux Impact: Make sure to emphasize why the `touch /.autorelabel` step is crucial, especially for viewers who might be unfamiliar with SELinux.
- Ensure clear explanation of `init=/bin/bash`: Explain that this method is a workaround for the changes in RHEL 9's boot process due to the absence of `sulogin` in `dracut`.
This approach ensures compatibility with the updated boot mechanism in RHEL 9 and provides an effective way to reset the root password.
Once the system has booted, you are taken to the login interface.
Method A with `init=/bin/bash` seems to be the more straightforward and future-proof solution in RHEL 9.
A method:
- GRUB > `e`
- `init=/bin/bash` (Remove `rhgb` and `quiet` tags if necessary) > Ctrl+x
- `/usr/sbin/load_policy -i`
- `mount -o remount,rw /`
- `passwd root` or `passwd`
- `mount -o remount,ro /`

B method:
- GRUB > `e`
- `rd.break` > Ctrl+x
- `mount -o remount,rw /sysroot/`
- `chroot /sysroot/`
- `passwd root` or `passwd`
- `touch /.autorelabel`
Also refer to the official Red Hat docs: