It just so happened: you needed to switch to root while working on your server but you forgot your root password. Or you inherited a Linux server without any documentation on it, not even login credentials. Or you read the list of exam objectives for Red Hat Certified System Administrator and you saw root password recovery as one of the objectives. Or just for funzies, you wondered how you could change the root password since you stopped liking the current one. Read on, this post will walk you through the procedure of changing the root password of your Linux server, with no need to know the old password.
This post is written for and tested on RHEL 8. The procedure, with possible slight variations, should work on any other Linux distribution.
No. I won't bother anyone with the boot sequence, BIOS, LILO, GRUB, GRUB2, associated config files... Those terms are explained by so many other bloggers/Linux enthusiasts/IT professionals online already that it would be beyond redundant if I set out to repeat the same explanations here.
Reboot/turn on your Linux server and interrupt the boot process by pressing the arrow keys once the boot menu appears.
The part of the boot process where at least some control is handed to the user is when a list of available kernels is offered to the user to choose which one to boot. Pressing the arrow keys interrupts the timer that counts down the seconds before the default kernel is loaded; the boot loader pauses and you get the chance to either choose a different kernel to load or edit the boot parameters of the kernel you plan to load.
Once the kernel loading sequence is paused, highlight the kernel you wish to boot (typically the default kernel you usually load to later work on your system and whose root password you want to change) and press "e" (stands for "edit"). You'll be shown the boot parameters of the highlighted kernel, right below the list of kernels. Locate the line that starts with "linux". Depending on the distro and its version, this line may start with "linux", "linux16", "linux($name-of-kernel-arch-version)" or some other variation of these terms. The line is usually long and wraps on screen, so make sure you are at its real end (Ctrl+e jumps there in the GRUB2 editor), then add a space and enter

rd.break
This is an instruction to dracut, the initramfs, to stop ("break") right before it hands control over to the installed system, and to drop you into an emergency shell instead, the kind of shell used to recover a system that has trouble booting. At that point the installed system's user database and its root password have not come into play yet: the shell belongs to the minimal initramfs environment, and it runs as root without asking for any password. This will enable you to use the

passwd

command to change the password of the root user without being asked for the old one, something that would happen if you tried that same command as an ordinary user on a fully booted system.
So once you have added the instruction to drop you into the rescue shell (rd.break at the end of the "linux" line), it is time to proceed to that shell. Press Ctrl+x to boot with the edited parameters and you'll get to the rescue shell.
Step two: remount /sysroot as read/write, arrest it (yes, you are the sheriff now, it's the shell where you can only be root) and change the password:
You've been dropped into the rescue shell, you see you are the root user (the # at the end of the prompt) and now you need to remount /sysroot as read/write. And here I probably lost you: why /sysroot and why read/write mounting? It's not as if I am mounting a USB or a DVD, right?
/sysroot is the mount point where the initramfs has already mounted the real root filesystem of your installed system, the one with the /etc/passwd and /etc/shadow files you want to change. It is mounted, but read-only: the initramfs only needs to read it before handing over, so that is all it asks for. Remounting it read/write is what gives you the chance to modify those files while you hold root powers without ever entering the root password you don't know. The USB/DVD comparison is not that far off: the initramfs is a small temporary system whose only job is to find the disk, mount the real system's root filesystem on /sysroot and then switch over to it, much like the hardware and driver that read a disc before the Files application can show you what is on it. rd.break stops things right before that switch, while the real root is still parked, read-only, under /sysroot.
The mount command with remounting in read/write mode option:
mount -o remount,rw /sysroot
Note the syntax: it is "-o" with the letter o, not the number zero, and "remount,rw" is a single comma-separated word with no spaces in it.
Congrats, you got the gates of the system wide open for you to ride in as the sheriff! On to making your first arrest now!
The next command you want to issue is to put that newly mounted and writable system root /sysroot in jail. Why? What's the offense? Point of reference.

Right now the shell's "/" is the tiny initramfs, which has its own throwaway /etc/passwd and /etc/shadow. If you ran passwd here, it would edit those files and the change would vanish the moment the initramfs is discarded. Putting /sysroot in a chroot jail changes the point of reference: inside the jail, /sysroot is "/", so /etc/shadow means /sysroot/etc/shadow and every command (passwd included) operates on the installed system's files. As a side effect you also stop having to type the /sysroot prefix on every path.
So let's jail /sysroot:

chroot /sysroot
Notice how the prompt changes: it is shorter now but retains the # symbol at the end, meaning you are still the sheriff :-)
Finally time to do what you came to the rescue shell for: change that password! How?
Run

passwd

and notice how you aren't asked for the old password, nor for any other form of authentication, nor even for the name of the user whose password you are changing. You are now root for all intents and purposes: you are in a root shell, and passwd without a user name changes the password of the user running it. The only thing you'll be asked to do is enter the desired password and repeat it.
One more command before you leave, still inside the jail:

touch /.autorelabel

otherwise the secret police (SELinux) wins. If the secret police wins, your system will still boot but you won't be able to log in: not with your regular user password, not with the new root password, not with any password.
SELinux labels every resource on your Linux system with a security context and uses that same labeling scheme for processes. Once the secret police, lurking in the shadows (hence secret), nabs a process that tries to access a resource it has no business accessing (decided based on those labels), the secret police denies the access and records the offender and its offense in the audit log (/var/log/audit/audit.log). Here is the catch: the rescue shell runs with no SELinux policy loaded, so when passwd wrote the new /etc/shadow a moment ago, the file did not get the label (shadow_t) that the login programs are allowed to read. On the next boot, with the policy loaded and enforcing, every login would be denied access to /etc/shadow, and no password would work. The very presence of the hidden file /.autorelabel tells SELinux to relabel the entire filesystem during the next boot, /etc/shadow included, so that at the end of the boot process you'll be able to log in as root with your shiny new password. The
touch command plays the role of file creator here: it creates an empty file (among the other things this command is capable of, although its original intent was to change the timestamps of files).
You are done here. After

touch /.autorelabel

(pay attention to the syntax before you press ENTER: slash, dot, autorelabel), type "exit" twice: the first exit leaves the chroot jail and the second exits the rescue shell itself, so that the boot process continues.
A warning will show up saying that SELinux needs time to complete the relabeling, which is a great sign: success is on the horizon. Relabeling every file takes a while, and once the secret police is done the system reboots itself one more time. After that you'll be presented with the normal terminal login; try to log in as root with your shiny new password, confirm it works, and congrats: you've successfully changed the root password.
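To make the rescue-shell steps above concrete, here is the same set of edits as a POSIX shell script. This is an added example, not part of the original post: instead of calling passwd inside a chroot, it writes the new hash directly into root's line in /etc/shadow under a system-root path you pass in (on a live rescue shell that would be /sysroot after the read/write remount), creates the .autorelabel marker, and can be exercised against a scratch directory with a constructed shadow file. The function names, the --demo flag and the sample shadow lines are all my own; the script assumes an OpenSSL new enough to support "openssl passwd -6" for generating the SHA-512 crypt hash.

```shell
#!/bin/sh
# Added example (not from the original post): the edits the post makes in the
# rescue shell, as functions that take the mounted system root as a parameter
# so they can be run against a scratch directory instead of a live /sysroot.
set -eu

# Generate a SHA-512 crypt hash for a password, the same format passwd stores
# in field 2 of root's /etc/shadow line. Assumes OpenSSL 1.1.1+ ("passwd -6").
gen_hash() {
    printf '%s' "$1" | openssl passwd -6 -stdin
}

# Replace root's hash (field 2) and "last changed" day (field 3, days since
# the epoch) in $1/etc/shadow with the hash given in $2. The file is written
# back through its existing inode rather than renamed over, so it keeps its
# xattrs (the SELinux label among them); the .autorelabel marker below is
# still created, exactly as the post does, as belt and braces.
set_root_hash() {
    sysroot=$1; hash=$2
    shadow="$sysroot/etc/shadow"
    grep -q '^root:' "$shadow" || { echo "no root entry in $shadow" >&2; return 1; }
    today=$(( $(date +%s) / 86400 ))
    tmp=$(mktemp)
    awk -F: -v OFS=: -v h="$hash" -v d="$today" \
        '$1 == "root" { $2 = h; $3 = d } { print }' "$shadow" > "$tmp"
    cat "$tmp" > "$shadow"   # overwrite in place, do not mv over it
    rm -f "$tmp"
}

# Ask SELinux to relabel the whole filesystem on the next boot, the same
# thing "touch /.autorelabel" does inside the chroot.
mark_autorelabel() {
    : > "$1/.autorelabel"
}

# Read back root's hash field, for verification.
root_hash() {
    awk -F: '$1 == "root" { print $2 }' "$1/etc/shadow"
}

# Build a scratch "sysroot" holding a constructed /etc/shadow.
# Sample data only; the hashes are placeholders, not real ones.
make_fake_sysroot() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    cat > "$d/etc/shadow" <<'EOF'
root:$6$oldsalt$oldhasholdhasholdhash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
alice:$6$asalt$somehash:18500:0:99999:7:::
EOF
    printf '%s\n' "$d"
}

# Stand-alone run against the scratch data: ./script.sh --demo
# On a real rescue shell you would pass /sysroot (after the rw remount).
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fake_sysroot)
    set_root_hash "$root" "$(gen_hash 'N3w-r00t-pw')"
    mark_autorelabel "$root"
    printf 'root hash now: %s\n' "$(root_hash "$root")"
    ls -la "$root/.autorelabel"
fi
```

Note that writing the file back through its existing inode is the one deliberate departure from the post's method: passwd, like sed -i, creates a fresh file and renames it into place, which is precisely how the label gets lost in the rescue shell. Either way, leaving /.autorelabel in place costs only one relabel pass and guarantees the label is right.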
Some may call this procedure "recovering the root password" instead of "changing the root password"; notice how you aren't recovering anything. That old password, once you forgot it and did not record it in some external resource, is gone forever. The new password takes effect the moment passwd writes it to /etc/shadow, so it is already in place when you exit the rescue shell. One last thought for the sheriff: everything above required nothing but access to the console and an unprotected boot menu, which is exactly why a GRUB2 boot loader password (grub2-setpassword on RHEL 8) and full-disk encryption exist. Without them, whoever can reach the keyboard at boot time can do to your server what you just did.