How to reset the root password of any GRUB-based Linux system.
So this hit me hard when Nitesh Singh aka “Technical Navigator” visited our campus and gave a small demo about this. So I researched a little more, and apparently this is a very easy way to reset the password of the root user of a system.
Basically this can be used to break into a Linux system (Mint and Fedora in my case) unless specific measures are taken, e.g. a BIOS/UEFI password, a GRUB password that protects menu editing, full-disk encryption, or rpm-ostree (somehow it doesn’t work on Fedora Silverblue with rpm-ostree. Ask ric96). But we need to try this once more pls.

Also, this is kinda like a .md for tackling different systems. I might add other systems besides Fedora and Mint if they need a noticeably different approach.
Setup
So I set up Linux Mint with defaults. Since Mint is based on Ubuntu, I’m banking on the fact that we will be able to edit GRUB kernel parameters from the GRUB menu. The username and password are set as mint:mint and the root account is locked by default (no password set, so you cannot log in as root directly).

Process

Mint hides the GRUB menu by default, so hold Shift (BIOS boot) or press Esc (UEFI boot) right after the firmware screen to bring it up. Pressing ‘e’ on the highlighted entry lets me edit the kernel parameters, so let’s go do that.


So, there are a few ways of doing this and some work on some systems and some don’t. The simplest is to append rw init=/bin/bash to the end of the line that starts with linux (keep the root= parameter; dropping quiet splash is optional) and boot it with Ctrl-X or F10. This is not really single-user mode: the kernel starts bash as PID 1 instead of systemd, so no services start, nobody asks for a login, and the shell already runs as root. From there, passwd root (or passwd mint) rewrites /etc/shadow.


Since the root filesystem (/dev/sda5 here) is already mounted read-write thanks to rw, passwd can write /etc/shadow directly; without rw you would first need mount -o remount,rw /. Run sync afterwards, and because bash is PID 1 there is no init to talk to, so leave with exec /sbin/init (continues the normal boot) or reboot -f rather than a plain reboot.


You can do this multiple times too. My thoughts directly go towards this being a vulnerability, so let’s test it on an inherently secure OS as well, i.e. Fedora 36, since 37 is still in beta.
Fedora 36 Workstation has SELinux enabled and enforcing by default, so this will definitely be quite different.
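Before moving on to Fedora, the defensive side of the Mint case. The script below is an added example (my own, not from the original post, Mint or the GRUB project) that checks whether a grub.cfg actually demands a password before ‘e’ works, whether its entries stay bootable without that password, and whether root is still locked, and prints the /etc/grub.d/40_custom fragment that closes the hole. It assumes the stock config paths (/boot/grub/grub.cfg on Mint/Ubuntu, /boot/grub2/grub.cfg on Fedora); the shadow lines and the pbkdf2 hash in the sample data are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a GRUB config and a
# shadow file leave the "press e, add init=/bin/bash" route open, and prints
# the fragment that closes it. Paths and sample data are assumptions.

# 0 if the config names a superuser AND a pbkdf2 password: GRUB then asks for
# it before 'e' (edit) or 'c' (command line) work on any entry.
grub_menu_locked() {
    cfg="$1"
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" &&
        grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg"
}

# 0 if every menuentry is --unrestricted, i.e. booting an entry still works
# without the password while editing it does not. Without this an unattended
# reboot stalls at the GRUB password prompt. Whether the generated entries get
# the flag depends on the distribution's /etc/grub.d/10_linux, so check.
grub_entries_unrestricted() {
    cfg="$1"
    total=$(grep -c '^[[:space:]]*menuentry ' "$cfg" || true)
    unres=$(grep '^[[:space:]]*menuentry ' "$cfg" | grep -c -- '--unrestricted' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$unres" ]
}

# 0 if the root entry of a shadow file is locked ('!' or '*' in the hash
# field), which is Mint's default. A real hash there means someone ran
# 'passwd root'.
root_locked() {
    awk -F: '$1 == "root" { found = 1; locked = ($2 ~ /^[!*]/) }
             END { exit !(found && locked) }' "$1"
}

# The /etc/grub.d/40_custom fragment. $1 = GRUB user, $2 = hash produced by
# grub-mkpasswd-pbkdf2 (grub2-mkpasswd-pbkdf2 on Fedora). Regenerate grub.cfg
# with update-grub (Mint) or grub2-mkconfig -o /boot/grub2/grub.cfg (Fedora).
grub_lock_fragment() {
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# Writes constructed sample files into directory $1 for a self-contained demo.
write_samples() {
    dir="$1"
    cat > "$dir/open.cfg" <<'EOF'
set timeout=10
menuentry 'Linux Mint 21' --class linuxmint --class gnu-linux {
    linux /boot/vmlinuz root=UUID=0000-SAMPLE ro quiet splash
    initrd /boot/initrd.img
}
EOF
    {
        grub_lock_fragment admin grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
        sed 's/^menuentry \(.*\) {$/menuentry \1 --unrestricted {/' "$dir/open.cfg"
    } > "$dir/locked.cfg"
    printf 'root:!:19300:0:99999:7:::\nmint:$6$SAMPLE$HASH:19300:0:99999:7:::\n' > "$dir/shadow.default"
    printf 'root:$6$SAMPLE$HASH:19300:0:99999:7:::\n' > "$dir/shadow.reset"
}

# Audit the running system (needs root to read grub.cfg and /etc/shadow).
audit() {
    cfg=/boot/grub/grub.cfg
    [ -f "$cfg" ] || cfg=/boot/grub2/grub.cfg
    if grub_menu_locked "$cfg"; then echo "GRUB menu editing: password required"
    else echo "GRUB menu editing: OPEN ($cfg has no superusers/password_pbkdf2)"; fi
    if grub_entries_unrestricted "$cfg"; then echo "GRUB entries: bootable without password"
    else echo "GRUB entries: some need the password to boot"; fi
    if root_locked /etc/shadow; then echo "root account: locked"
    else echo "root account: has a password"; fi
}

if [ "${1:-}" = audit ]; then audit; fi
```

Run it as sh script.sh audit on the box. A GRUB password only raises the bar together with a firmware password and boot order locked to the internal disk; otherwise the same person boots a live USB and edits /etc/shadow from there. Full-disk encryption is what actually keeps the shadow file out of reach of someone who does not know the passphrase.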
Test on Fedora 36
Again a default install, with user:pass set as fedora:fedora.

Process
Doing this on Fedora is a little different (kinda complex). I’m no Linux wiz, but I’ll try to explain the stuff as best as possible.
First off, we boot into what is loosely called “single user mode”, which is usually used for rescue operations when a system gets corrupted or hangs during a normal boot, so it is used to change configs etc. All in all, it is used for fixing broken stuff. A multi-user system boots into a single superuser shell temporarily, usually for maintenance.
Strictly speaking, what rd.break gives us is not single-user mode but the dracut emergency shell inside the initramfs: the boot stops just before the initramfs hands over to the real root filesystem, which at that point is mounted read-only under /sysroot.

We remove quiet since it suppresses kernel log messages, which can hide the point where the initramfs drops to the emergency shell.
We remove rhgb since we don’t need the graphical boot splash.
Note: keeping both of them there doesn’t hinder the process as far as I know; they only affect what you see on the console.

rd.break → ramdisk break. A dracut option that creates a breakpoint in the boot sequence: the initramfs stops right before switch_root and drops to a root shell, with the real root filesystem mounted read-only at /sysroot.
enforcing=0
Setting this parameter causes the system to start in SELinux permissive mode (policy loaded, denials logged but not blocked), which is useful when troubleshooting issues. Using permissive mode might be the only option to detect a problem if your file system is too corrupted. It matters here because files written from the initramfs shell end up with a missing or wrong SELinux label, and in enforcing mode a mislabelled /etc/shadow blocks every login.




restorecon → restores a file’s default SELinux security context as defined by the policy. After a passwd run from the initramfs, restorecon -v /etc/shadow is the targeted fix for the label (ls -Z /etc/shadow should show shadow_t again).
setenforce 1 → usually used to switch SELinux to enforcing mode; we are using it here both to check that SELinux is active (getenforce prints the current mode) and to set it back to enforcing. Note that setenforce only changes the running mode; the persistent setting is SELINUX=enforcing in /etc/selinux/config, and enforcing=0 on the kernel line only applies to that one boot.

Then, still inside the chroot, just touch /.autorelabel (so the whole filesystem is relabelled as per SELinux policy on the next boot), exit (to leave the chroot), exit again (to leave the emergency shell so the boot continues) and let the system reboot.
The usual rd.break sequence in the initramfs shell, in order: mount -o remount,rw /sysroot, chroot /sysroot, passwd root, touch /.autorelabel, exit, exit.

This process is super fast on fresh systems, but takes longer on systems which have a lot of data in them, because the relabel walks every file.
If we do not add .autorelabel (or run restorecon on /etc/shadow), then with SELinux enforcing we won’t be able to log in as any user: /etc/shadow was written without the policy loaded, so it carries the wrong label and SELinux denies the login stack access to it. With enforcing=0 the login would go through, but the label would still be wrong.
Normal GUI login as root:root
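The flip side for whoever administers the box: both routes leave the extra kernel parameters in the journal, because the kernel logs its full command line at every boot. The script below is an added example (mine, not from the original post or from Fedora) that scans journal output for the parameters used above and reports which boots were tampered with. The sample journal lines are constructed to mimic the format journalctl prints for the kernel’s “Command line:” message; the function names and the file path are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Flags boots whose kernel command
# line carried parameters that bypass the normal login path (rd.break,
# init=/bin/bash, enforcing=0, ...). Input: lines in the format the journal
# prints for the kernel's "Command line:" message. Sample data is constructed.

# Prints "<line-number>:<parameter>" for every suspicious parameter found.
# Collect real input with: journalctl --list-boots, then for each boot
#   journalctl -b <n> -k | grep 'Command line:'
# (/proc/cmdline holds the same string for the current boot).
flag_boot_params() {
    grep -n 'Command line:' "$1" | while IFS= read -r line; do
        n=${line%%:*}
        cmdline=${line#*"Command line: "}
        for tok in $cmdline; do
            case "$tok" in
                # any init= override is reported: a normal boot never spells it out
                rd.break|rd.break=*|init=*|enforcing=0|selinux=0|single|emergency|rescue|systemd.unit=rescue.target|systemd.unit=emergency.target)
                    printf '%s:%s\n' "$n" "$tok" ;;
            esac
        done
    done
}

# Number of distinct boots (log lines) that were flagged.
count_flagged_boots() {
    flag_boot_params "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample: four boots, two of them using the tricks from this post.
write_sample_journal() {
    cat > "$1" <<'EOF'
Oct 12 09:41:02 fedora kernel: Command line: BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.19.14-200.fc36.x86_64 root=UUID=SAMPLE ro rootflags=subvol=root rhgb quiet
Oct 12 09:55:17 fedora kernel: Command line: BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.19.14-200.fc36.x86_64 root=UUID=SAMPLE ro rootflags=subvol=root rd.break enforcing=0
Oct 12 10:03:40 mint kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-5.15.0-48-generic root=UUID=SAMPLE ro quiet splash rw init=/bin/bash
Oct 12 10:30:01 fedora kernel: Command line: BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.19.14-200.fc36.x86_64 root=UUID=SAMPLE ro rootflags=subvol=root rhgb quiet
EOF
}

if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_journal "$f"
    flag_boot_params "$f"
    echo "flagged boots: $(count_flagged_boots "$f")"
    rm -f "$f"
fi
```

Pair this with stat /etc/shadow (a modification time that lines up with a flagged boot) and ls -Z /etc/shadow (anything other than shadow_t on Fedora means the label was never repaired). Someone who already has a root shell can also wipe the local journal, so the check is only reliable when the journal is shipped to a remote log host.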

References
https://fedoraproject.org/wiki/Fedora_Project_Wiki
PS
I’d love to hear about how I can improve this or any other blogs, please don’t hesitate to reach out to JodisKripe on twitter etc. <3