So, you got physical access to a machine, but you don’t remember (or never knew) the root password. This post will walk you through how to reset the root password on a CentOS 7 system.

At the boot menu, press e to edit the desired boot entry

Now go to the end of the line that starts with linux16 (you can quickly do it with Ctrl-e or End key, Ctrl-a or Home for the beginning of a line) and add rd.break enforcing=0 to it. The first paramenter will interrupt the boot process to drop into a shell, and the second one sets SELinux to permissive mode, needed for a quicker way of resetting the password that doesn’t require file relabeling at the end.

Also remove the rhgb and quiet parameters to see more debugging information. These are described in https://www.redhat.com/archives/rhl-list/2004-May/msg07775.html

rhgb = redhat graphical boot – This is a GUI mode booting screen with most of the information hidden while the user sees a rotating activity icon spining and brief information as to what the computer is doing.

quiet = hides the majority of boot messages before rhgb starts. These are supposed to make the common user more comfortable. They get alarmed about seeing the kernel and initializing messages, so they hide them for their comfort.

Next, press Ctrl-x to boot with the new options. You will be dropped into an initramfs switch_root shell.

This could be confusing to someone new. Basically, initramfs is a temporary filesystem loaded into memory, that the kernel can access really early, in order to offload some startup tasks. It is also called early user space, and it takes care of steps that would be too cumbersome to include in the kernel, such as loading kernel modules and drivers needed for boot. This allows the kernel to remain relatively lean and not do by itself all the possible configurations. This initramfs image is a CPIO archive that gets unpacked into a tmpfs (a temporary filesystem stored in memory) and becomes the initial root filesystem.

Now, the filesystem is already mounted read-only inside /sysroot. To makey any changes, you have to mount it as read-write: mount -o remount,rw /sysroot

Finally, change the root directory to /sysroot in order to run a shell from it: chroot /sysroot. Now your prompt will change to sh-4.2# and from here you can change the password normally, by using passwd. You should get the message that all authentication tokens updated successfully. Since you updated the password, you changed /etc/shadow and now it won’t be labeled correctly with a SELinux security context. You have to force a relabel of all the files at next boot, by creating an .autorelabel file: touch /.autorelabel.

Now type exit twice to exit the chroot environment first and then to exit the initramfs shell which will cause a reboot. The relabeling will take a while, and then you can use the system.

To skip the relabeling process, if you used enforce=0, you can restore the context of the shadow file with restorecon /etc/shadow. Then you have to remember to set SELinux back to enforcing, by running setenforce 1

Apparently, when you have an RHCSA exam, you start from getting a machine that you have to reset the root password for, which is really cool. Don’t get caught unprepared!

Learn more

https://www.certdepot.net/rhel7-interrupt-boot-gain-access-system/

Kernel command line parameters

switch_root and initramfs

1
2
3
4
5
6
7
8
9
10
11

 _________________________________________
/ Be careful of reading health books, you \
| might die of a misprint.                |
|                                         |
\ -- Mark Twain                           /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||