If we don't know the root password and don't have root access to the machine, how can we change the root password?
3 Answers
Here are a few ways I can think of, from the least intrusive to the most intrusive.
Without Rebooting
With sudo: if you have sudo permissions to run passwd, you can do:
sudo passwd root
Enter your password, then enter a new password for root twice. Done.
Editing files: this works in the unlikely case you don't have full sudo access, but you do have access to edit /etc/{passwd,shadow}. Open /etc/shadow, either with sudoedit /etc/shadow, or with sudo $EDITOR /etc/shadow. Replace root's password field (all the random characters between the second and third colons :) with your own user's password field. Save. The local root has the same password as you. Log in and change the password to something else.
These are the easy ones.
Reboot Required
Single User mode: This was just explained by Renan. It works if you can get to GRUB (or your boot loader) and you can edit the Linux command line. It doesn't work if you use Debian, Ubuntu, and some others. Some boot loader configurations require a password to do so, and you must know that to proceed. Without further ado:
- Reboot.
- Enter boot-time password, if any.
- Enter your boot loader's menu.
- If single user mode is available, select that (Debian calls it ‘Recovery mode’).
- If not, and you run GRUB:
  - Highlight your normal boot option.
  - Press e to enter edit mode. You may be asked for a GRUB password there.
  - Highlight the line starting with kernel or linux.
  - Press e.
  - Add the word ‘single’ at the end. (don't forget to prepend a space!)
  - Press Enter and boot the edited stanza. Some GRUBs use Ctrl-X, some use b. It says which one it is at the bottom of the screen.
Your system will boot up in single user mode. Some distributions won't ask you for a root password at this point (Debian and Debian-based ones do). You're root now. Change your password:
mount / -o remount,rw
passwd # Enter your new password twice at the prompts
mount / -o remount,ro
sync # some people sync multiple times. Do what pleases you.
reboot
and reboot, or, if you know your normal runlevel, say telinit 2 (or whatever it is).
Replacing init: superficially similar to the single user mode trick, with largely the same instructions, but requires much more prowess with the command line. You boot your kernel as above, but instead of single, you add init=/bin/sh. This will run /bin/sh in place of init, and will give you a very early shell with almost no amenities. At this point your aim is to:
- Mount the root volume.
- Get passwd running.
- Change your password with the passwd command.
Depending on your particular setup, these may be trivial (identical to the instructions for single user mode), or highly non-trivial: loading modules, initialising software RAID, opening encrypted volumes, starting LVM, et cetera. Without init, you aren't running dæmons or any other processes but /bin/sh and its children, so you're pretty literally on your own. You also don't have job control, so be careful what you type. One misplaced cat and you may have to reboot if you can't get out of it.
Rescue Disk: this one's easy. Boot a rescue disk of your choice. Mount your root filesystem. The process depends on how your volumes are layered, but eventually boils down to:
# do some stuff to make your root volume available.
# The rescue disk may, or may not do it automatically.
mkdir /tmp/my-root
mount /dev/$SOME_ROOT_DEV /tmp/my-root
$EDITOR /tmp/my-root/etc/shadow
# Follow the `/etc/shadow` editing instructions near the top
cd /
umount /tmp/my-root
reboot
Obviously, $SOME_ROOT_DEV is whatever block device name is assigned to your root filesystem by the rescue disk and $EDITOR is your favourite editor (which may have to be vi on the rescue system). After the reboot, allow the machine to boot normally; root's password will be that of your own user. Log in as root and change it immediately.
Other Ways
Obviously, there are countless variations to the above. They all boil down to two steps:
- Get root access to the computer (catch-22 — and the real trick)
- Change root's password somehow.
- Any way to do this remotely? Assuming that SSH got shut down. – CMCDragonkai, Jun 11, 2014 at 9:19
- Without SSH (or, presuming any of the other, scarily insecure methods like rsh or telnet), you don't have remote access to the machine, so you can't change the password. Unless of course the target computer has a known remotely exploitable issue which can help you somehow spawn a shell. The thought terrifies me more than a telnet daemon running on it. :) – Alexios, Jun 16, 2014 at 8:59
- So I would have to physically teleport there to fix it? – CMCDragonkai, Jun 16, 2014 at 9:02
- WRT "Change root's password somehow", see here: unix.stackexchange.com/a/168422/25985 – goldilocks, Nov 17, 2014 at 12:56
- @CMCDragonkai, your question has been discussed on Quora: What is a way to hack a computer system remotely?. – Alexey, Apr 14, 2020 at 13:52
This should work on just about any distro, I think.
If you can access the root partition from another system, e.g. a live CD, you can as root from there edit /etc/shadow; first you have to chmod u+w shadow. Find the entry for root, it's probably the first one and looks something like this:
root:$6$asdG0[..etc...]ae/:15666:0:99999:7:::
Erase everything between the first two colons so you end up with:
root::15666:0:99999:7:::
Then chmod u-w shadow. You can now reboot the system and root will have no password. You can just type root at the login prompt and it won't ask for one. You can then use passwd to set one.
To be extra careful:
- Create a backup copy of /etc/shadow first.
- Don't log in as anyone but root until you've set a new password. This is not critical, but guards against the theoretical possibility of unprivileged malware making some kind of hail mary pass ("Hey, maybe there's no root password..."). Kinda far-fetched IMO.
- That will work, but boy does it make me *cringe* to remove the password on a root account. I take it Ubuntu doesn't drop you in a root shell in runlevel 1? Or wouldn't a better idea be to run passwd in a chroot environment from the live CD? – SailorCire, Nov 17, 2014 at 14:50
- If you feel safer trying those other methods first, go ahead. But as long as you don't leave the system without a root password, this should be fine. There wouldn't be a point in malware that tried to exploit this, because if it were running at boot, it already has root privileges anyway. So don't log in as anyone else first, I guess (might be a problem on systems that don't allow root in via the display manager, unless you can switch to console). Even then it seems pretty unlikely. – goldilocks, Nov 17, 2014 at 15:03
- I'm very doubtful about the malware possibility as well. However, the idea behind what I suggested is that it prohibits the "Oh I'll change it later, because it works now" type of mentality that a lot of us fall in to. – SailorCire, Nov 17, 2014 at 17:59
- You can also refer to this answer for ways to manually generate a password for /etc/shadow – NullUser, Dec 8, 2015 at 16:54
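An added check, not part of either answer above: after a recovery that copies a user's hash into root's field or blanks the field, this shell function audits a shadow-format file for an account with an empty password field and for a root hash shared with another account. The function name audit_shadow and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Audit a shadow-format file for leftovers of a password recovery.
# Usage: audit_shadow [FILE]   (defaults to /etc/shadow; reading it needs root)
# Prints one finding per line and returns 1 if anything was found.
audit_shadow() {
    awk -F: '
        # Field 2 is the password field (between the first and second colon).
        # Empty means the account logs in with no password at all.
        $2 == "" { print "EMPTY " $1; bad = 1; next }
        # "*", "!" or a "!"-prefixed hash means password login is disabled.
        $2 ~ /^[!*]/ { next }
        $1 == "root" { roothash = $2 }
        { hash[$1] = $2 }
        END {
            # A root hash identical to another account means the copied
            # field was never replaced with a password of its own.
            for (u in hash)
                if (u != "root" && roothash != "" && hash[u] == roothash) {
                    print "SHARED root " u
                    bad = 1
                }
            exit bad + 0
        }
    ' "${1:-/etc/shadow}"
}

# Constructed sample (placeholder hashes): root blanked, daemon locked.
sample=$(mktemp)
printf '%s\n' \
    'root::15666:0:99999:7:::' \
    'daemon:*:15666:0:99999:7:::' \
    'alice:$6$constructed$hashA:15666:0:99999:7:::' > "$sample"
audit_shadow "$sample" || echo "findings above: set a root password now"
rm -f "$sample"
```

Run it against the mounted copy (for example /tmp/my-root/etc/shadow) before rebooting, and again on the live system after running passwd.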
Judging from the tags I take that you're using RHEL, but this solution should work equally well for all distros.
If the root password is forgotten, you can boot in single-user mode and use this to change the password. This approach is described in the Red Hat step-by-step guide:
- Enter the GRUB menu and press e.
- Choose the line that begins with kernel, press e again.
- At the end of this line, put single. Then press ENTER and boot from it.
You will eventually get to a prompt where you can type passwd root and change the password. Then type reboot to reboot the system.
- This will work only if you don't have any boot passwd. – pradeepchhetri, Apr 7, 2012 at 6:33
- And if you're not using /sbin/sulogin for single-user shell (it will prompt for root's password). – James O'Gorman, Apr 7, 2012 at 9:52
- If you can get to the file system you can edit /boot/grub/grub.conf to remove the bootloader password and /etc/inittab to change the single-user shell to something like /bin/sh (cc @pradeepchhetri) – NullUser, Dec 8, 2015 at 16:49