Linux System Password Reset

First published — Aug 06, 2023
Last updated — Aug 06, 2023
#init #aaa #funny

Unix, Linux password reset. Bootloader, grub, init, mount, passwd, reboot, sysrq. Funny story.

Introduction

Root user can change passwords for all users. Non-root users must know the current password to be able to change it.

If you have forgotten your root password (or the password for the account through which you access root), you will not be able to reset it or even log in to the system.

However, there is a trick to help with this.

When the computer starts up, after the low-level stuff is initialized (e.g. the BIOS part on the PC architecture), it will load a bootloader program. The bootloader will then load the first or default OS entry configured in it, which is your Linux installation.

The bootloader can pass additional arguments to the Linux kernel. One of the parameters is init=. It specifies which program the kernel will run after it initializes itself. By age-old convention, this program is called /bin/init. It is the first and only process started by the kernel, and when it starts up it takes care of booting the rest of the system.

The option to override the kernel’s default init was originally added to make it possible to test upgraded versions of init. The upgrade would usually configure the kernel to boot with init=/bin/newinit on the next attempt, and if that went OK, /bin/newinit was copied over the old /bin/init, and the init= setting was reverted to its default value.

But by modifying the init= argument ourselves to start a shell like /bin/sh instead of /bin/init, we can get root access to the machine without a password.

Note that this is only possible if the bootloader has been configured to allow modifying the entries, and if it has not been password-protected. But in almost all default installations it is unlocked and allows modification, so this method can be used.
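The condition described above, whether the bootloader lets anyone at the console edit entries, is something an administrator can check. The following POSIX shell audit is an added example, not code from the original article: it reports whether a GRUB 2 configuration requires a superuser password before menu entries can be edited, and it extracts any init= override from a kernel command line (e.g. the contents of /proc/cmdline). The grub.cfg path and the two sample configurations are constructed assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original article). Assumes a GRUB 2 style
# grub.cfg; Debian/Ubuntu keep it at /boot/grub/grub.cfg, Fedora/RHEL at
# /boot/grub2/grub.cfg. Returns 0 when editing is locked, 1 when it is open.
grub_edit_locked() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    # GRUB 2 only prompts for a password when both a superuser list and a
    # matching password (password_pbkdf2 or plain password) are configured.
    if grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" &&
       grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$cfg"; then
        echo "locked: editing boot entries requires the GRUB superuser password"
        return 0
    fi
    echo "UNLOCKED: boot entries can be edited at the console without a password"
    return 1
}

# Print the value of an init= parameter in a kernel command line, if any.
# Useful against /proc/cmdline to verify how the running system was started.
cmdline_init_override() {
    for tok in $1; do
        case "$tok" in
            init=*) printf '%s\n' "${tok#init=}"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample configurations (the hash is a placeholder, not a real one).
write_samples() {
    SAMPLE_LOCKED=$(mktemp); SAMPLE_OPEN=$(mktemp)
    cat >"$SAMPLE_LOCKED" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_HASH
menuentry 'Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro quiet
}
EOF
    cat >"$SAMPLE_OPEN" <<'EOF'
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda1 ro quiet
}
EOF
}
write_samples
grub_edit_locked "$SAMPLE_LOCKED"
grub_edit_locked "$SAMPLE_OPEN" || true
cmdline_init_override "$(cat /proc/cmdline 2>/dev/null)" || echo "no init= override on this boot"
```

Entries marked --unrestricted can still be booted without the password, but editing them (which is what the trick needs) is what the superuser password gates.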

Bootloader Phase

The session to reach the bootloader and boot a kernel with modified configuration could look like this:

  1. Reset the computer.

  2. Wait for the bootloader menu to show up. If it does not show up automatically, try holding the Alt or Ctrl key during boot. If it still does not show up, try resetting the machine while it is halfway booted into Linux. The bootloader might detect a problem and automatically show the prompt on the next boot.

  3. In the bootloader, locate the entry which you want to boot. It is usually the first entry in the list.

  4. Edit the boot entry (usually by pressing ’e’ to edit).

  5. In the configuration, find a line which mentions “vmlinuz” (not line that mentions “initrd” or any other line).

  6. On the line which refers to “vmlinuz”, press End on the keyboard, or use any other method to get to the end of the line (although any position after “vmlinuz” is fine).

  7. Append or insert the text init=/bin/sh, ensuring it is either at the end of the line or has spaces around it.

  8. Boot into the modified entry (usually by pressing ‘Ctrl+x’ to boot the current configuration).

Shell Phase

When the machine boots, instead of the usual startup procedure you will be greeted by the root prompt (#). This will be a limited environment because there will be no “job control” in it, and also there will be no TAB completion or other conveniences because we have started sh instead of bash. But it will be more than enough for our purpose, and you could also run bash or other shells if needed.

Once in the shell, you need to make sure that the root partition is mounted read-write, and then you can change the password. Afterwards, you need to remount the partition back to read-only, to ensure that all buffers are flushed to disk and that the partition will be unmounted cleanly when you reboot.

The whole terminal session might look like this:

# mount -o remount,rw /
# passwd SOME_USERNAME
# mount -o remount,ro /

Rebooting

Reboot the machine by typing reboot or shutdown -r now, or pressing Ctrl+Alt+Del or Alt+SysRq+b. (On typical PC keyboards, the SysRq key is labeled “Print Screen”.) Alternatively, just hard-reset the machine.

(For more information about the “magic SysRq key” see Linux Magic System Request Key Hacks.)

Which of these methods succeeds in rebooting may vary, because the machine was booted into a limited environment.

After rebooting, you should be able to log in normally, using the new password.

Funny Story - Password Reset Prank

In the late ’90s I told the trick about init=/bin/sh to a friend. He went to his college campus and changed the root password on one of the machines that was used for Usenet posts (mostly binaries). He changed it two or three times that week.

(Important for the story: on Unix there is a thing called motd – message of the day. It is used for notifications from system administrators to users. Administrators save any important message to the file /etc/motd and it gets displayed to users automatically on the login screen.)

A couple of days after the root password had been repeatedly reset, the following message appeared in the machine’s motd:

I KNOW WHO IS DOING THIS AND WILL DEAL WITH HIM!!!!

Funny Story - Pepper Bites!

A college campus I knew of in the late ’90s ran the SGI IRIX operating system on a number of machines.

One local user brute-forced the systems administrator’s root password. The password was pepper4.

Then, he decided to prank the admin one evening and change the password. He changed it from pepper4 to pepper5.

He also sent the admin an email from the admin’s own address, further mocking him.

In the morning he realized the inappropriateness and tried to use root access to delete the email. However, it was too late: the email had already been read.

Automatic Links

The following links appear in the article:

1. Linux Magic System Request Key Hacks - https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html