This article is aimed at CentOS 7 and later versions. The previous version is not applicable, and only refers to the modification of root password during startup.
The operation of changing the password itself is not complicated, but the events and commands used in the process are worth studying.
Press the start button;
Press the “e” key in the core startup item;
Fill in rd.break after starting the script boot statement;
Press Ctrl + X and wait for the system to boot to switch_ Re input in root mode;
Rmount command: rmount – sys, enter / remount
Enter the command: chroot / sysRoot
Enter the command: echo “yournewpassword” | passwd — stdin root
Input command: touch / autorelabel
Enter the command: exit
Input command: Reboot
The above methods are taken from official documents. There are some things to pay attention to
The boot statement is the line of Linux = 16. If you can’t find it, you can press and hold the keyboard direction key. Maybe all the statement contents will not be displayed on the screen. Scroll down to see it;
If the virtual machine cannot be displayed correctly during startup, it can be changed to rd.break console = tty0 in the third step and the rhgb and quiet parameters can be removed;
In step 5, please note that there is a comma between remount and RW;
In step 7, replace the quotation marks with your own password;
Understanding the process of changing the boot password is essentially a study of the Linux boot process and the security context (SELinux). Because these two aspects are very profound, this paper only focuses on what happens when changing the boot password. The application of these two aspects involved in a simple study does not involve a deeper principle. If you want to make an in-depth study, please explore by yourself.
I Something you need to know in advance
The most simplified process of Linux startup: power supply BIOS initframfs kernel shell
SELinux status: mandatory, licensed, disabled
II Step by step
0. First, check whether your system is suitable for this method
The current system version will be returned
As shown in the figure, the system version is CentOS 7.9. This method is not applicable to systems below CentOS 7, because the boot mode and boot mode have changed
1. Press the “e” key in the system core when starting up.
Here is the Grub2 menu, which is the bootloader adopted by CentOS.
According to the text prompt, the first one is the time support core below, which is used for system troubleshooting. If you see multiple cores in this step, it means it’s time to clean up useless cores. This situation may be caused by updates. Please clean up your system according to the actual situation.
Tips on this page: use the direction key to change the options up and down, press e to edit the selected options, or press C to open the command prompt. Please select as soon as possible when starting up. This page will only stay for 5S, and then automatically start the core. Press any key to cancel the five second countdown and change to manual operation.
2. Fill in rd.break after the boot statement
After pressing the e key, you will see such a script, but there is no startup item line
Use the arrow keys to scroll down…
The line at the beginning of Linux 16 is the core project. It can be seen that some files, addresses and parameters are specified
Add rd.break at the end. Note that there is a space in front of it.
If it is a virtual machine, it may fail to enter the switch after it appears_ For the root problem, add console = tty0 after rd.break. The reason is that the virtual machine may not be able to connect to the correct terminal, that is, the user cannot see it because the console is not passed to the displayed terminal. Add this sentence to directly tell the system to go directly to tty0, the alias of the current terminal, and tty0 will contain all system information to solve this problem.
If you want to see all the startup information, you need to remove the previous rhgb and quiet parameters. Rhgb (red hat graphics boot) replaces the text information in the startup process with pictures, and quiet will filter out some hardware self-test information
I haven’t encountered these problems in the virtual machine test, and I don’t want to accept those information now, so I just need to add rd.break. If I need to add the above commands, the commands are separated by spaces.
This step is to use rd.break interrupt and initramfs to obtain a root shell in the early stage of boot kernel startup.
When the system starts early, the bootloader will load vmlinuz (bootable kernel) and initramfs (memory virtual file system) in memory. At the beginning of startup, the modules that the core needs to load dynamically are in the disk, but the disk itself can be used normally (mounted) through these modules. Therefore, a solution now in use: use a virtual file system so that the kernel can load the driver and start the required detection and services.
Initramfs will be mounted as rootfs, and the mount point is /, which is the root file system. The kernel loads the driver core modules of these file system and disk interfaces through the provided program interface, and then the kernel will detect whether there is an init program. If there is one, it will execute it. Init will directly hand over the control to SYSTEMd to call the services required for target loading (after centos7). We will stop at this time and tell init not to transfer the control. In this way, the boot will not continue to transfer control. At this time, the real kernel file system has no root file system, and initramfs still has root permission, which can provide us with the necessary conditions for changing the password. (the setting here is only a temporary control, which can only be interrupted and continued at the next startup, not permanently modified)
3. Press Ctrl + X to reboot the system to switch_ Root mode
According to the prompt at the bottom of the screen in the previous step, press Ctrl + X to restart. The system will start with the parameters edited by ourselves and enter the switch_ Root mode, switch_ What is root?
According to the previous step, the system was interrupted during startup and did not continue to be handed over to SYSTEMd for startup. At this time, we need to manually mount the root node. According to the screenshot, we will find that the command line ID is # proof that we have the highest permission in rootfs, but we also did not enter the required Linux core at this time. Initramfs is not where we need to change the password, We need to switch to the core to operate.
switch_ Root: it is a solution provided by busybox to switch to the root node through commands. This command must be called by the process with PID = 1, and the process we are currently using is init with PID = 1
4. Re mount the core node and switch to follow
We can first take a look at the current mounting situation and use mount to view it
All the mounting conditions are listed. In the box selection, we can see that the root is mounted at / sysRoot. Then look back at the details. It describes that its reading and writing conditions are read-only. I tried to change the password directly in this case and prompted some random codes. It should describe the error information. Ignore and start it. It is found that the modified password is invalid and the old password can enter normally, indicating that the modification failed, Therefore, you still need to mount the core to read-write status before you can modify it.
1. First, you need to re mount the mounted root. The command is as follows:
mount -o remount,rw /sysroot
2. After mounting, change the following command to sysRoot /
If you don’t feel at ease, you can mount it again and check whether it is readable and writable
When we see here, we have entered the core mount point.
5. Modify the password and create an automatic recovery flag
After switching, we can change the password. After changing the password, you also need to create an automatic recovery file Autorelable, what is this? Why create it? First look at the operation steps
1. Use the passwd command to recreate the password. The command is as follows
echo “YourNewPassWord” | passwd –stdin root
2. Create an automatic recovery mark file in the root directory. The command is as follows
There’s nothing to say about changing the password, but why create it For autorelable files, you still need to know what SELinux is. The simplest explanation is that Linux ensures the security of the whole file system through such a core module. Is a subsystem of Linux. If you want to manually control the policy, the content involved is very complex, but the user can simply command and modify his main configuration file to modify the basic state of the current operation. Among them, the security context is the core part of SELinux. He requires that the upper and lower marks of the file accessed by the process must correspond to each other, and this mark is automatically marked by SELinux without our manual intervention, However, some operations will destroy the integrity of the security context, such as the operation of changing the password when we start up.
When we use the passwd command to change the password, we will create a new / etc / shadow file, then apply the SELinux flag to the new file, and then copy the old shadow file and write the new password. There is no problem with this step itself, but at this time, a real operating system is not actually running, and most processes, including SELinux, are not running (you can use getenforce to see the status, and you will find that the status is disabled). The process of changing the password has not been verified. The new shadow file does not have a context security ID, so there is no problem when SELinux is not running. However, the problem is that SELinux is turned on by default and the operation policy is enforced. That is to say, when we start up, the file after changing the password will not be used due to the context, and the direct consequence is that no matter using the old or new password, we cannot enter the system.
But there are several ways to solve this problem. The first is to create in the root directory Autorelable, which will enable SELinux to re mark the entire file system when it starts up, including the shadow files affected when we change the password. At the same time, it is also the safest way and officially recommended by RedHat. I tested using this method to recover. After initramfs restarts, the system will go through a marking process and restart again. After startup, this file cannot be found under /. At present, it is speculated that it may be automatically removed by SELinux after the process is completed. The overall process takes a long time. When the virtual machine is newly created without any other files, it takes about four minutes from executing the restart command to starting up (simplified installation), especially when the hardware performance is not increased or there are too many files. Therefore, we may not use this method. Other methods are described below.
6. Exit and restart
This step is to exit from the temporary follow-up system and restart in initramfs. There is nothing more to say. Just use the corresponding command.
1. Exit with the following command:
Return to switch_ root
After restart, you can log in to the root account with the modified password
Other ways to change the password
I Recover files manually
We can use some methods to skip the overall re marking of the system by SELinux. First, we need to modify the previous steps. The previous steps remain unchanged. After changing the password, we don’t need to execute touch / Autorelabel this step, directly execute exit and restart.
When you boot grub again, continue to press e to edit the kernel startup item, but this time only add one sentence: enforceing = 0. This command means to adjust the SELinux operation mode to the license mode. Carry this parameter when you boot, and the SELinux operation mode will be adjusted when you boot this time.
At this time, you can log in with the previously modified password. After startup, use getenforceto check and find that the running state is the license mode. Further check the configuration file and find that it is still the mandatory mode, because we only modified the mode at this startup and did not write it in the configuration. We just use the feature that the license mode does not enforce the policy to enter the system. At this time, what we need to do is to manually reply to the file with incomplete context.
You can see that permission is running at present, but the configuration is still enforced.
We can manually restore the file context through the restorecon command. Here, you can choose to restore only the file / etc / shadow or a directory. If you restore the file, you only need to execute
Restorecon / etc / shadow is OK, but the – R parameter needs to be added to restore the directory, which represents recursion. If you need to view the process, you also need to add – V
Restorecon – RV / etc, which is OK. After that, you can manually change the operation mode to forced mode by using the setenforcecommand, or restart directly.
When the shell is started, we can also specify a PID number at the shell to start the system.
After pressing the boot key, add init = / bin / bash after the kernel boot statement, and then press Ctrl + X to boot. The subsequent operations are shown in the figure below
Similarly, we need to mount the root node to be read-write, otherwise it cannot be modified, but please note that the mount point here is /, not / sysRoot
The next step is to change the password and create a relabel. However, it should be noted that reboot or init cannot be used to restart or continue the startup. If you directly use the command, the prompt command returned cannot be found. This is because we use a default bash environment at this time. The lack of environment variables leads to a large number of commands that cannot be found by the system.
The startup method that can be used at this time is the exec command, which is executed by specifying the absolute path of the command, but there are also problems. After testing, it is found that exec can only continue to start by specifying the absolute path of the init command, but cannot reboot. The following is my guess: under bash, enter / SBIN, execute LS – Al | grep “init” and replace it with reboot. It will be found that init points to / lib / SYSTEMd / SYSTEMd, Reboot points to / bin / systemctl
In the default bash environment, due to the lack of environment variables, the service cannot be managed through systemctl, resulting in the inability to execute reboot, because the reboot command is a link to systemctl. However, you can execute init, continue to start the system through SYSTEMd, and verify the normal boot. It is found that after boot, you can use exec to execute normally through the path of reboot. This is my guess. Whether it is correct needs to be determined later by understanding the Linux startup process and service management.
But there is still a problem. If you didn’t create it before in order to save time For autorelabel, you need to manually restart again and add enforceing = 0 to start it. Otherwise, you can’t start it with a new password. Therefore, if you use the specified bash method to modify the password, you’d better add relabel.
I SELinux is not running when initramfs is running.
SELinux is some modules in the Linux kernel, but the kernel is not loaded and started at this time. Naturally, the relevant processes of SELinux will not be started. At this time, it is meaningless to use commands to modify the state of SELinux.
II Changing the password in disabled or licensed mode will not cause context problems.
As mentioned earlier, the password is invalid because the SELinux policy is enforced at startup, but if SELinux has been adjusted to disabled or licensed mode, it will not be blocked. However, RedHat does not recommend completely disabling SELinux, because the licensed mode also meets our needs and will record some abnormal behaviors to facilitate troubleshooting when restoring the forced mode in the future.
III Why not use the emergency mode provided in the grub menu
Emergency mode also requires a password to enter
IV When modifying the startup item, if “ro” in this line is changed to “RW”, when booting and restarting again, the root node will be read-write directly, and there is no need to mount it again
1. Rd.break: I didn’t find such a command, but someone said that the RD part here means initializing the virtual memory disk, that is, decompressing initramfs into memory and mounting it as rootfs /. Yes, this part has not been to the hard disk, and the file system also runs in memory, which refers to the virtual memory hard disk (ramdisk). A break instruction is given here, which naturally means that it will be interrupted after mounting and will not continue.
2. Mount: used to mount the file system.
Format: Mount [- LHV] mount – a [- fnrsvw] [- t vfstype] [- O optlist] mount [- fnrsvw] [- O options [,…]] device | dir mount [-fnrsvw] [-t vfstype ] [-o options ] device dir
Description: in UNIX system, all accessible files are organized into a large tree structure, called file hierarchy, with / as the root. These files can be distributed across multiple devices. The mount command is used to mount the file system on the device to this tree structure.
Options used: – O: used to specify the following mount items.
Remount: attempt to remount a mounted file system. This option is usually used to change the mount flag of the file system, especially to make a read-only file system read-write. It does not change the device or mount point.
RW: mount the file system as read / write.
Here, the comma is used to connect the two mount items remount and RW after – O
3. Chroot: run command or interactive shell with special root directory, run command or interactive shell with special root, and switch with.
Format: chroot [option] newroot [command [Arg]…]
Description: run the command in the root directory or switch to the new root directory
Options used: None
4. Touch: it has two main functions. It mainly uses the function of creating files, but the original text here is: Touch – change file timestamps
Format: touch [option] FILE…
Description: update the access and modification time of each file to the current time, and the nonexistent file parameters will be created as empty unless – C (- – no create does not create any file) or – H is provided. (– no dereference only affects the symbolic link itself, not the destination indicated by the symbolic link (this option is useful when the system supports changing the owner of the symbolic link))
Options used: None
5. Echo: output a line of text
Format: echo [short-option] [STRING]…
Description: echo a string to standard output.
Options used: none, direct text. Here, manually enter the new password as standard output and pass it to the following passwd through the pipe symbol |
6. Passwd: update the user identity authentication token, that is, change the password
Format: passwd [- k] [- l] [- u [- F] [- D] [- e] [- n mindays] [- x maxdays] [- W warnings] [- I inactive days] [- S] [– stdin] [username]
Description: the passwd utility is used to update the user’s authentication token. This task is achieved by calling the linuxpam and libuser APIs. In essence, it uses Linux PAM to initialize itself as a “passwd” service, authenticate with the configured password module, and then update the user’s password.
Options used: – stdin: this option is used to indicate that passwd should read the new password from standard input (which can be a pipe).
7. Restorecon: restore the default SELinux security context of the file. Is to repair
Description: This program is mainly used to set the security context (extended attribute) of one or more files. It can also run at any other time to correct inconsistent labels, add support for newly installed policies, or use the – N option to passively check whether the file context is set to be specified by the active policy (the default behavior).
Option used: add at least – r if repairing the folder
8. Setenforce: modify the running mode of SELinux.
Format: setenforce [enforcing permission | 1 | 0]
Description: use force or 1 to put SELinux in force mode. Use permissive or 0 to put SELinux in permissive mode.
Options used: choose the right one.
9. Getenforce: get the current mode of SELinux
Description: reports whether SELinux is mandatory, licensed, or disabled.
Options used: None
10. Exec: call and execute the specified command
Format: exec (option) (parameter)
Description: the command used to call and execute instructions is usually used to call other commands in the shell script. If it is executed in the current terminal, it will exit the terminal immediately after the execution of the currently specified command
When judging the persistence layer: Problem: there is such a problem when modifying user information. For example: the user’s email is not required. It was not empty originally. At this time, the user deletes the mailbox information and submits it. At this time, if it is not empty to judge whether it needs to be […]