
I'm trying to wrap my mind around exactly how password reset procedures work in CentOS/RHEL 7 and I'm missing some fundamental knowledge.

In several different examples I see that chroot /sysroot is necessary but I don't understand why or what this step is specifically doing. Example verbiage:

  • (Source A) "5 – Now access the system with this command."
  • (Source B) "BOOM. You are in single user mode. The shell prompt! --looks like :/#
    type chroot /sysroot"
  • (Source C) "then use chroot to go into a chroot jail"

Suffice it to say, these procedures are a little sparse on explanation. :-( Can someone please elaborate a little more?

Mike B
  • This might help : https://unix.stackexchange.com/questions/191618/what-is-the-difference-between-these-two-ways-of-reseting-the-root-password – Amit Singh Dec 30 '17 at 07:30

2 Answers


You're talking about the procedure to reset a lost root password. This is needed only when the root password is lost and there is no sudo root access or similar available.

At boot, the bootloader (usually GRUB) loads 2 files: the kernel and the initramfs (also known as initrd) file. The initramfs file contains a minimal filesystem that includes any tools and kernel modules required to activate the real root filesystem, its disk controller(s) and other features necessary to activate it (e.g. any combination of: LVM, disk encryption, multipathing and/or software RAID).

The rd.break boot option tells the boot sequence to stop while the system is still using initramfs, but the real root filesystem is already mounted at /sysroot. Normally the next step would be a pivot_root operation to switch /sysroot into a real root filesystem, start executing stuff from there and then remove the initramfs from memory.

By stopping within the initramfs we gain access to the emergency shell. But the initramfs has a very limited number of commands available, and editing the initramfs's /etc/passwd file would achieve nothing as the entire initramfs gets replaced by the real root filesystem anyway.

The root filesystem is initially mounted in read-only mode in order to allow filesystem checking. The first step is to remount it read-write, to allow the password change to stick.

The chroot /sysroot command means: "start a new shell in such a way that for that shell the /sysroot directory will appear as /." Within that chrooted shell, /etc/passwd and /etc/shadow will refer to the real password files in the real root filesystem, and /bin/passwd will be the same command you'll use when the system is running normally. Since this chrooted shell was started from the emergency shell, you already have full root access, and you can use the passwd command to set a new password for anyone without being asked for the old one first - including setting a new root password.

Once the procedure is complete, the first exit command will exit the chrooted shell and return you to the initial emergency shell, which still sees the real root filesystem as /sysroot. The second exit command will return control to the boot scripts, which usually trigger a reboot whenever the emergency shell has been used.

Was this the sort of explanation you needed?

telcoM
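The procedure telcoM describes, written out as a shell script for the dracut emergency shell. This is an added example and not part of either answer. It assumes the real root is already mounted at /sysroot (as it is after booting with rd.break), reads the ro/rw state from /proc/mounts rather than remounting blindly, uses chpasswd (which reads user:password from stdin) in place of the interactive passwd so the new password can be piped in, and adds touch /.autorelabel, a step the answers do not mention but which is needed when SELinux is enforcing so the rewritten /etc/shadow is relabelled on the next boot.

```shell
#!/bin/sh
# Added example: the rd.break root-password reset as a script for the dracut
# emergency shell. Paths and commands assumed from the answer above
# (initramfs emergency shell, real root filesystem mounted at /sysroot).

# Print the mount options for MOUNTPOINT from a /proc/mounts-style table read
# on stdin (fields: device mountpoint fstype options dump pass).
# Prints nothing and returns 1 if the mountpoint is not in the table.
mount_opts_for() {
    awk -v mp="$1" '$2 == mp { print $4; found = 1 } END { exit !found }'
}

# Return 0 if a comma-separated option list contains the "ro" flag.
opts_readonly() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# The whole procedure. Meant to be run from the emergency shell after booting
# with rd.break; takes "root:newpassword" on stdin.
reset_root_password() {
    root="${1:-/sysroot}"

    # Step 0: make sure rd.break actually left the real root at $root.
    opts=$(mount_opts_for "$root" < /proc/mounts) || {
        echo "$root is not mounted: rd.break stopped before the root fs was found" >&2
        return 1
    }

    # Step 1: the root fs is mounted read-only for fsck; remount it read-write
    # so the password change can be written to /etc/shadow.
    if opts_readonly "$opts"; then
        mount -o remount,rw "$root" || return 1
    fi

    # Step 2: inside the chroot, /etc/shadow is the real one, and we are
    # already root, so no old password is asked for. chpasswd is used here
    # instead of the interactive passwd so the script can be piped into.
    chroot "$root" /usr/sbin/chpasswd || return 1

    # Step 3 (not in the original answer, standard on SELinux systems):
    # shadow was written without an SELinux context; ask the next boot to
    # relabel the filesystem, otherwise logins can still fail.
    touch "$root/.autorelabel"
    return 0
}

# Only perform the real reset when explicitly asked, e.g. from the emergency
# shell:   printf 'root:NewPass\n' | sh reset-root.sh run
if [ "${1:-}" = run ]; then
    reset_root_password /sysroot
fi
```

After the script returns, a single exit from the emergency shell hands control back to the boot scripts (the answer notes this normally reboots); the double exit in the answer applies only when you chroot into an interactive shell, which this script does not do.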

In single user mode the file-system is mounted in /sysroot either read-only (by default) or in read-write mode if ro is replaced with rw init=/sysroot/bin/sh.

Now we need to change root file system to /sysroot using chroot /sysroot before resetting root password.

This is official Red Hat documentation regarding this.

Abhik Bose