[SOLVED] Intrepid install Failed. Need to get to single user root mode

[davidkahn]

I have set up Grub to require a password to select recovery alternative modes. However, in the past when I selected a "Recovery Mode" version of a kernel, it went directly to a command prompt logged in as root. Now with Intrepid I come to a new menu that has an entry "Drop to root shell prompt", which I can't use because it then asks for the root password, and in Ubuntu you don't know root's password because the root account is locked.

I don't have earlier versions of Linux on the disk that I perhaps would go directly to the command prompt logged in as root.

When I enter "e" to edit the grub commands before booting I see:

lock
kernel /boot/vmlinuz-2.6.27-7-generic root=/dev/md0 ro single
initrd /boot/initrd.image-2.6.27-7-generic

Is there something I can add to the kernel command line to have it go directly to the single user cammand prompt as root?

Can I reinstall Hardy over this disk without losing all of my personal data?

What else could I do?

Please help.

David

[davidkahn]

I don't know if anyone is going to read this, since there were no replies to my question. But since I solved it, I wanted to post my solution for other people. Moreover, if requiring a password to get to the single user prompt logged in as root was intended to improve security, I just found a security hole. This hole might not apply to my computer because I setup /boot/grub/menu.lst to cause grub to require a password to edit the grub boot parameters. But since many people don't, this procedure is a security hole for them.

I used grub to perform a one-time edit of the boot line:

kernel /boot/vmlinuz-2.6.27-7-generic root=/dev/md0 ro single

and made it:

kernel /boot/vmlinuz-2.6.27-7-generic root=/dev/md0 rw init=/bin/bash

Booting then brought me to a command prompt as root, with the file system being read-write. I then used the passwd program to set root's password to a known value, and now I can select menu item that has an entry "Drop to root shell prompt", and enter root's password.

However, having a (presumably) crackable root password seems so un-Ubuntu. So I am wondering if anyone else has a more elegant solution.

[Dave_Connor]

This is with physical access to your machine. Linux is more prevent online attacks but there are measures against people you don't trust accesssing your machine physically.

[bodhi.zazen]

First of all, the default behavior in Ubuntu when you boot to recovery mode is to boot to a root shell without asking a password.

The only time you will be asked a password is if you change the default behavior or set a root password.

Second, in a nut shell you are asking about how to secure a box from someone who has physical access, and the short answer to that is you can not. BIOS passwords, grub passwords, root passwords, all that is easily defeated.

The only "protection" you have is encryption. Encryption will protect sensitive data, but beyond that physical access == game over

[davidkahn]

I had to set the root password to install a modem/fax driver, and wanted to unset it to get back to Ubuntu's standard security model. My understanding was that the way to do this was to run:

sudo passwd --lock root

This certainly makes it very difficult to log in as root.

However, after I did that, grub still asked for root's password, but I no longer knew its value, and couldn't boot into recovery mode.

What's the correct process to lock root and restore grub's default behavior.

Thanks.

David

[bodhi.zazen]

I had to set the root password to install a modem/fax driver, and wanted to unset it to get back to Ubuntu's standard security model. My understanding was that the way to do this was to run:

sudo passwd --lock root

This certainly makes it very difficult to log in as root.

However, after I did that, grub still asked for root's password, but I no longer knew its value, and couldn't boot into recovery mode.

What's the correct process to lock root and restore grub's default behavior.

Thanks.

David

You are asking two questions.

First, how to remove the grub password.

With any editor (gksu gedit /boot/grub/menu.lst) edit /boot/grub/menu.lst

Remove the line with "password" in it:

password --md5 xxxyyyzzz

To lock the root (or any account) use :

Code:

sudo usermod --lock root

https://bugs.launchpad.net/ubuntu/+s...ow/+bug/238755

=============

Last, to get a root shell, rather then setting a root password, use sudo :

Code:

sudo -i

[davidkahn]

I intentionally added the password --md5 $1$BIWmD$dA8Bbs4WZ7... line to /boot/grub/menu.lst to require a password to select one of the recovery mode boot choices. But I didn't know about usermod. Thanks for the help.

[davidkahn]

I tried going to single user recovery mode, and it's still asking for root's password. So as far as I can tell 'sudo usermod --lock root' may do exactly the same thing as 'sudo passwd --lock root', though the man page for passwd doesn't explain how it disables the password.

To be completely clear, I am not talking about the grub password to allow running locked boot options. The problem occurs after the menu that was introduced in Hardy that allows choices like fixing xorg.conf, updating packages. When one selects "Drop to root shell prompt", before it gets to the command prompt, it asks for root's password, even though the usermod command has made entering a valid password impossible.

Is there any way to restore the "normal" state with a password isn't needed?

[bodhi.zazen]

You will need to manually edit /etc/shadow and possibly /etc/passwd

/etc/passwd

root:x:0:0:root:/root:/bin/bash

/etc/shadow

root:!:14182:0:99999:7:::

Notice the ! in the second column in /etc/shadow for root, that is probably the edit you need.

[davidkahn]

bodhi,

Editing /etc/shadow and making the password equal "!" rather than simply inserting a "!" in front of the password, which is what usermod does, worked perfectly. /etc/passwd did not require an edit.

Thanks for following through.

David