How to reset a root password on Fedora

A system administrator can easily reset a password for a user that has forgotten their password. But what happens if the system administrator forgets the root password? This guide will show you how to reset a lost or forgotten root password. Note that to reset the root password, you need to have physical access to the machine in order to reboot and to access GRUB settings. Additionally, if the system is encrypted, you will also need to know the LUKS passphrase.

Edit the GRUB settings

First you need to interrupt the boot process, so turn on the system, or restart it if it’s already powered on. This first step is tricky because the GRUB menu tends to flash by very quickly on the screen.

Press e on your keyboard when you see the GRUB menu. The boot entry then opens for editing.

Use your arrow keys to move to the linux16 line.

Using your Del or Backspace key, remove rhgb quiet and replace it with the following:

rd.break enforcing=0

After editing the line, press Ctrl-x to start the system. If the system is encrypted, you will be prompted for the LUKS passphrase here.

Note: Setting enforcing=0 avoids performing a complete system SELinux relabeling. Once the system is rebooted, restore the correct SELinux context for the /etc/shadow file (this is explained a little further on in this process).

Mounting the filesystem

The system will now be in emergency mode. Remount the hard drive with read-write access:

# mount -o remount,rw /sysroot

Password Change

Run chroot to access the system.

# chroot /sysroot

You can now change the root password.

# passwd

Type the new root password twice when prompted. If you are successful, you should see a message that all authentication tokens updated successfully.

Type exit twice to reboot the system.

Log in as root and restore the SELinux label to the /etc/shadow file.

# restorecon -v /etc/shadow

Turn SELinux back to enforcing mode.

# setenforce 1
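
The clean-up steps above can be checked rather than assumed. The script below is an added example, not part of the original article: it tests that the kernel command line no longer carries rd.break or enforcing=0, that SELinux is enforcing, and that /etc/shadow has the shadow_t type. The function names, the file name check.sh and the SAMPLE_* values are constructed for illustration; the live mode assumes getenforce and GNU stat (whose %C format prints the SELinux context) are available.

```shell
#!/bin/sh
# Added example: verify the state left behind by the reset procedure.
# Function names and the SAMPLE_* values are constructed for illustration.

SAMPLE_RECOVERY='BOOT_IMAGE=/vmlinuz root=/dev/mapper/fedora-root ro rd.break enforcing=0'
SAMPLE_NORMAL='BOOT_IMAGE=/vmlinuz root=/dev/mapper/fedora-root ro rhgb quiet'

# Succeeds if a kernel command line still carries rd.break or enforcing=0.
has_recovery_flags() {
    for arg in $1; do
        case "$arg" in
            rd.break|rd.break=*|enforcing=0) return 0 ;;
        esac
    done
    return 1
}

# Succeeds if an SELinux context (user:role:type:level) has type shadow_t.
shadow_label_ok() {
    ctx_type=$(printf '%s' "$1" | cut -d: -f3)
    [ "$ctx_type" = "shadow_t" ]
}

# $1 = kernel command line, $2 = getenforce output, $3 = context of /etc/shadow.
# Prints one line per problem; exit status is the number of problems found.
evaluate() {
    problems=0
    if has_recovery_flags "$1"; then
        echo "FAIL: rd.break or enforcing=0 is on the kernel command line"
        problems=$((problems + 1))
    fi
    if [ "$2" != "Enforcing" ]; then
        echo "FAIL: SELinux mode is '$2'; run setenforce 1"
        problems=$((problems + 1))
    fi
    if ! shadow_label_ok "$3"; then
        echo "FAIL: /etc/shadow is labelled '$3'; run restorecon -v /etc/shadow"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Live check on the recovered machine, saved as e.g. check.sh: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    evaluate "$(cat /proc/cmdline)" "$(getenforce)" "$(stat -c %C /etc/shadow)"
fi
```
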
Fedora Project community

32 Comments

  1. Costa A.

    Couldn’t I just boot with “1 or s or S” and reset it?

    Or even, if you have except your root account, a second account with sudo, use something like “sudo systemctl isolate runlevel1.target” or “sudo systemctl isolate rescue.target” ?

    I am not implying that the article is wrong on that matter, but we have to keep things simple.

    • If memory serves, a broken file system can result in a prompt for the root password if you boot to single-user mode. So in some cases single-user might work fine, and in some it might not be sufficient. And it may not be safe to assume that there’s a sudo capable account setup, although if you have one, that will work as well. You might be trying to rescue the system of someone who isn’t familiar with sudo and lost the administrator password.

    • Radosław K.

      The article is keeping things as simple as possible, while minding changed architecture (that was introduced along with systemd) and the fact that possibly user has no access to machine whatsoever. I completely agree with the method laid out here, as it is most error-proof in my experience.

  2. Jancio Wodnik

    Hi. Is it not simpler – run in single user and then use passwd?

    • Radek Ulatowski

      If I’m correct, single user doesn’t automatically mean root access – you still need to type the password. With boot parameter ‘1’ you will boot to command line (‘rescue’ mode I think).

    • Radosław K.

      No, there is no single user mode any more and replacements like rescue.target and emergency.target will ask for root password.

    • tom

      I doubt you’ll feel that way when the SEL violations start rolling in and you can’t boot anymore 😀

  3. Vince Sh

    Instead of changing the procedure every few versions, why not just set up a grub menu option to boot to single user mode? Just sayin

    • Sebastiaan

      Single user mode still asks for a root password

  4. Zac

    Could you please clarify. I’m new to fedora and linux so apologies for any redundancy in my questions. I merely am trying to learn how as much as I can.

    Does this mean anyone needs only physical access to a workstation to gain root access to that machine? Just seems odd, as the sole purpose of a password for the root user, is to prevent someone from gaining root access. And this method seems to circumvent that.

    Perhaps access to an encrypted disk is not possible with the workaround you described, and is the added security one would want?

    • Michael F

      This was also quite a surprise to me.

    • Bruno

      Maybe setting a password to Grub2 beforehand could help avoid editing the boot parameters.
      But if one has physical access to the machine, he could always boot with a live media and gain access to data in it, be it Linux, Windows or other systems (if the file system isn’t encrypted, of course).

    • If your workstation is a desktop in your office, you lock the office. If your workstation is a laptop, you encrypt the disk. You may additionally want to set a password for the BIOS to avoid somebody booting your computer with a removable media. So, root password is one of several measures to secure your workstation. You need to ponder how at risk your computer is and what other measures you will put in place.

    • Dann Griggs

      Have you ever reset an unknown local administrator password on a Windows machine? All you need is physical access and a USB stick with a linux live distro on it. The chntpw utility gets you into any Windows machine (7, 8, 10, and server versions) in about 40 seconds.

    • Hans Meiser

      The solution is to encrypt your hard drive, no matter if laptop or desktop machine (re comment on locked office). Again, unless your hard drive is encrypted nothing is safe at all. Anyone could at anytime take out the drive and stick it into another machine for full access.

  5. Erik Beck

    Good article. My starting point would be a couple of steps back:
    1) If the admin’s normal user account has sudo rights, ‘sudo passwd’ might be enough to do the trick.
    2) If #1 isn’t workable, then boot the machine from a live dvd or some other rescue media that does not have a password protected root account. Mount the file system on the target machine with /etc. Edit the password file or shadow password file, as appropriate, blanking out the hashed password field for the root account. Dismount all file systems cleanly. Cut the machine off from all network connections (remove the ethernet cable). Reboot. Login as root, and set a new password. Reattach to the network and resume normal operations.

    3)Else if, do as described in the article.

  6. Einer

    Let me help 🙂
    1) If the root partition on the disk is encrypted, you will need the password at boot for the disk encryption
    2) If GRUB is protected by a power on/boot password, you will need the GRUB boot password
    3) Now, IF you can get to single user mode, you still have to do the chroot and passwd command as described earlier … OR ….. you can also vi /etc/etc/shadow file on the root device and remove the root password entirely (leaving root with no password at login) and change/set it once the OS is up (login as root and do passwd)
    4) IF you have a user that is already permitted to sudo su – you can have that same user change the root password without having to do 1 – 3 …….

  7. Einer

    Also …. a couple of other things 🙂 ….
    If the root account is set to require a password even at single user ………. then you have only a couple of options to recover / reset the lost root password
    1) You can do #4 in previous comment
    2) Get your bootable media and boot the affected machine from it (and you will still need to know everything in #1 – #3 of last comment …….

  8. Einer

    For the person that asked “How do I ultimately protect my machine from being hacked in this fashion?”
    1) Disk encryption (protect your password for it)
    2) Reduce/Eliminate unauthorized physical access to the machine/base tty console

    • Thank You Einer for being the only one giving the answer to the simple question of Zac which I also needed to know.

      I will Google the terms “GRUB”, “tty” to understand more.

      Curt’s article too is very useful and simple compared to various alternatives listed by professional Linux users who have many years of Linux use and understanding.

      I guess there is a whole community of Linux users who may be very frustrated by the newbies trying to adopt Linux in their daily life. But I really hope Fedora becomes popular and widely used and it can’t happen unless an average Joe-Jane who uses a computer only for emails, facebook and tax calculation spreadsheet also switches to Fedora Linux as his / her first choice.

  9. Why the disable of SELinux? This is an additional step beyond what RHEL 7 currently requires.

  10. Robert Stanfield

    you can do

    sudo passwd

    if you’re in the sudo file too

    • Leslie Satenstein

      Hi Robert,
      What you show is the method that works with SUSE and Fedora.
      Even so when I install a new system I run visudo and uncomment the line that says NOPASSWD

      That allows me to issue sudo su and sudo su –
      passwd

  11. Earl Ramirez

    Hello Zac

    This is correct, anyone with physical access can access your system and reset the root password; however, there are a number of things you can do to harden your server, workstation, laptop from this.

    You can encrypt your HDD/SSD, enable grub password, which means that the individual will require your grub password and the passphrase to decrypt your HDD/SSD.

    This is why physical security is extremely important.

  12. Zach

    These things are why I have a BIOS power on password! I think it helps.

    • Hans Meiser

      BIOS password is not very secure – one can take out the hdd and plug it into another machine to gain access to your data, unless it is encrypted! Once it is encrypted, a BIOS password becomes obsolete (safe to the time to type that password)

  13. Florian

    On a Fedora 27 (U)EFI system, the relevant grub line does start with a

    linuxefi

    (not

    linux16

    as shown in the screenshots.)

  14. I believe this should be in the wiki… just in case we need something to follow

  15. cmurf

    This seems overly complicated.

    a. If you can get to any kind of console and login use ‘sudo -i’ to become root. Anyone in group wheel can do this.

    b. If you’re having problems logging in as an admin, you can add a boot parameter ‘systemd.debug-shell=1’ and then you’ll be able to switch to tty9 and have a passwordless root shell from which you can change the password for any user. Obviously do this as a one shot, not a persistent change.

  16. einer

    Power on password works well ……. until the disk is connected to another machine …. then not so much 🙂

    Probably the best protection short of locking the machine in a safe is disk encryption.

    🙂

  17. Zac

    Thanks for all the feedback and helpful comments.

    I’ll have to do some research on the Grub/Bios pw approach. I do have the SSD encrypted, but have often left the workstation laptop unattended in ‘locked’ mode, which I am now learning is not sufficient. Sounds like I will need to do a shutdown instead, or figure out how to set a Grub/Bios pw.

    Thanks again.
