I've decided to write a guide on how to get root on most Linux systems after forgetting the local password to my server. This should work on most Linux systems as long as the root partition is not encrypted or GRUB is password protected.
First step is to edit the boot parameters. All you have to do is press e when prompted by GRUB on what to boot.
Now scroll down until you see a linux16 or linux line and append "init=/bin/bash" to the end of it.
Press Ctrl+X or F10 to boot and you will be presented with a root shell running bash.
Note that root will be mounted read-only, so we will need to remount it. Just type "mount -o remount,rw /" to allow writing files to root.
It is surprisingly easy to get root on any Linux computer where you have a couple of minutes and access to the bootloader. What could be done from here? You could install something like a key logger or flash a malicious BIOS onto the system. The list goes on, because root has access to all software and hardware on the system with no protections.
So what can you do to protect against this attack?
- Add a password to GRUB
- Encrypt the OS
- Set a boot password
- Don't let people you can't trust onto your machine
But all of this only protects against this attack. You still won't be protected against something like a privilege escalation exploit or someone just plugging your drive into another computer.
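An added example, not part of the original post: a small audit that checks whether a grub.cfg has the GRUB password protection listed above, so that pressing e to append init=/bin/bash would prompt for a password. It runs on two constructed sample configs; the "admin" user and the hash value are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check a grub.cfg for the GRUB
# password protection the post recommends, using constructed sample configs.

# Exit 0 when the config names a superuser AND stores a PBKDF2 hash for it,
# which is what makes GRUB ask for a password before editing an entry.
grub_has_password() {
    grep -q '^set superusers=' "$1" && grep -q '^password_pbkdf2 ' "$1"
}

# Exit 0 when every menuentry is --unrestricted: the default entries still boot
# without a password, but editing them (the 'e' key) stays locked.
grub_entries_unrestricted() {
    total=$(grep -c '^menuentry ' "$1" || true)
    unrestricted=$(grep -c '^menuentry .*--unrestricted' "$1" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$unrestricted" ]
}

# Constructed sample: the stock, unprotected config most installs ship with.
UNPROTECTED=$(mktemp)
cat > "$UNPROTECTED" <<'EOF'
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda2 ro
    initrd /initrd.img
}
EOF

# Constructed sample: what you get after adding 'set superusers' and a
# grub-mkpasswd-pbkdf2 hash (placeholder value here) to /etc/grub.d/40_custom.
PROTECTED=$(mktemp)
cat > "$PROTECTED" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry 'Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda2 ro
    initrd /initrd.img
}
EOF

# Report one config; returns 0 only when editing entries is password-locked.
audit_grub_cfg() {
    if grub_has_password "$1"; then
        if grub_entries_unrestricted "$1"; then
            echo "$1: edit-locked, default entries boot without a password"
        else
            echo "$1: edit-locked, password needed to boot as well"
        fi
        return 0
    fi
    echo "$1: UNPROTECTED - anyone at the console can edit the boot line"
    return 1
}
```

Run it against your real /boot/grub/grub.cfg (or /boot/grub2/grub.cfg) with audit_grub_cfg; the check only covers the GRUB password, not disk encryption.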
You and/or @ivailo ought to be given the "Synchronicity of Posts" badge or some such. Your useful tips and concomitant paranoia are in eerie harmony. Still, can't point out these kinds of things too often - they are, at the same time, both useful and dangerous. Thanks for the post.
I've actually had to do this, after a systemd update killed systemd: endless errors, for hours on boot. It would never boot to a point where you could even get a prompt, probably because systemd was seemingly unable to mount /.
Did this and bam, could undo the fscking systemd update. System would boot once again.
The goal of pointing out this kind of stuff is to inform the public about such things. They are still vulnerable to something like this whether they know about it or not.
You don't have good security by just ignoring this kind of stuff.
I read something a couple of years ago where Ubuntu users were complaining that you could drop a root shell in its recovery mode and they thought it was a serious security issue; they didn't understand the concept that if somebody has physical access to your device then it isn't yours anymore. It is the same with many general computer users thinking that the password to log in to the OS protects all of their data, but we know that isn't true: you can just pull the drive and put it in another computer and everything is readable. This case is no different, and people need to understand the risks involved with physical device access. Full drive encryption seems to be the most effective solution to attacks like this, and I would recommend that people start doing it at least on portable devices like laptops, as they can be stolen/taken more easily.
As an aside, this still works on systems with encrypted drives; it just drops the shell after you've typed in the passphrase to unlock it.
If not encrypted, then I think you could use a flash drive with some live version of Linux to make most changes as well. I've probably done that more than anything else.
I have had to access data for friends that forget to give me their Windows passwords when working on their computers. For data recovery purposes, in this instance, I use a Linux live USB. Quick and easy. If you are a little more brave, there are some scripts that will bypass the Windows logon completely. I don't like to use them though, at least on a computer with internet access.
This is a trick I did not know. If I ever need to get into a Linux system, in order to work on it, I now know a work around.