March 1996

Oh, no--I forgot the root password!

Just before you went on a Hawaiian vacation, you cleaned up your office. Now you've returned, expecting a nice day of answering mail and playing phone tag. Unfortunately, you see several people camping out in your office: The computer is down, and they're waiting for you to fix it.

After a moment of fright, you realize that the request is a simple one. Just log in as root and tweak a parameter, and you're home free. You sit down and type root at the login prompt. Then you type the password. The system rejects your attempt.

All of a sudden, you have a cold feeling in the pit of your stomach. The password is wrong. What did you change it to? Where did you put that slip of paper that you use to remind yourself? After a half-hour of frantic searching, you realize you're doomed. You can't log in as root. What do you do?

In this article, we'll show you how to regain access to the root account after you've lost your password. Be forewarned that it takes a bit of time and effort. Fortunately, the method works and isn't a security nightmare.

Let's get going

First you have to bring your computer up in single-user mode. (If you have Solaris x86, you'll need to refer to the article "Starting Solaris x86 in Single-User Mode.") Once we're at the shell prompt, we can do the dirty work. First, we'll mount the file system that contains the /etc directory. Then, we'll edit the shadow file to tell Solaris that the root account has no password. Finally, we'll unmount the file system and reboot Solaris.

Mounting the root file system

If you know which file system holds the /etc directory, this isn't a major problem. Just issue the mount command

mount /dev/dsk/filesys /a

replacing filesys with the appropriate file system name. If you've installed Solaris on the first IDE drive, for example, the file system name will be c0d0s0, or slice 0 of the first disk on the first controller card. Similarly, if the file system is on the third SCSI disk on the second controller, you'd use c1t3d0s0. If you know which file system to mount, you can skip the next section.

What if I don't know which file system to mount?

If you don't know which file system to use, you'll have to try them all, one at a time. (I'd try c0d0s0 and c0t0d0s0 first, just in case someone set the system up as simply as possible.)

To try using a file system, issue the mount command and see if the system complains. If it complains, your screen will look something like this:

# mount /dev/dsk/c1t0d0s0 /a

mount: /dev/dsk/c1t0d0s0 is already mounted, /a is busy, or allowable number of mount points exceeded

If it doesn't complain, then use the ls command to list the directory to see if the /etc directory is there. If the drive successfully mounts but doesn't contain the /etc directory, issue the umount command and try the next file system. This process looks like this:

# mount /dev/dsk/c0d0s6 /a

# ls /a

5bin        dict        lib         oasys       sadm        tmp
adm         dt          lost+found  old         sbin        ucb
aset        games       mail        openwin     share       ucbinclude
bin         include     man         opt         snadm       ucblib
ccs         kernel      net         preserve    spool       vmsys
demo        kvm         news        pub         src

# umount /a

Removing the root password

Now we have to remove the password entry from the /a/etc/shadow file. To do so, type vi /a/etc/shadow, and you'll see a screen like the one shown in Figure A.

The password is encrypted so you can't read it. It's the jumble of characters between the first two colons on the root line (the first line, in this case). All you need to do to remove the password is to delete the characters between the first two colons on the root line. In other words, change root: sXuu63aJkkTml: to root::. Now save the file. Since it's read only, you must use the :w! command. If you try the :w command, you'll receive the error message "/a/etc/shadow" File is read only.

Now all you need to do is remove the floppy from drive A, unmount the file system, and reboot the computer. To do so, just type

umount /a

reboot

Be sure to change the root password once the system boots up. You don't want to leave the system open after all this work! (Also, be sure to remember the password this time.)

If you'd like to avoid the headache of using trial and error to find the /etc directory, just print a copy of the /etc/vfstab file and place it somewhere safe. Figure B shows the /etc/vfstab file on my work machine.

As you can see, there's no explicit entry for /etc, so it's located in the root directory, which is on c0d0s0. Use the mount point column to determine which part of the directory tree is held by a file system.
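The lookup described above, carried out by a script, as an added example that is not part of the original article: it reads a saved copy of /etc/vfstab, finds the mount point that covers a directory (the longest matching entry, or / when nothing more specific exists), and reports the slice under /dev/dsk that holds it. The vfstab text and the slice names in it are constructed for this example.

```shell
# Added example (not from the article): find which disk slice holds a directory
# by matching the mount-point column (field 3) of a vfstab file.
# The vfstab below is constructed for this example; the slice names are assumed.

VFSTAB_SAMPLE=$(cat <<'EOF'
#device          device           mount          FS     fsck  mount    mount
#to mount        to fsck          point          type   pass  at boot  options
fd               -                /dev/fd        fd     -     no       -
/proc            -                /proc          proc   -     no       -
/dev/dsk/c0d0s1  -                -              swap   -     no       -
/dev/dsk/c0d0s0  /dev/rdsk/c0d0s0 /              ufs    1     no       -
/dev/dsk/c0d0s6  /dev/rdsk/c0d0s6 /usr           ufs    1     no       -
/dev/dsk/c0d0s7  /dev/rdsk/c0d0s7 /export/home   ufs    2     yes      -
swap             -                /tmp           tmpfs  -     yes      -
EOF
)

# device_for_path VFSTAB_TEXT PATH
# Prints the /dev/dsk device whose mount point is the longest prefix of PATH.
# Pseudo file systems (fd, /proc, swap, tmpfs) are skipped: they are not on a
# slice you could mount under /a.
device_for_path() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { best = ""; best_len = 0 }
        /^#/ || NF < 4 { next }                        # comments, blank lines
        $1 !~ /^\/dev\/dsk\// || $3 == "-" { next }    # not a mountable slice
        {
            mp = $3
            # mp covers want if mp is "/", equals want, or is a parent of want
            if (mp == "/" || want == mp || index(want, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = $1 }
            }
        }
        END { if (best != "") print best }'
}

# The case from the article: /etc has no entry of its own, so it sits on the
# root slice. The other two show the longest-match rule picking a sub-mount.
device_for_path "$VFSTAB_SAMPLE" /etc                # /dev/dsk/c0d0s0
device_for_path "$VFSTAB_SAMPLE" /usr/bin            # /dev/dsk/c0d0s6
device_for_path "$VFSTAB_SAMPLE" /export/home/alice  # /dev/dsk/c0d0s7
```

Run it against the printed copy of your own vfstab by replacing the sample text with `$(cat /etc/vfstab)`.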

What are the security risks?

That's all there is to it. The technique is tedious, but not terribly complex. But now there are a few thousand more people who know how to do it. From a security standpoint, that's not too bad.

First of all, many UNIX administrators already know this technique. The technique is tricky enough that most people won't attempt it casually. Second, you need access to the Solaris installation disk, the CD-ROM drive, and the console. These things are pretty easy to keep under control.

There's no chance of someone removing the root password remotely, as long as the permissions on the /etc/passwd and /etc/shadow files aren't changed. For your information, the permissions on these two files are normally set to

-rw-r--r-- passwd

-r-------- shadow
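A quick way to confirm those modes have not drifted, as an added example that is not part of the original article: the script below parses `ls -ld` (so it needs nothing newer than what the article's own listings use) and reports any file whose mode differs from the expected string. The file paths are parameters; the defaults assume the usual /etc/passwd and /etc/shadow locations.

```shell
# Added example (not from the article): verify that passwd and shadow still
# carry the modes the article lists, -rw-r--r-- and -r--------.
# Assumes the standard ls -ld output format; paths default to /etc/passwd
# and /etc/shadow but can be overridden for testing.

# mode_of FILE: prints the 10-character permission string from ls -ld,
# dropping any ACL or security-label marker some systems append ("+" or ".").
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_file FILE EXPECTED_MODE
# Returns 0 if the mode matches, 1 otherwise, describing any mismatch on stdout.
check_file() {
    file=$1; expected=$2
    if [ ! -e "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    actual=$(mode_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $file: mode is $actual, expected $expected"
        return 1
    fi
    echo "ok $file $actual"
    return 0
}

# check_password_files [PASSWD] [SHADOW]
# Checks both files and returns 1 if either deviates. A shadow file readable
# by anyone other than root is the case worth catching: it exposes the hashes
# the article describes as the jumble between the first two colons.
check_password_files() {
    pw=${1:-/etc/passwd}; sh=${2:-/etc/shadow}
    rc=0
    check_file "$pw" '-rw-r--r--' || rc=1
    check_file "$sh" '-r--------' || rc=1
    return $rc
}
```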

Conclusion

Obviously, you want to keep your system secure, and you shouldn't forget your password. But at least you now have peace of mind: If you ever lose the root password, all is not lost. With a bit of patience and work, you can still get back into your system.



Copyright (c) 1996 The Cobb Group, a division of Ziff-Davis Publishing Company. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff-Davis Publishing Company is prohibited. The Cobb Group and The Cobb Group logo are trademarks of Ziff-Davis Publishing Company.

Inside Solaris is a publication of The Cobb Group.