System Recovery Week: Single-user mode

Monday, December 3. 2007

Posted by Chris Tyler in System Recovery Week at 00:02 | Comments (2) | Trackbacks (0)

System Recovery Week: Single-user mode

This article is part of System Recovery Week, examining techniques used to perform maintenance or recovery on a Fedora system in special circumstances.

Figure 1 - Appending single-user mode ("s") to the system boot options.

There are times when a Fedora system will not boot normally, due to the state of the filesystem, the absence of startup files, or incorrect configuration. Most users will never encounter these circumstances, but it's important to know what to do if they arise.

The simplest recovery mode available is "single user" or "maintainence mode". This is a special runlevel which will take you directly into a superuser (root) shell prompt without executing most of the normal system startup scripts. Because this mode boots from the normal filesystems, it will only work when the kernel, initrd (initial ramdisk), and basic filesystem are intact; however, it does not require a valid /etc/inittab, /etc/passwd, or /etc/shadow file or a working set of boot scripts, so it can be used in many situations where a normal boot would fail.

To enter single user mode, interrupt the normal grub boot display (which usually shows a message counting down the seconds until Fedora is booted, or which may show a menu of available operating systems if you have altered the default grub boot configuration) by pressing the spacebar. If you have a boot password, press P and enter the password now.

Press the A key to append boot options to the default kernel, and type a space and the letter s to indicate that you want to enter single-user mode, as shown in Figure 1. Press Enter to continue booting.

Figure 2 - Root shell prompt in single-user mode.

The system will boot and then go directly to a root shell prompt (Figure 2). You can perform any normal administrative functions at this prompt - but since the normal system startup has not taken place, you will not be able to use networking, printing, or other services. If your init scripts are intact, you can start specific services, such as network or cups, using the service command: service nameOfService start

Operations commonly performed in single user mode include:

Selecting a new root password: passwd
Replacing or repairing the /etc/inittab, /etc/passwd, or /etc/shadow files by copying or editing the files
Checking a filesystem which will not start up cleanly during normal boot, using a command such as this (Caution! the command as written here will proceed with all repair operations without asking further questions. This will likely result in a clean filesystem which can be mounted but may in rare cases result in some data loss): fsck -f -y /dev/filesystemDevice

When you are finished using single user mode, exiting the shell with the exit command or Ctrl-D will start a normal system boot. It's usually a better idea to perform a full reboot, using the reboot command.

Note that single user mode presents an extreme security risk: any person who has physical access to your system can use single user mode to gain root (unrestricted) access to your system. A boot password will make it slightly more difficult to execute this type of attack. If you did not create a boot password at installation, you can add one at any time:

Use the grub-md5-crypt command to generate an encrypted version of your selected password:
# grub-md5-crypt
Password: hello
Retype password: hello
$1$gNc9G$BppzXI37ogNVc2aJ8tjSe0
Enter the encrypted password into the top of your Grub configuration file, /boot/grub/grub.conf:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/concord3/f8root
# initrd /initrd-version.img
#boot=/dev/md0
password --md5 $1$gNc9G$BppzXI37ogNVc2aJ8tjSe0
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.23.1-49.fc8)
root (hd0,0)
kernel /vmlinuz-2.6.23.1-49.fc8 ro root=/dev/concord3/f8root rhgb quiet
initrd /initrd-2.6.23.1-49.fc8.img
title Fedora (2.6.23.1-42.fc8)
root (hd0,0)
kernel /vmlinuz-2.6.23.1-42.fc8 ro root=/dev/concord3/f8root rhgb quiet
initrd /initrd-2.6.23.1-42.fc8.img

However, a user with physical access to your machine can circumvent the boot password by booting from another device, as we will see later this week.

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

It's good for security:
write to /etc/inittab strings:
# password protect single user mode
su:S:wait:/sbin/sulogin
then single-user mode need password

#1 Dmitry Beketov (author of russian translation of dailypackage) (Homepage) on 2008-01-08 16:56 (Reply)

fedra core error for unable to mount the root fs 00:00
Please help to clear the problem , because the system have a lot of data's , Repaly me ASAP.

#1.1 Srini on 2009-03-17 23:31 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry