Stack Pointer

How to Login to an Expired root Account in Solaris

20 Jun 2009, by Mohamed Ibrahim

If your organisation has a password aging policy set for your UNIX servers, the root account may also get locked out because of an expiry date set in the /etc/shadow file. Once the root account is locked, all jobs (cron, etc.) that require root privileges may start to fail. To unlock the root account on a Sun SPARC machine, you will need to:

  1. Go to the ok prompt by typing STOP-A
  2. Boot off the installation CD using boot cdrom -s
  3. Mount the root filesystem under /a
  4. Remove the password policy fields for the root account by editing the /a/etc/shadow file
  5. Unmount the root filesystem
  6. Restart the server using reboot or init 6

As you can see from the recovery procedure above, the server is not shut down cleanly. This may cause problems when you try to bring the server up again after unlocking the root account. It may get worse if you are faced with Oracle or DB2 database corruption.

An alternative is to use the program ‘suroot’ to solve the problem without a server restart. The catch is that the program must be installed on your machine BEFORE the root account expires. If your root account has already expired, you have very limited choices left.
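
Because suroot only helps if it is in place before the expiry, it is worth checking root's aging fields ahead of time. The C function below is an added example, not part of the original post: it classifies one /etc/shadow line from the lastchg, max, warn and expire fields (the inactive field is ignored). The names shadow_aging and AGING_*, the sample entry and the 7-day fallback warning window are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of inspecting one /etc/shadow entry (names are illustrative). */
enum aging { AGING_NONE, AGING_OK, AGING_WARN, AGING_EXPIRED, AGING_BAD };

/* Parse one numeric field; an empty field means "not set" and yields -1. */
static long field(const char *s) { return *s ? strtol(s, NULL, 10) : -1; }

/* Classify name:pw:lastchg:min:max:warn:inactive:expire:flag.
 * today = days since the Unix epoch; *left = days until lockout. */
enum aging shadow_aging(const char *line, long today, long *left)
{
    char buf[512], *f[9], *p = buf;
    int n = 0;

    if (strlen(line) >= sizeof buf) return AGING_BAD;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    /* Split by hand: strtok() would collapse the empty fields. */
    while (n < 9) {
        f[n++] = p;
        if ((p = strchr(p, ':')) == NULL) break;
        *p++ = '\0';
    }
    if (n < 8) return AGING_BAD;

    long lastchg = field(f[2]), max = field(f[4]);
    long warn = field(f[5]), expire = field(f[7]);
    /* Earliest of password expiry (lastchg + max) and account expiry. */
    long end = (lastchg >= 0 && max >= 0) ? lastchg + max : -1;
    if (expire >= 0 && (end < 0 || expire < end)) end = expire;

    if (end < 0) return AGING_NONE;          /* no policy fields set */
    *left = end - today;
    if (*left <= 0) return AGING_EXPIRED;    /* assumption: limit day counts */
    if (*left <= (warn >= 0 ? warn : 7)) return AGING_WARN; /* 7: assumed default */
    return AGING_OK;
}

int main(void)
{
    /* Constructed sample entry, not taken from a real system. */
    long left = 0;
    enum aging a = shadow_aging("root:HASH:14000:0:90:7:::", 14085, &left);
    printf("status=%d days_left=%ld\n", a, left);
    return (a == AGING_OK || a == AGING_NONE) ? 0 : 1;
}
```

Run from cron as a user that can read /etc/shadow, a non-zero exit status gives advance warning while root can still change the password normally.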

About suroot

suroot is a setuid program. When a user runs it, it will prompt for the root password and will verify the password with the entry in the /etc/shadow file. If the passwords match, it will open a root shell for the user. The program will ignore the password policy fields in /etc/shadow.

With the root shell, the user is able to modify the /etc/shadow file.

Installing suroot

To install suroot:

  1. Log in as root
  2. Copy the following code to a file called suroot.c
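    #include <crypt.h>
    #include <pwd.h>
    #include <shadow.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>
    #include <unistd.h>
    
    int main (int argc, char **argv)
    {
      struct spwd *db_shadow;
      struct passwd *db_passwd;
      char *passwd1, *passwd2;
    
      /* Make the real IDs match the effective (setuid/setgid) IDs. */
      if (setuid(geteuid()) != 0 || setgid(getegid()) != 0)
      {
        fprintf(stderr,"Unable to set user/group ID.\n");
        exit(1);
      }
    
      db_passwd = getpwnam("root");
      db_shadow = getspnam("root");
    
      if(db_passwd==NULL || db_shadow==NULL)
      {
        fprintf(stderr,"Unable to read root passwd/shadow entry.\n");
        exit(1);
      }
    
      /* getpassphrase() is Solaris-specific and reads without echo. */
      passwd1 = getpassphrase("Enter root password: ");
      /* Only the hash is compared; the aging fields are never consulted. */
      passwd2 = (passwd1 != NULL) ? crypt(passwd1,db_shadow->sp_pwdp) : NULL;
    
      if (passwd2 != NULL && strcmp(passwd2,db_shadow->sp_pwdp) == 0)
      {
        fprintf(stdout,"Password verified. Forking shell...\n");
        system(db_passwd->pw_shell);
      }
      else 
      {
        fprintf(stderr,"Invalid root password.\n");
        exit(1);
      }
    
      return(0);
    }
    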
  3. Compile the program using GCC
    [root@solaris-vm ~]# gcc -o suroot suroot.c
  4. Set the permissions for the setuid program
    [root@solaris-vm ~]# chmod 6555 suroot
  5. Copy the binary to ‘/usr/bin’
    [root@solaris-vm ~]# cp suroot /usr/bin

Login to an Expired root Account

To log in to the expired root account, run suroot as a normal user and enter the root password when prompted. If the password matches the root password stored in the /etc/shadow file, suroot will open a root shell. With the root shell, you can modify the contents of the /etc/shadow file and unlock the root account.

    [ibrahim@solaris-vm ~]$ suroot
    Enter root password:
    Password verified. Forking shell...
    [root@solaris-vm ibrahim]# id
    uid=0(root) gid=0(root)
    [root@solaris-vm ibrahim]#

I have tested suroot to be working on Solaris 10. Code modification might be necessary if you want to run it on other UNIX distributions.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 4.0 International License.

Copyright © 2008-2025 Stack Pointer