How to reset GNU/Linux root/user password

The root account is the most privileged account on a Unix system. The root account has no security restrictions imposed upon it (Hmm…there are some exceptions though). When you are logged in as super user, you don’t have to face any questions. Therefore it is easy, with a mistyped command, to wipe out crucial system files or even the whole system all of a sudden. I have had situations where I forgot my root password and is unable to do any administrative level tasks. Due to increase in different type of cloud services, users are forced to manage large number of passwords and it is very common to forget some of them which may include the system’s own root password. What can we do in those situations? Either we recover or just reset the previous root password with a new one. The former is Read More »

Disabling password prompt for sudo users

Most often GNU/Linux users come across the sudo utility that allows users to run programs with the security privileges of another user (normally the superuser, or root). Its name is a concatenation of the su command (which grants the user a shell of another user, normally the superuser) and “do”, or take action. But on executing any command with sudo requests the user to provide his own password once and can be used afterwards. For that to occur the particular user must be in sudoers file (refer to my post regarding adding user for sudo privileges.

$ sudo vim /etc/sudoers
[sudo] password for anoop:

To disable this sudo password prompt edit the /etc/sudoers file as follows.

Read More »

Protect your GRUB from unauthorized editing with passwords


Here I consider GRUB 2 and in the following post GRUB means GRUB 2.

If you are a GNU/Linux user, GRUB will be quite familiar to you. It is the first thing you see after you switch on the system. As the expansion of GRUB (GRand Unified Bootloader) suggests it is a boot loader. This is very helpful in various situations. Earlier I had written a post regarding GRUB with its ability to modify the way it appears to the user. The other side is about the security which is of greater importance. After the installation of GRUB it is open to all i.e, anybody can edit the GRUB entries and gain the superuser privilege. So protecting the grub with passwords restricts this attack.

First of all let me introduce to you some of the grub scripts included under /etc/grub.d/


These are used to generate the grub.cfg file under /boot/grub/ on running update-grub. Among these we will consider only 00_header, 10_linux,
20_memtest86+ and 30_os-prober. A superuser must be designated. This user can select all menu entries, edit any items in the GRUB menu during the
boot process, and access the GRUB terminal.The superuser is identified as
set superusers=”<user>”
Ex:- set superusers=”root”
The format for adding the superuser password and any additional users and passwords
password <user> <password>
Ex:- password root 123456
If you wish more users to be added append those with the above line
Ex:- password root 123456
      password tom tom123
      password alen alen

Note: Encryption of passwords will be explained later.

Open /etc/grub.d/00_header and add the following at the bottom of the file.
cat << EOF
        set superusers=”root”
        password root 123456
Each type of OS entries are protected through different scripts.

For linux entries, find the following line in /etc/grub.d/10_linux
printf “menuentry ‘${title}’ ${CLASS} {\n” “${os}” “${version}”
Add –users to allow permission to superuser
printf “menuentry ‘${title}’ ${CLASS} –users {\n” “${os}” “${version}”
Add –users tom to allow permission to superuser+tom
        printf “menuentry ‘${title}’ ${CLASS} –users tom {\n” “${os}” “${version}”
Add –users tom,alen to allow permission to superuser+tom+alen
printf “menuentry ‘${title}’ ${CLASS} –users tom,alen {\n” “${os}” “${version}”

For other OS entries, find lines starting with menu entry in /etc/grub.d/30_os-prober and add –users after –class os to requires entries.
For memory test entry, modification is to be done inside /etc/grub.d/20_memtest86+ in the following lines
 menuentry “Memory test (memtest86+)” {
    menuentry “Memory test (memtest86+, serial console 115200)” {

Run sudo update-grub after all modifications.