EDK corrupted all my passwords? Can't find /etc/shadow file to edit!
Hi all,
I am in DEEP trouble!!! I have recently inherited a Debian box from a departed employee. In it, he installed a timesheet server and a repository that has lots of critical company data stored. The problem is none of us knows Linux! In other words I am a complete Newbie trying to “figure this out” all on my own... A few days ago, I managed to connect the box remotely via Putty. I tried logging in as root and a few user id’s and passwords, they all worked so I know the box was working great when I got it. I also connected a keyboard, a mouse and a monitor to the box directly and I had Debian working flawlessly – not bad for a Windows user (I thought!). The problem started with me logging in as a different user, then KDE started without asking me (but nice interface I thought!), I then changed the root passwords (just to see if I could)... then BAM... I can no longer log in as root, myself or anybody!!! (Why me?!?)
Since then, I have been reading blogs, forums, tutorials and advice from anyone and anything about resetting Linux passwords... nothing seemed to work so far!
Anyway, to let you know what I did, here’s what I have tried:
Power-up Debian Linux box
Hit Ctrl-X to bring up “Debian GNU/Linux – Lilo Boot Menu”
Type “Linux init=/bin/bash”
“root@(none):/# “ prompt appears
Type “passwd root” at “root@(none):/# “
“bash: passwd: command not found” error appears
Type “mount”
“/dev/hda1 on / type ext3 (rw,error=remount-ro)
Proc on /proc type proc (rw)
Sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)
tmpfs on /dev type tmpfs (ro)
root@(none):/# ”
By the way, I was not able to locate the infamous /etc/shadow file. I am, however, able to “cat passwd”, “cat passwd-” and “cat passwd.bak” with no problem.
Oh, one last thing, I tried to edit the passwd file by using the “vi” command, but I get the following error:
“bash: vi: command not found
root@(none):/# ”
The only thing I can think of at this current moment is to boot to run level 1, which is a command prompt with root access without a password. Next, try running the Ubuntu desktop edition ISO; you get it from http://www.ubuntu.com/getubuntu/download. Then use Nero or Roxio. In Roxio, click on File (top left corner) and select burn image to disk. Basically the same thing in Nero, but click on the last tab in the main work area and select the same option. Once the disk is made, label it with Ubuntu "date made" and "version" just in case you need it for something else. Open the CD drive with a paper clip; insert it into the tiny hole in the CD drive. Put the CD in and power on. Next hit Enter for the keyboard map, then hit Enter again for the first option, "Try Ubuntu without installing". Once at the desktop, look at the top left corner of the screen; you should see three words: Programs, Places, Admin. Anyhow, click on Places and see if any devices are mounted; if not, then you will need to click on Home, then navigate to /mnt. Create a new folder just like in Windows: right-click, create new folder. Give it a meaningful name. Close the window. Next press Ctrl + Alt + F2; this should bring you to a command prompt. To get back to the desktop press Ctrl + Alt + F7. You will need to use fdisk to discover your block devices and names. The HDD in question should be something like sda sdb or sda1 sda2 sdb1 sdb2. You can google linux + fdisk to get the exacts on that software. Once you have that info you can type at the command prompt mount sd? /mnt/"folder name you made". If all this works you should be able to see all the info on that PC. Hopefully you have a thumb drive of some sort or an external hard disk drive to save the info to.
Any questions, just reply to this thread; someone will answer your questions.
Many thanks for your quick reply! Here are your answers:
First of all: why did you shut the thing down?
Well, I think we all know the answer to this one -- "I am a plain stupid Linux newbie"...
What happens when you try to boot it normally (w/o the init=/bin/bash)?
It would boot to the graphical logon screen with a title that says "Welcome to Linux at devsrv", it then follows with a big "K Desktop Environment" icon, then it asks for Username & Password. (All users' full names and ID's are on the left, I can select any with a click on the mouse.)
What do you get from an 'ls' where you are?
abc cdrom etc initrd.img media proc sbin tmp var
bin dev home lib mnt repos_dump srv tmp2 vmlinuz
boot dumpfile initrd lost+found opt root sys usr
root@(none):/#
Thanks for your quick reply. Actually, I tried booting the Linux box up with Knoppix 6. Unfortunately, it doesn't like booting from a CDROM - and I could not hit any F key to change the BIOS to boot from the CD...
Yes, I can “cat passwd”, “cat passwd-” and “cat passwd.bak” with no problem.
With "cat /etc/passwd": all the password fields have the letter "x" between the user name and the user id number.
With "cat /etc/passwd-": all the password fields have the letter "encrypted letters such as $1$YuHUAWYj$..." between the user name and the user id number.
I read somewhere that I should be able to find a /etc/shadow file, but I cannot for some reason?!? In other words, when I do "cat /etc/shadow", it comes back with an error "cat: /etc/shadow: No such file or directory"
That's very strange behaviour; both the fact that shadow is gone, and the fact that
passwd- contains the hashes. May I suggest that you make a backup-copy of /etc/passwd
(/bin/cp /etc/passwd /etc/passwd.ori) and copy the passwd- file over the existing passwd
(/bin/cp /etc/passwd- /etc/passwd-.ori; /bin/cp /etc/passwd- /etc/passwd).
Many thanks for your new reply - I really appreciate that.
I am now back home, I will do the backup first thing tomorrow morning. I am quite nervous about this, I hope the data is intact, I will be in deep do do if they are lost... Cheers. Good night!
Hi Tink, I am trying to make backup copies of the old passwd & passwd- file as suggested. Unfortunately, after doing "/bin/cp /etc/passwd /etc/pass.ogi", I got this error "/bin/cp: cannot create regular file '/etc/passwd.ori': Read-only file system".
It seems to me that the /etc directory is read-only for some reason?!?
I am still pretty confused with how Linux does things but when I type "mount", the system comes back with the following:
/dev/hda1 on / type ext3 (rw,error=remount-ro)
Proc on /proc type proc (rw)
Sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)
tmpfs on /dev type tmpfs (ro)
root@(none):/#
Sorry, I wasn't clear on that; did you see errors pertaining to
file-system problems when the machine was booted?
If you have a current back-up (of course you do, it's a production
box, right?!) it should be safe to go with the suggestion and run
the e2fsck (a file-system check).
I have never seen any errors pertaining to file-system problems when the machine was booted since the passwords were wiped out (i.e. since mid-last week).
The "Maximal mount count reached" problem I mentioned in my last reply was the first time I have ever seen it.
As to a current back-up, well, I planned to do it as soon as I get used to running a Linux machine.... and yuk, it's not done and I don't have a copy of any recent backup... having said that, I did a fsck a few days ago and it didn't report any problems... what does e2fsck actually do? Does it force any repair/fixing in case it overwrites any data?
Also, I find it strange that the /etc/shadow file was gone. As I said in my earlier posting, I ran KDE under a different user account and all hell broke loose from then on. Could KDE delete /etc/shadow for any reason? (a bug maybe?). Is it possible to undelete or recover a /etc/shadow file by any chance?
Quote:
Originally Posted by fy1000000
I have never seen any errors pertaining to file-system problems when the machine was booted since the passwords were wiped out (i.e. since mid-last week).
The "Maximal mount count reached" problem I mentioned in my last reply was the first time I have ever seen it.
OK, that's a normal occurrence then, and not the consequence of
an unclean boot. When one creates an ext2/3(/4?) file-system
it sets a value as to how many reboots/days can pass w/o a
file-system check.
Quote:
Originally Posted by fy1000000
As to a current back-up, well, I planned to do it as soon as I get used to running a Linux machine.... and yuk, it's not done and I don't have a copy of any recent backup... having said that, I did a fsck a few days ago and it didn't report any problems... what does e2fsck actually do? Does it force any repair/fixing in case it overwrites any data?
It may, if a block of disk is found faulty/unclean.
Quote:
Originally Posted by fy1000000
Also, I find it strange that the /etc/shadow file was gone. As I said in my earlier posting, I ran KDE under a different user account and all hell broke loose from then on. Could KDE delete /etc/shadow for any reason? (a bug maybe?). Is it possible to undelete or recover a /etc/shadow file by any chance?
Many thanks for your help.
FY
I find it hard to imagine that KDE would do that (I wouldn't have
thought that it's being run w/ root privilege levels unless you
log in as root, and hence shouldn't have the power necessary to
kill /etc/shadow - unless your predecessor did something really
stupid and made /etc world-writable). As for undelete - it's not
really an easy thing to do on Linux machines, as a rule of thumb.
There was a utility for ext2 to do this, but with ext3 and journaling
that tool no longer works. One option would be to scan the raw-device
of your root-partition (using grep) for likely content of shadow,
output the context (make sure there's all the accounts in there) and
re-create it that way. Something like
egrep -a -A 50 "^root:[^:]+:.*$" /dev/hda1
may work; it will also find your passwd and passwd-, so be sure that
the content it outputs is different from passwd, e.g. no user-names
or groups in there. Make sure the number after the -A is large enough
to match ALL your user accounts.
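Added example, not part of the original thread: a shell function that separates shadow records from passwd records, which is the check the replies above rely on (hashes sitting in passwd- while passwd holds "x", and making sure raw-device grep hits are shadow content rather than passwd). The function names and the sample bytes are constructed for illustration; it assumes passwd(5) records have 7 colon-separated fields and shadow(5) records have 9.

```shell
#!/bin/sh
# Added example: tell shadow(5) records from passwd(5) records in a file or
# raw-device dump. Assumes 9 colon-separated fields for shadow, 7 for passwd.

# classify_lines FILE -> prints "<kind> <user>" per plausible record:
#   shadow           9 fields, numeric last-change field
#   passwd-hash      7 fields, hash in field 2 (like passwd- in this thread)
#   passwd-shadowed  7 fields, "x" in field 2 (hash belongs in /etc/shadow)
classify_lines() {
    # NUL padding between disk blocks becomes line breaks so "^" can anchor;
    # grep -a treats the remaining binary bytes as text instead of skipping.
    LC_ALL=C tr '\000' '\n' < "$1" |
    LC_ALL=C grep -a -E '^[a-z_][a-z0-9_-]*:[^:]*:' |
    LC_ALL=C awk -F: '
        NF == 9 && $3 ~ /^[0-9]*$/ { print "shadow", $1; next }
        NF == 7 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            if ($2 == "x")                    print "passwd-shadowed", $1
            else if (substr($2, 1, 1) == "$") print "passwd-hash", $1
            else                              print "passwd-other", $1
        }'
}

# make_sample: constructed bytes standing in for a partition dump (no real
# accounts or hashes): a shadowed passwd, a shadow file, and a passwd- line.
make_sample() {
    printf '\001\002junk\000'
    printf 'root:x:0:0:root:/root:/bin/bash\n'
    printf 'alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash\n\000\000'
    printf 'root:$1$CONSTRUCTED$aaaaaaaaaaaaaaaaaaaaaa:14300:0:99999:7:::\n'
    printf 'alice:$1$CONSTRUCTED$bbbbbbbbbbbbbbbbbbbbbb:14300:0:99999:7:::\n'
    printf '\377\376\000'
    printf 'root:$1$CONSTRUCTED$aaaaaaaaaaaaaaaaaaaaaa:0:0:root:/root:/bin/bash\n'
}

# Demo: run the classifier over the constructed sample.
sample=$(mktemp)
make_sample > "$sample"
classify_lines "$sample"
rm -f "$sample"
```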