3

I know they say "given root access, everyone will screw up their machine eventually", and I'm discovering how true that is. In an incident of extreme fatfingering, I've managed to wipe out my /etc/passwd file. Now, I have a current backup of it, but I want to make absolutely sure how I should restore it before doing so. Can I just create a file as root, paste the old contents in, and cp the new file over the now corrupt /etc/passwd?

OS is Ubuntu Hardy

EDIT

Erm the problem just took a turn for the much worse. I now cannot use sudo. Can someone PLEASE help me here? I assume I have to mount from a liveCD to edit my /etc/passwd back into place? Now my problem here is that I use a RAID setup. Will an Ubuntu live CD autodetect this?

DWilliams

4 Answers

3

This is totally off the top of my head, but as long as you don't have this line ~~:S:wait:/sbin/sulogin in your /etc/inittab file, you can boot into single user mode without a password and re-set your root passwd.

This also assumes that either you don't have a boot loader (grub) password or that if you do have one, you know it ;).

-phez

  • This sounds good to me. Can I get some second opinions assuring me that this will work before I power the server down? If it doesn't work then things will get a lot hairier after a restart. I currently have an open SSH session to the server that I know I can't get back once it powers down. – DWilliams Jan 05 '10 at 18:45
  • You mentioned your root filesystem is on a RAID device. Who makes your card? (And what driver modules are loaded for it?) For the most part any good LiveCD should include the correct drivers. I've had problems in the past with HP stuff (cciss) but if it is an off the shelf Adaptec or PERC (Dell), the live CD will work. As insurance, you could restore the copy of /etc/passwd you have to your /home partition (or /etc/ if you have write perms) so all you have to do is cp it in once you're in single user mode... Also, when in single user mode, the FS might be in RO mode, so re-mount rw. –  Jan 05 '10 at 19:24
  • There may also exist a backup copy of /etc/passwd as /etc/passwd- – TCampbell Jan 05 '10 at 19:31
  • +1: Single user mode is your friend. You can do ANYTHING to the system in single user mode. – Satanicpuppy Jan 05 '10 at 20:23
  • My concern is whether or not I can actually get INTO single user mode without a proper /etc/passwd. Doesn't it prompt for a root password? The root account currently does not exist according to my /etc/passwd file, which contains a single lowercase "h". – DWilliams Jan 05 '10 at 21:06
  • Accepting this answer as correct. I was not able to enter the root prompt from Ubuntu's recovery mode (it complained of a bad password file). I was, however, able to edit my boot option and add "init=/bin/bash" to boot directly into a bash shell, then remounted the filesystem as RW, and restored my backup passwd file. Thanks to everyone! Emergency over, I think. Every time I do something like this I tell myself I'll be more careful in the future, but it keeps happening. Maybe this time will do the trick. – DWilliams Jan 05 '10 at 23:46
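
A way to check a backup before copying it over /etc/passwd, for the restore described in the question and in the last comment above. This is an added example, not part of any post on this page; the function names, the checks chosen and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample entries are constructed.

# validate_passwd FILE: succeed only if FILE looks like a usable passwd(5) file.
validate_passwd() {
    [ -s "$1" ] || { echo "empty or missing: $1" >&2; return 1; }
    awk -F: '
        NF != 7 { printf "line %d: %d fields, expected 7\n", NR, NF; bad = 1; next }
        $1 == "" { printf "line %d: empty login name\n", NR; bad = 1 }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf "line %d: non-numeric UID or GID\n", NR; bad = 1 }
        seen[$1]++ { printf "line %d: duplicate login %s\n", NR, $1; bad = 1 }
        $1 == "root" && $3 == 0 { root = 1 }
        END { if (!root) { print "no root entry with UID 0"; bad = 1 }
              exit bad + 0 }
    ' "$1" >&2
}

# restore_passwd BACKUP TARGET: validate BACKUP, then replace TARGET by rename.
restore_passwd() {
    backup=$1; target=$2
    validate_passwd "$backup" || return 1
    # Temp file in the same directory, so the final mv is an atomic rename.
    tmp=$(mktemp "$target.XXXXXX") || return 1
    # mktemp creates mode 0600; passwd must be world-readable (0644).
    if cp "$backup" "$tmp" && chmod 644 "$tmp"; then
        # Keep the damaged file for later inspection.
        if [ -e "$target" ]; then cp -p "$target" "$target.broken"; fi
        mv -f "$tmp" "$target"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed demo in a scratch directory: a two-entry backup and the
# single-character file described in the question.
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1000:1000::/home/alice:/bin/bash' > "$demo/passwd.bak"
printf 'h\n' > "$demo/passwd"
restore_passwd "$demo/passwd.bak" "$demo/passwd" && echo "restored $demo/passwd"
rm -rf "$demo"
```

Run as root against the real file, the temp file and therefore the restored file are owned by root. The root filesystem must already be mounted read-write, as the comment above describes.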
0
[public_html]$ ls -l r00t.txt 
-rw-r--r-- 1 user group 271 Aug  4  2002 r00t.txt
[public_html]$ cat r00t.txt 
once and for all: how to hack the root password on a linux box you have physical access to:
reboot or boot it
at the lilo prompt type:
<image name (linux?)> init=/bin/bash rw
in the root shell you get:
mount -a
passwd
<enter new root password>
umount -a
exec /sbin/init
r00t
0

Assuming it's a physical machine you have access to, even if you've totally locked yourself out of the machine AND can't log into it in single user mode, there is nothing preventing you from simply booting into the machine via a bootable USB or CD and then restoring /etc/passwd and /etc/shadow through there.

Or, if all you need is to change the password ...

  1. Boot from CD.
  2. Build raid arrays if using SW raid.
  3. Build LVM volumes if using those.
  4. Mount partition to folder.
  5. Chroot into folder.
  6. Execute a passwd command to change password.
jonathanserafini
0

The one time I've had this happen (wasn't me! I just happened to have a shell on the machine, honest.) I managed to find a privilege escalation exploit on the net and hack into our own machine. Will likely not work in your situation since modern OS installs are much more secure, but...

Luke
  • I actually came up with a similar idea a minute ago. I have some in-house web reporting system running that I wrote myself in PHP. I thought there was a security hole in my code because a certain script would include any file passed to it via URL. I tried to create a PHP script in my home directory with a system call to restore the passwd file but unfortunately it's less of a security hole than I thought since it works relative from the /var/www/reports directory and autoescapes special characters. I couldn't get it to run the script. – DWilliams Jan 05 '10 at 20:13