Reboot without Root!
Posted by turkeytime808@reddit | linuxadmin | View on Reddit | 25 comments
Hello all,
What I am attempting to do is restart a RHEL 8 Server that does not have root access. I had implemented a security guideline that booted all my users out sudoers conf file. For that reason, I am unable to sudo up to initiate the reboot. I was looking at editing the polkit file to set a rule to allow the reboot from another user. That file is owned by root.
The error that is appearing when attempting execute from a non-root user is: failed to set wall message, ignoring interactive authentication required. failed to reboot systemd via logind failed to open initctl fifo permission denied failed to talk to init daemon.
yrro@reddit
Have you not got console access to reboot with ctrl-alt-del and then break in via the usual way?
webnestify@reddit
For RHEL 8 it's
rd.break, not the genericinit=/bin/bash. You land in a dracut shell with root mounted read-only at/sysroot:Append
enforcing=0to the kernel line alongsiderd.break. Since RHEL 8.4, SELinux blocks systemd from accessing unlabeled files, so an autorelabel boot under enforcing can fail before the relabel service runs. One permissive boot covers it.Assumes GRUB access: physical, hypervisor, IPMI, or cloud serial console. Otherwise it's attach-the-disk-to-a-sibling-instance territory.
One thing though: don't bake Copy Fail or Dirty Frag into the recovery path. They'll work today, but a procedure that relies on "the kernel hasn't been patched yet" isn't a procedure.
adjunct_@reddit
Hahahahahahaha
michaelpaoli@reddit
So, as any user with shell access, or access to the sync command, do
$ sync && sync
And once that second sync returns, reboot or power down any way you can - pull power if you have to, but a commanded soft power down or reboot would be preferable (e.g. if the "smart" power button will signal that).
And if that takes you down, then power back up, and you should have your reboot.
Might wanna fix that access issue on the way back up though.
Also, as others have commented, if you don't have patches/mitigations in place to protect against some of the recent local root compromises, may be able to get to root that way ... if permissible per applicable policy(/ies), etc. Might not want to attempt that, though, in, e.g. a shoot first ask questions later environment.
BarracudaDefiant4702@reddit
Outside the the 2 CVEs that make it easy to gain root in the last week from local user... you press the power button on the computer (or vm console). That should send the soft signal to gracefully power off. You can then press it again to power back up. RHEL used to take
as a signal to reboot. I'm not sure if that still works in EL8 but I think it does. It pretty rare I can't do init 6 as root or do a soft power button.cusco@reddit
The Linux stuff that works is SysRQ + s, u, b
However I’m assuming the server is remote and no physical access exists
GarageJazzlike6369@reddit
Get the last exploit copy fail and be a root ))
Shot-Document-2904@reddit
su root
hadrabap@reddit
Reboot a server? IPMI/BMC
ipmitool chassis power softMonitor the console with
ipmitool sol activateAnd finally
ipmitool chassis power onHotshot55@reddit
Why do you have to initiate the shutdown from the OS?
aioeu@reddit
should be all you need.
dahimi@reddit
Seems like something you'd need root access for.
bzzzzzzztt@reddit
Take the disk out and change the file from another computer.
Hotshot55@reddit
Kinda need to shut the computer down first for that.
artofthenunchaku@reddit
Seems like something you'd need to reboot for
/s
aioeu@reddit
That's OK. logind runs as root. So what you need to do is tell logind that an unprivileged user may ask it to perform the action on behalf of the user. That's what the polkit rule does.
systemctl reboot,shutdown -randrebootall ask logind to perform the reboot operation first. It's logind that checks the user's permission. Only if logind is satisfied that the user has authorization will it pass the operation on to systemd.thoriumbr@reddit
Unless you updated the kernel this week to mitigate CopyFail and DirtyFrag, there are two local privilege escalation to root available.
Use one, get a root shell, fix anything you need fixing, update the kernel, reboot.
Spicy_Poo@reddit
Boot to rescue environment, mount file systems, chroot, passwd
gmuslera@reddit
Wrong week (month?) to ask for that. So far there appeared 2 CVEs with local privilege escalation this month, that applies to RHEL8 and up, copyfail and dirtyfrag. Unless you have automatic daily updates and reboot you may have a way to gain root privileges and fix the sudoers file. And then do the kernel updates to close that hole.
LameBMX@reddit
well I mean its kinda the right month to have that screw up...
edthesmokebeard@reddit
a) log in as root
b) avoid systems where they choose not to let you reboot
m4teri4lgirl@reddit
Certainly there is someone that can push the power button on this server, whether it's physical or virtual.
timjneu@reddit
Just restore sudoers from backup. Or use su and the root password.
caenos@reddit
Just use copy fail :D
mschuster91@reddit
is it a physical machine? Plug a keyboard, ctrl-alt-delete should reboot it. Catch grub, intercept it from booting, press e to edit the kernel commandline, add init=/bin/bash, press enter to boot.
is it an on-prem VM? Establish remote desktop control somehow, there's always a "send ctrl-alt-delete" somewhere in the UI.
is it an AWS or other cloud VM? Do a "soft shutdown" of the machine, once it's stopped detach the disk, attach it to some other VM, mount it and reset the sudoers file.