Linux – Wiping out user and/or root password in embedded linux

embeddedlinuxpassword-resetssh

We have a security camera system running an embedded linux. It boots with Lilo as a bootloader and has no tty access once booted. I don't know any username either.

SSH/22 is open, but I don't think brute force is an option.

I have tried all the common tricks to reset a linux user password (boot from the bootloader in single user mode = doesn't happen, still prompts for user login, boot to a live cd = can't access the file system…it's all loop files and other binary, etc etc), but they are all not possible as it is an embedded linux setup the way it is.

Any help/suggestions would be appreciated. Thanks

Best Answer

Ended up getting in to the running system command line with root access via a serial console cable. Found nowhere in documentation, but with a little Cisco, HP, etc. console cable experience, and @Gilles pointing it out, gave me enough motivation to work on it and get it done.

EDIT: Although I don't have access to the system anymore to test, I believe the method of editing the /etc/shadow would have worked out:

http://geekswing.com/geek/resetting-root-password-on-a-linux-system-using-clonezilla/

Related Solutions

Linux – Emulate EWF effects on Linux

Solved by following the excellent How To: Build A Read-Only Linux System.

From one of the two little scripts making the magic (uses an aufs union):

ro_mount_point="${rootmnt%/}.ro"
rw_mount_point="${rootmnt%/}.rw"

# Create mount points for the read-only and read/write layers:
mkdir "${ro_mount_point}" "${rw_mount_point}"

# Move the already-mounted root filesystem to the ro mount point:
mount --move "${rootmnt}" "${ro_mount_point}"

# Mount the read/write filesystem:
mount -t tmpfs root.rw "${rw_mount_point}"

# Mount the union:
mount -t aufs -o "dirs=${rw_mount_point}=rw:${ro_mount_point}=ro" root.union "${rootmnt}"

# Correct the permissions of /:
chmod 755 "${rootmnt}"

Results: system protected and apps can write their stuff (in RAM).

If I reboot without "committing" all the changes on the system will be lost, but if I need something to stay permanent, I can remount the partition read-write (this time r/w means "on disk" not "on RAM"), do the "commit" and remount the partition as read-only.

Scripts are so elegant that I can also switch between "protected" (for production) or "unprotected" (for development) modes by choosing its correct labelled entry in GRUB.

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Best Answer

Related Solutions

Linux – Emulate EWF effects on Linux

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic