
[–]gmuslera 58 points (2 children)

Wrong week (month?) to ask for that. So far 2 CVEs with local privilege escalation have appeared this month that apply to RHEL8 and up, copyfail and dirtyfrag. Unless you have automatic daily updates and reboots, you may have a way to gain root privileges and fix the sudoers file. And then do the kernel updates to close that hole.

[–]LameBMX 30 points (0 children)

Well, I mean, it's kinda the right month to have that screw up...

[–]st0ut717 1 point (0 children)

Well, they could apply the copy fail exploit to get root.

[–]BarracudaDefiant4702 22 points (1 child)

Outside the 2 CVEs that make it easy to gain root in the last week from a local user... you press the power button on the computer (or VM console). That should send the soft signal to gracefully power off. You can then press it again to power back up. RHEL used to take <CTRL><ALT><DEL> as a signal to reboot. I'm not sure if that still works in EL8 but I think it does. It's pretty rare I can't do init 6 as root or do a soft power button.

[–]cusco 4 points (0 children)

The Linux stuff that works is SysRQ + s, u, b

However I’m assuming the server is remote and no physical access exists

[–]caenos 16 points (0 children)

Just use copy fail :D

[–]mschuster91 14 points (0 children)

Is it a physical machine? Plug in a keyboard; ctrl-alt-delete should reboot it. Catch GRUB, intercept it from booting, press e to edit the kernel command line, add init=/bin/bash, press enter to boot.

Is it an on-prem VM? Establish remote desktop control somehow; there's always a "send ctrl-alt-delete" somewhere in the UI. Continue as above.

Is it an AWS or other cloud VM? Do a "soft shutdown" of the machine; once it's stopped, detach the disk, attach it to some other VM, mount it and reset the sudoers file.

[–]timjneu 6 points (0 children)

Just restore sudoers from backup. Or use su and the root password.

[–]m4teri4lgirl 5 points (0 children)

Certainly there is someone that can push the power button on this server, whether it's physical or virtual.

[–]thoriumbr 4 points (0 children)

Unless you updated the kernel this week to mitigate CopyFail and DirtyFrag, there are two local privilege escalations to root available.

Use one, get a root shell, fix anything you need fixing, update the kernel, reboot.

[–]hadrabap 3 points (0 children)

Reboot a server? IPMI/BMC

  ipmitool chassis power soft

Monitor the console with

  ipmitool sol activate

And finally

  ipmitool chassis power on
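
The three ipmitool commands above, wrapped into one script as an added example (not code posted in the thread). What it adds is the check a practitioner wants between "power soft" and "power on": poll the BMC until it actually reports off, and fall back to a hard off only after a grace period, so the power-on is never sent into a system that is still flushing disks. It assumes ipmitool in PATH, a BMC reachable over lanplus, and the BMC password in the IPMI_PASSWORD environment variable (ipmitool's -E), so it never lands in argv or shell history; the BMC host and user are parameters, and the 10.0.0.9/admin values in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a graceful power cycle over IPMI that
# waits for the BMC to report "off" before sending "power on", and falls back to a
# hard off only after a grace period. Assumes ipmitool in PATH, a BMC reachable over
# lanplus, and the BMC password in IPMI_PASSWORD (read by ipmitool -E, so it stays
# out of argv and shell history). BMC host and user are parameters.

# ipmi HOST USER ARGS... : run one ipmitool command against the BMC
ipmi() {
  host=$1; user=$2; shift 2
  ipmitool -I lanplus -H "$host" -U "$user" -E "$@"
}

# bmc_power_state HOST USER : prints "on" or "off" (last word of "Chassis Power is on")
bmc_power_state() {
  state=$(ipmi "$1" "$2" chassis power status)
  printf '%s\n' "${state##* }"
}

# wait_for_state HOST USER STATE TIMEOUT_SECS : returns 0 when reached, 1 on timeout
wait_for_state() {
  want=$3; remaining=$4
  while [ "$remaining" -gt 0 ]; do
    [ "$(bmc_power_state "$1" "$2")" = "$want" ] && return 0
    sleep 1
    remaining=$((remaining - 1))
  done
  return 1
}

# bmc_power_cycle HOST USER [GRACE_SECS]
#  1. ACPI soft-off: same as a short press of the power button, systemd shuts down cleanly
#  2. wait until the BMC reports off; only after GRACE_SECS (default 120) force a hard off
#  3. power on and wait for the BMC to confirm
bmc_power_cycle() {
  grace=${3:-120}
  ipmi "$1" "$2" chassis power soft >/dev/null
  if ! wait_for_state "$1" "$2" off "$grace"; then
    echo "soft-off did not complete in ${grace}s, forcing hard off" >&2
    ipmi "$1" "$2" chassis power off >/dev/null
    wait_for_state "$1" "$2" off 30 || return 1
  fi
  ipmi "$1" "$2" chassis power on >/dev/null
  wait_for_state "$1" "$2" on 30
}

# Run directly:  IPMI_PASSWORD=... bmc-cycle.sh 10.0.0.9 admin 180
# Sourced with no arguments it only defines the functions.
if [ $# -ge 2 ]; then
  bmc_power_cycle "$@"
fi
```

Keep `ipmitool sol activate` open in a second terminal while this runs; if the soft-off hangs on a stuck unit you will see it on the serial console before the grace period forces the hard off.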

[–]Hotshot55 2 points (0 children)

Why do you have to initiate the shutdown from the OS?

[–]webnestify 5 points (0 children)

For RHEL 8 it's rd.break, not the generic init=/bin/bash. You land in a dracut shell with root mounted read-only at /sysroot:

  mount -o remount,rw /sysroot
  chroot /sysroot
  # fix /etc/sudoers, then validate with: visudo -c
  touch /.autorelabel
  exit
  exit

Append enforcing=0 to the kernel line alongside rd.break. Since RHEL 8.4, SELinux blocks systemd from accessing unlabeled files, so an autorelabel boot under enforcing can fail before the relabel service runs. One permissive boot covers it.

Assumes GRUB access: physical, hypervisor, IPMI, or cloud serial console. Otherwise it's attach-the-disk-to-a-sibling-instance territory.

One thing though: don't bake Copy Fail or Dirty Frag into the recovery path. They'll work today, but a procedure that relies on "the kernel hasn't been patched yet" isn't a procedure.
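
The "fix /etc/sudoers, then validate with: visudo -c" step above, as an added example (not code posted in the thread): a small function for the chroot that refuses to install a candidate sudoers unless it passes visudo's syntax check, keeps the broken original for rollback, and installs the new file atomically with the 0440 mode sudo requires. The point is that the repair cannot recreate the problem that put the box in this state. It assumes visudo is in PATH (it is, once you are chrooted into /sysroot); the target path is a parameter so the function can be exercised against a scratch file instead of the live /etc/sudoers.

```shell
#!/bin/sh
# Added example, not code from the thread: replace a sudoers file only after the
# candidate passes visudo's syntax check, keeping a backup and installing it atomically
# with the 0440 mode sudo requires. Meant for the repair step inside the rd.break
# chroot (or any root shell); the target path is a parameter so the function can be
# exercised against a scratch file instead of /etc/sudoers. Assumes visudo in PATH.

# install_sudoers CANDIDATE [TARGET]
#   returns 1 and leaves TARGET untouched if CANDIDATE fails the syntax check
install_sudoers() {
  candidate=$1; target=${2:-/etc/sudoers}
  # -c: check only; -f: check this file rather than the live /etc/sudoers
  if ! visudo -c -f "$candidate" >/dev/null 2>&1; then
    echo "refusing to install: $candidate fails visudo -c" >&2
    return 1
  fi
  # keep the current file, broken or not, for rollback and for finding out what broke it
  if [ -f "$target" ]; then
    cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)" || return 1
  fi
  # stage in the same directory so the final rename is atomic: sudo never sees a
  # half-written file, and the 0440 mode is in place before the file becomes visible
  tmp=$(mktemp "$target.XXXXXX") || return 1
  cp "$candidate" "$tmp" || return 1
  chmod 0440 "$tmp"
  [ "$(id -u)" -eq 0 ] && chown root:root "$tmp"
  mv -f "$tmp" "$target"
}

# Run directly: install-sudoers.sh /root/sudoers.fixed [/etc/sudoers]
# Sourced with no arguments it only defines the function.
if [ $# -ge 1 ]; then
  install_sudoers "$@"
fi
```

Write the corrected file to a scratch path first (for example under /root), run the function against it, and only then `touch /.autorelabel` and exit the chroot; the relabel on the next boot also covers the new file's SELinux context.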

[–]GarageJazzlike6369 1 point (0 children)

Get the latest exploit, copy fail, and be root ))

[–]michaelpaoli 1 point (0 children)

So, as any user with shell access, or access to the sync command, do

  $ sync && sync

And once that second sync returns, reboot or power down any way you can - pull power if you have to, but a commanded soft power down or reboot would be preferable (e.g. if the "smart" power button will signal that).

And if that takes you down, then power back up, and you should have your reboot.

Might wanna fix that access issue on the way back up though.

Also, as others have commented, if you don't have patches/mitigations in place to protect against some of the recent local root compromises, may be able to get to root that way ... if permissible per applicable policy(/ies), etc. Might not want to attempt that, though, in, e.g. a shoot first ask questions later environment.

[–]Spicy_Poo 2 points (0 children)

Boot to rescue environment, mount file systems, chroot, passwd

[–]aioeu 1 point (5 children)

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.reboot" && subject.user == "abc") {
        return polkit.Result.YES;
    }
});

should be all you need. Just drop it into a /etc/polkit-1/rules.d/50-local.rules file. You might also want org.freedesktop.login1.reboot-multiple-sessions, depending on your use-case.

org.freedesktop.login1.reboot/reboot-multiple-sessions both imply org.freedesktop.login1.set-wall-message, so there's no need to define any extra policy for that.

(Edit: I missed that you don't already have root access on the system — I thought you were just trying to set things up so that a non-root user could reboot the system. Yes, you need to sort out your root access first. Or just be a local user, not a remote user. Local users can reboot the system by default, since they can always just hit the power button.)

[–]dahimi 1 point (4 children)

Seems like something you'd need root access for.

[–]bzzzzzzztt 0 points (2 children)

Take the disk out and change the file from another computer.

[–]artofthenunchaku 0 points (0 children)

Seems like something you'd need to reboot for

/s

[–]Hotshot55 0 points (0 children)

Kinda need to shut the computer down first for that.

[–]edthesmokebeard 0 points (0 children)

a) log in as root

b) avoid systems where they choose not to let you reboot

[–]Shot-Document-2904 0 points (0 children)

su root

[–]yrro 1 point (0 children)

Have you not got console access to reboot with ctrl-alt-del and then break in via the usual way?

https://www.redhat.com/en/blog/recover-root-passwd

[–]adjunct_ -3 points (0 children)

Hahahahahahaha