dnschneid / crouton

Chromium OS Universal Chroot Environment
https://goo.gl/fd3zc?si=1
BSD 3-Clause "New" or "Revised" License

chroots and recovery media #1570

Closed mark-hahn closed 9 years ago

mark-hahn commented 9 years ago

I didn't make a recovery flash card when I got my chromebook. The last few weeks I have added and removed a zillion chroots and even have one chroot that can't be deleted.

Is there any way for me to recover my chromebook to a pristine manufacturer state? If I have to do that with a flash card can I get one from google or somewhere else? Should I contact service? I know this is more of a chromebook question than crouton but I thought people here would understand what crouton can do to a chromebook.

The reason I want it pristine is that I have been trying to fix the keyboard target on my machine (#1558) by going back to cleaner and cleaner installs. I've done as much as I can by installing clean chroots.

tedm commented 9 years ago

I would try a powerwash first, then recovery. Be sure to backup any / all local data first.

I've never had luck with the recovery, it just seems broken, but a good idea in theory. Some say you just need a windows machine to create the image, check out some pixel related forums if you want to see if usb recovery (chrome://imageburner) is currently working and how to do it. Here's a general overview of how it was supposed to work at some point:

https://plus.google.com/+CraigTumblison/posts/7524EfhMrdi

divx118 commented 9 years ago

You can make a recovery now. It doesn't include the chroots or any other user data. There is also a linux utility/script which I had to use a few days ago, because my recovery disk failed. https://support.google.com/chromebook/answer/6002417?hl=en&source=genius-rts Below step 6.
That said, the chroots can normally not mess up your chromeos root filesystem, because that is readonly mounted on boot. Your chroots are normally created in /usr/local/chroots. Instead of using delete-chroot, you can also cd to that directory and delete the dir with the name of your chroot.

mathuin commented 9 years ago

I have successfully created a recovery image by using an app on the app store named 'Recovery'. My biggest problem with the recovery is it brings the machine to a pristine state, which means setting up accounts and WiFi access and everything all over again. It will also require a new 'restart to update' if your recovery image is stale, so keep it up to date!

mark-hahn commented 9 years ago

Thanks to all. I'll try everything.

you can also cd to that directory and delete the dir

The following is off-topic ...

Yes, but I happen to have a folder from hell, as it is called. It is a dropbox folder in a chroot and I've tried everything to delete the folder. It says permission error even though I am root and nothing is accessing it. I even tried getting the inode numbers and deleting them using the number. I didn't do anything special that I don't do in every other chroot.

I'm afraid that even a powerwash and recovery won't fix it if they don't erase the file system. If so I guess I'll have to live with that useless chroot in my chroot list. Oh well ...

Is there any way to fsck a chromebook partition?

mark-hahn commented 9 years ago

My biggest problem with the recovery is it brings the machine to a pristine state,

That's perfect for me. After I do my testing for the keyboard target problem I can restore my chroot. The rest of the setup will be quick and easy compared to setting up my chroot apps.

divx118 commented 9 years ago

A recovery will solve your problem then. Just follow https://support.google.com/chromebook/answer/6002417?hl=en&source=genius-rts (the first 6 steps are for use on a chromebook), or use the linux method on that page.

tedm commented 9 years ago

@mark-hahn just out of curiosity, what are the permissions as root for that directory from hell, and output when you attempt to remove it? I presume you checked for the sticky bit?

mark-hahn commented 9 years ago

The permissions were drwxr-xr-x. As I understand it the last "x" would be "t" if it had the sticky bit. I made sure I was root when I tried to delete it. Just to be sure I tried "chmod -R 777 ." on the directory but I got "Operation not permitted".

Maybe I'm not really the root. I use "sudo -i" to get to be root. The prompt changes from "chronos@localhost" to "localhost". Then "whoami" says "root".

FYI: the command I'm using is "edit-chroot -d precise". I also tried a rimraf.

I'm baffled. When googling, everyone says there are hidden chars in the file name. They say to use the inode number which I tried. Also I doubt dropbox would put in a hidden char.

tedm commented 9 years ago

@mark-hahn do an su and become real root, make sure you see a hash prompt, and whoami returns root, then

cd /

then type rm -R /pathto/directoryfromhell

perhaps backup first.

mark-hahn commented 9 years ago

I've always used sudo -i. su doesn't seem to work for me. I don't remember putting in a root password for the chromebook but if I did it would be the same password as for my user.

To be exact ...

When does the system ask to choose a root password?

tedm commented 9 years ago

@mark-hahn It probably never prompts you. It's something you need to proactively do. If after crosh / shell $

you cannot

sudo su

then someone else owns your computer access, perhaps dropbox, google, or the kid next door.

In any case, next time you powerwash and setup dev mode, explicitly sudo su, and set a passwd with:

passwd

This is the same as ubuntu, you don't get prompted to setup a root password (at least on the live CD desktop images), you have to sudo su and set a password otherwise there is no password, or it is weak like ubuntu toor or blank

mark-hahn commented 9 years ago

explicitly sudo su, and set a passwd with passwd

You'd think that instructions somewhere would mention that.

I just now tried sudo chromeos-setdevpasswd. It appeared to take the password but I still can't do su.

I just did passwd while root from sudo -i and it asked for a new without asking for old. I took that as a good sign. But after entering the password I got Authentication token lock busy.

I closed all apps including chrome, rebooted without starting anything except one shell. And still got the same results as above.

Googling Authentication token lock busy I found that it is probably due to the file system being read-only, which it is. I have been afraid to make the OS FS writable. It makes me nervous. I understand I couldn't go back to read-only. If I do this would recovery set it back to read-only?

I should probably just go ahead and do a recovery. I don't think it would make things worse.

tedm commented 9 years ago

@mark-hahn you might want to search a bit on chromeos-setdevpasswd for any known issues, but otherwise, perhaps a powerwash and/or recovery is the way to go. After setting up dev mode, be sure to set your root password, then setup Crouton and run it awhile, after you think it's stable and you can get real root superuser on your local system, then install dropbox or other potential filesystem altering programs.

DennisLfromGA commented 9 years ago

Mark, have you tried logging in as root from the Dev Console (tty2) via Ctrl+Alt+F2 after a reboot and without logging in?

mark-hahn commented 9 years ago

Have you tried logging in as root from the Dev Console (tty2) via Ctrl+Alt+F2 after a reboot

Ah, the black frecon screen. I didn't know what that was. I've gotten in there and had to power-cycle many times. It seemed like the blue-screen-of-death to me.

Anyway, I tried root with my normal password and a blank one with no luck. There must be a root password that I don't know about.

mark-hahn commented 9 years ago

you might want to search a bit on chromeos-setdevpasswd for any known issues

The one big issue I saw was that if you set a blank password you are borked like I apparently am now. But since I've never heard of this command, or the idea of setting the chromeos password in general, I don't think I did this.

Also, a blank password is supposed to work in the Dev Console (frecon) but doesn't. So somehow I got a password in the system and didn't know it.

Time to do a recovery. I can't believe how helpful everyone has been on this long thread. I'll let you know how it goes. Oh, and if you are bored take a look at #1558. That is my biggest problem and the whole reason I wanted to get things cleaned up. I'll try anything to be able to use Home, End, and Backspace again.

mark-hahn commented 9 years ago

It is not my day.

next time you powerwash and setup dev mode, explicitly sudo su, and set a passwd with: passwd.

I did a complete wipe/recovery. Then after setting up my user, I went straight to a shell and did a sudo su. Then I put in the password twice. Then I got the same old Authentication token lock busy. That's crazy.

Edit: Duh. I remember now. I need to change the system to read/write if I want to do this. I guess I'll go all in.

tedm commented 9 years ago

@mark-hahn here is info. on disabling rootfs verification, and yes, it appears to be one way unless recovery mode is used:

https://www.chromium.org/chromium-os/poking-around-your-chrome-os-device

Also, read this old closed thread below, as depending on how much experimenting you are going to do with non-signed bootable OS's, etc., you may want to enable usb boot at this time as well:

https://github.com/dnschneid/crouton/issues/765

It's great that the SD/USB card recovery mechanism is working. I may give it a try this weekend.

mark-hahn commented 9 years ago

Interesting factoid: The chroot backup I did before wiping with a recovery created a 3.4 gig file. After I wiped I restored that backup. I just did a new backup and it is only 1.2 gigs. As far as I can tell everything is still

tedm commented 9 years ago

@mark-hahn wait until you are looking for something really important ;)

DennisLfromGA commented 9 years ago

A little OT but nevertheless important and sometimes relevant when using encrypted chroots.

This is my experience with Chromebooks, along with a couple of other sources that talk about it. This is by no means law nor is it sanctioned by anyone - other than me ;) { See 'when i ssh into the chromebook...' and 'Developer Shell Access' }

In Developer mode, with a password set or unset -

In Developer mode, on VT2, without a password set -

In Developer mode, on VT2, with a password set -


When in Chrome OS, outside of a chroot, if you want/need to set a password, use:

sudo chromeos-setdevpasswd

Never use 'passwd' - it simply won't work on a write-protected rootfs and if the rootfs is writable, it'll really bork things up.

When in a chroot, using passwd is perfectly fine and correct.


If anyone would like to comment / contribute / or complain about the above, please feel free.
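
The read-only rootfs that this thread connects to the `Authentication token lock busy` error from `passwd`, and the "write-protected rootfs" warning in the post above, can be checked from the mount table before changing any password. The following is an added example, not code from crouton or from any commenter; the function names and the sample mount table are constructed for illustration.

```shell
# Added example: report how the filesystem holding a path is mounted.
# Input is a mount table in /proc/mounts format:
#   device mountpoint fstype options dump pass
# Mount points containing spaces (escaped as \040) are not handled.

# Print "<mountpoint> <ro|rw>" for the mount that holds path $1.
# $2 is the mount table to read (default: /proc/mounts).
mount_state() {
    path=$1
    table=${2:-/proc/mounts}
    awk -v p="$path" '
        {
            mp = $2
            # A mount holds the path if it is "/", the path itself,
            # or a directory prefix of the path.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # Longest mount point wins; on a tie the later line wins,
                # because later mounts shadow earlier ones.
                if (length(mp) >= length(best)) {
                    best = mp
                    n = split($4, o, ",")
                    state = "rw"
                    for (i = 1; i <= n; i++) if (o[i] == "ro") state = "ro"
                }
            }
        }
        END { if (best == "") exit 1; print best, state }
    ' "$table"
}

# Return 0 if the filesystem holding $1 is writable, 1 if it is
# read-only, 2 if no mount could be determined.
is_writable() {
    s=$(mount_state "$1" "$2") || return 2
    [ "${s##* }" = "rw" ]
}

# Constructed sample: a read-only root with a writable /usr/local,
# the layout described in this thread (device names are made up).
sample_mounts() {
    cat <<'EOF'
/dev/root / ext2 ro,seclabel,relatime 0 0
/dev/mmcblk0p1 /mnt/stateful_partition ext4 rw,nosuid,nodev,noexec 0 0
/dev/mmcblk0p1 /usr/local ext4 rw,nodev,relatime 0 0
EOF
}

tmp=$(mktemp)
sample_mounts > "$tmp"
for p in /etc/shadow /usr/local/chroots/precise; do
    printf '%s -> %s\n' "$p" "$(mount_state "$p" "$tmp")"
done
rm -f "$tmp"
```

On a live system, call `mount_state /etc/shadow` with no second argument to read `/proc/mounts` directly.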

tedm commented 9 years ago

@DennisLfromGA Great writeup. As soon as I finished reading your post, and the 2nd link you posted, I brought up VT2 and typed passwd ;) as I had done before successfully. No luck, it returned authentication token lock busy, and didn't take. It used to take passwd at VT2, I'm pretty sure about this, but don't recall having checked /etc/passwd or /etc/shadow which are read only, even to root.

I understand the requirement of retaining security when dev mode is disabled, but this can limit the usability of a chromebook for plain hardware use. It's kind of like buying a locked cell phone.

DennisLfromGA commented 9 years ago

@tedm

Never use 'passwd'

I guess I should have used reverse-logic in that statement. :)

but this can limit the usability of a chromebook for plain hardware use.

I'm not exactly sure I understand that statement. Do you mean setting a 'chronos' password limits the usability? If so, I still don't understand... :/

I've never really understood people who don't use Developer mode because it makes it less secure. All you have to do, whether in Developer mode or not is: Press and hold Ctrl+Alt+Shift+R at the login screen to do a 'powerwash' and become the owner - period, case closed.

tedm commented 9 years ago

@DennisLfromGA no, I mean the inability to set a root pw and do a bare metal install of any OS I want on the plastic encased ARM CPU based board is limiting. On every other computing device, not just computers, but phones and cameras running linux, etc. I can do more than toss it in a landfill if the original software on it isn't what I need on the hardware at some point.

Developer mode is insecure, because someone could run some program like crouton and linux, and then say the Ask search/toolbar in the chroot, and within hours, they will have all kinds of spyware, malware, or worse, they could stop using sudo and be at the # prompt all the time ;), maybe worse, by possibly downloading runnable programs, and these programs might not immediately do any damage, but may lie dormant, long after the system is powerwashed and back in regular mode.

I don't think powerwashing puts your hardware back in OOB mode, otherwise, why do we need the recovery media to go from dev or beta channels back to stable? Or without the backup media, if a version of chrome breaks crouton, say next week, and will take two weeks to fix, how do we access our chroot? powerwashing will bring us up to the current broken level, but a chroot backup, and media recovery backup taken during a working state will enable us to continue running (if we're careful to not reboot after recovery), or that's my understanding. If powerwash offered a selective recovery, then recovery media shouldn't be needed.

DennisLfromGA commented 9 years ago

@tedm,

Developer mode is insecure, because someone could run some program like crouton and linux...

True, but it's no different than any other PC if you have physical access.

I don't think powerwashing puts your hardware back in OOB mode, otherwise, why do we need the recovery media to go from dev or beta channels back to stable?

A powerwash doesn't put it back to OOB mode but it does wipe out all user(s) and user(s) data. Also, you don't need the recovery media to move back a channel, it's just a matter of going to Chrome://help and selecting another channel. If you're moving up a channel no powerwash is needed but if you move down a channel it does a powerwash.

tedm commented 9 years ago

@DennisLfromGA

True, but it's no different than any other PC if you have physical access.

Right. But the big selling point of Chromebooks has been the inherent security for the masses. Especially when used in Guest mode. So with Microsoft now giving away starter windows, the chromebook needs every advantage, and if toggling to dev mode and back, doesn't retain the OOB security model, then that selling point is compromised.

So while power washing will remove user data, enabling root in dev mode, and embracing a small market of native linux/alt. os users, could risk a chromebook being compromised when toggled out of dev mode.

No one has been able to sell linux only machines profitably yet because they can't make money on them. When you put an OS on it that is tied to apps or services related to ads, then you can justify low or negative margins. This is why almost all of our real computers are built from parts from Newegg, and the hardware on the real computers is not crippled by marketing and political hardware/software limitations.

I think my next Chromebook will be one with Seabios, and using The Angry Walrus or whoever's ChromeOS distro because I like the idea of not automatically updating and temporarily being bricked by accidentally running out of power or hitting the space bar.

DennisLfromGA commented 9 years ago

Go for it, I like the unique way the Chromebooks update so I'll stick with it.
