
Resolve the "passwd: Permission denied" error when changing the root password of a Linux ECS instance

Last Updated: Nov 11, 2025

Problem description

When you run the passwd command to change the root password, the system returns a Permission denied error.

Causes

  • File lock: The core authentication files, such as /etc/passwd and /etc/shadow, have the immutable (i) or append-only (a) attribute set, which prevents any modifications.

  • Incorrect permissions: Incorrect read and write permissions on one or more files prevent the passwd command from modifying the password.

  • SELinux policy restrictions: The SELinux security policy prevents the passwd command from modifying the password.

  • Incorrect PAM configuration file format: A Pluggable Authentication Modules (PAM) configuration file in /etc/pam.d/ uses the DOS format (CRLF line endings), which Linux cannot parse correctly.

Solution

Important

Before you modify any system files, create a snapshot of your system disk to back up configuration data. This lets you quickly restore the system if a problem occurs.

Step 1: Check and modify file attributes

  1. Check the file attributes.

    sudo lsattr /etc/passwd /etc/shadow
  2. If the output contains the i attribute or the a attribute (for example, ----ia------), the file is locked. Run the following commands to remove these attributes.

    sudo chattr -ia /etc/passwd
    sudo chattr -ia /etc/shadow
  3. After removing the attributes, retry the passwd command.

Step 2: Check and fix file permissions

  1. Check the file permissions.

    sudo ls -l /etc/passwd /etc/shadow
  2. Ensure the permissions are correct. If not, use the chmod command to correct them.

    • The correct permissions for /etc/passwd are 644 (-rw-r--r--).

    • The correct permissions for /etc/shadow are 000 (----------) or 600 (-rw-------).

    sudo chmod 644 /etc/passwd
    sudo chmod 000 /etc/shadow
  3. After correcting the permissions, retry the passwd command.

Step 3: Check the SELinux status

  1. Check the current status of SELinux.

    sestatus
  2. If Current mode is enforcing, SELinux blocks modifications that violate its security policy. Temporarily switch SELinux to permissive mode to allow the modification.

    sudo setenforce 0
  3. After setting SELinux to permissive mode, retry the passwd command.

Step 4: Check the PAM configuration file format

  1. Check the format of the PAM configuration file.

    sudo file /etc/pam.d/passwd
  2. If the output includes "ASCII text, with CRLF line terminators", the file is in DOS format. Convert the file to Unix format, because Linux cannot parse files with CRLF line endings (\r\n).

    sudo yum install -y dos2unix
    sudo dos2unix /etc/pam.d/passwd
  3. Retry the passwd command.
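
The four checks from Steps 1 to 4, combined into one read-only triage script. This is an added example, not part of the original document; the function names are illustrative, and it assumes GNU stat and the lsattr and sestatus tools used above.

```shell
#!/bin/sh
# Added example: read-only triage for the four causes above; changes nothing.
# Prints locked / clear / unknown (no lsattr or no attribute support).
attr_state() {
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}') || true
    case $flags in
        '') echo unknown ;;
        *[ia]*) echo locked ;;
        *) echo clear ;;
    esac
}

# Succeeds if the file's octal mode equals one of the allowed modes.
mode_ok() {
    file=$1; shift
    raw=$(stat -c %a "$file" 2>/dev/null) || return 2
    mode=$(printf '%03d' "$raw")   # GNU stat prints "0" for mode 000
    for want in "$@"; do
        if [ "$mode" = "$want" ]; then return 0; fi
    done
    return 1
}

# Reads sestatus output on stdin and prints the "Current mode" value.
selinux_mode() {
    awk -F': *' '/^Current mode/ {print $2}'
}

# Succeeds if any line of the file ends in a carriage return (CRLF).
has_crlf() {
    grep -q "$(printf '\r')\$" "$1" 2>/dev/null
}

report() {
    for f in /etc/passwd /etc/shadow; do
        echo "$f attributes: $(attr_state "$f")"
    done
    if mode_ok /etc/passwd 644; then echo "/etc/passwd mode: ok"
    else echo "/etc/passwd mode: expected 644"; fi
    if mode_ok /etc/shadow 000 600; then echo "/etc/shadow mode: ok"
    else echo "/etc/shadow mode: expected 000 or 600"; fi
    if command -v sestatus >/dev/null 2>&1; then
        echo "SELinux mode: $(sestatus 2>/dev/null | selinux_mode)"
    fi
    for f in /etc/pam.d/*; do
        if [ -f "$f" ] && has_crlf "$f"; then echo "$f: CRLF line endings"; fi
    done
}
report
```

Run it with sudo so that lsattr can read the attributes of /etc/shadow. If the report still shows permissive after the password has been changed, `sudo setenforce 1` returns SELinux to enforcing mode.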

Recommendations

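After you resolve the problem, you can re-apply the immutable attribute to the /etc/passwd and /etc/shadow files to prevent accidental changes. While the attribute is set, the passwd command returns the Permission denied error again, so remove the attribute as described in Step 1 before the next password change.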

sudo chattr +i /etc/passwd
sudo chattr +i /etc/shadow