All Products
Search
Document Center

:Fix "passwd: Permission denied" on a Linux instance

Last Updated:Apr 27, 2026

Symptom

Running the passwd command to change the root password returns a Permission denied error.

Causes

  • File lock: Authentication files such as /etc/passwd and /etc/shadow have an immutable attribute that blocks modifications.

  • Incorrect permissions: Wrong read and write permissions on authentication files block the passwd command.

  • SELinux policy restrictions: SELinux in enforcing mode blocks the passwd command.

  • Incorrect PAM configuration file format: A PAM configuration file in /etc/pam.d/ uses DOS line endings, which Linux cannot parse.

Solution

Important

Before you modify system files, create a snapshot of the system disk to enable quick rollback.

Check and modify file attributes

  1. Check the file attributes.

    sudo lsattr /etc/passwd /etc/shadow
  2. If the output contains the i or a attribute (for example, ----ia------), the file is locked. Remove these attributes:

    sudo chattr -ia /etc/passwd
    sudo chattr -ia /etc/shadow
  3. Retry the passwd command.

Check and fix file permissions

  1. Check the file permissions.

    sudo ls -l /etc/passwd /etc/shadow
  2. Verify the permissions match the expected values. If not, fix them with chmod:

    • /etc/passwd: 644 (-rw-r--r--)

    • /etc/shadow: 000 (----------) or 600 (-rw-------)

    sudo chmod 644 /etc/passwd
    sudo chmod 000 /etc/shadow
  3. Retry the passwd command.

Check SELinux status

  1. Check SELinux status.

    sestatus
  2. If Current mode is enforcing, SELinux blocks password changes. Switch SELinux to permissive mode:

    setenforce 0
  3. After switching SELinux to permissive mode, retry the passwd command.

Check PAM configuration file format

  1. Check the PAM configuration file format.

    sudo file -i /etc/pam.d/passwd
  2. If the output includes ASCII text, with CRLF line terminators, the file has DOS line endings (\r\n). Convert it:

    sudo yum install -y dos2unix
    sudo dos2unix /etc/pam.d/passwd
  3. Retry the passwd command.

Next steps

Re-apply the immutable attribute to /etc/passwd and /etc/shadow to prevent accidental changes:

sudo chattr +i /etc/passwd
sudo chattr +i /etc/shadow