Elastic Compute Service: Error "passwd: Permission denied" when modifying the root password of a Linux ECS instance

Last Updated: Mar 25, 2025

Problem description

When modifying the root password on a Linux instance, the error "passwd: Permission denied" occurs.

Cause analysis

In Linux systems, /etc/passwd and /etc/shadow are core files that directly store user information and passwords. Abnormal permissions or attributes of these files directly affect password modification operations. The configuration files in the /etc/pam.d/* directory are related to PAM (Pluggable Authentication Modules), which mainly define authentication rules. These files usually do not directly cause "Permission denied" errors unless there are serious configuration errors (such as missing modules or abnormal formats). Therefore, this issue is usually caused by the following reasons:

  • Incorrect permission settings for key files such as /etc/passwd, /etc/shadow, and /etc/pam.d/*.

  • Format errors in PAM (Pluggable Authentication Modules) configuration files, such as files in DOS format.

  • Issues recorded in system logs, such as missing files or module errors.

Solution

Important

Before modifying system files, we recommend that you create a snapshot or back up important data to prevent data loss due to misoperations.

Step 1: Check the permissions of key files

  1. Run the following command to check if the file permissions are normal.

    ls -l /etc/passwd /etc/shadow /etc/pam.d/*

    Under normal circumstances:

    • The permission of /etc/passwd should be 644 (i.e., rw-r--r--), and the owner should be root.

    • The permission of /etc/shadow should be 600 (i.e., rw-------), and the owner should be root.

    • The permission of /etc/pam.d/* should be 644 (i.e., rw-r--r--), and the owner should be root.

  2. If you find abnormal permissions, you can use the following commands to fix the file permissions.

    sudo chmod 644 /etc/passwd
    sudo chmod 600 /etc/shadow
    sudo chmod 644 /etc/pam.d/*

  3. Run the following command to check the immutable attributes of the files.

    lsattr /etc/passwd /etc/shadow

  4. If the output includes i (such as ----i--------), it indicates that the file cannot be modified. You can run the following commands to remove the i attribute.

    sudo chattr -i /etc/passwd
    sudo chattr -i /etc/shadow

    After modifying the password, you can set the i attribute again to enhance security.

    sudo chattr +i /etc/passwd
    sudo chattr +i /etc/shadow

Step 2: Check the SELinux status

If SELinux is enabled on the system, it may restrict password modification operations. You can temporarily disable SELinux using the following commands.

# Check SELinux status
sestatus

# Temporarily disable SELinux (if enabled)
sudo setenforce 0

If the problem is resolved, you can permanently disable SELinux according to your needs. For more information, see Permanently disable SELinux.

Step 3: Use strace to trace the password modification process

  1. Use the strace command to trace the password modification process and output the log to the /tmp/changepasswd file.

    strace -o /tmp/changepasswd passwd root

  2. Run the following command to analyze the log. If the output is similar to open("/etc/pam.d/system-auth-ac\r", O_RDONLY), it confirms that the format of the /etc/pam.d/system-auth-ac file is abnormal (caused by DOS format).

    grep "open" /tmp/changepasswd | grep '\\r'

Step 4: Check and fix PAM configuration file format

  1. Run the following command to check the file format. If the problem is related to PAM modules, it may be due to an abnormal format of the /etc/pam.d/system-auth-ac file (such as DOS format).

    # CentOS/RHEL
    file -i /etc/pam.d/system-auth-ac
    
    # Ubuntu/Debian
    file -i /etc/pam.d/passwd

    If the output contains us-ascii and with CRLF line terminators, it indicates that the file is in DOS format.

  2. If the file is in DOS format, use the following command to convert the file from DOS format to Unix format.

    # CentOS/RHEL
    sudo dos2unix /etc/pam.d/system-auth-ac
    
    # Ubuntu/Debian
    sudo dos2unix /etc/pam.d/passwd
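
The read-only checks from Steps 1 and 4 can be combined into one pass that reports every deviation before any chmod, chattr, or dos2unix command is run. The script below is an added example, not part of the original article; the function names, the optional owner argument, and the audit.sh file name are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of the checks in Steps 1 and 4. It changes nothing.
# Function names and the OWNER argument are illustrative, not from the article.

# check_mode FILE MODE [OWNER]: compare octal mode and owner with Step 1's values.
check_mode() {
    # -L follows symlinks (system-auth is often a link to system-auth-ac).
    actual=$(stat -L -c '%a %U' "$1" 2>/dev/null) || { echo "MISSING $1"; return 2; }
    if [ "$actual" = "$2 ${3:-root}" ]; then
        echo "OK $1 ($actual)"
        return 0
    fi
    echo "BAD $1: found '$actual', expected '$2 ${3:-root}'"
    return 1
}

# is_immutable FILE: true if lsattr reports the i attribute (Step 1, item 4).
is_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)
    case "$flags" in *i*) return 0 ;; *) return 1 ;; esac
}

# has_crlf FILE: true if any line ends in a carriage return (DOS format, Step 4).
has_crlf() {
    cr=$(printf '\r')
    grep -q "${cr}\$" "$1"
}

# audit DIR [OWNER]: run every check against DIR (normally /etc); returns 1 on any finding.
audit() {
    dir=$1; owner=${2:-root}; rc=0
    check_mode "$dir/passwd" 644 "$owner" || rc=1
    check_mode "$dir/shadow" 600 "$owner" || rc=1
    for f in "$dir/passwd" "$dir/shadow"; do
        if is_immutable "$f"; then echo "IMMUTABLE $f"; rc=1; fi
    done
    for f in "$dir"/pam.d/*; do
        [ -f "$f" ] || continue
        check_mode "$f" 644 "$owner" || rc=1
        if has_crlf "$f"; then echo "CRLF $f (DOS format)"; rc=1; fi
    done
    return "$rc"
}

# Run as root, for example: sh audit.sh /etc
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

A non-zero exit status means at least one BAD, MISSING, IMMUTABLE, or CRLF line was printed; each line names the file to fix with the commands from the matching step.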

Step 5: Verify the modification results

  1. After completing the above steps, try to modify the root password again.

    passwd root

    Enter the new password and confirm it. Check if you can successfully modify the password without the "Permission denied" error.

  2. Log on to the system using the new password to verify that the password modification is effective.

By following the above steps, you can troubleshoot and resolve the "passwd: Permission denied" issue step by step. If the problem persists, further check the system logs or submit a ticket to contact technical support for help.