Symptom
Running the passwd command to change the root password returns a Permission denied error.
Causes
-
File lock: Authentication files such as
/etc/passwdand/etc/shadowhave an immutable attribute that blocks modifications. -
Incorrect permissions: Wrong read and write permissions on authentication files block the
passwdcommand. -
SELinux policy restrictions: SELinux in enforcing mode blocks the
passwdcommand. -
Incorrect PAM configuration file format: A PAM configuration file in
/etc/pam.d/uses DOS line endings, which Linux cannot parse.
Solution
Before you modify system files, create a snapshot of the system disk to enable quick rollback.
Check and modify file attributes
-
Check the file attributes.
sudo lsattr /etc/passwd /etc/shadow -
If the output contains the
ioraattribute (for example,----ia------), the file is locked. Remove these attributes:sudo chattr -ia /etc/passwd sudo chattr -ia /etc/shadow -
Retry the
passwdcommand.
Check and fix file permissions
-
Check the file permissions.
sudo ls -l /etc/passwd /etc/shadow -
Verify the permissions match the expected values. If not, fix them with
chmod:-
/etc/passwd:644(-rw-r--r--) -
/etc/shadow:000(----------) or600(-rw-------)
sudo chmod 644 /etc/passwd sudo chmod 000 /etc/shadow -
-
Retry the
passwdcommand.
Check SELinux status
-
Check SELinux status.
sestatus -
If
Current modeisenforcing, SELinux blocks password changes. SwitchSELinuxto permissive mode:setenforce 0 -
After switching
SELinuxtopermissivemode, retry thepasswdcommand.
Check PAM configuration file format
-
Check the PAM configuration file format.
sudo file -i /etc/pam.d/passwd -
If the output includes
ASCII text, with CRLF line terminators, the file has DOS line endings (\r\n). Convert it:sudo yum install -y dos2unix sudo dos2unix /etc/pam.d/passwd -
Retry the
passwdcommand.
Next steps
Re-apply the immutable attribute to /etc/passwd and /etc/shadow to prevent accidental changes:
sudo chattr +i /etc/passwd
sudo chattr +i /etc/shadow