topic Re: Cant modify the user properties in Operating System - Linux

Cant modify the user properties

skt_skt — Mon, 04 Feb 2008 15:30:18 GMT

here are the some of the symptoms observed.I can manullay edit the password file (vi /etc/passwd; vi /etc/group). But any of th e commands which triger the simiar operations fails(like usermod)

Infact we were doing a h/w migration and not sure if any files were missed to copy.

# vipw
vipw: Can't set context for /etc/ptmpvipw: /etc/ptmp: Invalid argument
vipw: /etc/passwd unchanged

# usermod -c "Modi Jagdish" modij
usermod: cannot rewrite password file

any hints would be apprecaited

Re: Cant modify the user properties

TwoProc — Mon, 04 Feb 2008 18:49:43 GMT

I'd suggest running lsof to determine if there is another process out there holding a lock on /etc/ptmpvipw. This may tell you what the issue is, maybe another process out there that needs to be killed off.

Re: Cant modify the user properties

Ivan Ferreira — Mon, 04 Feb 2008 19:13:57 GMT

>>> Can't set context for

It seems a SELinux related problem, if you have SELinux enabled, you probably need to relabel the system. If you don't use SELinux, consider disabling it.

See getenforce/setenforce man pages.

Re: Cant modify the user properties

skt_skt — Mon, 04 Feb 2008 19:57:39 GMT

Disabling SELinux fixed the problem.

# getenforce
Permissive

I have other systems where "SELINUX=enforcing" is set. Those are working fine too. So that make a little confused. Could some one explain that..

Re: Cant modify the user properties

skt_skt — Mon, 04 Feb 2008 20:04:01 GMT

Also what is SELinux mode?

Re: Cant modify the user properties

Ivan Ferreira — Mon, 04 Feb 2008 20:11:55 GMT

You must set SELinux to disabled intead or permissive, or you will get your log files full of SELinux messages, even more than when SELinux is enabled. Configure it to:

SELINUX="disabled"

>>>> I have other systems where "SELINUX=enforcing" is set. Those are working fine too. So that make a little confused. Could some one explain that..

Is hard to explain, but when SELinux is enabled, there are additional attributes on files/commands, called context. When you copy/move files, the context may not be retained. There are commands to change the context, and relabeling the system restore the context to defaults.

For example, SELinux may ve a policy where it states that commands with the context "passwd_exec_t" may modify files with contexts "passwd_t". If the context is missing, then the modifications won't be allowed. This is just one example, context names will be different.

Re: Cant modify the user properties

Stuart Browne — Mon, 04 Feb 2008 20:13:26 GMT

If you look at the output of 'ls -Z /etc/{passwd,group}', you should see something like:

-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/passwd

If the context is different (the 'sustem_u:object_r:etc_t:s0' bit), then these need to be restored to their default values. You can use the 'restorecon' command:

restorecon /etc/{passwd,group}

Re: Cant modify the user properties

Stuart Browne — Mon, 04 Feb 2008 20:51:06 GMT

Oh, what *IS* SELinux.

SELinux is 'Security Enhanced Linux'. It was developed with/for the NSA and takes the security model of Linux and extends it quite considerably, allowing files, network resources and devices to be accessed by given processes or users within a given security context.

What does this mean? An exmaple.

If you run a web server on your machine, it will run in a context of 'httpd_exec_t'. It can access files which have a context of 'httpd_sys_content_t'. If you look at 'ls -Z /usr/sbin/httpd /var/www', you'll see these contexts.

It also means that if your server is running in SELinux = Enforcing, the web server will not be able to access any file without that context, even if the file permissions are 777.

As a test of SELinux when it was being developed, one of the developers gave root access to a machine on the 'net, with the simple challenge of 'Do anything'. All failed. What he did was tie the system's contexts down so tight, that even 'root' was incapable of doing anything.

Perhaps it would be easier to read http://www.nsa.gov/selinux/ .

Re: Cant modify the user properties

Alexander Chuzhoy — Tue, 05 Feb 2008 07:00:34 GMT

Edit the file /etc/sysconfig/selinux and make sure there's a line:
SELINUX=disabled

otherwise, you'll get the same behaviour after reboot.

If you want to check the current mode:
getenforce

If you want temporarily (until the next reboot) to switch between enforcing/permissive modes:
setenforce 1/0

Re: Cant modify the user properties

skt_skt — Tue, 05 Feb 2008 14:56:10 GMT

the file "/etc/sysconfig/selinux" was already taken care..

Re: Cant modify the user properties

skt_skt — Mon, 11 Feb 2008 00:31:57 GMT

closing..