System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Cant modify the user properties

SOLVED
Go to solution
skt_skt
Honored Contributor

Cant modify the user properties

here are the some of the symptoms observed.I can manullay edit the password file (vi /etc/passwd; vi /etc/group). But any of th e commands which triger the simiar operations fails(like usermod)

Infact we were doing a h/w migration and not sure if any files were missed to copy.

# vipw
vipw: Can't set context for /etc/ptmpvipw: /etc/ptmp: Invalid argument
vipw: /etc/passwd unchanged


# usermod -c "Modi Jagdish" modij
usermod: cannot rewrite password file

any hints would be apprecaited
10 REPLIES
TwoProc
Honored Contributor

Re: Cant modify the user properties

I'd suggest running lsof to determine if there is another process out there holding a lock on /etc/ptmpvipw. This may tell you what the issue is, maybe another process out there that needs to be killed off.
We are the people our parents warned us about --Jimmy Buffett
Ivan Ferreira
Honored Contributor
Solution

Re: Cant modify the user properties

>>> Can't set context for

It seems a SELinux related problem, if you have SELinux enabled, you probably need to relabel the system. If you don't use SELinux, consider disabling it.

See getenforce/setenforce man pages.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
skt_skt
Honored Contributor

Re: Cant modify the user properties


Disabling SELinux fixed the problem.

# getenforce
Permissive

I have other systems where "SELINUX=enforcing" is set. Those are working fine too. So that make a little confused. Could some one explain that..
skt_skt
Honored Contributor

Re: Cant modify the user properties

Also what is SELinux mode?
Ivan Ferreira
Honored Contributor

Re: Cant modify the user properties

You must set SELinux to disabled intead or permissive, or you will get your log files full of SELinux messages, even more than when SELinux is enabled. Configure it to:

SELINUX="disabled"

>>>> I have other systems where "SELINUX=enforcing" is set. Those are working fine too. So that make a little confused. Could some one explain that..

Is hard to explain, but when SELinux is enabled, there are additional attributes on files/commands, called context. When you copy/move files, the context may not be retained. There are commands to change the context, and relabeling the system restore the context to defaults.

For example, SELinux may ve a policy where it states that commands with the context "passwd_exec_t" may modify files with contexts "passwd_t". If the context is missing, then the modifications won't be allowed. This is just one example, context names will be different.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Stuart Browne
Honored Contributor

Re: Cant modify the user properties

If you look at the output of 'ls -Z /etc/{passwd,group}', you should see something like:

-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/passwd

If the context is different (the 'sustem_u:object_r:etc_t:s0' bit), then these need to be restored to their default values. You can use the 'restorecon' command:

restorecon /etc/{passwd,group}

One long-haired git at your service...
Stuart Browne
Honored Contributor

Re: Cant modify the user properties

Oh, what *IS* SELinux.

SELinux is 'Security Enhanced Linux'. It was developed with/for the NSA and takes the security model of Linux and extends it quite considerably, allowing files, network resources and devices to be accessed by given processes or users within a given security context.

What does this mean? An exmaple.

If you run a web server on your machine, it will run in a context of 'httpd_exec_t'. It can access files which have a context of 'httpd_sys_content_t'. If you look at 'ls -Z /usr/sbin/httpd /var/www', you'll see these contexts.

It also means that if your server is running in SELinux = Enforcing, the web server will not be able to access any file without that context, even if the file permissions are 777.

As a test of SELinux when it was being developed, one of the developers gave root access to a machine on the 'net, with the simple challenge of 'Do anything'. All failed. What he did was tie the system's contexts down so tight, that even 'root' was incapable of doing anything.

Perhaps it would be easier to read http://www.nsa.gov/selinux/ .
One long-haired git at your service...
Alexander Chuzhoy
Honored Contributor

Re: Cant modify the user properties

Edit the file /etc/sysconfig/selinux and make sure there's a line:
SELINUX=disabled

otherwise, you'll get the same behaviour after reboot.

If you want to check the current mode:
getenforce

If you want temporarily (until the next reboot) to switch between enforcing/permissive modes:
setenforce 1/0
skt_skt
Honored Contributor

Re: Cant modify the user properties

the file "/etc/sysconfig/selinux" was already taken care..
skt_skt
Honored Contributor

Re: Cant modify the user properties

closing..