HPE Community
Operating System - Linux
1752565 Members
5432 Online
108788 Solutions
New Discussion юеВ

Re: Cant modify the user properties

 
SOLVED
Go to solution
skt_skt
Honored Contributor

тАО02-04-2008 07:30 AM

тАО02-04-2008 07:30 AM

Cant modify the user properties

here are the some of the symptoms observed.I can manullay edit the password file (vi /etc/passwd; vi /etc/group). But any of th e commands which triger the simiar operations fails(like usermod)

Infact we were doing a h/w migration and not sure if any files were missed to copy.

# vipw
vipw: Can't set context for /etc/ptmpvipw: /etc/ptmp: Invalid argument
vipw: /etc/passwd unchanged


# usermod -c "Modi Jagdish" modij
usermod: cannot rewrite password file

any hints would be apprecaited
0 Kudos
10 REPLIES 10
TwoProc
Honored Contributor

тАО02-04-2008 10:49 AM

тАО02-04-2008 10:49 AM

Re: Cant modify the user properties

I'd suggest running lsof to determine if there is another process out there holding a lock on /etc/ptmpvipw. This may tell you what the issue is, maybe another process out there that needs to be killed off.
We are the people our parents warned us about --Jimmy Buffett
0 Kudos
Ivan Ferreira
Honored Contributor

тАО02-04-2008 11:13 AM

тАО02-04-2008 11:13 AM

Solution

Re: Cant modify the user properties

>>> Can't set context for

It seems a SELinux related problem, if you have SELinux enabled, you probably need to relabel the system. If you don't use SELinux, consider disabling it.

See getenforce/setenforce man pages.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
skt_skt
Honored Contributor

тАО02-04-2008 11:57 AM

тАО02-04-2008 11:57 AM

Re: Cant modify the user properties


Disabling SELinux fixed the problem.

# getenforce
Permissive

I have other systems where "SELINUX=enforcing" is set. Those are working fine too. So that make a little confused. Could some one explain that..
0 Kudos
skt_skt
Honored Contributor

тАО02-04-2008 12:04 PM

тАО02-04-2008 12:04 PM

Re: Cant modify the user properties

Also what is SELinux mode?
0 Kudos
Ivan Ferreira
Honored Contributor

тАО02-04-2008 12:11 PM

тАО02-04-2008 12:11 PM

Re: Cant modify the user properties

You must set SELinux to disabled intead or permissive, or you will get your log files full of SELinux messages, even more than when SELinux is enabled. Configure it to:

SELINUX="disabled"

>>>> I have other systems where "SELINUX=enforcing" is set. Those are working fine too. So that make a little confused. Could some one explain that..

Is hard to explain, but when SELinux is enabled, there are additional attributes on files/commands, called context. When you copy/move files, the context may not be retained. There are commands to change the context, and relabeling the system restore the context to defaults.

For example, SELinux may ve a policy where it states that commands with the context "passwd_exec_t" may modify files with contexts "passwd_t". If the context is missing, then the modifications won't be allowed. This is just one example, context names will be different.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Stuart Browne
Honored Contributor

тАО02-04-2008 12:13 PM

тАО02-04-2008 12:13 PM

Re: Cant modify the user properties

If you look at the output of 'ls -Z /etc/{passwd,group}', you should see something like:

-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/passwd

If the context is different (the 'sustem_u:object_r:etc_t:s0' bit), then these need to be restored to their default values. You can use the 'restorecon' command:

restorecon /etc/{passwd,group}

One long-haired git at your service...
0 Kudos
Stuart Browne
Honored Contributor

тАО02-04-2008 12:51 PM

тАО02-04-2008 12:51 PM

Re: Cant modify the user properties

Oh, what *IS* SELinux.

SELinux is 'Security Enhanced Linux'. It was developed with/for the NSA and takes the security model of Linux and extends it quite considerably, allowing files, network resources and devices to be accessed by given processes or users within a given security context.

What does this mean? An exmaple.

If you run a web server on your machine, it will run in a context of 'httpd_exec_t'. It can access files which have a context of 'httpd_sys_content_t'. If you look at 'ls -Z /usr/sbin/httpd /var/www', you'll see these contexts.

It also means that if your server is running in SELinux = Enforcing, the web server will not be able to access any file without that context, even if the file permissions are 777.

As a test of SELinux when it was being developed, one of the developers gave root access to a machine on the 'net, with the simple challenge of 'Do anything'. All failed. What he did was tie the system's contexts down so tight, that even 'root' was incapable of doing anything.

Perhaps it would be easier to read http://www.nsa.gov/selinux/ .
One long-haired git at your service...
0 Kudos
Alexander Chuzhoy
Honored Contributor

тАО02-04-2008 11:00 PM

тАО02-04-2008 11:00 PM

Re: Cant modify the user properties

Edit the file /etc/sysconfig/selinux and make sure there's a line:
SELINUX=disabled

otherwise, you'll get the same behaviour after reboot.

If you want to check the current mode:
getenforce

If you want temporarily (until the next reboot) to switch between enforcing/permissive modes:
setenforce 1/0
0 Kudos
skt_skt
Honored Contributor

тАО02-05-2008 06:56 AM

тАО02-05-2008 06:56 AM

Re: Cant modify the user properties

the file "/etc/sysconfig/selinux" was already taken care..
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.