Can't edit files /etc/passwd and /etc/shadow

Question

I have some issues with files /etc/passwd and /etc/shadow. Both of them are without permissions:

---------- 1 root root   1357 Aug  5 11:30 passwd
---------- 1 root shadow 1175 Aug  5 11:30 shadow

And i don't know how this happened or why. Basically I can't edit/remove these files or change permissions when I am logged as the root user. It ends with "Operation not permitted". Eg. when I try:

root@server:/etc# chmod 600 passwd
chmod: changing permissions of ‘passwd’: Operation not permitted

The main issue is that any logged user has "I have no name!@..." in the command line and I can't use "su" or run some services as an another user. I guess these files should have some permissions and that's the problem. My system is Ubuntu 14.04.3 LTS with the newest updates.

What happened on the 5th August at 11:30? I'll bet that your system has been compromised. — Michael Hampton, Aug 14 '15 at 01:19
I don't know, there are not logs from 5th August, the last one syslog.7.gz is from 6th August. That's possible but i haven't noticed any abnormal behavior like high traffic, cpu load, or so, except these two files. — Martin Sudolsky, Aug 14 '15 at 01:27
possible duplicate of How do I deal with a compromised server? — womble, Aug 14 '15 at 01:30
Although it's easy to close this question with the answer that the server was compromised, but I would like to know if someone else went into similar issues with these two files and if there is not any other reasonable explanation. — Martin Sudolsky, Aug 14 '15 at 01:39
You changed the permission to remove root access ? Aka, you brinked yourself — yagmoth555, Aug 14 '15 at 02:03
No, I haven't changed permissions for these files. Well, normally you can change permissions like chmod 000 some_file.txt without problems and you can change it back too. In my case I can't change permissions for passwd or shadow, even if these files are owned by root. — Martin Sudolsky, Aug 14 '15 at 02:17

score 5 · Accepted Answer · edited Aug 14 '15 at 05:39

5

Did you try:

# lsattr /etc/shadow

What's the output of this on the command line?

If is looking like this:

----i-------- /etc/shadow

Then is immutable and you can't edit/delete the file even as root.

You have to run:

chattr -i /etc/shadow

Now you can edit the file.
This procedure is available only if the immutable -i is showing on the file.

edited Aug 14 '15 at 05:39

HBruijn

80,330
24
138
209

answered Aug 14 '15 at 03:55

DoruH

135

Thank you very much! This helped! I removed the immutable attribute for both files via chattr, then I set permissions to 644 for passwd and 640 for shadow and finally i added the immutable attribute back. After reboot is all ok. Probably I won't know what happened to these two files or what did this, if the server was compromised, some broken update, broken virtual partition or file system. So for sure i am going to reinstall server. – Martin Sudolsky Aug 14 '15 at 18:32
Just to add to my bookmark, I could not change password/add user due to my attr being -----a--------e----- /etc/shadow I used sudo chattr -a /etc/shadow to remove the append only mode attribute. It works now. – Suraj Mandal Aug 13 '23 at 19:31

Can't edit files /etc/passwd and /etc/shadow

1 Answers1