fix: resolve PAM account management error for sudo in nix image #11
Merged
megheaiulian merged 2 commits into main (Feb 10, 2026)
Conversation
The coder user's shadow entry used '!' (locked account) which caused pam_unix.so account management to return PAM_PERM_DENIED. Additionally, sudo fell back to the catch-all /etc/pam.d/other config which lacked appropriate auth rules for non-root users.

- Change shadow entries from '!' to '*' (no password, but not locked)
- Add dedicated /etc/pam.d/sudo PAM config with pam_permit.so for auth/account (sudoers handles actual authorisation)
The devops Dockerfile expects curl from the base image, but CI was overriding BASE_IMAGE with ubuntu:noble (which lacks curl), causing the build to always fail.
Summary

Fixes "sudo: PAM account management error: Permission denied" when running sudo as the coder user in the Nix Docker image.

Root Cause

Two issues combined to break sudo:

1. Locked shadow entry: the coder user's /etc/shadow entry used ! (password locked), which causes pam_unix.so account management to return PAM_PERM_DENIED ("Permission denied").
2. Missing /etc/pam.d/sudo: without a dedicated PAM config for sudo, PAM fell back to /etc/pam.d/other, which only had pam_rootok.so for auth (only works when the caller is already root).

Changes

- /etc/shadow: change ! to * for both root and coder entries. * means "no valid password hash" (cannot authenticate via password) but does not mark the account as locked, so pam_unix.so account management succeeds.
- /etc/pam.d/sudo: add a dedicated PAM config for sudo that uses pam_permit.so for auth and account checks (since actual authorisation is handled by sudoers), with pam_unix.so for session setup.
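The distinction the PR relies on (a '!' prefix locks the account and fails the pam_unix.so account check, while '*' only makes password authentication impossible) is easy to get wrong when hand-writing /etc/shadow in an image. The following POSIX shell script is an added example, not code from this PR or project: it classifies the password field of constructed shadow lines the way pam_unix.so treats them, and writes a sudo PAM stack with the modules the PR describes into a directory of your choosing. The exact contents of that PAM file are an assumption (the PR text only names the modules), as are the sample shadow lines.

```shell
#!/bin/sh
# Added example (not the project's own code). Everything below is constructed
# for illustration; the PAM file contents are assumed from the PR description.

# shadow_status LINE
# Prints how pam_unix.so would treat the password field (field 2) of a
# shadow(5) line: empty, locked, nopassword, or hash.
shadow_status() {
    field=$(printf '%s\n' "$1" | cut -s -d: -f2)
    case "$field" in
        '')   echo empty ;;       # no password at all: password prompt accepts anything
        '!'*) echo locked ;;      # '!' prefix: account locked, account check returns PAM_PERM_DENIED
        '*')  echo nopassword ;;  # no valid hash but not locked: account check passes, password auth impossible
        *)    echo hash ;;        # a real hash: password authentication possible
    esac
}

# write_sudo_pam DIR
# Writes DIR/sudo with the stack the PR describes: pam_permit.so for auth and
# account (sudoers makes the real authorisation decision) and pam_unix.so for
# session setup. Assumed contents; install under /etc/pam.d/ only after review.
write_sudo_pam() {
    cat > "$1/sudo" <<'EOF'
# sudo PAM stack (assumed example): authorisation is decided by /etc/sudoers.
auth     required pam_permit.so
account  required pam_permit.so
session  required pam_unix.so
EOF
}

# Constructed sample shadow entries: the broken state ('!') and the fixed state ('*').
for line in \
    'coder:!:20000:0:99999:7:::' \
    'coder:*:20000:0:99999:7:::' \
    'root:$6$constructedsalt$constructedhash:20000:0:99999:7:::'
do
    printf '%-60s -> %s\n' "$line" "$(shadow_status "$line")"
done

# Write the PAM file into a temporary directory and show it.
tmpdir=$(mktemp -d)
write_sudo_pam "$tmpdir"
cat "$tmpdir/sudo"
rm -rf "$tmpdir"
```

Running the script prints the classification of each sample line ('!' as locked, '*' as nopassword) and then the generated PAM file. In an image build, shadow_status is a cheap check to run over the generated /etc/shadow before the image is shipped, so a locked service account is caught at build time rather than surfacing as a PAM account management error at runtime.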