I edited or deleted the /etc/sudoers file on my Amazon Elastic Compute Cloud (Amazon EC2) instance. Then, I receive syntax or sudo errors when I run sudo commands.
Short description
When you delete or incorrectly configure the /etc/sudoers file, the following syntax or sudo errors occur:
- "/etc/sudoers:abc:x: syntax error"
- "sudo: unable to open /etc/sudoers: No such file or directory"
- "sudo: no valid sudoers sources found, quitting"
- "sudo: error initializing audit plugin sudoers_audit"
If you receive one of these errors, then you can't grant users or user groups access permissions to system resources. To fix the /etc/sudoers file, attach the root disk to a rescue instance. If you can't attach a root disk to a rescue instance, then use user data to modify the file.
Resolution
If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Attach a root disk to a rescue instance
It's a best practice to attach a root disk to a rescue instance to modify the /etc/sudoers file.
Prerequisites: When you stop or start an instance, data on instance store volumes is deleted. Back up any data on the instance store volume that you want to keep. For more information, see Root device type. Also, when you stop or start an instance, the instance's public IP address changes. If you route external traffic to your instance, then it's a best practice to use an Elastic IP address instead of a public IP address.
To attach a root disk to a rescue instance, complete the following steps:
1. Create a new key pair.
2. Get the volume ID and device name for the original instance's root volume.
3. Stop the original instance.
4. Launch a recovery instance from an Amazon Machine Image (AMI) with the same Linux operating system (OS) version in the same Availability Zone.
5. Detach the root volume from the original instance, and then attach it to the recovery instance as a secondary volume.
6. Connect to the recovery instance with your new SSH key pair.
7. Run the following command to change to the root user:
[ec2-user ~]$ sudo su
8. To identify the block device name and partition, run the following command from the recovery instance:
[root ~]$ lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda    202:0    0    8G  0 disk
└─xvda1 202:1    0    8G  0 part /
xvdf    202:80   0  101G  0 disk
└─xvdf1 202:81   0  101G  0 part
xvdg    202:96   0   30G  0 disk
In the preceding example, the /dev/xvda and /dev/xvdf volume device names are partitioned volumes, and /dev/xvdg isn't a partitioned volume.
If your volume is partitioned, then run the following command to mount the /dev/xvdf1 partition instead of the /dev/xvdf raw device:
[root ~]$ mount -o nouuid /dev/xvdf1 /mnt
If you use an instance based on the AWS Nitro System, then the volume device name looks similar to /dev/nvme[0-26]n1. If your instance is built on the Nitro System with NVMe, then mount the partition at the /mnt directory. Use the device name that you identified with the lsblk command:
[root ~]$ mount -o nouuid /dev/nvme1n1p1 /mnt
For more information, see Device names for volumes on Amazon EC2 instances.
9. To copy the /etc/sudoers file from the working recovery instance to the attached volume as a backup, run the following command:
[root ~]$ cp /etc/sudoers /mnt/etc/sudoers.bak
10. To create a chroot environment in the /mnt directory, run the following command:
[root ~]$ for i in dev proc sys run; do mount -o bind /$i /mnt/$i; done; chroot /mnt
In the preceding example, the /dev, /proc, /sys, and /run directories are bind-mounted from the recovery instance's root file system. This allows processes that run inside the chroot environment to access these system directories.
11. To edit the /etc/sudoers file, run the visudo command inside the chroot environment:
[root ~]$ visudo
Note: You must run the visudo command to edit the sudoers file. The visudo command locks the sudoers file.
If you receive errors from the preceding command, then run the following diff command to compare the /etc/sudoers file with the backup file /etc/sudoers.bak:
[root ~]$ diff /etc/sudoers /etc/sudoers.bak
Note: If you didn't make custom changes before you edited the file, then restore the /etc/sudoers.bak file to /etc/sudoers.
12. To exit the chroot environment, run the following command:
[root ~]$ exit
13. To unmount the root volume, run the following command:
[root ~]$ umount -fl /mnt
14. Detach the root volume that was attached as a secondary volume from the recovery instance. Then, reattach it to the original instance with the device name from step 2.
15. Start the original instance, and then confirm that the sudo commands work correctly.
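The following shell helpers are an added example for the rescue-instance procedure above; they are not part of the AWS article. The first function picks the device to mount from lsblk output (the first partition of the attached disk, or the raw disk when it has no partition table), and the second validates the sudoers file on the mounted volume with visudo's check mode (visudo -c -f FILE) and falls back to the backup copied in step 9 when the file is rejected. The lsblk listing embedded below is constructed to match the article's example; the mount point and backup path follow the article.

```shell
#!/bin/sh
# Added example (not from the AWS article). Assumes a recovery instance where the broken
# root volume is attached as a secondary disk and its partition is mounted at /mnt, and that
# `visudo -c -f` (check mode on a named file) is available, as it is on common Linux AMIs.

# Constructed `lsblk -rno NAME,TYPE` output mirroring the article's lsblk example.
SAMPLE_LSBLK='xvda disk
xvda1 part
xvdf disk
xvdf1 part
xvdg disk'

# Print the device to mount for DISK: its first partition if it has one, otherwise the
# raw disk. Returns 1 when DISK is not in the listing.
# Usage: target_device xvdf "$(lsblk -rno NAME,TYPE)"
target_device() {
    disk=$1
    listing=$2
    # A partition's name starts with its parent disk's name (xvdf1, nvme1n1p1).
    part=$(printf '%s\n' "$listing" | awk -v d="$disk" '$2=="part" && index($1,d)==1 {print $1; exit}')
    if [ -n "$part" ]; then
        printf '/dev/%s\n' "$part"
    elif printf '%s\n' "$listing" | awk -v d="$disk" '$1==d && $2=="disk" {found=1} END {exit !found}'; then
        printf '/dev/%s\n' "$disk"
    else
        return 1
    fi
}

# Check the sudoers file on the mounted volume. Returns 0 when visudo accepts it; otherwise
# shows the diff against the backup, restores the backup, and re-checks.
# Usage: repair_sudoers /mnt
repair_sudoers() {
    mnt=$1
    sudoers="$mnt/etc/sudoers"
    backup="$mnt/etc/sudoers.bak"
    if visudo -c -q -f "$sudoers"; then
        echo "sudoers OK: $sudoers"
        return 0
    fi
    echo "sudoers rejected by visudo; differences from the backup:" >&2
    diff "$sudoers" "$backup" >&2 || true
    [ -f "$backup" ] || { echo "no backup at $backup" >&2; return 1; }
    cp -p "$backup" "$sudoers"
    # sudo refuses a sudoers file that is not owned by root or is readable beyond 0440.
    chown root:root "$sudoers" && chmod 0440 "$sudoers"
    visudo -c -q -f "$sudoers"
}

# Demonstration on the constructed listing (touches no mounts or files).
target_device xvdf "$SAMPLE_LSBLK"   # /dev/xvdf1
target_device xvdg "$SAMPLE_LSBLK"   # /dev/xvdg
```

One caveat: visudo -c -f on the mounted path resolves any #include or #includedir directives against the recovery instance's own file system, not the attached volume, so treat it as a quick pre-check and run the final visudo inside the chroot as the article does.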
Use user data to modify the file
Note: The following troubleshooting method uses the user data input. To use this method, you must set a password for the root user.
To use user data to modify the file, complete the following steps:
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Instances, and then select the instance.
3. Choose Instance state, and then choose Stop Instance.
4. Under Stop instance?, choose Stop.
5. Edit the instance's user data to set a temporary password for the root user. Example:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
chpasswd <<<"root:root"
--//
Important: This password uses plain text to pass secrets and isn't secure. Make sure that you remove the temporary password from the root user after you complete the troubleshooting steps.
6. Start the instance, and then log in as ec2-user.
7. To access the /etc/sudoers file, run the following pkexec command:
pkexec /usr/sbin/visudo
8. Enter the root user password, and then modify the /etc/sudoers file.
9. Run a sudo command to verify that sudo is working correctly.
10. Stop the instance.
To use the Amazon EC2 console to delete the user data values, including the root user password, complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, choose Instances, and then select the instance.
- Choose Actions, and then choose Instance settings.
- Choose Edit user data, and then delete all user data.
To use the AWS CLI to delete the user data values, including the root user password, run the following modify-instance-attribute command:
aws ec2 modify-instance-attribute --instance-id example-instance-id --user-data Value=""
Note: Replace example-instance-id with your instance ID.
To verify that you removed the user data, run the following describe-instance-attribute command:
aws ec2 describe-instance-attribute --instance-id example-instance-id --attribute userData
Note: Replace example-instance-id with your instance ID.
After you delete the user data, start the instance.
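The following shell functions are an added example for the cleanup steps above; they are not part of the AWS article. They read the JSON that describe-instance-attribute prints for the userData attribute, confirm that nothing is stored any more, and, if something is still there, decode it and flag a leftover password-setting command such as the chpasswd line from the example user data. The JSON samples are constructed stand-ins for CLI output, and the check assumes that cleared user data appears as "UserData": {} with no "Value" key, which is how the CLI reports an empty attribute.

```shell
#!/bin/sh
# Added example (not from the AWS article). Checks describe-instance-attribute output for
# user data that still carries the temporary root password.

# Constructed CLI outputs (not captured from a real account).
CLEARED_JSON='{ "InstanceId": "i-0123456789abcdef0", "UserData": {} }'
# "Value" is base64 of a constructed script that still sets a password, like the article's example.
LEFTOVER_JSON='{ "InstanceId": "i-0123456789abcdef0", "UserData": { "Value": "'"$(printf '#!/bin/bash\nchpasswd <<<"root:root"\n' | base64 | tr -d '\n')"'" } }'

# Print the base64 user-data value from the JSON; prints nothing when the attribute is empty.
userdata_value() {
    printf '%s\n' "$1" | sed -n 's/.*"Value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when no user data is stored, 1 when something remains.
userdata_cleared() {
    [ -z "$(userdata_value "$1")" ]
}

# Return 0 when the decoded user data contains a password-setting command.
userdata_has_password() {
    value=$(userdata_value "$1")
    [ -n "$value" ] || return 1
    printf '%s' "$value" | base64 -d 2>/dev/null | grep -Eq 'chpasswd|passwd|usermod .*-p'
}

# Live check against one instance; needs the AWS CLI and credentials.
# Usage: check_instance i-0123456789abcdef0
check_instance() {
    json=$(aws ec2 describe-instance-attribute --instance-id "$1" --attribute userData --output json)
    if userdata_cleared "$json"; then
        echo "user data cleared on $1"
    elif userdata_has_password "$json"; then
        echo "user data on $1 still sets a password; clear it with: aws ec2 modify-instance-attribute --instance-id $1 --user-data Value=\"\"" >&2
        return 1
    else
        echo "user data on $1 is not empty; review it before leaving it in place" >&2
        return 1
    fi
}

# Demonstration on the constructed samples (no AWS calls).
userdata_cleared "$CLEARED_JSON" && echo "sample 1: cleared"
userdata_has_password "$LEFTOVER_JSON" && echo "sample 2: password still in user data"
```

Clearing the user data removes the stored secret, but the password it set remains on the instance until you change or lock the root account there as well.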
Related information
Why can't I run sudo commands on my EC2 Linux instance?