Why am I unable to run sudo commands on my EC2 Linux instance?

Short description

The error sudo: "/usr/bin/sudo must be owned by uid 0 and have the setuid bit set" occurs when the /usr/bin/sudo file is owned by a non-root user. The /usr/bin/sudo file must have root:root as the owner.

The error "sudo: /etc/sudoers is world writable" occurs when the /etc/sudoers file has the incorrect permissions. The sudoers file must not be world-writable. If a file is world-writable, then everyone can write to the file. By default, the file mode for the sudoers file is 0440. This allows the owner and group to read the file, and forbids anyone from writing to the file.

You can correct these errors using the EC2 Serial Console or a user data script.

Resolution

Method 1: Use the EC2 Serial Console

If you activated EC2 Serial Console for Linux, you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).

Before using the serial console, grant access to the console at the account level. Then, create AWS Identity and Access Management (IAM) policies granting access to your IAM users. Also, every instance using the serial console must include at least one password-based user. If your instance is unreachable and you haven’t configured access to the serial console, then follow the instructions in the section, Method 2: Use a user data script. For information on configuring the EC2 Serial Console for Linux, see Configure access to the EC2 Serial Console.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Method 2: Use a user data script

Use a user data script to correct these errors on the following:

• Red Hat-based distributions such as SUSE, CentOS, Amazon Linux 1, Amazon Linux 2, and RHEL.
• Debian-based distributions (such as Ubuntu).

1.    Open the Amazon EC2 console, and then select your instance.

2.    Choose Actions, Instance State, Stop.

Note: If Stop is not activated, either the instance is already stopped, or its root device is an instance store volume.

3.    Choose Actions, Instance Settings, Edit User Data.

4.    Copy and paste the following script into the Edit User Data field, and then choose Save. Be sure to copy the entire script. Don't insert additional spaces when pasting the script.

Red Hat-based distributions

For Red Hat-based distributions, use the following user data script:

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:
rpm --setugids sudo && rpm --setperms sudo
find /etc/sudoers.d/ -type f -exec /bin/chmod 0440 {} \;
find /etc/sudoers.d/ -type f -exec /bin/chown root:root {} \;
--//

Note: The final two command lines recover the permissions, owner, and group for the custom sudo security policy plugins in the directory "/etc/sudoers.d/".

Debian-based distributions

For Debian-based distributions, use the following user data script:

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
/bin/chown root:root /usr/bin/sudo
/bin/chmod 4111 /usr/bin/sudo
/bin/chmod 644 /usr/lib/sudo/sudoers.so
/bin/chmod 0440 /etc/sudoers
/bin/chmod 750 /etc/sudoers.d
find /etc/sudoers.d/ -type f -exec /bin/chmod 0440 {} \;
find /etc/sudoers.d/ -type f -exec /bin/chown root:root {} \;
--//

Note: The final two command lines recover the permissions, owner, and group for the custom sudo security policy plugins in the directory "/etc/sudoers.d/".

5.    Start the instance and then connect to the instance using SSH.

Note: If you receive syntax errors when trying to connect to the instance using SSH after editing the sudoers file, see I edited the sudoers file on my EC2 instance and now I'm receiving syntax errors when trying to run sudo commands. How do I fix this?