Why can't I run sudo commands on my EC2 Linux instance?

Short description

The following errors might occur when you try to run sudo commands on an Amazon EC2 Linux instance:

• "/usr/bin/sudo must be owned by uid 0 and have the setuid bit set"

This error occurs when a non-root user owns the /usr/bin/sudo file. The /usr/bin/sudo file must have root:root as the owner.

• The error "sudo: /etc/sudoers is world writable"

This error occurs when the /etc/sudoers file has the incorrect permissions. The sudoers file can't be world-writable. If a file is world-writable, then everyone can write to the file. By default, the file mode for the sudoers file is 0440. This allows the owner and group to read the file, and it forbids anyone from writing to the file.

To correct these errors, use the EC2 serial console or a user data script. 

Resolution

Use the EC2 Serial Console

If you activated EC2 serial console for Linux, then you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without needing a working network connection. You can use the Amazon EC2 console or the AWS Command Line Interface (AWS CLI) to access the serial console.

Before you use the serial console, grant access to the console at the account level. Then, create AWS Identity and Access Management (IAM) policies that grant access to your IAM users. Also, every instance that uses the serial console must include at least one password-based user. If you can't access your instance or the serial console, then follow the instructions in the section Method 2: Use a user data script. For more information on configuring the EC2 serial console for Linux, see Configure access to the EC2 serial console.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

Use a user data script

Use a user data script to fix sudo errors on the following distributions:

• Red Hat-based distributions such as, SUSE, CentOS, Amazon Linux 1, Amazon Linux 2, and RHEL
• Debian-based distributions such as, Ubuntu

Important: This procedure requires that you stop and start the EC2 instance. This might result in lost data, other stopped instances, and changes to the public IP address. For more information, see What happens when you stop an instance.

1.     Open the Amazon EC2 console, and then select your instance.

2.     Choose Actions, Instance State, Stop.
Note: If you can't choose Stop, then either the instance is already stopped, or its root device is an instance store volume.

3.     Choose Actions, Instance Settings, Edit User Data.

4.     Copy and paste the following script into the Edit User Data field, and then choose Save. Be sure to copy the entire script. Don't insert additional spaces when pasting the script:

Red Hat-based distributions

Content-Type: multipart/mixed; boundary="//"  
MIME-Version: 1.0  
  
--//  
Content-Type: text/cloud-config; charset="us-ascii"  
MIME-Version: 1.0  
Content-Transfer-Encoding: 7bit  
Content-Disposition: attachment; filename="cloud-config.txt"  
  
#cloud-config  
cloud_final_modules:  
- [scripts-user, always]  
  
--//  
Content-Type: text/x-shellscript; charset="us-ascii"  
MIME-Version: 1.0  
Content-Transfer-Encoding: 7bit  
Content-Disposition: attachment; filename="userdata.txt"  
  
#!/bin/bash  
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:  
rpm --setugids sudo && rpm --setperms sudo  
find /etc/sudoers.d/ -type f -exec /bin/chmod 0440 {} \;  
find /etc/sudoers.d/ -type f -exec /bin/chown root:root {} \;  
--//

Note: The final two command lines recover the permissions, owner, and group for the custom sudo security policy plugins in the directory /etc/sudoers.d/.

Debian-based distributions

Content-Type: multipart/mixed; boundary="//"  
MIME-Version: 1.0  
  
--//  
Content-Type: text/cloud-config; charset="us-ascii"  
MIME-Version: 1.0  
Content-Transfer-Encoding: 7bit  
Content-Disposition: attachment; filename="cloud-config.txt"  
  
#cloud-config  
cloud_final_modules:  
- [scripts-user, always]  
  
--//  
Content-Type: text/x-shellscript; charset="us-ascii"  
MIME-Version: 1.0  
Content-Transfer-Encoding: 7bit  
Content-Disposition: attachment; filename="userdata.txt"  
  
#!/bin/bash  
/bin/chown root:root /usr/bin/sudo  
/bin/chmod 4111 /usr/bin/sudo  
/bin/chmod 644 /usr/lib/sudo/sudoers.so  
/bin/chmod 0440 /etc/sudoers  
/bin/chmod 750 /etc/sudoers.d  
find /etc/sudoers.d/ -type f -exec /bin/chmod 0440 {} \;  
find /etc/sudoers.d/ -type f -exec /bin/chown root:root {} \;  
--//

Note: The final two command lines recover the permissions, owner, and group for the custom sudo security policy plugins in the directory /etc/sudoers.d/.

5.    Start the instance, and then connect to the instance with SSH.
Note: If you receive a syntax error, see I edited the sudoers file on my EC2 instance and now I'm receiving syntax errors when trying to run sudo commands. How do I fix this?