Why can't I run sudo commands on my EC2 Linux instance?

5 分的閱讀內容
0

When I run sudo commands on my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance, I receive an error.

Short description

The following error might occur when you try to run sudo commands on an Amazon EC2 Linux instance:

  • "/usr/bin/sudo must be owned by uid 0 and have the setuid bit set"

This error occurs when a non-root user owns the /usr/bin/sudo file. The /usr/bin/sudo file must have root:root as the owner.

  • The error "sudo: /etc/sudoers is world writable"

This error occurs when the /etc/sudoers file has the incorrect permissions. The sudoers file can't be world-writable. If a file is world-writable, then everyone can write to the file. By default, the file mode for the sudoers file is 0440. This allows the owner and group to read the file, and it forbids anyone from writing to the file.

To correct these errors, use the Amazon EC2 serial console or a user data script.

Resolution

Use the EC2 serial console

If you activated EC2 serial console for Linux, then you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without needing a working network connection. You can use the Amazon EC2 console or the AWS Command Line Interface (AWS CLI) to access the serial console.

Before you use the serial console, grant access to the console at the account level. Then, create AWS Identity and Access Management (IAM) policies that grant access to your IAM users. Also, every instance that uses the serial console must include at least one password-based user. If you can't access your instance or the serial console, then follow the instructions in the section Method 2: Use a user data script. For more information on configuring the EC2 serial console for Linux, see Configure access to the EC2 serial console.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

Use a user data script

Use a user data script to fix sudo errors on the following distributions:

  • Red Hat-based distributions such as SUSE, CentOS, Amazon Linux 1, Amazon Linux 2, Amazon Linux 2023, and RHEL
  • Debian-based distributions such as, Ubuntu

Important: This procedure requires that you stop and start the EC2 instance. This might result in lost data, other stopped instances, and changes to the public IP address. For more information, see What happens when you stop an instance.

  1. Open the Amazon EC2 console, and then select your instance.

  2. Choose Actions, Instance State, Stop.
    Note: If you can't choose Stop, then either the instance is already stopped, or its root device is an instance store volume.

  3. Choose Actions, Instance Settings, Edit User Data.

  4. Copy and paste the following script into the Edit User Data field, and then choose Save. Be sure to copy the entire script. Don't insert additional spaces when pasting the script:
    Red Hat-based distributions

    Content-Type: multipart/mixed; boundary="//"
    MIME-Version: 1.0
    
    --//
    Content-Type: text/cloud-config; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="cloud-config.txt"
    
    #cloud-config
    cloud_final_modules:
    - [scripts-user, always]
    
    --//
    Content-Type: text/x-shellscript; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="userdata.txt"
    
    #!/bin/bash
    PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:
    rpm --setugids sudo && rpm --setperms sudo
    find /etc/sudoers.d/ -type f -exec /bin/chmod 0440 {} \;
    find /etc/sudoers.d/ -type f -exec /bin/chown root:root {} \;
    --//

    Note: The final two command lines recover the permissions, owner, and group for the custom sudo security policy plugins in the directory /etc/sudoers.d/.
    Debian-based distributions

    Content-Type: multipart/mixed; boundary="//"
    MIME-Version: 1.0
    
    --//
    Content-Type: text/cloud-config; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="cloud-config.txt"
    
    #cloud-config
    cloud_final_modules:
    - [scripts-user, always]
    
    --//
    Content-Type: text/x-shellscript; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="userdata.txt"
    
    #!/bin/bash
    /bin/chown root:root /usr/bin/sudo
    /bin/chmod 4111 /usr/bin/sudo
    /bin/chmod 644 /usr/lib/sudo/sudoers.so
    /bin/chmod 0440 /etc/sudoers
    /bin/chmod 750 /etc/sudoers.d
    find /etc/sudoers.d/ -type f -exec /bin/chmod 0440 {} \;
    find /etc/sudoers.d/ -type f -exec /bin/chown root:root {} \;
    --//

    The final two command lines recover the permissions, owner, and group for the custom sudo security policy plugins in the directory /etc/sudoers.d/.
    Important: The permissions for /usr/bin/sudo differ across various Linux distributions. Before you permanently set your permissions, verify the permissions from an instance with a similar operating system. Run ls -l /usr/bin/sudo, and then use the permissions in this example as a reference.
    Make sure that your reference instance is a clean installation and not in production, so that this file remains unchanged.

  5. Start the instance, and then connect to the instance with SSH.
    Note: If you receive a syntax error, see I edited the sudoers file on my EC2 instance and now I'm receiving syntax errors when trying to run sudo commands. How do I fix this?

AWS 官方
AWS 官方已更新 8 個月前
2 評論

How can I do the same on a lightsail instance?

Lazaros
回答 1 個月前

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
管理員
回答 1 個月前