When I edit the sudoers file on my EC2 instance, I receive syntax errors when I run sudo commands. How do I fix this?
I manually edited the sudoers file on my Amazon Elastic Compute Cloud (Amazon EC2) instance. Now I receive a syntax error similar to the following when I run sudo su commands or commands that require privileged user access: "/etc/sudoers: syntax error near line xx" "sudo: parse error in /etc/sudoers near line xx" "sudo: no valid sudoers sources found, quitting" "sudo: unable to initialize policy plugin"
Short description
This syntax error occurs when you manually edit the /etc/sudoers file to change the sudo user and add unwanted characters to the file. The result is an impaired instance that can't run sudo su or commands that require privileged user access. To fix this syntax error, complete the following steps:
- Stop the instance.
- Detach its root volume.
- Attach the root volume to a recovery instance as a secondary volume.
- Mount the attached volume.
- Undo the changes to the sudoers file.
Resolution
Prerequisites
- Stopping and restarting the instance erases any data on instance store volumes. Back up any data on the instance store volume that you want to keep. For more information, see Determine the root device type of your instance.
- Stopping and restarting the instance changes the public IP address of your instance. It's a best practice to use an Elastic IP address instead of a public IP address when you route external traffic to your instance.
Note: Don't use a text editor such as vi, vim, or nano to manually edit the sudoers file on a running instance you can connect to. Run the visudo command to edit the /etc/sudoers file on instances that you can connect to. The visudo command checks for parse errors while you edit and alerts you of issues that you introduce into the file before you save the changes.
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Instances.
3. Select the impaired instance, choose Instance state, and then choose Stop Instance.
4. On the Stop instance? pop-up, choose Stop.
5. Under the Storage tab, click on the volume ID for root device name.
6. On the Volumes page, select the volume, choose Actions, and then choose Detach volume.
7. On the pop-up, choose Detach. Verify that the Volume state is Available.
8. Launch a new EC2 instance in same Availability Zone as the original instance. The new instance becomes your rescue instance.
9. After the rescue instance launches, in the navigation pane, choose Volumes.
10. Select the detached root volume of the original instance. Choose Actions, and then choose Attach Volume.
11. For Instance, select the rescue instance ID and enter a device name. Then, choose Attach volume.
12. With your key pair, use SSH to connect into the instance.
13. To verify the device name of the attached volume, run the lsblk command.
lsblk
Example output:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTxvda 202:0 0 8G 0 disk └─xvda1 202:1 0 8G 0 part / xvdf 202:80 0 500G 0 disk └─xvdf1 202:81 0 500G 0 part
14. Create a mount directory, and then mount with root privileges.
Amazon Linux, Ubuntu, and Debian:
sudo mount /dev/xvdf1 /mnt
Amazon Linux 2023, Amazon Linux 2, CentOS 7 or 8, SUSE Linux 12, and RHEL 7.x or 8.x:
sudo mount -o nouuid /dev/xvdf1 /mnt
Check the mount point in the console for the newly attached volume. The mount point is usually /dev/xvdf1.
15. Chroot into the mounted directory.
for dir in {/dev,/dev/pts,/sys,/proc}; do sudo mount -o bind $dir /mnt$dir; donechroot /mnt
16. To edit the subdoers file, run the visudo command:
visudo
When you edit the file, you can revert the changes you made that caused the syntax error. Or, you can copy the file from the recovery instance and replace the /mnt/etc/sudoers file with a known correct file:
Create a backup of the original file.
sudo mv /mnt/etc/sudoers /mnt/etc/sudoers.backup
Copy the file to the instance.
sudo cp /etc/sudoers /mnt/etc/sudoers
17. After you edit or replace the sudoers file, unmount the volume.
for dir in {/dev,/dev/pts,/sys,/proc}; do umount /mnt$dir; donesudo umount /mnt
18. Attach the volume to the original instance. Specify the mount point as /dev/xvda or /dev/sda1, because this is the root volume for the original instance.
19. Start the original instance.
20. Use SSH to connect to the instance and run sudo commands.
Related information
Step 15 and Step 17, Suggestion - Run the commands individually. There is a missing space and it would not run as intended.
Step 15 for dir in {/dev,/dev/pts,/sys,/proc}; do sudo mount -o bind $dir /mnt$dir; done chroot /mnt
Step 17 for dir in {/dev,/dev/pts,/sys,/proc}; do umount /mnt$dir; done sudo umount /mnt
Note - If step 17 commands say something like "mnt target is busy", some processes are still running and this is normal. If its a dedicated rescue instance, we can consider stopping the instance and then detach the volume. Else, run 'lsof | grep mnt' and kill all the processes individually with 'kill -15 <PID>'
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Relevant content
- asked 4 months ago
- asked a year ago
- Accepted Answerasked 10 months ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 9 months ago
