Why am I unable to run sudo commands on my EC2 Linux instance?

Last updated: 2020-03-27

I'm receiving the error "sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set" or "sudo: /etc/sudoers is world writable" when trying to run sudo commands on my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance. How do I fix this?

Short Description

The error "sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set" occurs when the /usr/bin/sudo file is owned by a non-root user or is missing the setuid bit. The /usr/bin/sudo file should have root:root as the owner.

The error "sudo: /etc/sudoers is world writable" occurs when the /etc/sudoers file has incorrect permissions. The sudoers file must not be world writable. If a file is world writable, any user on the system can modify it. By default, the file mode for the sudoers file is 0440. This allows the owner and group to read the file and forbids anyone from writing to the file.

You can correct both of these errors on Red Hat-based distributions (such as SUSE, CentOS, Amazon Linux 1, Amazon Linux 2, and RHEL) or Debian-based distributions (such as Ubuntu) by using a user data script.

Resolution

1. Open the Amazon EC2 console, and then select your instance.

2. Choose Actions, Instance State, Stop.

Note: If Stop is disabled, either the instance is already stopped, or its root device is an instance store volume.

3. Choose Actions, Instance Settings, View/Change User Data.

4. Copy and paste the following script into the User Data field, and then choose Save. Be sure to copy the entire script. Don't insert any additional spaces when pasting the script.

Red Hat-based distributions

For Red Hat-based distributions, use the following user data script.

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
# No trailing ":" on PATH: a trailing colon adds the current directory to the search path.
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Restore the owner/group and the permissions (including setuid) recorded in the sudo package.
# The [scripts-user, always] setting above re-runs this on every boot; remove it once sudo works.
rpm --setugids sudo && rpm --setperms sudo
--//

Debian-based distributions

For Debian-based distributions, use the following user data script.

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
# Restore root ownership and the setuid bit on the sudo binary, then reset sudoers to 0440.
# The [scripts-user, always] setting above re-runs this on every boot; remove it once sudo works.
/bin/chown root:root /usr/bin/sudo
/bin/chmod 4111 /usr/bin/sudo
/bin/chmod 644 /usr/lib/sudo/sudoers.so
/bin/chmod 0440 /etc/sudoers
--//

5. Start the instance, and then connect to the instance using SSH.

Note: If you receive syntax errors when trying to connect to the instance using SSH after editing the sudoers file, see I edited the sudoers file on my EC2 instance and now I'm receiving syntax errors when trying to run sudo commands. How do I fix this?
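The following diagnostic is an added example, not part of this article or of any AWS tooling: it tests the same conditions named in the two error messages (sudo binary owner and setuid bit, sudoers world-writable bit) so you can confirm which fix applies before stopping the instance. It assumes GNU coreutils stat (Linux); the paths are parameters so it can also be run against copies of the files.

```shell
#!/bin/bash
# Added diagnostic (not from the AWS article). Reports the exact conditions
# behind the two sudo errors. Assumes GNU coreutils `stat -c`.

# Mode helpers take an octal mode string as printed by `stat -c %a`, e.g. 4111 or 644.
# setuid set: four-digit mode whose first digit has the 4 bit (4, 5, 6 or 7).
has_setuid_mode() {
  case "$1" in [4567]???) return 0 ;; *) return 1 ;; esac
}
# world writable: "other" digit has the 2 bit (2, 3, 6 or 7).
is_world_writable_mode() {
  case "$1" in *[2367]) return 0 ;; *) return 1 ;; esac
}

# Mirrors the check behind "sudo: /usr/bin/sudo must be owned by uid 0 and have
# the setuid bit set". Prints each problem found; returns 0 only if there are none.
check_sudo_binary() {
  local bin="${1:-/usr/bin/sudo}" uid mode problems=0
  uid=$(stat -c '%u' "$bin") && mode=$(stat -c '%a' "$bin") || return 1
  if [ "$uid" != 0 ]; then
    echo "$bin: owned by uid $uid, expected uid 0 (fix: chown root:root)"
    problems=1
  fi
  if ! has_setuid_mode "$mode"; then
    echo "$bin: mode $mode lacks the setuid bit (fix: chmod u+s)"
    problems=1
  fi
  return $problems
}

# Mirrors the check behind "sudo: /etc/sudoers is world writable".
check_sudoers() {
  local f="${1:-/etc/sudoers}" mode
  mode=$(stat -c '%a' "$f") || return 1
  if is_world_writable_mode "$mode"; then
    echo "$f: mode $mode is world writable (fix: chmod 0440)"
    return 1
  fi
  return 0
}

# Usage: ./check_sudo.sh /usr/bin/sudo /etc/sudoers  (runs only when paths are given)
if [ $# -gt 0 ]; then
  check_sudo_binary "$1"
  check_sudoers "${2:-/etc/sudoers}"
fi
```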
