I edited the sudoers file on my EC2 instance and now I'm receiving syntax errors when trying to run sudo commands. How do I fix this?

Last updated: 2020-03-27

I manually edited the sudoers file on my Amazon Elastic Compute Cloud (Amazon EC2 instance). Now I'm receiving a syntax error similar to the following when trying to run sudo su commands or commands that require privileged user access:

  • "/etc/sudoers: syntax error near line xx"
  • "sudo: parse error in /etc/sudoers near line xx"
  • "sudo: no valid sudoers sources found, quitting"
  • "sudo: unable to initialize policy plugin"

Short Description

This syntax error occurs when the /etc/sudoers file is manually edited to make changes to the sudo user and unwanted characters are added to the file. The result can be an impaired instance that can't run sudo su or commands that require privileged user access. To fix this syntax error, stop the instance, detach its root volume, attach it to a recovery instance, mount the root volume as a secondary volume, and then revert the changes to the sudoers file.

Warning: Before starting this procedure, be aware of the following:

Resolution

Note: Don't manually edit the sudoers file using a text editor such as vi, vim, or nano on a running instance that you can connect to. Always run visudo to edit the /etc/sudoers file on instances you can connect to. Visudo checks for parse errors as you edit so that any issues introduced into the file are brought to your attention before you save the changes.

1.    Open the Amazon EC2 console.

2.    Choose Instances from the navigation pane, and then select the impaired instance.

3.    Choose Actions, choose Instance State, and then choose Stop.

4.    In the Description tab, select the Root device, and then select the EBS ID.

5.    Choose Actions, choose Detach Volume (/dev/sda1 or /dev/xvda), and then choose Yes, Detach.

6.    Verify that the State is Available.

7.    Launch a new EC2 instance in same Availability Zone as the original instance. The new instance becomes your rescue instance.

8.    After the rescue instance launches, choose Volumes from the navigation pane, and then select the detached root volume of the original instance.

9.    Choose Actions, and then choose Attach Volume.

10.    Select the rescue instance ID (1-xxxx) and then enter a device name (/dev/sdf, for example).

11.    Use SSH to connect into the rescue instance using your key pair.

12.    Run the lsblk command to verify the device name of the attached volume.

lsblk

The following is an example of the output.

NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda    202:0    0    8G  0 disk
└─xvda1 202:1    0    8G  0 part /
xvdf    202:80   0  500G  0 disk
└─xvdf1 202:81   0  500G  0 part

13.    Create a mount directory and then mount with root privileges.

sudo mount /dev/xvdf1 /mnt

Check the mount point in the console for the newly attached volume. Usually it is /dev/xvdf1.

14.    Chroot into the mounted directory.

for dir in {/dev,/dev/pts,/sys,/proc}; do sudo mount -o bind $dir /mnt$dir; done
chroot /mnt

15.    Edit the sudoers file using visudo command.

visudo

There are two options for editing the file:

Option 1: Revert the changes you made that created the syntax error.

Option 2: Replace the /mnt/etc/sudoers file with a known correct file from the recovery instance by copying the file from the recovery instance.

Create a backup of the original file.

sudo mv /mnt/etc/sudoers /mnt/etc/sudoers.backup

Copy the file to the instance.

sudo cp /etc/sudoers /mnt/etc/sudoers

16.    After you edit or replace the sudoers file, unmount the volume.

for dir in {/dev,/dev/pts,/sys,/proc}; do umount /mnt$dir; done
sudo umount /mnt

17.    Attach the volume to the original instance. Specify the mount point as /dev/xvda or /dev/sda1, as this is the root volume for the original instance.

18.    Start the original instance.

19.    Connect to the instance using SSH and try running sudo commands.


Did this article help you?

Anything we could improve?


Need more help?