I manually edited the sudoers file on my Amazon Elastic Compute Cloud (Amazon EC2) instance. Now I receive a syntax error similar to the following when I run sudo su commands or commands that require privileged user access: "/etc/sudoers: syntax error near line xx" "sudo: parse error in /etc/sudoers near line xx" "sudo: no valid sudoers sources found, quitting" "sudo: unable to initialize policy plugin"
Short description
This syntax error occurs when you manually edit the /etc/sudoers file to change the sudo user and add unwanted characters to the file. The result is an impaired instance that can't run sudo su or commands that require privileged user access. To fix this syntax error, complete the following steps:
- Stop the instance.
- Detach its root volume.
- Attach the root volume to a recovery instance as a secondary volume.
- Mount the attached volume.
- Undo the changes to the sudoers file.
Resolution
Prerequisites
Note: Don't use a text editor such as vi, vim, or nano to manually edit the sudoers file on a running instance you can connect to. Run the visudo command to edit the /etc/sudoers file on instances that you can connect to. The visudo command checks for parse errors while you edit and alerts you of issues that you introduce into the file before you save the changes.
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Instances.
3. Select the impaired instance, choose Instance state, and then choose Stop Instance.
4. On the Stop instance? pop-up, choose Stop.
5. Under the Storage tab, click on the volume ID for root device name.
6. On the Volumes page, select the volume, choose Actions, and then choose Detach volume.
7. On the pop-up, choose Detach. Verify that the Volume state is Available.
8. Launch a new EC2 instance in same Availability Zone as the original instance. The new instance becomes your rescue instance.
9. After the rescue instance launches, in the navigation pane, choose Volumes.
10. Select the detached root volume of the original instance. Choose Actions, and then choose Attach Volume.
11. For Instance, select the rescue instance ID and enter a device name. Then, choose Attach volume.
12. With your key pair, use SSH to connect into the instance.
13. To verify the device name of the attached volume, run the lsblk command.
lsblk
Example output:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTxvda 202:0 0 8G 0 disk
└─xvda1 202:1 0 8G 0 part /
xvdf 202:80 0 500G 0 disk
└─xvdf1 202:81 0 500G 0 part
14. Create a mount directory, and then mount with root privileges.
Amazon Linux, Ubuntu, and Debian:
sudo mount /dev/xvdf1 /mnt
Amazon Linux 2023, Amazon Linux 2, CentOS 7 or 8, SUSE Linux 12, and RHEL 7.x or 8.x:
sudo mount -o nouuid /dev/xvdf1 /mnt
Check the mount point in the console for the newly attached volume. The mount point is usually /dev/xvdf1.
15. Chroot into the mounted directory.
for dir in {/dev,/dev/pts,/sys,/proc}; do sudo mount -o bind $dir /mnt$dir; donechroot /mnt
16. To edit the subdoers file, run the visudo command:
visudo
When you edit the file, you can revert the changes you made that caused the syntax error. Or, you can copy the file from the recovery instance and replace the /mnt/etc/sudoers file with a known correct file:
Create a backup of the original file.
sudo mv /mnt/etc/sudoers /mnt/etc/sudoers.backup
Copy the file to the instance.
sudo cp /etc/sudoers /mnt/etc/sudoers
17. After you edit or replace the sudoers file, unmount the volume.
for dir in {/dev,/dev/pts,/sys,/proc}; do umount /mnt$dir; donesudo umount /mnt
18. Attach the volume to the original instance. Specify the mount point as /dev/xvda or /dev/sda1, because this is the root volume for the original instance.
19. Start the original instance.
20. Use SSH to connect to the instance and run sudo commands.
Related information
Why can't I run sudo commands on my EC2 Linux instance?