Troubleshooting sudoers files
The page provides tips on using the sudo command-line utility, managing the sudoers plugin, and preventing or fixing issues that arise.
Causes of problems
During each execution of the sudo command, the following process takes place to validate the sudoers files:
- The syntax is checked for correctness.
- The content is analyzed to exclude some of the logical errors.
- Ownership and permissions are checked.
The validation of the sudoers files might fail due to any of the following errors:
Syntax errors
You must follow specific syntax rules when you make changes to the sudoers files. Any deviation from this syntax, including but not limited to a missing or extra character or an inappropriate comma, can make the file invalid. Invalidation of the file makes it impossible to use the sudo utility.
Solution
The solution is to use the visudo utility to edit the sudoers files. It validates the file content before saving and notifies you in case of issues. The visudo utility was created for editing the file in a safe fashion.
The following examples show both correct and incorrect syntax samples:

Correct syntax

    user ALL=(ALL) ALL

Incorrect syntax

    user ALL=(ALL), ALL

Syntax error example

    $ sudo useradd username
    /etc/sudoers:20:17: syntax error
    user ALL=(ALL), ALL
                    ^

Logical errors
Errors of this type can be caused by one of the following:
- A misunderstanding of the principles of the sudoers plugin.
- Deviations from the correct syntax.
However, logical errors are not recognized during validation, because they do not violate syntax rules and therefore are tricky to detect.
Solution
You must carefully read the official documentation and adhere to its principles when you edit the file.
Google also recommends that you use the visudo utility to edit the sudoers files, as it can detect some types of logical errors, such as:
- Undefined or unused aliases
- Cyclic references
- Duplicate entries
If any issues are detected, you see a warning message.
The following examples show both logically correct and incorrect samples:

Logically correct

    barbara ALL=(ALL:ALL) /usr/bin/ls

Logically incorrect

    barbara ALL=(4LL:ALL) /usr/bin/ls
                 ^
    barbara ALL=(ALL;ALL) /usr/bin/ls
                    ^
    bar6ara ALL=(ALL:ALL) /usr/bin/1s
       ^                           ^

Incorrect permissions
In addition to errors caused by the content of the sudoers files, their excessive file permissions or incorrect ownership can also cause the sudo utility to fail.
Solution
You see a description of these errors in the output of the failed sudo command. Read through the error message description and make the necessary corrections.
The following is an example of the correct file permissions and ownership:

    $ ls -l /etc/sudoers
    -r--r----- 1 root root 700 Jan 1 12:00 /etc/sudoers
    $ sudo useradd username

The following example shows the error that is displayed when there are excess permissions for the all-users (others) permission class, that is, the file is world writable:

    $ ls -l /etc/sudoers
    -r--r---w- 1 root root 700 Jan 1 12:00 /etc/sudoers
    $ sudo useradd username
    sudo: /etc/sudoers is world writable
    sudo: no valid sudoers sources found, quitting
    sudo: error initializing audit plugin sudoers_audit

The following example shows the error that is displayed for incorrect ownership. In this example, a user with an ID that is not 0 (or a user that is not root) is the owner of the file:

    $ ls -l /etc/sudoers
    -r--r----- 1 user user 700 Jan 1 12:00 /etc/sudoers
    $ sudo useradd username
    sudo: /etc/sudoers is owned by uid 1000, should be 0
    sudo: no valid sudoers sources found, quitting
    sudo: error initializing audit plugin sudoers_audit

For more information about the configuration of the sudoers files, read the Sudoers Manual.
To learn how to manage and use the visudo editor, read the Visudo Manual.
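As an added example (not code from this page), the following POSIX shell script runs the same three validations described above, ownership, permissions and syntax, against a candidate sudoers file before it is copied into place; it also serves as the verification step after a recovery. It assumes GNU stat (Linux) and a visudo that supports -c and -f; the expected owner uid is a parameter so the check can be exercised on a scratch copy, and treating mode 0400 as acceptable is my assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for a candidate sudoers file, in the same
# order as the errors sudo reports (wrong owner, world/group writable, mode,
# then syntax). Assumes GNU stat (Linux) and visudo with -c/-f support.

# Print a one-word verdict for the owner and mode of $1.
# $2 is the expected owner uid (default 0); it is a parameter only so the
# check can be exercised on a scratch copy owned by an unprivileged user.
sudoers_perm_check() {
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || { echo "missing"; return 1; }
    uid=$(stat -c '%u' "$file")
    mode=$(stat -c '%a' "$file")      # e.g. 440, 640, 4755 (octal digits)
    if [ "$uid" -ne "$want_uid" ]; then echo "wrong-owner"; return 1; fi
    # The leading 0 makes the shell parse the digits as octal.
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then echo "world-writable"; return 1; fi
    if [ $(( 0$mode & 0020 )) -ne 0 ]; then echo "group-writable"; return 1; fi
    # Any bit beyond 0440 (extra read/exec bits, setuid, ...) is rejected;
    # 0400 passes because it grants strictly less than 0440 (assumption).
    if [ $(( 0$mode & ~0440 )) -ne 0 ]; then echo "too-permissive"; return 1; fi
    echo "ok"
}

# Syntax check with visudo in check mode on the candidate file, not the live
# /etc/sudoers. Some visudo versions also report owner/mode problems here,
# which is why the permission check runs first.
sudoers_syntax_check() {
    visudo -c -f "$1"
}

# Run both checks. Usage: sudoers_check CANDIDATE [EXPECTED_UID]
sudoers_check() {
    verdict=$(sudoers_perm_check "$1" "${2:-0}")
    if [ "$verdict" != "ok" ]; then
        echo "$1: $verdict" >&2
        return 1
    fi
    if ! sudoers_syntax_check "$1"; then
        echo "$1: rejected by visudo" >&2
        return 1
    fi
    echo "$1: ok"
}

# When executed directly with arguments, check the given file.
if [ $# -gt 0 ]; then
    sudoers_check "$@"
fi
```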
Consequences of problems
Issues in the sudoers files cause negative effects and can affect the functionality of the entire system.
The sudo command no longer works.
This is the most noticeable consequence of issues in the sudoers files. The consequence of this is the inability to use elevated privileges for users, which blocks their activity on the server. However, more destructive and unpredictable consequences are failures of the applications that rely on the sudo command. In some cases, this may cause the application to fail completely, leading to unexpected behavior, crashes, or data loss. Another example is when the sudo command is called by an application during the OS boot sequence and fails. It can lead to OS failure or cause the boot sequence to get stuck.

Tip: If there is some kind of problem with the sudoers files, we strongly recommend that you stop the workload on the virtual machine (VM) instance, if possible, until the problem is fixed. This can be done in a number of ways, including the following:
- Temporarily disabling the startup or shutdown scripts.
- Pausing the cron jobs.
Possible unauthorized access to the system.
Another risky consequence is that issues in the sudoers files can lead to unauthorized access to the system. This can happen due to a logical error, when rules in the sudoers files give some users or groups excessive permissions. This may also happen because the system owner temporarily disables or weakens the system's defenses in order to log in and fix the problem.

Tip: In order to avoid unauthorized access, it is recommended to carefully read the official documentation before editing the sudoers files. Additionally, during the recovery process, we highly recommend that you don't use unsafe approaches such as the following:
- Temporarily setting the password of the root user through the startup script.
- Creating a temporary user with administrator rights and the permissions to log in without a password.
Recovery in case of problems
If you lose elevated user privileges or can't use the sudo command due to problems with the sudoers files, then use the superuser account for recovery.
In Unix-like operating systems, the superuser is a special user account with ID equal to 0, that is usually called root. The superuser has full access to the system resources, and can perform any administrative task without restrictions. While interacting with the OS on behalf of the superuser is generally considered insecure, it may be the only option for certain tasks such as recovery of the sudoers files.
Logging in directly as the superuser exposes the OS to risk. To avoid this risk, Google recommends that you use the startup script functionality, as this script is executed on behalf of the superuser.
Read more about Compute Engine startup scripts.
To recover the sudoers files with a startup script, do the following:
1. Create a backup copy of the current startup script if it's already in use. The backup approach depends on how the startup script is configured.

   startup-script
   If the script content is set directly in the metadata value, you can copy the script content to a Cloud Storage bucket, a local file or any other temporary private storage.
   Caution: Use only trusted storage so that the script doesn't leak during the recovery process.

   startup-script-url
   If the contents of the script are already in the remote storage and its URL address is used, then you can just temporarily remove the startup-script-url metadata key to disable the current startup script.
   Caution: Do not remove the script file itself from the remote storage.

2. Update the startup script with the following command sequence:

       mv /etc/sudoers /etc/sudoers.backup.$(date +"%s") && echo "%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers && chown 0:0 /etc/sudoers && chmod 0440 /etc/sudoers

   Read more about what the commands do:

   mv /etc/sudoers /etc/sudoers.backup.$(date +"%s")
   This command creates a copy of the /etc/sudoers file with a different name and deletes the original file. The name of the new file contains a timestamp at the end for uniqueness (e.g. sudoers.backup.1672527600).

   echo "%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers
   This command creates the previously deleted file /etc/sudoers with a single rule that allows authorized Google Cloud users with access to the VM to execute any commands on behalf of any system user. This rule always exists by default in an additional file, /etc/sudoers.d/google_sudoers.

   chown 0:0 /etc/sudoers
   This command sets the owner of the /etc/sudoers file to the user whose ID is 0 and the owning group to the group whose ID is 0.

   chmod 0440 /etc/sudoers
   This command sets permissions for the /etc/sudoers file to read-only and allows only its owner and owning group to read the file. The /etc/sudoers file can still be modified by authorized users of the system using the visudo utility.

3. Stop the VM, if it's running. Restart the VM to trigger the execution of the startup script.

4. Connect to the VM and edit the broken sudoers file to recover it.

       sudo visudo /etc/sudoers.backup.TIMESTAMP

   Note: Instead of fixing the sudoers file manually, you can create a new VM instance with the same boot disk image and copy the correct file from there.

5. Save the changes and replace the current /etc/sudoers file with the file you just edited.

       sudo mv /etc/sudoers.backup.TIMESTAMP /etc/sudoers

6. Make sure that the original issue with using the sudo command and elevated privileges has been fixed.

7. Remove the temporary startup script and restore the original one if it was used.
   Note: If the temporary startup script remains, the content of the /etc/sudoers file is overwritten each time the VM is restarted.

What's Next?
- Learn how to recover an inaccessible or corrupted VM.
- Learn how to add an existing disk to another VM.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.