320

How do I edit an invalid sudoers file? It throws the below error and it's not allowing me to edit again to fix it.

Here is what happens:

$ sudo visudo
>>> /etc/sudoers: syntax error near line 28 <<<
sudo: parse error in /etc/sudoers near line 28
sudo: no valid sudoers sources found, quitting
wjandrea

18 Answers

484

On a modern Ubuntu system (and many other GNU/Linux distributions), fixing a corrupted sudoers file is actually quite easy, and doesn't require rebooting, using a live CD, or physical access to the machine.

To do this via SSH, log in to the machine and run the command pkexec visudo. If you have physical access to the machine, SSH is unnecessary; just open a Terminal window and run that pkexec command.

Assuming you (or some other user) are authorized to run programs as root with PolicyKit, you can enter your password, and then it will run visudo as root, and you can fix your /etc/sudoers.

If you need to edit one of the configuration files in /etc/sudoers.d (which is uncommon in this situation, but possible), use pkexec visudo -f /etc/sudoers.d/filename.

If you have a related situation where you have to perform additional system administration commands as root to fix the problem (also uncommon in this circumstance, but common in others), you can start an interactive root shell with pkexec bash. Generally speaking, any non-graphical command you'd run with sudo can be run with pkexec instead.

(If there is more than one user account on the system authorized to run programs as root with PolicyKit, then for any of those actions, you'll be asked to select which one you want to use, before being asked for your password.)


If that doesn't work--for example, if there are no users authorized to run programs as root via PolicyKit--then boot from an Ubuntu live CD (like the CD you probably used to install Ubuntu) and mount the filesystem for the installed system. You can do this by running sudo parted -l to view your partitions--there is probably just one ext4 partition, and that's the root filesystem.

Suppose the installed Ubuntu system's root filesystem is on /dev/sda1. Then you could mount it with sudo mount /dev/sda1 /mnt. Then you can edit the installed system's sudoers file with sudo nano -w /mnt/etc/sudoers. Or, even better, you can edit it with

sudo visudo -f /mnt/etc/sudoers

(which will prevent you from saving a sudoers file with incorrect syntax).

guntbert
Eliah Kagan
79

Always use visudo to edit your sudoers file, never edit it directly yourself. It will prevent you saving it to disk unless it validates.

tantrix
Caesium
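
One way to apply the "validate before it reaches disk" rule to scripted changes, as an added example that is not part of the original answer: a shell function that syntax-checks a drop-in with visudo -c -f and only then renames it into place with mode 0440. The function name and the VISUDO and SUDOERS_DIR override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate a sudoers drop-in before it replaces anything sudo reads.
# VISUDO and SUDOERS_DIR are assumptions of this example: overridable so the
# function can be tried against a scratch directory; defaults are the real ones.
VISUDO="${VISUDO:-visudo}"
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# install_sudoers_dropin CANDIDATE NAME
# Returns 0 when installed, 1 on bad arguments or name, 2 when the syntax check fails.
install_sudoers_dropin() {
    candidate=$1
    name=$2
    [ -f "$candidate" ] && [ -n "$name" ] || return 1

    # sudo skips drop-in files whose names contain '.' or end in '~',
    # and a '/' would escape the target directory.
    case $name in
        *.*|*~|*/*) echo "refusing drop-in name '$name'" >&2; return 1 ;;
    esac

    # Stage a private copy inside the target directory. The leading '.' in the
    # temporary name means sudo ignores it while it is being checked.
    tmp=$(mktemp "$SUDOERS_DIR/.tmp_XXXXXX") || return 1
    cat "$candidate" > "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }

    # visudo -c only checks; -f points it at the staged file, not /etc/sudoers.
    if ! "$VISUDO" -c -f "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "syntax check failed; $SUDOERS_DIR/$name left untouched" >&2
        return 2
    fi

    # A rename within one directory is atomic: sudo sees the old file or the
    # new one, never a half-written one.
    mv -f "$tmp" "$SUDOERS_DIR/$name"
}
```

Run it as root so the installed file is owned by root, for example `install_sudoers_dropin ./dolly.new dolly`.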
34

Type in:

pkexec visudo

Then change the last line

#includedir /etc/sudoers

To:

#includedir /etc/sudoers.d

It should solve your problem.

muru
Andrej Burcev
29

When this happens to a non-GUI system (your production server, maybe) the pkexec fails with this error message:

polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

In this situation, using pkttyagent can be helpful. If you want to remove a corrupted file in the sudoers.d directory, use this:

pkttyagent -p $(echo $$) | pkexec rm /etc/sudoers.d/FILENAME

If you want to recover the default /etc/sudoers, you can use this gist to copy the default configurations, putting it in a non-root accessed place (e.g. your $HOME). Then, you can overwrite your sudoers file:

pkttyagent -p $(echo $$) | pkexec cp ~/sudoers /etc/sudoers

NOTE: Using this approach, after running your command, probably your access to the shell will be gone. But I'm sure losing one shell session is much better than losing your server! (According to the manpage, this is the normal behavior: When its services are no longer needed, the process can be killed.)

Ali Tou
17

If anyone else, like me, didn't have pkexec installed, or was not able to run vi, visudo, nano or any other editor to change the sudoers file, you can be sure with this process. I was saved with this:

  • reboot
  • hold the shift key while booting to have the option for recovery mode (enter it)
  • enter the command line as root (second-to-last option in my grub menu)
  • remount the boot device rw, apply the exec right for the user, and edit the file

    mount -n -o remount,rw /
    chmod u+x /etc/sudoers
    visudo /etc/sudoers
    

fix that mistake and be happy :)

9

If you messed up your sudoers file, you'll need to:

  • Reboot into recovery mode (hit escape during boot, choose the recovery mode option on the grub screen)
  • Choose the 'Enable networking' option (if you don't, your filesystem will be mounted as read-only. Who knew)
  • Choose the 'Drop to root shell' option
  • Run visudo, fix your file
  • Reboot with the normal grub option

source :- http://mario.net.au/content/recover-etcsudoers-ubuntu-1204

Melebius
streak
7

For WSL users, accessing a bad sudoers is much more straightforward:

wsl.exe -u root visudo

If you cannot recover the file manually this way, you can reset it to the default installed version (adapted from this answer) with:

wsl.exe -u root -e apt install --reinstall -o Dpkg::Options::="--force-confask,confnew,confmiss" sudo

Important: This will reset all configuration files associated with sudo, including other customizations done in /etc/sudoers.d.

NotTheDr01ds
5

There is nothing wrong with #include sudoer.d; removing #include sudoer.d won't make any difference.

But please make sure you don't have any syntax errors. I had the same issue and spent hours trying to fix it, and just figured out they were syntax errors. Refer to the manual and make them right.

For example, say your username is dolly. I used the following, which is wrong:

 dolly ALL = (ALL) ALL NO PASSWD: ALL

The correct syntax is

dolly ALL = (ALL) ALL # give permission to everything, not good

or

dolly ALL=(ALL) NOPASSWD:/usr/bin/thunderbird # good, give specific permission

Hope this helps.

3

Run recovery mode, then type this:

chown -R root:root /etc/sudoers.d
chmod u=rwx,g=rx,o=rx /etc/sudoers.d/
chmod u=r,g=r,o= /etc/sudoers.d/*

Only the group and user root should have read privilege.

kosaidpo
2

You can also login as root on a tty console with Ctrl+Fn (Fn from 1 to 6) and run visudo.

BuZZ-dEE
2

pkexec visudo

then revert your mistakes

kiri
1

In Ubuntu 16.04 running on a VirtualBox (shouldn't make a difference), the above methods didn't work for me (invalid row in the end of the file). What did work was:

  1. Restart the VirtualBox
  2. Let it boot normally, until it asks for your username & password in the console
  3. Login normally with your username
  4. Then when you end up in the console (provided your box doesn't boot into a GUI), simply give the command su - and then give your own username's password.
  5. It should now end up in root@ubuntu-xenial:~# prompt, if the /etc/sudoers isn't too broken or empty. Not sure what would happen in that case.
  6. Then you can simply run visudo and fix the file.
  7. Then Ctrl + X and it will prompt to Save modified buffer. Press Y and Enter
  8. Restart the box and it should work now.

In case your /etc/sudoers is empty or missing something, and you can edit it, then here's the contents of mine:

Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

root ALL=(ALL:ALL) ALL

%admin ALL=(ALL) ALL

%sudo ALL=(ALL:ALL) ALL

1

Good practice: open a backup terminal window and run sudo su there. In another terminal, run visudo or sudo vim /etc/sudoers. If anything goes wrong, go back to terminal one and fix the file. You may ask, why not just run sudo su before visudo in one terminal? This works as well, but has a higher risk of you closing the terminal before you know it.

1

There is a way simpler solution. Without rebooting, recovery mode, or pkgexec (pkgexec didn't work and have no idea why or how I should use it), simply do:

su root # switch to root user, without using sudo (which is broken at this point)
your_favorite_editor /etc/sudoers # e.g. nano

And then just fix the syntax error!

rien333
1

Adding this for the new wave of WSL-based Linux VMs. When I locked myself out of my debian-based WSL2 VM (Pengwin) which didn't have pkexec and the root password was not set, here's what I found fixed the problem:

  • Open a Windows PowerShell as administrator (right-click 'Run as Administrator')
  • Set the default user on the VM to be root (because it won't ask for a password) per this how-to:

    <distro.exe> config --default-user root

    Example:

    ubuntu1804.exe config --default-user root

    or

    pengwin.exe config --default-user root

  • Re-launch your distro.
  • You should now be root and can go fix your sudo problem.
  • Repeat the process to set the default user back to normal.

1

  1. You can bind the /etc volume into docker like this (the host's /etc appears inside the container as /etc_host):

docker run -it --rm -v /etc:/etc_host ubuntu bash

  2. You gained root access. Then you can change the permissions of /etc/sudoers to 777:

chmod 777 /etc_host/sudoers

  3. Edit, fix the file and save it with any editor:

vim /etc_host/sudoers

  4. Change the permissions of /etc/sudoers to default 440:

chmod 440 /etc_host/sudoers

That's all.

1

You can edit your boot entry while in grub as well.

Simply reboot your PC and wait for grub to show. Then press "e" on the "Ubuntu" entry to edit it.

Look for a line with "linux = " or "kernel = " and simply add "single" to the end of that line.

Then press F10 to boot this temporarily modified boot entry. This will give you a shell (without GUI) with root rights, and you can edit the sudoers file with something like nano /etc/sudoers back to its previous state.

Then reboot and it's done.

0

If you have access to reboot the server, you can reboot it and catch it at the grub prompt for Ubuntu. Press 'e' to edit the grub boot config.

Find the line that starts with linux and is indented, then go to the end of that line, and add a space then init=/bin/bash. Next press F10 to boot the server. At the root shell prompt enter mount -o remount,rw / and press enter.

Now you have access as root to modify the /etc/sudoers or /etc/sudoers.d/filename.

Once you have finished modifying the files as needed, enter reboot -f and the server will reboot as normal, and your sudo issues should be resolved.

jnlickey