314

How do I edit an invalid sudoers file? It throws the below error and it's not allowing me to edit again to fix it.

Here is what happens:

$ sudo visudo
>>> /etc/sudoers: syntax error near line 28 <<<
sudo: parse error in /etc/sudoers near line 28
sudo: no valid sudoers sources found, quitting
wjandrea

18 Answers

479

On a modern Ubuntu system (and many other GNU/Linux distributions), fixing a corrupted sudoers file is actually quite easy, and doesn't require rebooting, using a live CD, or physical access to the machine.

To do this via SSH, log in to the machine and run the command pkexec visudo. If you have physical access to the machine, SSH is unnecessary; just open a Terminal window and run that pkexec command.

Assuming you (or some other user) are authorized to run programs as root with PolicyKit, you can enter your password, and then it will run visudo as root, and you can fix your /etc/sudoers.

If you need to edit one of the configuration files in /etc/sudoers.d (which is uncommon in this situation, but possible), use pkexec visudo -f /etc/sudoers.d/filename.

If you have a related situation where you have to perform additional system administration commands as root to fix the problem (also uncommon in this circumstance, but common in others), you can start an interactive root shell with pkexec bash. Generally speaking, any non-graphical command you'd run with sudo can be run with pkexec instead.

(If there is more than one user account on the system authorized to run programs as root with PolicyKit, then for any of those actions, you'll be asked to select which one you want to use, before being asked for your password.)


If that doesn't work--for example, if there are no users authorized to run programs as root via PolicyKit--then boot from an Ubuntu live CD (like the CD you probably used to install Ubuntu) and mount the filesystem for the installed system. You can do this by running sudo parted -l to view your partitions--there is probably just one ext4 partition, and that's the root filesystem.

Suppose the installed Ubuntu system's root filesystem is on /dev/sda1. Then you could mount it with sudo mount /dev/sda1 /mnt. Then you can edit the installed system's sudoers file with sudo nano -w /mnt/etc/sudoers. Or, even better, you can edit it with

sudo visudo -f /mnt/etc/sudoers

(which will prevent you from saving a sudoers file with incorrect syntax).

guntbert
Eliah Kagan
  • 7
    pkexec /usr/sbin/visudo worked on debian 7 – marinara Mar 05 '14 at 01:33
  • Couldn't they also just boot into recovery mode? – Seth Oct 11 '14 at 16:43
  • 11
    HOLY COW! Thanks a LOT! Saved my bacon. Added a file as suggested into etc/sudoers.d/ directory USING A REGULAR TEXT EDITOR (D-O-N-T__D-O__T-H-A-T!!!). Lost all ability to do elevated privileges, INCLUDING, editing the offending file. This helped edit the file. Weird though, I had to edit /etc/sudoers first, then it found the errors in the other file and opened that for me. EVEN WEIRDER, the directive in /etc/sudoers file 'inlcudedir /etc/sudoers.d' was commented out, and it still includes it. – Dennis Apr 05 '15 at 03:15
  • 5
    @Dennis Somewhat confusingly, #include directives in sudoers files are treated specially; the leading # does not cause the rest of the line to be interpreted as a comment, in that case. As man sudoers says: "The pound sign (‘#’) is used to indicate a comment (unless it is part of a #include directive or unless..." See also visudo: #includedir sudoers.d (archived from http://lzone.de/blog/). – Eliah Kagan Apr 05 '15 at 03:49
  • 1
    @EliahKagan what if I don't even have pkexec installed? –  Apr 16 '15 at 19:21
  • @Lucas pkexec is installed by default on most desktop Ubuntu systems, though not on many server and minimal systems. If you don't have pkexec, you cannot use the pkexec-based way, as you'd have to first fix the problem in order to install pkexec. (Manual, non-root installations by copying pkexec and supporting files from another machine will not give pkexec the ability to perform actions as root.) So if you have this problem and don't have pkexec, you'll instead have to use a less convenient method, like booting into recovery mode (as Seth suggests) or using a live CD/DVD/USB. – Eliah Kagan Apr 16 '15 at 23:36
  • 9
    My user is sudoer but i got this error: Error executing command as another user: Not authorized – SuB Oct 30 '16 at 10:05
  • It also works on RHEL 7! – Cristiano Fontes May 12 '17 at 16:50
  • 3
    Note: if you're not running a graphical linux flavor you might get GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie. Do not lose hope; see https://github.com/NixOS/nixpkgs/issues/18012 for a solution – Andreas Dec 30 '17 at 03:33
  • I don't have visudo installed. So I did pkexec vim. Then it shows the list of users and asks for password. When I provide password, it throws error as " Error executing command as another user: Not authorized". Please help – Shyamkkhadka May 24 '18 at 05:48
  • pkexec bash works on ubuntu 18.04 – Marslo May 28 '18 at 05:54
  • 10
    In Ubuntu 16.04, pkexec visudo asks for a password, which does not accept the correct password. It throws an "AUTHENTICATION FAILED" error. – Juha Untinen Aug 14 '18 at 09:30
  • In Ubuntu 18.04: Error getting authority: Error initializing authority: Could not connect: No such file or directory – mehmet Dec 13 '18 at 19:29
  • 5
    AUTHENTICATION FAILED fix:

    https://askubuntu.com/questions/799669/etc-sudoers-file-corrupted-and-i-cant-run-pkexec-visudo-over-ssh?newreg=738961109f804005b8f7188bbcdf98f3

    – neodim May 08 '19 at 13:43
  • Adding an answer in case this happens in a WSL Ubuntu system, and you are stuck in a regular user; not sudo. Close the WSL terminal and execute the below command in CMD. "ubuntu1804 config --default-user root" for Ubuntu 18.04 or "ubuntu config --default-user root" for versions below. Next login will be on root – SAUJ Sep 12 '19 at 06:11
  • pkexec visudo worked on Ubuntu. Life saver – Rakib Fiha Dec 27 '19 at 07:24
  • This works, but beware of this bug: https://github.com/NixOS/nixpkgs/issues/18012 – Marco Massenzio Mar 15 '20 at 20:59
  • 2
    polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie - not sure what is the problem? (Debian) UPDATE Fix here – Redsandro Mar 23 '21 at 20:23
  • HOLY COW!! This was a FRESH INSTALL and /etc/sudoers had the line "@includedir /etc/sudoers.d"!!! Clever, that. Fortunately, visudoers ignored the "." in "README.tmp" so I could understand the problem. Why isn't everyone experiencing this problem? – Bruce Feb 10 '22 at 16:07
79

Always use visudo to edit your sudoers file, never edit it directly yourself. It will prevent you saving it to disk unless it validates.

tantrix
Caesium
  • 33
    hindsight is 20/20 – code_monk Jan 09 '15 at 01:57
  • 8
    It won't prevent disaster. It's easy enough to validly deny yourself. – Joshua Oct 05 '15 at 22:02
  • Can visudo be used by scripts? If so, how? – Lukas Jul 07 '16 at 15:01
  • I don't have visudo installed. So I did pkexec vim. Then it shows the list of users and asks for password. When I provide password, it throws error as " Error executing command as another user: Not authorized". Please help – Shyamkkhadka May 24 '18 at 05:48
  • 1
    @Shyamkkhadka Copied from another comment: Note: if you're not running a graphical linux flavor you might get GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie. Do not lose hope; see github.com/NixOS/nixpkgs/issues/18012 for a solution – Eliezer Miron Jun 08 '22 at 19:33
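
On the comment above asking whether visudo can be used from scripts: visudo has a check-only mode (-c) that accepts a file with -f, so a script can validate a candidate before it becomes live. This is an added example, not part of the original answers; the function name, the VISUDO override and the directory argument are assumptions so that it can be tried in a scratch directory.

```shell
#!/bin/sh
# Added example. Run as root on a real system; VISUDO and the directory
# argument exist only so the function can be tried in a scratch directory.

install_sudoers_dropin() {
    src=$1                        # candidate rules generated by your script
    name=$2                       # drop-in name, e.g. 90-deploy
    dir=${3:-/etc/sudoers.d}

    # sudo skips files in sudoers.d whose names contain '.' or end in '~',
    # so such a drop-in would be installed but never take effect.
    case $name in
        ''|*.*|*~|*/*) echo "unusable drop-in name: $name" >&2; return 2 ;;
    esac

    # Stage inside the target directory so the final mv is a same-filesystem
    # rename. The leading dot means sudo ignores the staging file itself.
    tmp=$(mktemp "$dir/.stage.XXXXXX") || return 1
    cat "$src" > "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }

    # Check-only mode: parse the staged copy, never the live file.
    if ! "${VISUDO:-visudo}" -c -f "$tmp"; then
        echo "rejected: $src does not parse, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$dir/$name"     # only a validated file ever gets a live name
}
```

A file that parses can still remove your own access, as a comment above points out, so keep a root shell open until `sudo -l` shows what you expect.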
34

Type in:

pkexec visudo

Then change last line

#includedir /etc/sudoers

To:

#includedir /etc/sudoers.d

It should solve your problem.

muru
Andrej Burcev
  • 2
    I've noticed that removing the leading # from #includedir causes syntax errors, the # is part of the directive, at least on Ubuntu 12.10. – SAFX Apr 05 '13 at 02:46
  • 1
    That just saved me a lot of headache. Thanks a ton :) – Addo Solutions Jul 16 '17 at 18:29
  • 2
    I don't have visudo installed. So I did pkexec vim. Then it shows the list of users and asks for password. When I provide password, it throws error as " Error executing command as another user: Not authorized". Please help – Shyamkkhadka May 24 '18 at 05:48
26

When this happens to a non-GUI system (your production server, maybe) the pkexec fails with this error message:

polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

In this situation, using pkttyagent can be helpful. If you want to remove a corrupted file in sudoers.d directory, use this:

pkttyagent -p $(echo $$) | pkexec rm /etc/sudoers.d/FILENAME

If you want to recover the default /etc/sudoers, you can use this gist to copy the default configurations, putting it in a non-root accessed place (e.g. your $HOME). Then, you can overwrite your sudoers file:

pkttyagent -p $(echo $$) | pkexec cp ~/sudoers /etc/sudoers

NOTE: Using this approach, after running your command, probably your access to the shell will be gone. But I'm sure losing one shell session is much better than losing your server! (According to the manpage, this is the normal behavior: When its services are no longer needed, the process can be killed.)

Ali Tou
17

If anyone else, like me, didn't have pkexec installed, or was not able to run vi, visudo, nano or any other editor to change the sudoers file, you can be sure with this process. I was saved with this:

  • reboot
  • hold shift key while booting to have option for recovery mode (enter it)
  • enter command line as root (second last option at my grub menu)
  • remount boot device for rw, and apply exec right for user, and edit file

    mount -n -o remount,rw /
    chmod u+x /etc/sudoers
    visudo /etc/sudoers
    

fix that mistake and be happy :)

  • While pkexec solution suggested by @eliah-kagan seems to be easier, this one is more universal. On my machine it turned out that there is no pkexec installed and of course I could not install it because sudo apt-get install pkexec somehow did not work. – running.t Oct 15 '15 at 14:06
  • Also within this approach I would use visudo instead nano /etc/sudoers. – pa4080 Dec 03 '18 at 12:38
9

If you messed up your sudoers file, you'll need to:

  • Reboot into recovery mode (hit escape during boot, choose the recovery mode option on the grub screen)
  • Choose the 'Enable networking' option (if you don't your filesystem will be mounted as read-only. who knew)
  • Choose the 'Drop to root shell' option
  • run visudo, fix your file
  • Reboot with normal grub option

source :- http://mario.net.au/content/recover-etcsudoers-ubuntu-1204

Melebius
streak
6

For WSL users, accessing a bad sudoers is much more straightforward:

wsl.exe -u root visudo

If you cannot recover the file manually this way, you can reset it to the default installed version (adapted from this answer) with:

wsl.exe -u root -e apt install --reinstall -o Dpkg::Options::="--force-confask,confnew,confmiss" sudo

Important: This will reset all configuration files associated with sudo, including other customizations done in /etc/sudoers.d.

NotTheDr01ds
4

There is nothing wrong with #include sudoer.d; removing #include sudoer.d won't make any difference.

But please make sure you don't have any syntax errors. I had the same issue and spent hours trying to fix it, and just figured out they were syntax errors. Refer to the manual and make them right.

For example, say your username is dolly. I used the following, which is wrong:

 dolly ALL = (ALL) ALL NO PASSWD: ALL

correct syntax is

dolly ALL = (ALL) ALL # give permission to everything, not good

or

dolly ALL=(ALL) NOPASSWD:/usr/bin/thunderbird # good, give specific permission

hope this helps

  • A better approach than making sure you don't have syntax errors is to always use visudo when editing these files, which makes sure you don't have syntax errors for you, before it modifies file. visudo is not just for editing /etc/sudoers--it will also create and edit files in /etc/sudoers.d. It will also work with whatever text editor you want. See the manpage for details. – Eliah Kagan Jul 03 '12 at 00:12
  • As for giving specific permission, please note that this is only useful for very simple commands/apps, because any sufficiently complex app (including thunderbird, which should never be run as root anyway) will effectively give the user full system access when run as root. Even seemingly simple functionality opens the door to full root access. For example, a user who can run a program that can save a file to an arbitrary location as root can gain full root access (they can install their own /etc/sudoers, or if syntax limitations prevent that, they can install their own /etc/crontab). – Eliah Kagan Jul 03 '12 at 00:16
3

run recovery mode then type this

chown -R root:root /etc/sudoers.d
chmod u=rwx,g=rx,o=rx /etc/sudoers.d/
chmod u=r,g=r,o= /etc/sudoers.d/*

only the group and user root should have read privilege

kosaidpo
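
A check for the state those commands leave behind, as an added example that is not part of the original answer: it reports drop-ins whose mode or owner differs from 0440/root, and names that sudo never reads (containing '.' or ending in '~'). The function name, the report labels and the want_uid parameter are assumptions; GNU stat is assumed.

```shell
#!/bin/sh
# Added example. GNU stat is assumed (stat -c); want_uid defaults to root and
# is a parameter only so the check can be tried on a scratch directory.

audit_sudoers_dir() {
    dir=${1:-/etc/sudoers.d}
    want_uid=${2:-0}
    findings=0

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}

        # Names containing '.' or ending in '~' are never read by sudo:
        # a rule you think is active is not, or an editor backup is lying around.
        case $name in
            *.*|*~)
                echo "SKIPPED-BY-SUDO $f"
                findings=$((findings + 1))
                continue ;;
        esac

        mode=$(stat -c %a "$f")
        uid=$(stat -c %u "$f")
        # u=r,g=r,o= from the answer is octal 440.
        [ "$mode" = 440 ] || { echo "MODE $mode $f"; findings=$((findings + 1)); }
        [ "$uid" = "$want_uid" ] || { echo "OWNER $uid $f"; findings=$((findings + 1)); }
    done

    [ "$findings" -eq 0 ]         # non-zero exit when anything was reported
}
```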
2

You can also login as root on a tty console with Ctrl+Fn (Fn from 1 to 6) and run visudo.

BuZZ-dEE
2
pkexec visudo

then revert your mistakes

kiri
  • 1
    not necessary to use pkexec – Braiam Jan 01 '14 at 12:01
  • 1
    @Braiam visudo has to be run as root. If sudo doesn't work, pkexec sometimes does. This is covered by my earlier answer... but it is a correct answer, visudo by itself (when not run as root) will not work, and there may be value in correct, brief answers even when their recommendations overlap considerably with other answers. Of course, if one goes into recovery mode, that's a root shell and then neither sudo nor visudo is necessary for commands like pkexec. Maybe that's what you mean... – Eliah Kagan Mar 29 '14 at 05:30
1

In Ubuntu 16.04 running on a VirtualBox (shouldn't make a difference), the above methods didn't work for me (invalid row in the end of the file). What did work was:

  1. Restart the VirtualBox
  2. Let it boot normally, until it asks for your username & password in the console
  3. Login normally with your username
  4. Then when you end up in the console (provided your box doesn't boot into a GUI), simply give the command su - and then give your own username's password.
  5. It should now end up in root@ubuntu-xenial:~# prompt, if the /etc/sudoers isn't too broken or empty. Not sure what would happen in that case.
  6. Then you can simply run visudo and fix the file.
  7. Then Ctrl + X and it will prompt to Save modified buffer. Press Y and Enter
  8. Restart the box and it should work now.

In case your /etc/sudoers is empty or missing something, and you can edit it, then here's the contents of mine:

Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

root ALL=(ALL:ALL) ALL

%admin ALL=(ALL) ALL

%sudo ALL=(ALL:ALL) ALL
Juha Untinen
1

Good practice: open a backup terminal window and run sudo su there. On another terminal run visudo or sudo vim /etc/sudoers. If anything goes wrong, go back to terminal one and fix the file. You may ask, why not just run sudo su before visudo in one terminal? This works as well, but has a higher risk of you closing the terminal before you know it.

1

There is a way simpler solution. Without rebooting, recovery mode, or pkgexec (pkgexec didn't work and have no idea why or how I should use it), simply do:

su root # switch to root user, without using sudo (which is broken at this point)
your_favorite_editor /etc/sudoers # e.g. nano

And then just fix the syntax error!

rien333
  • 1
    What's with the downvote? Worked perfectly for me. – rien333 Aug 08 '19 at 13:29
  • This answer is actually working. I wonder why the downvote !! – McLan Nov 25 '19 at 18:48
  • 1
    I suggest that downvote should come with an explanation. Otherwise, people can exploit it and, even worse, disallow a valid answer. – McLan Nov 25 '19 at 18:50
  • 1
    I think the downvote came from the land that running this command requires root to have a password, which by default it doesn't. – Ali Tou May 20 '20 at 00:07
  • Ah, so the thing is that it doesn't work for ubuntu. So many questions on this board are applicable to linux in general, however, that I often fail to think about distro differences (and of course, this is the main thing that comes up on google when you search this problem). – rien333 May 20 '20 at 08:44
1

Adding this for the new wave of WSL-based Linux VMs. When I locked myself out of my debian-based WSL2 VM (Pengwin) which didn't have pkexec and the root password was not set, here's what I found fixed the problem:

  • Open a Windows Powershell as administrator (right-click 'Run as Administrator')
  • Set the default user on the VM to be root (because it won't ask for a password) per this how-to:
<distro.exe> config --default-user root

Example:

ubuntu1804.exe config --default-user root 

or

pengwin.exe config --default-user root
  • Re-launch your distro.
  • You should now be root and can go fix your sudo problem.
  • Repeat the process to set the default user back to normal.
1
  1. You can bind the /etc volume into docker like that:

docker run -it --rm -v /etc:/etc_host ubuntu bash

  2. You gained root access. Then you can change the permissions of /etc/sudoers to 777:

chmod 777 /etc_host/sudoers

  3. Edit, fix the file and save it with any editor:

vim /etc_host/sudoers

  4. Change the permissions of /etc/sudoers to default 440:

chmod 440 /etc_host/sudoers

That's all.

1

You can edit your boot entry while in grub as well.

Simply reboot your pc, and wait for grub to show. Then press "e" on the "Ubuntu" entry to edit it.

Look for a line with "linux = " or "kernel = " and simply add "single" to the end of that line.

Then press F10 to boot this temporarily modified boot entry. This will give you a shell (without GUI) with root rights and you can edit the sudoers file with something like nano /etc/sudoers back to its previous state.

Then reboot and it's done.

0

If you have access to reboot the server, you can reboot it and catch it at the grub prompt for Ubuntu. Press 'e' to edit the grub boot config.

Find the line that starts with linux and is indented, then go to the end of that line, and add a space then init=/bin/bash. Next press F10 to boot the server. At the root shell prompt enter mount -o remount,rw / and press enter.

Now you have access as root to modify the /etc/sudoers or /etc/sudoers.d/filename.

Once you have finished modifying the files as needed, enter reboot -f and the server will reboot as normal, and your sudo issues should be resolved.

jnlickey