Amazon Linux yum update changed sudo root permissions

1

I ssh'ed into my server, ran sudo yum update, and now I'm asked for a password to sudo anything.

Looking back through update logs, I noticed this: /etc/sudoers.d/cloud-init saved as /etc/sudoers.d/cloud-init.rpmsave

Might be the culprit.

Regardless, I'm less interested in exactly what went wrong at this point, as much as how to fix it with as little downtime as possible as it is a live webserver. It's not a critical system, so if it has to go down for a few, fine, but obviously would prefer not.

Thanks in advance.

egreene

Posted 2014-12-20T20:50:44.577

Reputation: 11

I'm curious how downvoting the question anonymously, while offering nothing to mention why you did not like the question, is helpful towards solving my problem. Maybe instead offer a comment to tell me what's wrong with it. Thanks again in advance. – egreene – 2014-12-20T21:28:57.140

It sounds like you've already got the info you need to answer your own question (or there's a complication that you haven't articulated). You've identified the config file which probably caused the change in behaviour. Have you compared the two versions? Have you tried moving the saved version back? A web search for rpmsave would give you some background for this. – Paul Haldane – 2014-12-21T10:17:43.390

Can you upload both files? – davidbaumann – 2014-12-21T19:21:56.557

As nice as the SO community is, I'd go to the owner of the distribution for this one, meaning the AWS EC2 forum. – Brad – 2014-12-22T16:18:58.483

Answers

0

I found a page on the EC2 FAQ that said to do the following (http://aws.amazon.com/amazon-linux-ami/faqs/). The question was actually different ("Q: Why was the wheel group disabled from /etc/sudoers and how do I re-enable it?"), but the result was the same.

1. Stop the affected instance (do not terminate).
2. Detach the root EBS volume, using either the EC2 Console or the EC2 API tools.
3. Attach the volume to another EC2 instance to which you have remote root access.
4. Log in to that instance.
5. Mount the newly attached volume.
    sudo mount /dev/xvdf /mnt
6. Regain the ability to use sudo (in this case, restoring the original /etc/sudoers.d/cloud-init file):
    ec2-user ALL = NOPASSWD: ALL
    # User rules for ec2-user
    ec2-user ALL=(ALL) NOPASSWD:ALL
7. Unmount the volume.
    sudo umount -d /dev/xvdf
8. Detach the volume.
9. Reattach the volume to your stopped instance (make sure that the device is the same as it was before the detachment, usually: /dev/sda1).
10. Start the affected instance.

It worked. I was hoping there was a way to do it without stopping the instance, but no matter. I actually did not have access to those config files, until I regained sudo access using the aforementioned steps to attach the volume to another instance.

egreene

Posted 2014-12-20T20:50:44.577

Reputation: 11
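
The restore step in the answer above (putting the original /etc/sudoers.d/cloud-init back on the mounted volume) can be scripted so that the saved file is syntax-checked before it replaces anything. This is an added example, not part of the original answer or the AWS FAQ; the function name, the `SUDOERS_CHECK` override and the `.pre-restore` backup name are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original answer. Run as root on the rescue
# instance after the volume is mounted (the answer mounts it at /mnt).

# restore_dropin ROOT
#   ROOT: mount point of the rescued volume.
#   Returns 0 on success, 1 if the saved file is missing or cannot be
#   staged, 2 if the saved file fails the syntax check.
restore_dropin() {
    dir="$1/etc/sudoers.d"
    saved="$dir/cloud-init.rpmsave"   # path reported in the yum update log
    target="$dir/cloud-init"
    # SUDOERS_CHECK is a hypothetical override for hosts without visudo;
    # by default the file is parsed with `visudo -c -f FILE`.
    check=${SUDOERS_CHECK:-visudo -cf}

    [ -f "$saved" ] || { echo "missing: $saved" >&2; return 1; }

    # Stage next to the target so the final rename is atomic. The temp and
    # backup names contain a '.', so sudo ignores them if left behind.
    tmp=$(mktemp "$dir/cloud-init.XXXXXX") || return 1
    cp "$saved" "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }

    # Refuse to install a file sudo cannot parse.
    if ! $check "$tmp" >/dev/null 2>&1; then
        echo "syntax check failed: $saved" >&2
        rm -f "$tmp"
        return 2
    fi

    # Drop-ins must be owned by root; only root can set that.
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$tmp"; fi

    # Keep whatever is currently at the target path, for later comparison.
    if [ -f "$target" ]; then cp -p "$target" "$target.pre-restore"; fi
    mv -f "$tmp" "$target"
}

# Stand-alone use: sh restore.sh /mnt
if [ "$#" -gt 0 ]; then restore_dropin "$1"; fi
```

Comparing `cloud-init.pre-restore` with the restored file afterwards shows what the update changed.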