Troubleshooting Sudo

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

I happen to much prefer Ubuntu and Mac OS X's sudo model to the root/user one that's typical of most Linux distributions. You can read all about why Ubuntu uses sudo and all the pros and cons of that model at help.ubuntu.com/community/RootSudo.

The one thing I don't like about sudo is how fragile it is. If you don't know what you're doing (especially at the command-line), sometimes sudo can get broken. It doesn't happen very often, but it does happen. That's what this page is for.

If your sudo is "broken," meaning that you can't use the sudo command to temporarily gain administrative privileges, there are two files you should be aware of:

/etc/sudoers and /etc/group

The /etc/sudoers file should look the same for every Ubuntu user who hasn't fiddled with it:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults

Defaults !lecture,tty_tickets,!fqdn

# User privilege specification
root ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

It basically says that root can run any command, and that anyone in the admin group (the people who can sudo) can run any command through sudo after entering their password.

Now, the /etc/group file will look different for every Ubuntu installation. It specifies which groups each user belongs to. An example of how it might look is here:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:firstuser
tty:x:5:
disk:x:6:
lp:x:7:cupsys
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:firstuser,cupsys
fax:x:21:
voice:x:22:
cdrom:x:24:firstuser,haldaemon
floppy:x:25:firstuser,haldaemon
tape:x:26:
sudo:x:27:
audio:x:29:firstuser
dip:x:30:firstuser
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:firstuser
sasl:x:45:
plugdev:x:46:firstuser,haldaemon
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
dhcp:x:101:
syslog:x:102:
klog:x:103:
firstuser:x:1000:
lpadmin:x:104:firstuser
scanner:x:105:firstuser,cupsys
admin:x:106:firstuser
crontab:x:107:
ssh:x:108:
messagebus:x:109:
haldaemon:x:110:
slocate:x:111:

For troubleshooting purposes, the most important line in the /etc/group file is the admin line (admin:x:106:firstuser in the example above), which specifies who is in the admin group, and hence who has sudo privileges. Substitute your actual username for firstuser, of course.

Now, this raises the question, "How can I edit the /etc/group file if I don't have sudo permissions?"

The answer is something called recovery mode.

You know when you boot up, you get several options for how you want to boot up? There's usually a kernel, recovery mode, and memtest at the very least.

After you boot into recovery mode, you should be logged in as root. Or, if you set a root password in your installation, you'll be prompted for your root password. Either way--password or not--you'll end up logged in as root.


Once you're there, before you make any changes, it's a good idea to make backup copies of your two corrupt files. Sure, they're incorrect, but they're better than nothing, especially if you accidentally delete the contents of the original files. To back them up, type:

cp /etc/group /etc/group.old
cp /etc/sudoers /etc/sudoers.old

Then, to edit the files, use these commands:

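visudo

This command edits the /etc/sudoers file. You are already root in recovery mode, so it needs no sudo in front of it, and a broken sudo would refuse to run anyway. visudo also checks the file's syntax before saving it.

nano /etc/group

This command edits the /etc/group file.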


To save in nano, you press Control-X (exit), Y (confirm saving), and Enter (accept the file name).

If you don't want to bother editing the /etc/group file, you can also issue this command:

adduser username admin

That one command will add user username to the admin group so that user can sudo.

If you are trying to fix the error where it says /etc/sudoers is mode _____, should be 0440, then you'll want to type:

chmod 0440 /etc/sudoers

When you're done, reboot, and you should be able to sudo again.
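Before rebooting, the conditions this page repairs can be checked from the same root shell. The script below is an added example, not part of the original tutorial; its function names are invented for this sketch, and the sample files it can generate are constructed, not real system data.

```shell
#!/bin/sh
# Added example: checks for the conditions this page repairs. Function names
# are invented for this sketch; run it as root from the recovery shell.

# Succeed if user $1 is a member of group $2 in group file $3. Members are the
# 4th colon-separated field; match whole names so "first" != "firstuser".
user_in_group() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$3" | tr ',' '\n' | grep -qxF -- "$1"
}

# Print the octal permission bits of $1, e.g. 440 (GNU stat, as on Ubuntu).
file_mode() {
    stat -c '%a' "$1"
}

# Succeed if visudo's check-only mode accepts the syntax of sudoers file $1.
# Kept separate so that check_sudo works even where visudo is not installed.
sudoers_syntax_ok() {
    visudo -c -q -f "$1"
}

# Print one line per problem found; return 0 only if none were found.
# Usage: check_sudo USER [SUDOERS_FILE] [GROUP_FILE]
check_sudo() {
    user=$1 sudoers=${2:-/etc/sudoers} grpfile=${3:-/etc/group} rc=0
    mode=$(file_mode "$sudoers")
    if [ "$mode" != 440 ]; then
        echo "$sudoers is mode 0$mode, should be 0440: chmod 0440 $sudoers"; rc=1
    fi
    if ! grep -Eq '^%admin[[:space:]]+ALL' "$sudoers"; then
        echo "$sudoers has no %admin rule: restore it with visudo"; rc=1
    fi
    if ! user_in_group "$user" admin "$grpfile"; then
        echo "$user is not in the admin group: adduser $user admin"; rc=1
    fi
    return $rc
}

# Write constructed sample files (not real system data) into directory $1.
make_sample() {
    printf '%s\n' 'root:x:0:' 'adm:x:4:firstuser' 'admin:x:106:firstuser' > "$1/group"
    printf '%s\n' 'root ALL=(ALL) ALL' '%admin ALL=(ALL) ALL' > "$1/sudoers"
    chmod 0440 "$1/sudoers"
}

# With arguments, check the real files: sh check.sh firstuser
if [ "$#" -gt 0 ]; then check_sudo "$@"; fi
```

No output from check_sudo means the mode, the %admin rule and the group membership are all in place; run sudoers_syntax_ok /etc/sudoers as well if the file was edited by hand.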

If you have suggestions or corrections for these tutorials, please post in this Ubuntu Forums thread or leave a comment on my blog.

I will not give help to people posting in the above places. If you require technical support, start a support thread on the Ubuntu Forums. That is the appropriate place to ask for help.