ec2-user on Amazon Linux 2

Saturday 29 October 2022

ec2-user on Amazon Linux 2

I'm running an EC2 instance based on Amazon Linux 2 AMI:

$ cat /etc/os-release

NAME="Amazon Linux"

VERSION="2"

ID="amzn"

ID_LIKE="centos rhel fedora"

VERSION_ID="2"

PRETTY_NAME="Amazon Linux 2"

ANSI_COLOR="0;33"

CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"

HOME_URL="https://amazonlinux.com/"

SSH connection is created for ec2-user:

$ whoami

ec2-user

This user can perform a sudo command and I wanted to learn why. Let's check sudoers:

$ sudo cat /etc/sudoers

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

## Examples are provided at the bottom of the file for collections

## of related commands, which can then be delegated out to particular

## users or groups.

## This file must be edited with the 'visudo' command.

## Host Aliases

## Groups of machines. You may prefer to use hostnames (perhaps using

## wildcards for entire domains) or IP addresses instead.

# Host_Alias FILESERVERS = fs1, fs2

# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases

## These aren't often necessary, as you can use regular groups

## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

## rather than USERALIAS

# User_Alias ADMINS = jsmith, mikem

## Command Aliases

## These are groups of related commands...

## Networking

# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software

# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services

# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database

# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage

# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions

# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes

# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers

# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

# Refuse to run if unable to disable echo on the tty.

Defaults !visiblepw

# Preserving HOME has security implications since many programs

# use it when searching for configuration files. Note that HOME

# is already set when the the env_reset option is enabled, so

# this option is only effective for configurations where either

# env_reset is disabled or HOME is present in the env_keep list.

Defaults always_set_home

Defaults match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not

# found in the system group database were passed to the group

# plugin, if any. Starting with 1.8.15, only groups of the form

# %:group are resolved via the group plugin by default.

# We enable always_query_group_plugin to restore old behavior.

# Disable this option for new behavior.

Defaults always_query_group_plugin

Defaults env_reset

Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"

Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

# Adding HOME to env_keep may enable a user to run unrestricted

# commands via sudo.

# Defaults env_keep += "HOME"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on

## which machines (the sudoers file can be shared between multiple

## systems).

## Syntax:

## user MACHINE=COMMANDS

## The COMMANDS section may have other options added to it.

## Allow root to run any commands anywhere

root ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software,

## service management apps and more.

# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands

%wheel ALL=(ALL) ALL

## Same thing without a password

# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the

## cdrom as root

# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system

# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

#includedir /etc/sudoers.d

Let's check what's in this included directory:

$ sudo ls /etc/sudoers.d/

90-cloud-init-users

$ sudo cat /etc/sudoers.d/90-cloud-init-users

# Created by cloud-init v. 19.3-45.amzn2 on Sun, 23 Oct 2022 10:28:25 +0000

# User rules for ec2-user

ec2-user ALL=(ALL) NOPASSWD:ALL

The last line means the following: ec2-user on any host can run any command as any user.

Syntax: User <space> OnHost = (Runas-User:Group) <space> Commands
“who where = (as_whom) what”.

Example: root ALL = (ALL:ALL) ALL

If we have some other user that we want to perform some command (e.g. restart NGINX service) that requires root rights we'd need to have in sudoers file a line like this:

my_user ALL = (root) NOPASSWD: systemctl restart nginx

---

IMPORTANT: Don't use just any editor (vi, vim, nano, ...) to edit sudoers file. If changes contain syntax or formatting errors and they get saved, the next time sudo command is executed, it would fail with message similar to:

$ sudo cat /etc/sudoers.d/90-cloud-init-users
>>> /etc/sudoers.d/90-cloud-init-users: syntax error near line 11 <<<
sudo: parse error in /etc/sudoers.d/90-cloud-init-users near line 11
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

(If this happens on EC2 instance you need to terminate (not just stop it!) and launch a new instance, with fresh, new, EBS volume.)

Always use visudo to edit sudoers file. visudo needs to be run with root privileges otherwise the permissions error is issued:

$ visudo
visudo: /etc/sudoers: Permission denied

To open non-default sudoers file use -f option:

$ sudo visudo -f /etc/sudoers.d/90-cloud-init-users

If we try to save invalid content, visudo will give us 3 options (press ENTER after What now? to see them):

$ sudo visudo -f /etc/sudoers.d/90-cloud-init-users
>>> /etc/sudoers.d/90-cloud-init-users: syntax error near line 9 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)

What now? e

---