Permissions Troubleshooting

Review the following information to resolve permission problems in an Oracle Linux instance on Oracle Cloud Infrastructure.

Sudo to Root User Fails with "sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit" Error

After you connect to an Oracle Linux instance as the opc user and try to switch to the root user, the following error is displayed:

[opc@<oracle-linux-instance-name> ~]$ sudo su -

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

This issue occurs when a user or process has changed the ownership or permissions of the sudo binary. sudo refuses to start unless /usr/bin/sudo is owned by root (uid 0) and has the setuid bit set, so none of the commands in the package can be run until the ownership and permissions are restored.

To fix this issue, you must reset the user and group ownership and permissions of files within the sudo package to their original values as defined in the RPM database.

Direct SSH logins as the root user are disabled by default on Oracle Cloud Infrastructure instances for security reasons. However, if root SSH access is explicitly enabled on the instance, or you have set the root password and can use su to access the root account directly, you can fix the issue on the instance itself. Otherwise, you must recover the boot volume from a rescue instance.

If root SSH is enabled or you have the root password:

  1. SSH to the instance as the root user, or use the su command to gain root privileges.
  2. Reset the ownership:
    rpm --setugids sudo
  3. Reset the permissions:
    rpm --setperms sudo
  4. Verify the permissions:
    ls -l /usr/bin/*sudo*
    The output shows root ownership and the setuid bit on sudo, for example:
    -rwsr-xr-x. 1 root root 151424 ... /usr/bin/sudo
  5. Exit the root session.
  6. Use the sudo command to switch to the root user to verify that the issue is resolved:
    sudo -s

If root SSH access is disabled and you don't have the root password:

Because the sudo binary is unusable, you can't run these commands directly from the instance as the opc user. Use the following procedure to recover access using a rescue instance:

  1. In the Console, open the navigation menu and select Compute. Under Compute, select Instances. Select the instance that you need to recover, and stop it.
  2. Detach the boot volume from the instance. Under Storage, select the boot volume. From the menu, select Copy Resource ID and note the resource ID for use later. From the menu, select Detach Boot Volume and confirm that you want to detach the boot volume.
  3. Create a rescue instance with an Oracle Linux OS platform image, with the smallest available shape, in the same availability domain and compartment as the affected instance.
  4. Attach the detached boot volume to the rescue instance:
    1. In the rescue instance details, under Storage, under Attached Block Volumes, select Attach Block Volume.
    2. Select Enter volume OCID, and provide the boot volume resource ID that you copied earlier.
    3. Select the Read/Write access type.
    4. Add the volume and note the device path.
  5. Connect to the rescue instance as the opc user.
  6. Switch to root:
    sudo -s
  7. Identify the device of the attached block volume:
    lsblk
    or
    fdisk -l
    The device matches the device path that you noted when you added the block volume.
  8. Create a mount point and mount the root partition, for example:
    mkdir /mnt/recovery
    mount /dev/sdb1 /mnt/recovery
  9. Bind mount system directories:
    for dir in /dev /proc /sys /run; do mount --bind $dir /mnt/recovery$dir; done
  10. Chroot into the mounted file system:
    chroot /mnt/recovery
  11. Reset the ownership:
    rpm --setugids sudo
  12. Reset the permissions:
    rpm --setperms sudo
  13. Exit the chroot:
    exit
  14. Unmount the filesystems:
    for dir in /dev /proc /sys /run; do umount /mnt/recovery$dir; done
    umount /mnt/recovery
  15. Exit root on the rescue instance:
    exit
  16. Stop the rescue instance.
  17. Detach the boot volume from the rescue instance.
  18. Reattach the boot volume to the original instance as the boot volume.
  19. Start the original instance and connect as the opc user.
  20. Use the sudo command to switch to the root user to verify that the issue is resolved:
    sudo -s
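The following script is an added example, not part of the Oracle documentation, that covers both procedures above: it checks whether a sudo binary carries the ownership and mode the sudo package expects (root:root with the setuid bit and owner-execute bit, shown by ls -l as -rwsr-xr-x), and wraps the rpm --setugids / rpm --setperms reset so that it can be run either on the affected instance as root or against a boot volume mounted on a rescue instance (the bind mounts and chroot from steps 9 through 14). The function names, the /mnt/recovery default, and the stat -c format (GNU coreutils, which Oracle Linux ships) are assumptions of this example; the rpm and mount commands are the ones from the procedures.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation). Checks and repairs the
# ownership and permissions of the sudo binary as described in the procedures above.

# Return 0 when owner, group and octal mode describe a usable sudo binary:
# owned by root:root, setuid bit set, owner-execute bit set.
# Arguments: owner group mode (mode as printed by `stat -c %a`, e.g. 4755 or 755)
sudo_perms_ok() {
    owner=$1; group=$2; mode=${3#0}            # tolerate a leading zero such as 04755
    [ "$owner" = root ] && [ "$group" = root ] || return 1
    case "$mode" in
        ????) special=${mode%???}; last3=${mode#?} ;;   # first digit: setuid(4)/setgid(2)/sticky(1)
        ???)  special=0;           last3=$mode ;;       # three digits: no special bits at all
        *)    return 1 ;;
    esac
    user=${last3%??}                            # owner permission digit
    [ $(( special & 4 )) -ne 0 ] || return 1    # setuid bit must be present
    [ $(( user & 1 )) -ne 0 ] || return 1       # owner execute bit must be present
    return 0
}

# Same decision taken from one line of `ls -l` output, e.g. the verification
# line in step 4 of the first procedure.
ls_line_ok() {
    # shellcheck disable=SC2086
    set -- $1                                   # split the line into fields
    perm=$1; owner=$3; group=$4
    [ "$owner" = root ] && [ "$group" = root ] || return 1
    case "$perm" in
        -??s*) return 0 ;;   # lowercase 's' in the owner-execute slot = setuid AND execute
        *)     return 1 ;;   # 'x' (no setuid) or 'S' (setuid without execute) both break sudo
    esac
}

# Check a live binary (assumed path /usr/bin/sudo); needs GNU stat.
check_sudo_binary() {
    path=${1:-/usr/bin/sudo}
    # shellcheck disable=SC2046
    sudo_perms_ok $(stat -c '%U %G %a' "$path")
}

# Run the package-database reset from the procedures. With "/" (the default)
# it acts on the running system; with a mount point such as /mnt/recovery it
# bind-mounts the pseudo file systems, chroots, resets, and cleans up again.
repair_sudo() {
    root=${1:-/}
    if [ "$root" = / ]; then
        rpm --setugids sudo && rpm --setperms sudo
        return $?
    fi
    for d in /dev /proc /sys /run; do mount --bind "$d" "$root$d"; done
    chroot "$root" /bin/sh -c 'rpm --setugids sudo && rpm --setperms sudo'
    status=$?
    for d in /run /sys /proc /dev; do umount "$root$d"; done   # reverse order of mounting
    return $status
}

# Usage: sh sudo-recovery.sh check | repair [MOUNTPOINT]
case "${1:-}" in
    check)  check_sudo_binary && echo "sudo ownership and permissions look correct" ;;
    repair) repair_sudo "${2:-/}" ;;
esac
```

On the affected instance, `sh sudo-recovery.sh check` reports whether the binary matches what step 4 expects; `sh sudo-recovery.sh repair /mnt/recovery`, run as root on the rescue instance after step 8, performs steps 9 through 14 in one go and leaves the mount point ready for `umount /mnt/recovery`.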