/etc/sudoers file corrupted and I can't run 'pkexec visudo' over SSH

Question

Following the instruction here I get:

pkexec visudo

==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/usr/sbin/visudo' as the super user
Authenticating as: Thomas,,, (tuc) Password:  polkit-agent-helper-1:
error response to PolicyKit daemon:
GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for
cookie
==== AUTHENTICATION FAILED === 
Error executing command as another user: Not authorized

This incident has been reported.

I am doing this via ssh since the box I am doing this on is used as a music server with no screen and is rather inaccessible. This happened when I upgraded from Ubuntu 14.04 to 16.04. I tried to copy a sudoers file from another recent 16.04 installation, but I can't do that because of the sudoers file:

sudo mv ~/gyrf sudoers

>> /etc/sudoers: syntax error near line 36 <<<
>> /etc/sudoers: syntax error near line 37 <<<
>> /etc/sudoers: syntax error near line 38 <<<
>> /etc/sudoers: syntax error near line 39 <<<
>> /etc/sudoers: syntax error near line 40 <<<
>> /etc/sudoers: syntax error near line 41 <<<
>> /etc/sudoers: syntax error near line 42 <<<
>> /etc/sudoers: syntax error near line 43 <<<
>> /etc/sudoers: syntax error near line 44 <<<
>> /etc/sudoers: syntax error near line 45 <<<
>> /etc/sudoers: syntax error near line 46 <<<
>> /etc/sudoers: syntax error near line 47 <<<
>> /etc/sudoers: syntax error near line 48 <<<
>> /etc/sudoers: syntax error near line 49 <<< 
sudo: parse error in /etc/sudoers near line 36    
sudo: no valid sudoers sources found, quitting sudo: unable to initialize policy plugin

Should I go get the box from the attic and try pkexec visudo or is something else wrong here?

AFAIK pkexec only allows this for a local user (not an SSH remote user) - so yes it should work from the attic — steeldriver, Jul 17 '16 at 11:29
Either get the box, or get the drive, mount it in another computer and edit sudoers to suit. Depends on whats easiest. — vidarlo, Jun 19 '18 at 23:27

score 84 · Answer 1 · edited Jun 12 '20 at 14:37

84

I ran into this problem also and with some digging, found a working solution. The original solution is from this github issue for NixOS by EstalillaJ.

Open two ssh sessions to the target server.
In the first session, get the PID of bash by running:

echo $$
In the second session, start the authentication agent with:

pkttyagent --process (pid from step 2)
Back in the first session, run:

pkexec visudo
In the second session, you will get the password prompt. visudo will start in the first session.

edited Jun 12 '20 at 14:37

Community

1

answered Jul 09 '18 at 18:41

Satyen A.

941

14

Holy shit dude, u saved my life! thx :D – Roger Barretto Jul 31 '18 at 22:01
3

that is crazy, it works perfect! and no need to reboot the system – undefinedman Oct 16 '18 at 18:02
what if iam using non sudo user – sachin_ur Nov 08 '19 at 06:11
In the second session, can't you enter simply pkttyagent --process $$ instead of copying the process ID from the first session? – Tsundoku Nov 15 '19 at 12:55
2

Saved my a** from rebooting a server into recovery, cheers a lot! – SergeantSerk Nov 28 '19 at 00:45
1

That is just remarkable dude! Wish I could favorite answers too! – Adrian Feb 21 '20 at 22:34
4

I didn't understand why it worked, but it worked. – FarO Mar 02 '20 at 16:28
Man, I wish I'd found this answer before we took the server down to fix a bad sudoer file. – Jeffrey Van Alstine Sep 08 '20 at 20:24
2

This is a brilliant fix for those who screwed up sudoers file like me. Would be great if someone can explain it. It's great to know about PolicyKit. Thank you. – Long Apr 20 '21 at 04:32
3

I'm super glad this is helping you all out. I was just as thrilled when I found that original answer! @Long, from my understanding pkexec is similar to sudo in allowing you to escalate to root permissions. Depending on the implementation it will look for a different group on the user (wheel, sudo, etc). Since the sudoers file is corrupt, sudo cannot check if the user has permissions to escalate privs. I think the two SSH sessions is just a quirk of how pkexec was designed. I mainly see it on Desktop Environments as the password prompt – Satyen A. Jul 16 '21 at 06:48
I had given up finding a solution after I could not reboot, nor had physical access, neither succeeded with pkexec. But this worked out. Thanks a lot! (Ubuntu 16.04) – pedrovgp Aug 27 '21 at 21:06

PDD · Answer 2 · 2020-09-05T18:02:42.593

6

My answer based on Satyen's

It was tested on Debian 10.4 WITHOUT ability to run visudo

Open two ssh sessions to the target server.
In the first session, get the PID of bash by running:

echo $$
In the second session, start the authentication agent with:

pkttyagent --process (pid from step 2)
Back in the first session, run:

pkexec su
In the second session, you will get the password prompt. su will start in the first session.
Edit /etc/sudoers by (CTRL+S to save edits, CTRL+X to exit)

nano /etc/sudoers

edited Sep 05 '20 at 18:02

answered Sep 04 '20 at 06:06

PDD

75

Thanks a ton!! you have saved me huge huge effort!! – Siddharth Kumar Nov 11 '24 at 11:37

/etc/sudoers file corrupted and I can't run 'pkexec visudo' over SSH

2 Answers2

Linked