
sudoers syntax error, locked out of sudo

One bad line in sudoers and sudo stops working entirely: it refuses to run with a file it cannot parse, so every `sudo` invocation fails, including the one you would use to fix it. The fix is twofold: never edit sudoers directly (use `visudo`, which refuses to save a file that won't parse), and when granting access, give each role the exact command it needs rather than a broad rule pasted in quickly and easy to get wrong.

What it means

sudo parses /etc/sudoers, and through its includedir directive every drop-in in /etc/sudoers.d, on every invocation. A malformed rule, a bad alias, or an unescaped character makes the parse fail, and sudo fails closed: it reports the parse error and grants nothing. Because the break disables the tool you'd normally use to fix it, recovery means reaching root another way.

Most common causes

  • Edited sudoers without visudo. Saving a file with a typo'd rule leaves sudo unable to parse it. visudo validates syntax before it lets you save, which is exactly what prevents this.
  • Bad drop-in in /etc/sudoers.d. A broken file in sudoers.d breaks all of sudo, not just that rule. Validate drop-ins with `visudo -cf <file>`. The opposite failure is silent: sudoers(5) skips drop-ins whose name contains a `.` or ends in `~`, so a file called `10-deploy.conf` parses fine and never takes effect.
  • Over-broad rule pasted in to 'just make it work'. Granting `ALL` or a whole binary (bare `systemctl`) instead of one command is both a security hole and easy to get subtly wrong. Scope to the single command.

How to fix it

  1. Recover root another way: an existing root shell, `su -` if root has a password, `pkexec` where polkit grants your user admin rights, or a recovery/single-user boot. A broken parse affects every account, so another sudo user cannot help.
  2. Validate the file: `visudo -c` (and `visudo -cf /etc/sudoers.d/<file>` for drop-ins).
  3. Fix the offending line with `visudo` (or `visudo -f /etc/sudoers.d/<file>` for a drop-in), which refuses to save a file that still fails to parse.
  4. Scope each grant to the exact command the role needs, not `ALL` or a whole binary.
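The steps above, as a small shell script added here as an example (it is not part of the original page): it composes a rule scoped to one command, rejects drop-in names that sudoers(5) would silently skip, validates the candidate in a temp file with `visudo -cf`, and only then installs it with the root-owned 0440 mode sudo expects. The group `%deploy`, the unit `app.service` and the `SUDOERS_D` override are assumptions for illustration.

```shell
#!/bin/sh
# Added example: validate a sudoers drop-in before it can break sudo.
# Assumptions (not from the page): group "%deploy", unit app.service,
# and SUDOERS_D overridable so the logic can be exercised outside /etc.
set -e

SUDOERS_D=${SUDOERS_D:-/etc/sudoers.d}

# sudoers(5): files in the includedir whose names contain '.' or end in '~'
# are silently skipped, so "10-deploy.conf" never takes effect. Reject those
# (and paths) up front instead of wondering why the rule does nothing.
dropin_name_ok() {
    case "$1" in
        ''|*/*|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# Build one rule granting exactly one command to a user or %group.
# Fixed arguments pin the invocation (sudoers matches them literally);
# with no arguments listed, any arguments to that binary are allowed.
# This replaces the over-broad "%deploy ALL=(ALL) NOPASSWD: ALL".
# NOPASSWD is assumed here because the role is meant for automation.
scoped_rule() {
    who=$1; cmd=$2; shift 2
    if [ $# -gt 0 ]; then
        printf '%s ALL=(root) NOPASSWD: %s %s\n' "$who" "$cmd" "$*"
    else
        printf '%s ALL=(root) NOPASSWD: %s\n' "$who" "$cmd"
    fi
}

# Write the candidate to a temp file, let visudo parse it, and install it
# only if it parses. sudo expects drop-ins owned by root with mode 0440.
install_dropin() {
    name=$1; rules=$2
    dropin_name_ok "$name" || { echo "bad drop-in name: $name" >&2; return 2; }
    tmp=$(mktemp)
    printf '%s\n' "$rules" > "$tmp"
    if ! visudo -cf "$tmp"; then
        echo "refusing to install $name: it does not parse" >&2
        rm -f "$tmp"
        return 3
    fi
    install -m 0440 -o root -g root "$tmp" "$SUDOERS_D/$name"
    rm -f "$tmp"
    echo "installed $SUDOERS_D/$name"
}

# Usage: sh add-dropin.sh <name> <user-or-%group> </full/path/cmd> [args...]
# e.g.   sh add-dropin.sh deploy-restart %deploy /usr/bin/systemctl restart app.service
if [ $# -ge 3 ]; then
    name=$1; who=$2; shift 2
    install_dropin "$name" "$(scoped_rule "$who" "$@")"
fi
```

Run it as root. `visudo -cf` on the temp copy fails closed, so a typo never reaches /etc/sudoers.d, and the name check catches the quieter mistake where sudo keeps working but the new rule is ignored.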