/etc/sudoers.d/coreos-sudo-group is owned by uid 1000 should be 0

I’m seeing this problem on a newly built coreos live ISO (from stable branch) with an embedded IGN file where a user is added to the sudo group.

Seems to be related: /etc/sudoers is owned by uid 1000, should be 0 · Issue #1 · coreos/fedora-coreos-config · GitHub

If I chown root:root /etc/sudoers.d/coreos-sudo-group, it seems to work.

This IGN runs a simple script that asks users for some info, and then runs the installer. Unless I chown the sudoers file, sudo asks for a password (which works).

You need to sudo in order to do the actual install to disk:

  sudo coreos-installer install -n -i some.ign ${DEVICE}

It’s my understanding that sudo should not ask for a password since the sudoers file has this entry in it:

%sudo ALL=(ALL) NOPASSWD: ALL

Workaround is to add this to the live iso IGN:

storage:
  files:
    - path: /etc/sudoers.d/coreos-sudo-group
      user:
        name: root
      group:
        name: root
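The ownership problem reported in this post can be checked for on a booted system with a short script. This is an added example, not part of any post in the thread; the function name `audit_sudoers_dir` is hypothetical, GNU `stat` is assumed, and the output wording mirrors the message in the thread title.

```shell
#!/bin/sh
# Added example: list sudoers drop-ins whose owner or mode sudo would reject.
# Assumes GNU stat (coreutils). The function name is hypothetical.

# audit_sudoers_dir DIR [EXPECTED_UID]
# Prints one line per finding; returns 1 if anything was found, else 0.
audit_sudoers_dir() {
    dir=$1
    want_uid=${2:-0}          # sudo expects uid 0 unless built otherwise
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        uid=$(stat -c '%u' "$f")
        mode=$(stat -c '%a' "$f")
        # Owner check: the condition reported in the thread title.
        if [ "$uid" -ne "$want_uid" ]; then
            echo "$f is owned by uid $uid, should be $want_uid"
            bad=1
        fi
        # A last octal digit of 2, 3, 6 or 7 means the file is world-writable.
        case $mode in
            *[2367])
                echo "$f is world writable (mode $mode)"
                bad=1
                ;;
        esac
    done
    return "$bad"
}

# Run directly, e.g.:  sudo sh audit.sh /etc/sudoers.d
if [ "$#" -gt 0 ]; then
    audit_sudoers_dir "$@"
fi
```

Running it against `/etc/sudoers.d` needs root, because the directory is normally not readable by other users.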

This is not Fedora-like. Fedora uses the wheel group for superuser.

%wheel	ALL=(ALL)	NOPASSWD: ALL

I checked on a Workstation; however, it would be strange if FCO makes an exception?!

You’ll notice this is tagged as CoreOS.

Can you file an issue in the tracker with all those info? Thanks!


Just to make sure that I have understood you correctly: this happens on a custom live CD, where you have integrated an Ignition file, which is applied when the live CD is booted and then installs CoreOS on your system automatically? If my understanding is correct, you might want to look at your CD creation process.

Because I have not observed this in the official ISO fedora-coreos-42.20250410.3.2-live-iso.aarch64.iso, which I have used quite recently to install a server. And I have also not observed it in the installed system:

lars@laptop > ssh server
Fedora CoreOS 42.20250410.3.2
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/tag/coreos

Last login: Tue May 13 17:04:27 2025 from [IP redacted]
lars@server:~$ sudo ls -l /etc/sudoers.d/
[sudo] password for lars: 
total 4
-r--r-----. 1 root root 87 May  9 10:07 coreos-sudo-group
lars@bela-server:~$ 

Note that my Ignition file does not enable the core user (I disliked the NOPASSWD for that user) and instead creates a user lars.

Are you building fedora-coreos-42.20250410.3.2-live-iso.aarch64 from scratch?

If not, the “official ISO” has no bearing here.

See: /etc/sudoers.d/coreos-sudo-group is owned by uid 1000 should be 0 · Issue #1949 · coreos/fedora-coreos-tracker · GitHub

I am not, that’s why I wrote you might want to look at your ISO creation process. And the official ISO is relevant IMHO because if a behavior occurs in your custom ISO and not in the official one, it’s time to look at what the differences are between the two ISOs. Basic debugging.

How they build their ISO versus building a plain Jane recreation via coreos-assembler depending on the pull has been an ongoing frustration.

Simple debugging doesn’t apply in this case.

See above posted (possible) bug.

OK. I guess I cannot help you then.

Much appreciate you wanting to help.

Many thanks!