How does Amazon ec2-user get its sudo rights
It's in /etc/sudoers.d/cloud-init. I, too, delete it from my production systems as soon as I can.
It is included by virtue of the line
#includedir /etc/sudoers.d
in the /etc/sudoers file. Note that, as it says, that leading # isn't treated as a comment sign. On some of my servers, it's also in /etc/sudoers.d/90-cloud-init-users; it may be safest to userdel the ec2-user user.
Indeed, it is a file from /etc/sudoers.d/.
From the master sudoers file, the very last part:
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Specifically, the small bit which reads "# here does not mean a comment".
And then:
[root@webmaster ec2-user]# cd /etc/sudoers.d/
[root@webmaster sudoers.d]# ls -l
total 4
-r--r----- 1 root root 88 May 5 09:16 cloud-init
[root@webmaster sudoers.d]# grep ec2-user *
ec2-user ALL = NOPASSWD: ALL
# User rules for ec2-user
ec2-user ALL=(ALL) NOPASSWD:ALL
Voila.
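An added example, not part of either answer above: a small audit that follows the include directives from /etc/sudoers the way the answers describe and reports every passwordless, unrestricted rule it reaches. The function names and the `root` parameter are illustrative assumptions; it matches only the simple one-line rule form shown in the grep output (no aliases, command lists or continuation lines), also accepts the `@include` spelling used by newer sudo releases, and skips drop-in files whose names contain a `.` or end in `~`, as sudo does.

```python
import os
import re
import tempfile

INCLUDE = re.compile(r"^[#@](include(?:dir)?)\s+(\S+)")
# user host = [(runas)] NOPASSWD: ALL  -> passwordless, unrestricted sudo
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD\s*:\s*ALL\s*$")

def find_nopasswd_all(path="/etc/sudoers", root="", seen=None):
    """Return (file, line, grantee) for every NOPASSWD: ALL rule reachable from
    `path` via include directives. `root` (assumed helper parameter) is
    prefixed to paths so a copied or mounted tree can be audited."""
    seen = set() if seen is None else seen
    real, found = root + path, []
    if real in seen or not os.path.isfile(real):
        return found
    seen.add(real)
    with open(real, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate((l.strip() for l in fh), 1):
            inc = INCLUDE.match(line)
            if inc:  # "#includedir" is a directive, not a comment
                target = os.path.join(os.path.dirname(path), inc.group(2))
                if inc.group(1) == "include":
                    found += find_nopasswd_all(target, root, seen)
                elif os.path.isdir(root + target):
                    for name in sorted(os.listdir(root + target)):
                        # sudo ignores drop-ins named with a '.' or a trailing '~'
                        if "." not in name and not name.endswith("~"):
                            found += find_nopasswd_all(f"{target}/{name}", root, seen)
            elif not line.startswith("#") and (rule := RULE.match(line)):
                found.append((path, lineno, rule.group(1)))
    return found

def demo():
    """Audit a constructed tree mirroring the files shown on this page."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/etc/sudoers.d")
    files = {  # constructed sample content
        "/etc/sudoers": "root ALL=(ALL) ALL\n## Read drop-in files\n#includedir /etc/sudoers.d\n",
        "/etc/sudoers.d/cloud-init": "ec2-user ALL = NOPASSWD: ALL\n# User rules for ec2-user\nec2-user ALL=(ALL) NOPASSWD:ALL\n",
        "/etc/sudoers.d/old.bak": "olduser ALL=(ALL) NOPASSWD:ALL\n",  # skipped: '.' in name
    }
    for name, text in files.items():
        with open(root + name, "w") as fh:
            fh.write(text)
    return find_nopasswd_all(root=root)

if __name__ == "__main__":
    print(demo())
```

Run as root against the live system with `find_nopasswd_all()`, or pass `root=` to audit a mounted volume or an extracted image.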