After patching to Red Hat Enterprise Linux 7.6, sudo gives a permission denied error.


Environment

  • Red Hat Enterprise Linux (RHEL) 7.
  • Red Hat Enterprise Linux (RHEL) 8.
  • Red Hat Enterprise Linux (RHEL) 9.
  • sudo-1.8.23-1.el7 and later.

Issue

  • After upgrading a server to RHEL 7.6, running sudo su - returns the following error even though a sudo rule exists for the user:

      sudo: PAM account management error: Permission denied
    

Resolution

Add sudo to the list of services allowed by your access control rules, and make sure users do not have an expired password, even when SSH keys are used for the login.

  1. For example, if sudo rules are enforced from the local /etc/sudoers file, adding the following line to /etc/security/access.conf (the rule file read by pam_access) allows users to run sudo or log in from a local session such as the console:

     + : ALL : LOCAL
    
  2. In an IPA/Identity Management environment, if sudo fails for IPA or trusted-AD users on IPA clients, add the sudo service to the relevant HBAC rules in IPA. To test and verify, run the IPA HBAC test command:

     # ipa hbactest --user=username --host=hostname --service=sudo
    
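As an added example (not part of the Red Hat solution), the POSIX shell script below emulates pam_access's first-match evaluation of /etc/security/access.conf for one user and origin. sudo hands PAM the calling tty as the origin, which pam_access treats as LOCAL, so checking "user LOCAL" against the file shows whether the account stack that sudo now runs would refuse the user before you edit the live file. The function names, the constructed rule files and the simplifications are this example's own: only ALL, literal user names and "(group)" tokens are matched; EXCEPT, bare group names and network/netmask origins are not modelled. Password expiry is a separate check (chage -l username).

```sh
#!/bin/sh
# Added example, not part of the Red Hat solution: emulate pam_access's
# first-match evaluation of /etc/security/access.conf for one user and
# origin.  sudo presents the calling tty as its origin, which pam_access
# classifies as LOCAL, so "<user> LOCAL" is the case that matters here.
#
# Simplifications (assumptions of this example): only ALL, literal user
# names and "(group)" tokens are matched; EXCEPT, bare group names and
# network/netmask origins are not modelled.

# token_matches <field> <value> [group ...]
# Returns 0 if any space-separated token in the field covers the value.
token_matches() {
    field=$1 value=$2
    shift 2
    for tok in $field; do
        [ "$tok" = ALL ] && return 0
        [ "$tok" = "$value" ] && return 0
        case $tok in
            "("*")")
                # "(wheel)" style group token: compare with the caller's groups
                g=${tok#\(}; g=${g%\)}
                for mine in "$@"; do
                    [ "$mine" = "$g" ] && return 0
                done ;;
        esac
    done
    return 1
}

# access_conf_allows <file> <user> <origin> [group ...]
# Prints "allow" or "deny" and returns 0/1.  The first matching rule wins;
# when no rule matches, pam_access grants access, so the default is allow.
access_conf_allows() {
    file=$1 user=$2 origin=$3
    shift 3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                # drop comments
        case $line in *:*:*) ;; *) continue ;; esac     # skip blank/malformed lines
        perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d '[:space:]')
        users=$(printf '%s' "$line" | cut -d: -f2)
        origins=$(printf '%s' "$line" | cut -d: -f3)
        if token_matches "$users" "$user" "$@" && token_matches "$origins" "$origin"; then
            case $perm in
                +) echo allow; return 0 ;;
                -) echo deny;  return 1 ;;
            esac
        fi
    done < "$file"
    echo allow
    return 0
}

# Demo against a constructed access.conf: a file that ends in a deny-all
# rule refuses a LOCAL (sudo/console) session for ordinary users; adding
# "+ : ALL : LOCAL" before the deny-all line fixes it.  Run: sh script.sh demo
demo() {
    f=$(mktemp)
    printf '%s\n' '+ : root : ALL' '- : ALL : ALL' > "$f"
    echo "before: tuser LOCAL -> $(access_conf_allows "$f" tuser LOCAL)"
    printf '%s\n' '+ : root : ALL' '+ : ALL : LOCAL' '- : ALL : ALL' > "$f"
    echo "after:  tuser LOCAL -> $(access_conf_allows "$f" tuser LOCAL)"
    rm -f "$f"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Because rules are evaluated top to bottom, the "+ : ALL : LOCAL" line must appear before any "- : ALL : ALL" catch-all; placing it after the deny-all line has no effect, which the emulator makes visible without touching the real file.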

Root Cause

With sudo-1.8.23-1.el7 and later, sudo evaluates the PAM account stack and therefore enforces any account restrictions configured through PAM. This covers time- and host-based access control as well as password expiration.

The Red Hat Enterprise Linux 7.6 release notes give further details:

sudo now runs PAM stack even when no authentication is required

With this update, the sudo utility runs Pluggable Authentication Module (PAM) account management modules even when the NOPASSWD option is configured in the policy. This enables checking for restrictions imposed by PAM modules outside of the authentication phase. As a result, PAM modules, such as pam_time, now work properly in the described scenario.


Diagnostic Steps

  • When PAM restricts access to sudo, an error like the following appears in the /var/log/secure log:

      Nov  2 09:38:54 rhel76 sudo: pam_sss(sudo:account): Access denied for user tuser: 6 (Permission denied)
      Nov  2 09:38:54 rhel76 sudo: 0016066 : PAM account management error: Permission denied ; TTY=pts/0 ; PWD=/home/0016066 ; USER=root ; COMMAND=/bin/cat /etc/passwd
    
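As an added example (not part of the Red Hat solution), the script below reduces sudo account-phase failures in /var/log/secure-style lines to the PAM module that refused, the user and the attempted command. The module name points at the fix: pam_sss means an IPA HBAC rule, pam_access means access.conf, pam_unix means an expired password. The first two sample lines mirror the excerpt above; the pam_access, pam_unix and sshd lines are constructed wordings assumed for this example, not captured output, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the Red Hat solution: summarise sudo PAM
# account denials from /var/log/secure-style lines as module, user and
# command, so the failing module tells you where to look.

# Constructed sample in the format shown above.  The first two lines
# mirror the solution's excerpt; the pam_access, pam_unix and sshd lines
# are assumed wordings for this example, not captured output.
SAMPLE_SECURE_LOG=$(cat <<'EOF'
Nov  2 09:38:54 rhel76 sudo: pam_sss(sudo:account): Access denied for user tuser: 6 (Permission denied)
Nov  2 09:38:54 rhel76 sudo: 0016066 : PAM account management error: Permission denied ; TTY=pts/0 ; PWD=/home/0016066 ; USER=root ; COMMAND=/bin/cat /etc/passwd
Nov  2 09:40:01 rhel76 sudo: pam_access(sudo:account): access denied for user `tuser' from `pts/0'
Nov  2 09:41:12 rhel76 sudo: pam_unix(sudo:account): expired password for user bob (password aged)
Nov  2 09:41:12 rhel76 sshd[2231]: Accepted publickey for bob from 192.0.2.7 port 51234 ssh2
EOF
)

# sudo_pam_account_denials: read syslog lines on stdin and print one
# summary line per sudo account-phase denial.  The first expression
# handles the per-module message (pam_sss, pam_access, pam_unix, ...),
# the second the generic "PAM account management error" line that
# carries the target user and the command.
sudo_pam_account_denials() {
    sed -n \
        -e 's/^.* sudo: \(pam_[a-z_]*\)(sudo:account): .*[Uu]ser `*\([[:alnum:]_.@-]*\).*$/module=\1 user=\2/p' \
        -e 's/^.* sudo: *\([^ :]*\) *: PAM account management error: \([^;]*[^; ]\) *;.* USER=\([^ ]*\) ; COMMAND=\(.*\)$/user=\1 reason=\2 target=\3 command=\4/p'
}

# count_sudo_pam_denials: number of commands sudo refused in the account
# phase (one "PAM account management error" line per refused command).
count_sudo_pam_denials() {
    grep -c 'sudo: .*PAM account management error' || true
}

# Stand-alone run against the constructed sample; on a real host use
#   sudo_pam_account_denials < /var/log/secure
printf '%s\n' "$SAMPLE_SECURE_LOG" | sudo_pam_account_denials
printf '%s\n' "$SAMPLE_SECURE_LOG" | count_sudo_pam_denials
```

The per-module line is logged just before the generic "PAM account management error" line, so pairing them by timestamp and user tells you which of the three resolutions above applies; the sshd line is ignored because the filter keys on the "sudo:" program tag.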
