AWS greengrass high security documentation change
Summary
Added critical note about Ubuntu 25.10+ sudo incompatibility and workaround
Security assessment
Documents critical system failure (components won't start) due to Ubuntu's sudo change. Mitigation requires security-sensitive system modification (sudo implementation change) to preserve environment variable security context.
Diff
diff --git a/greengrass/v2/developerguide/greengrass-nucleus-component.md b/greengrass/v2/developerguide/greengrass-nucleus-component.md index 0e8b6b9b4..3f4d7e4f3 100644 --- a//greengrass/v2/developerguide/greengrass-nucleus-component.md +++ b//greengrass/v2/developerguide/greengrass-nucleus-component.md @@ -164,0 +165,9 @@ Linux +###### Important + +On Ubuntu 25.10 and later, the default `sudo` implementation does not support the `-E` (preserve environment) flag. Without this flag, the system does not forward environment variables to components that run as a different system user. As a result, those components fail to start. + +To resolve this issue, switch to the classic `sudo` implementation (`sudo.ws`). You must make this change because AWS IoT Greengrass uses the `-E` flag to pass environment variables to component processes. + + + sudo update-alternatives --set sudo /usr/bin/sudo.ws +