AWS Security ChangesHomeSearch

AWS greengrass high security documentation change

Service: greengrass · 2026-05-19 · Security-related high

File: greengrass/v2/developerguide/greengrass-nucleus-component.md

Summary

Added critical note about Ubuntu 25.10+ sudo incompatibility and workaround

Security assessment

Documents critical system failure (components won't start) due to Ubuntu's sudo change. Mitigation requires security-sensitive system modification (sudo implementation change) to preserve environment variable security context.

Diff

diff --git a/greengrass/v2/developerguide/greengrass-nucleus-component.md b/greengrass/v2/developerguide/greengrass-nucleus-component.md
index 0e8b6b9b4..3f4d7e4f3 100644
--- a//greengrass/v2/developerguide/greengrass-nucleus-component.md
+++ b//greengrass/v2/developerguide/greengrass-nucleus-component.md
@@ -164,0 +165,9 @@ Linux
+###### Important
+
+On Ubuntu 25.10 and later, the default `sudo` implementation does not support the `-E` (preserve environment) flag. Without this flag, the system does not forward environment variables to components that run as a different system user. As a result, those components fail to start.
+
+To resolve this issue, switch to the classic `sudo` implementation (`sudo.ws`). You must make this change because AWS IoT Greengrass uses the `-E` flag to pass environment variables to component processes.
+    
+    
+    sudo update-alternatives --set sudo /usr/bin/sudo.ws
+