How to Fix “Must not run with sudo” Error When Setting Up a GitHub Actions Self-Hosted Runner on Ubuntu



When setting up a self-hosted GitHub Actions runner on Ubuntu, you might encounter the frustrating error "Must not run with sudo". This occurs because GitHub Actions runners are designed with security best practices in mind, which include refusing to be configured with root privileges.

Running services as root poses significant security risks. GitHub enforces this restriction to:

  • Prevent accidental system-wide changes
  • Limit potential damage from malicious workflows
  • Follow the principle of least privilege

Here's the correct way to set up your runner:


# Create a dedicated user
# (keep it out of the sudo group: every workflow job runs as this account)
sudo adduser githubrunner

# Switch to the new user
su - githubrunner

# Download and configure the runner
mkdir actions-runner && cd actions-runner
curl -o actions-runner-linux-x64-2.311.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.311.0/actions-runner-linux-x64-2.311.0.tar.gz
tar xzf ./actions-runner-linux-x64-2.311.0.tar.gz
./config.sh --url https://github.com/yourorg/yourrepo --token YOURTOKEN

If you absolutely must run as root (not recommended), you can bypass the restriction temporarily:


# config.sh skips its root check when RUNNER_ALLOW_RUNASROOT is non-empty
export RUNNER_ALLOW_RUNASROOT="1"
./config.sh --url https://github.com/yourorg/yourrepo --token YOURTOKEN

Note that this should only be used for testing purposes in isolated environments.

For production environments, consider these security measures:

  • Create a dedicated system user with minimal privileges
  • Set up proper directory permissions
  • Use container-based isolation when possible
  • Regularly update your runner software

If you're still facing problems, check:


# Verify user permissions
id -u
whoami

# Check environment variables (RUNNER_ALLOW_RUNASROOT should not be set)
printenv | grep RUNNER

# Validate directory ownership
ls -la /path/to/runner

When setting up GitHub Actions self-hosted runners on Ubuntu servers, you might encounter the frustrating "Must not run with sudo" error during configuration. This is a security measure implemented by GitHub to prevent potential system vulnerabilities that could arise from running the runner service with root privileges.

Instead of using sudo or the root user, you should create a dedicated system user specifically for running GitHub Actions:

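# Create a new user for GitHub runner
# (--home is given explicitly because newer adduser releases give system users no home by default)
sudo adduser --system --group --home /home/githubrunner --shell /bin/bash githubrunner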

# Switch to the new user
sudo -u githubrunner -i

# Verify you're not root
whoami

Ensure your runner directory has the correct permissions:

# Assuming your runner is in /home/githubrunner/actions-runner
sudo chown -R githubrunner:githubrunner /home/githubrunner/actions-runner
# Remove access for other local users: this directory also holds the runner's credentials
sudo chmod -R o-rwx /home/githubrunner/actions-runner
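
The account and directory checks described above, gathered into one script. This is an added example, not code from the original page or from the runner project; the function names are hypothetical, `githubrunner` and `/home/githubrunner/actions-runner` are this page's example values, and the `sudo`/`admin` group names assume Ubuntu's default sudoers file.

```shell
#!/usr/bin/env bash
# Added example, not runner code: least-privilege audit for a runner account.
# Function names are hypothetical; group names assume Ubuntu's default sudoers.

# check_account UID GROUPS ALLOW_ROOT: prints findings, returns how many there were.
check_account() {
    local uid="$1" grps="$2" allow_root="$3" n=0
    if [ "$uid" -eq 0 ]; then
        echo "FAIL: runner account is root"; n=$((n + 1))
    fi
    case " $grps " in
        *" sudo "*|*" admin "*)
            echo "FAIL: runner account can sudo via group membership"; n=$((n + 1)) ;;
    esac
    if [ -n "$allow_root" ]; then
        echo "FAIL: RUNNER_ALLOW_RUNASROOT is set"; n=$((n + 1))
    fi
    return "$n"
}

# check_dir DIR OWNER: flags entries owned by someone else or readable by "other".
check_dir() {
    local dir="$1" owner="$2" n=0
    if [ -n "$(find "$dir" ! -user "$owner" -print 2>/dev/null | head -n 1)" ]; then
        echo "FAIL: entries under $dir not owned by $owner"; n=$((n + 1))
    fi
    # Symlinks always show mode 777, so they are skipped here.
    if [ -n "$(find "$dir" ! -type l -perm -0004 -print 2>/dev/null | head -n 1)" ]; then
        echo "FAIL: world-readable entries under $dir"; n=$((n + 1))
    fi
    return "$n"
}

# audit_runner USER DIR: gathers live values (including this shell's environment)
# and runs both checks; returns the total number of findings.
audit_runner() {
    local user="$1" dir="$2" rc=0
    id "$user" >/dev/null 2>&1 || { echo "FAIL: no such user $user"; return 1; }
    check_account "$(id -u "$user")" "$(id -Gn "$user")" "${RUNNER_ALLOW_RUNASROOT:-}" || rc=$?
    check_dir "$dir" "$user" || rc=$((rc + $?))
    if [ "$rc" -eq 0 ]; then echo "OK: $user and $dir pass"; fi
    return "$rc"
}

# Run only when asked: ./audit.sh audit githubrunner /home/githubrunner/actions-runner
if [ "${1:-}" = "audit" ]; then
    audit_runner "$2" "$3"
fi
```

Run it with sudo from an admin account so `find` can read the whole runner directory; a non-zero exit status is the number of findings.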

While possible, bypassing the sudo restriction is not advised for security reasons. If it is absolutely necessary, for testing purposes only:

# Temporary workaround: config.sh skips its root check when RUNNER_ALLOW_RUNASROOT is set,
# so the script does not need editing (commenting out only its `if` line would leave a dangling `fi`)
export RUNNER_ALLOW_RUNASROOT="1"

# Then run configuration normally
./config.sh --url https://github.com/your/repo --token YOURTOKEN

After successful configuration, install the service properly:

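# svc.sh must be run with sudo, from an admin account, inside the runner directory;
# the username argument makes the service itself run as githubrunner
sudo ./svc.sh install githubrunner
sudo ./svc.sh start

# Verify service status
sudo ./svc.sh status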

If you still face problems:

  • Check log files in the _diag directory
  • Verify network connectivity to GitHub
  • Ensure no leftover processes from previous attempts