VISUDO(8) | System Manager's Manual | VISUDO(8) |
visudo
— edit the
sudoers file
visudo |
[-chqsV ] [[-f ]
sudoers] |
visudo
edits the sudoers
file in a safe fashion, analogous to vipw(8).
visudo
locks the sudoers file
against multiple simultaneous edits, provides basic sanity checks, and
checks for parse errors. If the sudoers file is currently
being edited you will receive a message to try again later.
visudo
parses the
sudoers file after editing and will not save the changes
if there is a syntax error. Upon finding an error,
visudo
will print a message stating the line
number(s) where the error occurred and the user will receive the
“What now?” prompt. At this point the user may enter
‘e
’ to re-edit the
sudoers file, ‘x
’ to
exit without saving the changes, or
‘Q
’ to quit and save changes. The
‘Q
’ option should be used with extreme
caution because if visudo
believes there to be a
parse error, so will sudo
and no one will be able to
run sudo
again until the error is fixed. If
‘e
’ is typed to edit the
sudoers file after a parse error has been detected, the
cursor will be placed on the line where the error occurred (if the editor
supports this feature).
There are two sudoers settings that determine
which editor visudo
will run.
:
’) separated list of
editors allowed to be used with visudo
.
visudo
will choose the editor that matches the
user's SUDO_EDITOR
, VISUAL
or EDITOR
environment variable if possible, or the
first editor in the list that exists and is executable. Note that the
SUDO_EDITOR
, VISUAL
and
EDITOR
environment variables are not preserved by
default when the env_reset sudoers
option is enabled. The default editor path is
/usr/bin/editor which can be set at compile time
via the --with-editor
configure option.visudo
will use the value of the
SUDO_EDITOR
, VISUAL
or
EDITOR
environment variables before falling back
on the default editor list. Note that this may create a security hole as
it allows the user to run any arbitrary command as root without logging. A
safer alternative is to place a colon-separated list of editors in the
editor variable. visudo
will
then only use SUDO_EDITOR
,
VISUAL
or EDITOR
if they
match a value specified in editor. If the
env_reset flag is enabled, the
SUDO_EDITOR
, VISUAL
and/or
EDITOR
environment variables must be present in
the env_keep
list for the env_editor flag to function when
visudo
is invoked via
sudo
. The default value is
on, which
can be set at compile time via the
--with-env-editor
configure option.The options are as follows:
-c
,
--check
visudo
will also check the
file owner and mode. A message will be printed to the standard output
describing the status of sudoers unless the
-q
option was specified. If the check completes
successfully, visudo
will exit with a value of 0.
If an error is encountered, visudo
will exit with
a value of 1.-f
sudoers,
--file
=sudoers-f
option.-h
,
--help
-q
,
--quiet
-c
option.-s
,
--strict
visudo
will consider this a parse error. Note that
it is not possible to differentiate between an alias and a host name or
user name that consists solely of uppercase letters, digits, and the
underscore (‘_
’) character.-V
,
--version
visudo
and sudoers
grammar versions and exit.A sudoers file may be specified instead of the
default, /etc/sudoers. The lock file used is the
specified sudoers file with “.tmp” appended
to it. In check-only mode only,
‘-
’ may be used to indicate that
sudoers will be read from the standard input. Because the
policy is evaluated in its entirety, it is not sufficient to check an
individual sudoers include file for syntax errors.
visudo
versions 1.8.4 and higher support a
flexible debugging framework that is configured via
Debug
lines in the sudo.conf(5)
file.
Starting with sudo
1.8.12,
visudo
will also parse the arguments to the
sudoers plugin to override the default
sudoers path name, UID, GID and file mode. These
arguments, if present, should be listed after the path to the plugin (i.e.,
after sudoers.so). Multiple arguments may be
specified, separated by white space. For example:
Plugin sudoers_policy sudoers.so sudoers_mode=0400
The following arguments are supported:
For more information on configuring sudo.conf(5), please refer to its manual.
The following environment variables may be consulted depending on the value of the editor and env_editor sudoers settings:
SUDO_EDITOR
visudo
as the editor to useVISUAL
visudo
if
SUDO_EDITOR
is not setEDITOR
visudo
if neither
SUDO_EDITOR
nor VISUAL
is
setIn addition to reporting sudoers parse errors,
visudo
may produce the following messages:
sudoers
file busy, try again later.
/etc/sudoers.tmp:
Permission denied
visudo
as root.you do not
exist in the passwd database
Warning:
{User,Runas,Host,Cmnd}_Alias referenced but not defined
_
’) character. In the latter case,
you can ignore the warnings (sudo
will not
complain). The message is prefixed with the path name of the
sudoers file and the line number where the undefined
alias was used. In -s
(strict) mode these are
errors, not warnings.Warning:
unused {User,Runas,Host,Cmnd}_Alias
Warning:
cycle in {User,Runas,Host,Cmnd}_Alias
visudo
is run in -s
(strict) mode as sudo
will ignore cycles when
parsing the sudoers file.unknown
defaults entry "name"
Defaults
setting not recognized by
visudo
.Many people have worked on sudo
over the
years; this version consists of code written primarily by:
See the CONTRIBUTORS file in the sudo
distribution (https://www.sudo.ws/contributors.html) for an exhaustive list
of people who have contributed to sudo
.
There is no easy way to prevent a user from gaining a root shell
if the editor used by visudo
allows shell
escapes.
If you feel you have found a bug in
visudo
, please submit a bug report at
https://bugzilla.sudo.ws/
Limited free support is available via the sudo-users mailing list, see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives.
visudo
is provided “AS IS”
and any express or implied warranties, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose
are disclaimed. See the LICENSE file distributed with
sudo
or https://www.sudo.ws/license.html for
complete details.
December 24, 2018 | Sudo 1.8.27 |