MAN-J
Man PagesPricing
LoginGet Started
visudo(8)
Original
English • 272 lines
VISUDO(8)		    System Manager's Manual		     VISUDO(8)

NAME
       visudo - edit the sudoers file

SYNOPSIS
       visudo [-chIOPqsV] [[-f] sudoers]

DESCRIPTION
       visudo edits the sudoers file in a safe fashion, analogous to vipw(8).
       visudo locks the sudoers file against multiple simultaneous edits,
       performs basic validity checks, and checks for syntax errors before
       installing the edited file.  If the sudoers file is currently being
       edited you will receive a message to try again later.

       If the sudoers file does not exist, it will be created unless the
       editor exits without writing to the file.

       visudo parses the sudoers file after editing and will not save the
       changes if there is a syntax error.  Upon finding an error, visudo will
       print a message stating the line number(s) where the error occurred and
       the user will receive the “What now?” prompt.  At this point the user
       may enter ‘e’ to re-edit the sudoers file, ‘x’ to exit without saving
       the changes, or ‘Q’ to quit and save changes.  The ‘Q’ option should be
       used with extreme caution because if visudo believes there to be a
       syntax error, so will sudo.  If ‘e’ is typed to edit the sudoers file
       after a syntax error has been detected, the cursor will be placed on
       the line where the error occurred (if the editor supports this
       feature).

       There are two sudoers settings that determine which editor visudo will
       run.

       editor	   A colon (‘:’) separated list of editors allowed to be used
		   with visudo.	 visudo will choose the editor that matches
		   the user's SUDO_EDITOR, VISUAL, or EDITOR environment
		   variable if possible, or the first editor in the list that
		   exists and is executable.  sudo does not preserve the
		   SUDO_EDITOR, VISUAL, or EDITOR environment variables unless
		   they are present in the env_keep list or the env_reset
		   option is disabled in the sudoers file.  The default editor
		   path is  which can be set at compile time via the --with-
		   editor configure option.

       env_editor  If set, visudo will use the value of the SUDO_EDITOR,
		   VISUAL, or EDITOR environment variables before falling back
		   on the default editor list.	visudo is typically run as
		   root so this option may allow a user with visudo privileges
		   to run arbitrary commands as root without logging.  An
		   alternative is to place a colon-separated list of “safe”
		   editors in the editor variable.  visudo will then only use
		   SUDO_EDITOR, VISUAL, or EDITOR if they match a value
		   specified in editor.	 If the env_reset flag is enabled, the
		   SUDO_EDITOR, VISUAL, and/or EDITOR environment variables
		   must be present in the env_keep list for the env_editor
		   flag to function when visudo is invoked via sudo.  The
		   default value is on, which can be set at compile time via
		   the --with-env-editor configure option.

       The options are as follows:

       -c, --check
	       Enable check-only mode.	The existing sudoers file (and any
	       other files it includes) will be checked for syntax errors.  If
	       the path to the sudoers file was not specified, visudo will
	       also check the file ownership and permissions (see the -O and
	       -P options).  A message will be printed to the standard output
	       describing the status of sudoers unless the -q option was
	       specified.  If the check completes successfully, visudo will
	       exit with a value of 0.	If an error is encountered, visudo
	       will exit with a value of 1.

       -f sudoers, --file=sudoers
	       Specify an alternate sudoers file location, see below.  As of
	       version 1.8.27, the sudoers path can be specified without using
	       the -f option.

       -h, --help
	       Display a short help message to the standard output and exit.

       -I, --no-includes
	       Disable the editing of include files unless there is a pre-
	       existing syntax error.  By default, visudo will edit the main
	       sudoers file and any files included via @include or #include
	       directives.  Files included via @includedir or #includedir are
	       never edited unless they contain a syntax error.

       -O, --owner
	       Enforce the default ownership (user and group) of the sudoers
	       file.  In edit mode, the owner of the edited file will be set
	       to the default.	In check mode (-c), an error will be reported
	       if the owner is incorrect.  This option is enabled by default
	       if the sudoers file was not specified.

       -P, --perms
	       Enforce the default permissions (mode) of the sudoers file.  In
	       edit mode, the permissions of the edited file will be set to
	       the default.  In check mode (-c), an error will be reported if
	       the file permissions are incorrect.  This option is enabled by
	       default if the sudoers file was not specified.

       -q, --quiet
	       Enable quiet mode.  In this mode details about syntax errors
	       are not printed.	 This option is only useful when combined with
	       the -c option.

       -s, --strict
	       Enable strict checking of the sudoers file.  If an alias is
	       referenced but not actually defined or if there is a cycle in
	       an alias, visudo will consider this a syntax error.  It is not
	       possible to differentiate between an alias and a host name or
	       user name that consists solely of uppercase letters, digits,
	       and the underscore (‘_’) character.

       -V, --version
	       Print the visudo and sudoers grammar versions and exit.

       A sudoers file may be specified instead of the default, /etc/sudoers.
       The temporary file used is the specified sudoers file with “.tmp”
       appended to it.	In check-only mode only, ‘-’ may be used to indicate
       that sudoers will be read from the standard input.  Because the policy
       is evaluated in its entirety, it is not sufficient to check an
       individual sudoers include file for syntax errors.

   Debugging and sudoers plugin arguments
       visudo versions 1.8.4 and higher support a flexible debugging framework
       that is configured via Debug lines in the sudo.conf(5) file.

       Starting with sudo 1.8.12, visudo will also parse the arguments to the
       sudoers plugin to override the default sudoers path name, user-ID,
       group-ID, and file mode.	 These arguments, if present, should be listed
       after the path to the plugin (i.e., after sudoers.so).  Multiple
       arguments may be specified, separated by white space.  For example:

	   Plugin sudoers_policy sudoers.so sudoers_mode=0400

       The following arguments are supported:

       sudoers_file=pathname
	     The sudoers_file argument can be used to override the default
	     path to the sudoers file.

       sudoers_uid=user-ID
	     The sudoers_uid argument can be used to override the default
	     owner of the sudoers file.	 It should be specified as a numeric
	     user-ID.

       sudoers_gid=group-ID
	     The sudoers_gid argument can be used to override the default
	     group of the sudoers file.	 It must be specified as a numeric
	     group-ID (not a group name).

       sudoers_mode=mode
	     The sudoers_mode argument can be used to override the default
	     file mode for the sudoers file.  It should be specified as an
	     octal value.

       For more information on configuring sudo.conf(5), refer to its manual.

ENVIRONMENT
       The following environment variables may be consulted depending on the
       value of the editor and env_editor sudoers settings:

       SUDO_EDITOR	Invoked by visudo as the editor to use

       VISUAL		Used by visudo if SUDO_EDITOR is not set

       EDITOR		Used by visudo if neither SUDO_EDITOR nor VISUAL is
			set

FILES
       /etc/sudo.conf		 Sudo front-end configuration

       /etc/sudoers		 List of who can run what

       /etc/sudoers.tmp		 Default temporary file used by visudo

DIAGNOSTICS
       In addition to reporting sudoers syntax errors, visudo may produce the
       following messages:

       sudoers file busy, try again later.
	   Someone else is currently editing the sudoers file.

       /etc/sudoers: Permission denied
	   You didn't run visudo as root.

       you do not exist in the passwd database
	   Your user-ID does not appear in the system passwd database.

       Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
	   Either you are trying to use an undeclared
	   {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
	   that consists solely of uppercase letters, digits, and the
	   underscore (‘_’) character.	In the latter case, you can ignore the
	   warnings (sudo will not complain) .	The message is prefixed with
	   the path name of the sudoers file and the line number where the
	   undefined alias was used.  In -s (strict) mode these are errors,
	   not warnings.

       Warning: unused {User,Runas,Host,Cmnd}_Alias
	   The specified {User,Runas,Host,Cmnd}_Alias was defined but never
	   used.  The message is prefixed with the path name of the sudoers
	   file and the line number where the unused alias was defined.	 You
	   may wish to comment out or remove the unused alias.

       Warning: cycle in {User,Runas,Host,Cmnd}_Alias
	   The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
	   itself, either directly or through an alias it includes.  The
	   message is prefixed with the path name of the sudoers file and the
	   line number where the cycle was detected.  This is only a warning
	   unless visudo is run in -s (strict) mode as sudo will ignore cycles
	   when parsing the sudoers file.

       ignoring editor backup file
	   While processing a @includedir or #includedir, a file was found
	   with a name that ends in ‘~’ or .bak.  Such files are skipped by
	   sudo and visudo.

       ignoring file name containing '.'
	   While processing a @includedir or #includedir, a file was found
	   with a name that contains a ‘.’ character.  Such files are skipped
	   by sudo and visudo.

       unknown defaults entry "name"
	   The sudoers file contains a Defaults setting not recognized by
	   visudo.

SEE ALSO
       vi(1), sudo.conf(5), sudoers(5), sudo(8), vipw(8)

AUTHORS
       Many people have worked on sudo over the years; this version consists
       of code written primarily by:

	     Todd C. Miller

       See the CONTRIBUTORS.md file in the sudo distribution
       (https://www.sudo.ws/about/contributors/) for an exhaustive list of
       people who have contributed to sudo.

CAVEATS
       There is no easy way to prevent a user from gaining a root shell if the
       editor used by visudo allows shell escapes.

BUGS
       If you believe you have found a bug in visudo, you can either file a
       bug report in the sudo bug database, https://bugzilla.sudo.ws/, or open
       an issue at https://github.com/sudo-project/sudo/issues.	 If you would
       prefer to use email, messages may be sent to the sudo-workers mailing
       list, https://www.sudo.ws/mailman/listinfo/sudo-workers (public) or
       <sudo@sudo.ws> (private).

       Please do not report security vulnerabilities through public GitHub
       issues, Bugzilla or mailing lists.  Instead, report them via email to
       <Todd.Miller@sudo.ws>.  You may encrypt your message with PGP if you
       would like, using the key found at https://www.sudo.ws/dist/PGPKEYS.

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
       the archives.

DISCLAIMER
       visudo is provided “AS IS” and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE.md file distributed with sudo or
       https://www.sudo.ws/about/license/ for complete details.

Sudo 1.9.17p1			 July 27, 2023			     VISUDO(8)

visudo(8)

\fBvisudo\fR

0popularity

System Information

Sudo 1.9.17p1 1.0.0
Updated July 27, 2023
Maintained by Unknown

Actions