1VISUDO(8) BSD System Manager's Manual VISUDO(8)
2
4 visudo — edit the sudoers file
5
7 visudo [-chIOPqsV] [[-f] sudoers]
8
10 visudo edits the sudoers file in a safe fashion, analogous to vipw(8).
11 visudo locks the sudoers file against multiple simultaneous edits, per‐
12 forms basic validity checks, and checks for syntax errors before in‐
13 stalling the edited file. If the sudoers file is currently being edited
14 you will receive a message to try again later.
15 visudo parses the sudoers file after editing and will not save the
17 changes if there is a syntax error. Upon finding an error, visudo will
18 print a message stating the line number(s) where the error occurred and
19 the user will receive the “What now?” prompt. At this point the user may
20 enter ‘e’ to re-edit the sudoers file, ‘x’ to exit without saving the
21 changes, or ‘Q’ to quit and save changes. The ‘Q’ option should be used
22 with extreme caution because if visudo believes there to be a syntax er‐
23 ror, so will sudo. If ‘e’ is typed to edit the sudoers file after a syn‐
24 tax error has been detected, the cursor will be placed on the line where
25 the error occurred (if the editor supports this feature).
26 There are two sudoers settings that determine which editor visudo will
28 run.
29 editor A colon (‘:’) separated list of editors allowed to be used
31 with visudo. visudo will choose the editor that matches the
32 user's SUDO_EDITOR, VISUAL, or EDITOR environment variable if
33 possible, or the first editor in the list that exists and is
34 executable. sudo does not preserve the SUDO_EDITOR, VISUAL,
35 or EDITOR environment variables unless they are present in
36 the env_keep list or the env_reset option is disabled in the
37 sudoers file. The default editor path is
38 /usr/bin/nano:/usr/bin/vim:/usr/bin/vi which can be set at
39 compile time via the --with-editor configure option.
40 env_editor If set, visudo will use the value of the SUDO_EDITOR, VISUAL,
42 or EDITOR environment variables before falling back on the
43 default editor list. visudo is typically run as root so this
44 option may allow a user with visudo privileges to run arbi‐
45 trary commands as root without logging. An alternative is to
46 place a colon-separated list of “safe” editors in the editor
47 variable. visudo will then only use SUDO_EDITOR, VISUAL, or
48 EDITOR if they match a value specified in editor. If the
49 env_reset flag is enabled, the SUDO_EDITOR, VISUAL, and/or
50 EDITOR environment variables must be present in the env_keep
51 list for the env_editor flag to function when visudo is in‐
52 voked via sudo. The default value is on, which can be set at
53 compile time via the --with-env-editor configure option.
54 The options are as follows:
56 -c, --check
58 Enable check-only mode. The existing sudoers file (and any other
59 files it includes) will be checked for syntax errors. If the
60 path to the sudoers file was not specified, visudo will also
61 check the file ownership and permissions (see the -O and -P op‐
62 tions). A message will be printed to the standard output de‐
63 scribing the status of sudoers unless the -q option was speci‐
64 fied. If the check completes successfully, visudo will exit with
65 a value of 0. If an error is encountered, visudo will exit with
66 a value of 1.
67 -f sudoers, --file=sudoers
69 Specify an alternate sudoers file location, see below. As of
70 version 1.8.27, the sudoers path can be specified without using
71 the -f option.
72 -h, --help
74 Display a short help message to the standard output and exit.
75 -I, --no-includes
77 Disable the editing of include files unless there is a pre-exist‐
78 ing syntax error. By default, visudo will edit the main sudoers
79 file and any files included via @include or #include directives.
80 Files included via @includedir or #includedir are never edited
81 unless they contain a syntax error.
82 -O, --owner
84 Enforce the default ownership (user and group) of the sudoers
85 file. In edit mode, the owner of the edited file will be set to
86 the default. In check mode (-c), an error will be reported if
87 the owner is incorrect. This option is enabled by default if the
88 sudoers file was not specified.
89 -P, --perms
91 Enforce the default permissions (mode) of the sudoers file. In
92 edit mode, the permissions of the edited file will be set to the
93 default. In check mode (-c), an error will be reported if the
94 file permissions are incorrect. This option is enabled by de‐
95 fault if the sudoers file was not specified.
96 -q, --quiet
98 Enable quiet mode. In this mode details about syntax errors are
99 not printed. This option is only useful when combined with the
100 -c option.
101 -s, --strict
103 Enable strict checking of the sudoers file. If an alias is ref‐
104 erenced but not actually defined or if there is a cycle in an
105 alias, visudo will consider this a syntax error. It is not pos‐
106 sible to differentiate between an alias and a host name or user
107 name that consists solely of uppercase letters, digits, and the
108 underscore (‘_’) character.
109 -V, --version
111 Print the visudo and sudoers grammar versions and exit.
112 A sudoers file may be specified instead of the default, /etc/sudoers.
114 The temporary file used is the specified sudoers file with “.tmp” ap‐
115 pended to it. In check-only mode only, ‘-’ may be used to indicate that
116 sudoers will be read from the standard input. Because the policy is
117 evaluated in its entirety, it is not sufficient to check an individual
118 sudoers include file for syntax errors.
119 Debugging and sudoers plugin arguments
121 visudo versions 1.8.4 and higher support a flexible debugging framework
122 that is configured via Debug lines in the sudo.conf(5) file.
123 Starting with sudo 1.8.12, visudo will also parse the arguments to the
125 sudoers plugin to override the default sudoers path name, user-ID, group-
126 ID, and file mode. These arguments, if present, should be listed after
127 the path to the plugin (i.e., after sudoers.so). Multiple arguments may
128 be specified, separated by white space. For example:
129 Plugin sudoers_policy sudoers.so sudoers_mode=0400
131 The following arguments are supported:
133 sudoers_file=pathname
135 The sudoers_file argument can be used to override the default path
136 to the sudoers file.
137 sudoers_uid=user-ID
139 The sudoers_uid argument can be used to override the default owner
140 of the sudoers file. It should be specified as a numeric user-ID.
141 sudoers_gid=group-ID
143 The sudoers_gid argument can be used to override the default group
144 of the sudoers file. It must be specified as a numeric group-ID
145 (not a group name).
146 sudoers_mode=mode
148 The sudoers_mode argument can be used to override the default file
149 mode for the sudoers file. It should be specified as an octal
150 value.
151 For more information on configuring sudo.conf(5), refer to its manual.
153
155 The following environment variables may be consulted depending on the
156 value of the editor and env_editor sudoers settings:
157 SUDO_EDITOR Invoked by visudo as the editor to use
159 VISUAL Used by visudo if SUDO_EDITOR is not set
161 EDITOR Used by visudo if neither SUDO_EDITOR nor VISUAL is set
163
165 /etc/sudo.conf Sudo front-end configuration
166 /etc/sudoers List of who can run what
168 /etc/sudoers.tmp Default temporary file used by visudo
170
172 In addition to reporting sudoers syntax errors, visudo may produce the
173 following messages:
174 sudoers file busy, try again later.
176 Someone else is currently editing the sudoers file.
177 /etc/sudoers: Permission denied
179 You didn't run visudo as root.
180 you do not exist in the passwd database
182 Your user-ID does not appear in the system passwd database.
183 Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
185 Either you are trying to use an undeclared
186 {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
187 that consists solely of uppercase letters, digits, and the under‐
188 score (‘_’) character. In the latter case, you can ignore the
189 warnings (sudo will not complain). The message is prefixed with
190 the path name of the sudoers file and the line number where the un‐
191 defined alias was used. In -s (strict) mode these are errors, not
192 warnings.
193 Warning: unused {User,Runas,Host,Cmnd}_Alias
195 The specified {User,Runas,Host,Cmnd}_Alias was defined but never
196 used. The message is prefixed with the path name of the sudoers
197 file and the line number where the unused alias was defined. You
198 may wish to comment out or remove the unused alias.
199 Warning: cycle in {User,Runas,Host,Cmnd}_Alias
201 The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
202 itself, either directly or through an alias it includes. The mes‐
203 sage is prefixed with the path name of the sudoers file and the
204 line number where the cycle was detected. This is only a warning
205 unless visudo is run in -s (strict) mode as sudo will ignore cycles
206 when parsing the sudoers file.
207 unknown defaults entry "name"
209 The sudoers file contains a Defaults setting not recognized by
210 visudo.
211
213 vi(1), sudo.conf(5), sudoers(5), sudo(8), vipw(8)
214
216 Many people have worked on sudo over the years; this version consists of
217 code written primarily by:
218 Todd C. Miller
220 See the CONTRIBUTORS.md file in the sudo distribution
222 (https://www.sudo.ws/about/contributors/) for an exhaustive list of peo‐
223 ple who have contributed to sudo.
224
226 There is no easy way to prevent a user from gaining a root shell if the
227 editor used by visudo allows shell escapes.
228
230 If you believe you have found a bug in visudo, you can submit a bug re‐
231 port at https://bugzilla.sudo.ws/
232
234 Limited free support is available via the sudo-users mailing list, see
235 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
236 the archives.
237
239 visudo is provided “AS IS” and any express or implied warranties, includ‐
240 ing, but not limited to, the implied warranties of merchantability and
241 fitness for a particular purpose are disclaimed. See the LICENSE.md file
242 distributed with sudo or https://www.sudo.ws/about/license/ for complete
243 details.
244Sudo 1.9.13p2 January 16, 2023 Sudo 1.9.13p2