VISUDO(8)                 BSD System Manager's Manual                VISUDO(8)

NAME
     visudo — edit the sudoers file

SYNOPSIS
     visudo [-chIOPqsV] [[-f] sudoers]

DESCRIPTION
     visudo edits the sudoers file in a safe fashion, analogous to vipw(8).
     visudo locks the sudoers file against multiple simultaneous edits,
     performs basic validity checks, and checks for syntax errors before
     installing the edited file. If the sudoers file is currently being
     edited you will receive a message to try again later.

     visudo parses the sudoers file after editing and will not save the
     changes if there is a syntax error. Upon finding an error, visudo will
     print a message stating the line number(s) where the error occurred and
     the user will receive the “What now?” prompt. At this point the user may
     enter ‘e’ to re-edit the sudoers file, ‘x’ to exit without saving the
     changes, or ‘Q’ to quit and save changes. The ‘Q’ option should be used
     with extreme caution because if visudo believes there to be a syntax
     error, so will sudo. If ‘e’ is typed to edit the sudoers file after a
     syntax error has been detected, the cursor will be placed on the line
     where the error occurred (if the editor supports this feature).

     There are two sudoers settings that determine which editor visudo will
     run.

     editor      A colon (‘:’) separated list of editors allowed to be used
                 with visudo. visudo will choose the editor that matches the
                 user's SUDO_EDITOR, VISUAL, or EDITOR environment variable
                 if possible, or the first editor in the list that exists
                 and is executable. sudo does not preserve the SUDO_EDITOR,
                 VISUAL, or EDITOR environment variables unless they are
                 present in the env_keep list or the env_reset option is
                 disabled in the sudoers file. The default editor path is
                 /usr/bin/nano:/usr/bin/vim:/usr/bin/vi which can be set at
                 compile time via the --with-editor configure option.

     env_editor  If set, visudo will use the value of the SUDO_EDITOR,
                 VISUAL, or EDITOR environment variables before falling back
                 on the default editor list. visudo is typically run as root
                 so this option may allow a user with visudo privileges to
                 run arbitrary commands as root without logging. An
                 alternative is to place a colon-separated list of “safe”
                 editors in the editor variable. visudo will then only use
                 SUDO_EDITOR, VISUAL, or EDITOR if they match a value
                 specified in editor. If the env_reset flag is enabled, the
                 SUDO_EDITOR, VISUAL, and/or EDITOR environment variables
                 must be present in the env_keep list for the env_editor
                 flag to function when visudo is invoked via sudo. The
                 default value is on, which can be set at compile time via
                 the --with-env-editor configure option.

     The options are as follows:

     -c, --check
             Enable check-only mode. The existing sudoers file (and any other
             files it includes) will be checked for syntax errors. If the
             path to the sudoers file was not specified, visudo will also
             check the file ownership and permissions (see the -O and -P
             options). A message will be printed to the standard output
             describing the status of sudoers unless the -q option was
             specified. If the check completes successfully, visudo will exit
             with a value of 0. If an error is encountered, visudo will exit
             with a value of 1.

     -f sudoers, --file=sudoers
             Specify an alternate sudoers file location, see below. As of
             version 1.8.27, the sudoers path can be specified without using
             the -f option.

     -h, --help
             Display a short help message to the standard output and exit.

     -I, --no-includes
             Disable the editing of include files unless there is a
             pre-existing syntax error. By default, visudo will edit the main
             sudoers file and any files included via @include or #include
             directives. Files included via @includedir or #includedir are
             never edited unless they contain a syntax error.

     -O, --owner
             Enforce the default ownership (user and group) of the sudoers
             file. In edit mode, the owner of the edited file will be set to
             the default. In check mode (-c), an error will be reported if
             the owner is incorrect. This option is enabled by default if the
             sudoers file was not specified.

     -P, --perms
             Enforce the default permissions (mode) of the sudoers file. In
             edit mode, the permissions of the edited file will be set to the
             default. In check mode (-c), an error will be reported if the
             file permissions are incorrect. This option is enabled by
             default if the sudoers file was not specified.

     -q, --quiet
             Enable quiet mode. In this mode details about syntax errors are
             not printed. This option is only useful when combined with the
             -c option.

     -s, --strict
             Enable strict checking of the sudoers file. If an alias is
             referenced but not actually defined or if there is a cycle in an
             alias, visudo will consider this a syntax error. It is not
             possible to differentiate between an alias and a host name or
             user name that consists solely of uppercase letters, digits, and
             the underscore (‘_’) character.

     -V, --version
             Print the visudo and sudoers grammar versions and exit.

     A sudoers file may be specified instead of the default, /etc/sudoers.
     The temporary file used is the specified sudoers file with “.tmp”
     appended to it. In check-only mode only, ‘-’ may be used to indicate
     that sudoers will be read from the standard input. Because the policy
     is evaluated in its entirety, it is not sufficient to check an
     individual sudoers include file for syntax errors.

   Debugging and sudoers plugin arguments
     visudo versions 1.8.4 and higher support a flexible debugging framework
     that is configured via Debug lines in the sudo.conf(5) file.

     Starting with sudo 1.8.12, visudo will also parse the arguments to the
     sudoers plugin to override the default sudoers path name, user-ID,
     group-ID, and file mode. These arguments, if present, should be listed
     after the path to the plugin (i.e., after sudoers.so). Multiple
     arguments may be specified, separated by white space. For example:

           Plugin sudoers_policy sudoers.so sudoers_mode=0400

     The following arguments are supported:

     sudoers_file=pathname
           The sudoers_file argument can be used to override the default path
           to the sudoers file.

     sudoers_uid=user-ID
           The sudoers_uid argument can be used to override the default owner
           of the sudoers file. It should be specified as a numeric user-ID.

     sudoers_gid=group-ID
           The sudoers_gid argument can be used to override the default group
           of the sudoers file. It must be specified as a numeric group-ID
           (not a group name).

     sudoers_mode=mode
           The sudoers_mode argument can be used to override the default file
           mode for the sudoers file. It should be specified as an octal
           value.

     For more information on configuring sudo.conf(5), refer to its manual.

ENVIRONMENT
     The following environment variables may be consulted depending on the
     value of the editor and env_editor sudoers settings:

     SUDO_EDITOR      Invoked by visudo as the editor to use

     VISUAL           Used by visudo if SUDO_EDITOR is not set

     EDITOR           Used by visudo if neither SUDO_EDITOR nor VISUAL is set

FILES
     /etc/sudo.conf            Sudo front-end configuration

     /etc/sudoers              List of who can run what

     /etc/sudoers.tmp          Default temporary file used by visudo

DIAGNOSTICS
     In addition to reporting sudoers syntax errors, visudo may produce the
     following messages:

     sudoers file busy, try again later.
           Someone else is currently editing the sudoers file.

     /etc/sudoers: Permission denied
           You didn't run visudo as root.

     you do not exist in the passwd database
           Your user-ID does not appear in the system passwd database.

     Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
           Either you are trying to use an undeclared
           {User,Runas,Host,Cmnd}_Alias or you have a user or host name
           listed that consists solely of uppercase letters, digits, and the
           underscore (‘_’) character. In the latter case, you can ignore
           the warnings (sudo will not complain). The message is prefixed
           with the path name of the sudoers file and the line number where
           the undefined alias was used. In -s (strict) mode these are
           errors, not warnings.

     Warning: unused {User,Runas,Host,Cmnd}_Alias
           The specified {User,Runas,Host,Cmnd}_Alias was defined but never
           used. The message is prefixed with the path name of the sudoers
           file and the line number where the unused alias was defined. You
           may wish to comment out or remove the unused alias.

     Warning: cycle in {User,Runas,Host,Cmnd}_Alias
           The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
           itself, either directly or through an alias it includes. The
           message is prefixed with the path name of the sudoers file and the
           line number where the cycle was detected. This is only a warning
           unless visudo is run in -s (strict) mode as sudo will ignore
           cycles when parsing the sudoers file.

     ignoring editor backup file
           While processing a @includedir or #includedir, a file was found
           with a name that ends in ‘~’ or .bak. Such files are skipped by
           sudo and visudo.

     ignoring file name containing '.'
           While processing a @includedir or #includedir, a file was found
           with a name that contains a ‘.’ character. Such files are skipped
           by sudo and visudo.

     unknown defaults entry "name"
           The sudoers file contains a Defaults setting not recognized by
           visudo.

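The check-only mode (-c, -s, -f) and the include-directory naming rules described above, combined into a pre-install check for a sudoers drop-in. This is an added example, not part of the manual or the sudo distribution. The function names, the VISUDO override variable and the staging-directory approach are assumptions; because checking one include file alone is not sufficient, it validates the candidate together with the rest of the policy.

```shell
#!/bin/sh
# Added example (not from the sudo distribution): vet a sudoers drop-in
# against the whole policy before installing it.
# Assumptions: function names are hypothetical; the main sudoers file pulls
# drop-ins in through @includedir/#includedir lines, all re-pointed here.

VISUDO=${VISUDO:-visudo}   # overridable, e.g. to a full path

# Succeeds if a file with this name would be read from an include directory.
# Names ending in '~' or containing '.' (which covers .bak) are skipped.
dropin_name_ok() {
    case ${1##*/} in
        *~|*.*) return 1 ;;
        *)      return 0 ;;
    esac
}

# vet_dropin CANDIDATE [MAIN_SUDOERS] [INCLUDE_DIR]
# Returns 0 if the merged policy parses, 1 if visudo reports an error,
# 2 if the candidate's name means it would be silently ignored.
vet_dropin() {
    candidate=$1 main=${2:-/etc/sudoers} incdir=${3:-/etc/sudoers.d}
    if ! dropin_name_ok "$candidate"; then
        echo "$candidate: name would be skipped in an include directory" >&2
        return 2
    fi
    stage=$(mktemp -d) || return 1
    mkdir "$stage/d" || return 1
    # Stage the live drop-ins, then the candidate on top of them.
    for f in "$incdir"/*; do
        if [ -f "$f" ]; then cp "$f" "$stage/d/"; fi
    done
    cp "$candidate" "$stage/d/"
    # Copy the main file with its include directory re-pointed at the stage.
    sed "s|^\([@#]includedir\)[[:space:]].*|\1 $stage/d|" "$main" \
        > "$stage/sudoers"
    # -c check only, -s strict alias checking, -f alternate sudoers path.
    rc=0
    "$VISUDO" -c -s -f "$stage/sudoers" || rc=$?
    rm -rf "$stage"
    return "$rc"
}
```

Because the staged copy is checked with -f, ownership and mode are not verified; run visudo -c with no path after installing to cover those.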
SEE ALSO
     vi(1), sudo.conf(5), sudoers(5), sudo(8), vipw(8)

AUTHORS
     Many people have worked on sudo over the years; this version consists of
     code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS.md file in the sudo distribution
     (https://www.sudo.ws/about/contributors/) for an exhaustive list of
     people who have contributed to sudo.

CAVEATS
     There is no easy way to prevent a user from gaining a root shell if the
     editor used by visudo allows shell escapes.

BUGS
     If you believe you have found a bug in visudo, you can submit a bug
     report at https://bugzilla.sudo.ws/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the archives.

DISCLAIMER
     visudo is provided “AS IS” and any express or implied warranties,
     including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE.md file distributed with sudo or
     https://www.sudo.ws/about/license/ for complete details.

Sudo 1.9.14p3                   March 20, 2023                   Sudo 1.9.14p3