VISUDO(8)                 BSD System Manager's Manual                VISUDO(8)

NAME

     visudo — edit the sudoers file

SYNOPSIS

     visudo [-chIOPqsV] [[-f] sudoers]

DESCRIPTION

     visudo edits the sudoers file in a safe fashion, analogous to vipw(8).
     visudo locks the sudoers file against multiple simultaneous edits,
     performs basic validity checks, and checks for syntax errors before
     installing the edited file.  If the sudoers file is currently being edited
     you will receive a message to try again later.

     visudo parses the sudoers file after editing and will not save the
     changes if there is a syntax error.  Upon finding an error, visudo will
     print a message stating the line number(s) where the error occurred and
     the user will receive the “What now?” prompt.  At this point the user may
     enter ‘e’ to re-edit the sudoers file, ‘x’ to exit without saving the
     changes, or ‘Q’ to quit and save changes.  The ‘Q’ option should be used
     with extreme caution because if visudo believes there to be a syntax
     error, so will sudo.  If ‘e’ is typed to edit the sudoers file after a
     syntax error has been detected, the cursor will be placed on the line where
     the error occurred (if the editor supports this feature).

     There are two sudoers settings that determine which editor visudo will
     run.

     editor      A colon (‘:’) separated list of editors allowed to be used
                 with visudo.  visudo will choose the editor that matches the
                 user's SUDO_EDITOR, VISUAL, or EDITOR environment variable if
                 possible, or the first editor in the list that exists and is
                 executable.  sudo does not preserve the SUDO_EDITOR, VISUAL,
                 or EDITOR environment variables unless they are present in
                 the env_keep list or the env_reset option is disabled in the
                 sudoers file.  The default editor path is
                 /usr/bin/nano:/usr/bin/vim:/usr/bin/vi which can be set at
                 compile time via the --with-editor configure option.

     env_editor  If set, visudo will use the value of the SUDO_EDITOR, VISUAL,
                 or EDITOR environment variables before falling back on the
                 default editor list.  visudo is typically run as root so this
                 option may allow a user with visudo privileges to run
                 arbitrary commands as root without logging.  An alternative is to
                 place a colon-separated list of “safe” editors in the editor
                 variable.  visudo will then only use SUDO_EDITOR, VISUAL, or
                 EDITOR if they match a value specified in editor.  If the
                 env_reset flag is enabled, the SUDO_EDITOR, VISUAL, and/or
                 EDITOR environment variables must be present in the env_keep
                 list for the env_editor flag to function when visudo is
                 invoked via sudo.  The default value is on, which can be set at
                 compile time via the --with-env-editor configure option.

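
     An added example, not part of the sudo distribution: a shell function
     that reads sudoers text on standard input and reports the effective
     global env_editor and editor settings, so a policy that still lets the
     caller's environment choose the editor stands out in review.  The
     function name is hypothetical, only global Defaults lines are parsed (no
     per-user or per-host scopes, no line continuations), and the built-in
     default for env_editor is assumed to be on, as documented above.

```shell
#!/bin/sh
# Added example: audit the editor-related Defaults in sudoers text (stdin).
# Prints one line: "env_editor=<on|off> editor=<list|default>".
# $1 optionally overrides the assumed compile-time default for env_editor.
audit_editor_defaults() {
    awk -v env_editor="${1:-on}" '
        # Global settings only: "Defaults" followed by white space.
        # Commented-out lines and scoped forms (Defaults:user) do not match.
        /^[ \t]*Defaults[ \t]/ {
            sub(/^[ \t]*Defaults[ \t]+/, "")
            n = split($0, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", o)
                # Later settings override earlier ones.
                if (o == "env_editor")
                    env_editor = "on"
                else if (o == "!env_editor")
                    env_editor = "off"
                else if (o ~ /^editor[ \t]*=/) {
                    sub(/^editor[ \t]*=[ \t]*/, "", o)
                    gsub(/"/, "", o)
                    editor = o
                }
            }
        }
        END {
            printf "env_editor=%s editor=%s\n", env_editor,
                   (editor == "" ? "default" : editor)
        }
    '
}
```

     A result of env_editor=on means the editor named in the caller's
     environment is used before the editor list; env_editor=off restricts
     visudo to editors that match the reported list.
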
     The options are as follows:

     -c, --check
             Enable check-only mode.  The existing sudoers file (and any other
             files it includes) will be checked for syntax errors.  If the
             path to the sudoers file was not specified, visudo will also
             check the file ownership and permissions (see the -O and -P
             options).  A message will be printed to the standard output
             describing the status of sudoers unless the -q option was
             specified.  If the check completes successfully, visudo will exit with
             a value of 0.  If an error is encountered, visudo will exit with
             a value of 1.

     -f sudoers, --file=sudoers
             Specify an alternate sudoers file location, see below.  As of
             version 1.8.27, the sudoers path can be specified without using
             the -f option.

     -h, --help
             Display a short help message to the standard output and exit.

     -I, --no-includes
             Disable the editing of include files unless there is a
             pre-existing syntax error.  By default, visudo will edit the main sudoers
             file and any files included via @include or #include directives.
             Files included via @includedir or #includedir are never edited
             unless they contain a syntax error.

     -O, --owner
             Enforce the default ownership (user and group) of the sudoers
             file.  In edit mode, the owner of the edited file will be set to
             the default.  In check mode (-c), an error will be reported if
             the owner is incorrect.  This option is enabled by default if the
             sudoers file was not specified.

     -P, --perms
             Enforce the default permissions (mode) of the sudoers file.  In
             edit mode, the permissions of the edited file will be set to the
             default.  In check mode (-c), an error will be reported if the
             file permissions are incorrect.  This option is enabled by
             default if the sudoers file was not specified.

     -q, --quiet
             Enable quiet mode.  In this mode details about syntax errors are
             not printed.  This option is only useful when combined with the
             -c option.

     -s, --strict
             Enable strict checking of the sudoers file.  If an alias is
             referenced but not actually defined or if there is a cycle in an
             alias, visudo will consider this a syntax error.  It is not
             possible to differentiate between an alias and a host name or user
             name that consists solely of uppercase letters, digits, and the
             underscore (‘_’) character.

     -V, --version
             Print the visudo and sudoers grammar versions and exit.

     A sudoers file may be specified instead of the default, /etc/sudoers.
     The temporary file used is the specified sudoers file with “.tmp”
     appended to it.  In check-only mode only, ‘-’ may be used to indicate that
     sudoers will be read from the standard input.  Because the policy is
     evaluated in its entirety, it is not sufficient to check an individual
     sudoers include file for syntax errors.

   Debugging and sudoers plugin arguments
     visudo versions 1.8.4 and higher support a flexible debugging framework
     that is configured via Debug lines in the sudo.conf(5) file.

     Starting with sudo 1.8.12, visudo will also parse the arguments to the
     sudoers plugin to override the default sudoers path name, user-ID,
     group-ID, and file mode.  These arguments, if present, should be listed after
     the path to the plugin (i.e., after sudoers.so).  Multiple arguments may
     be specified, separated by white space.  For example:

         Plugin sudoers_policy sudoers.so sudoers_mode=0400

     The following arguments are supported:

     sudoers_file=pathname
           The sudoers_file argument can be used to override the default path
           to the sudoers file.

     sudoers_uid=user-ID
           The sudoers_uid argument can be used to override the default owner
           of the sudoers file.  It should be specified as a numeric user-ID.

     sudoers_gid=group-ID
           The sudoers_gid argument can be used to override the default group
           of the sudoers file.  It must be specified as a numeric group-ID
           (not a group name).

     sudoers_mode=mode
           The sudoers_mode argument can be used to override the default file
           mode for the sudoers file.  It should be specified as an octal
           value.

     For more information on configuring sudo.conf(5), refer to its manual.

ENVIRONMENT

     The following environment variables may be consulted depending on the
     value of the editor and env_editor sudoers settings:

     SUDO_EDITOR      Invoked by visudo as the editor to use

     VISUAL           Used by visudo if SUDO_EDITOR is not set

     EDITOR           Used by visudo if neither SUDO_EDITOR nor VISUAL is set

FILES

     /etc/sudo.conf            Sudo front-end configuration

     /etc/sudoers              List of who can run what

     /etc/sudoers.tmp          Default temporary file used by visudo

DIAGNOSTICS

     In addition to reporting sudoers syntax errors, visudo may produce the
     following messages:

     sudoers file busy, try again later.
           Someone else is currently editing the sudoers file.

     /etc/sudoers: Permission denied
           You didn't run visudo as root.

     you do not exist in the passwd database
           Your user-ID does not appear in the system passwd database.

     Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
           Either you are trying to use an undeclared
           {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
           that consists solely of uppercase letters, digits, and the
           underscore (‘_’) character.  In the latter case, you can ignore the
           warnings (sudo will not complain).  The message is prefixed with
           the path name of the sudoers file and the line number where the
           undefined alias was used.  In -s (strict) mode these are errors, not
           warnings.

     Warning: unused {User,Runas,Host,Cmnd}_Alias
           The specified {User,Runas,Host,Cmnd}_Alias was defined but never
           used.  The message is prefixed with the path name of the sudoers
           file and the line number where the unused alias was defined.  You
           may wish to comment out or remove the unused alias.

     Warning: cycle in {User,Runas,Host,Cmnd}_Alias
           The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
           itself, either directly or through an alias it includes.  The
           message is prefixed with the path name of the sudoers file and the
           line number where the cycle was detected.  This is only a warning
           unless visudo is run in -s (strict) mode as sudo will ignore cycles
           when parsing the sudoers file.

     ignoring editor backup file
           While processing a @includedir or #includedir, a file was found
           with a name that ends in ‘~’ or .bak.  Such files are skipped by
           sudo and visudo.

     ignoring file name containing '.'
           While processing a @includedir or #includedir, a file was found
           with a name that contains a ‘.’ character.  Such files are skipped
           by sudo and visudo.

     unknown defaults entry "name"
           The sudoers file contains a Defaults setting not recognized by
           visudo.

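
     An added example, not from the sudo distribution, combining check-only
     mode, the whole-policy caveat under DESCRIPTION and the two file-name
     rules above: it refuses a drop-in whose name sudo would skip, checks the
     candidate with visudo -c, installs it, then re-checks the complete policy
     and rolls back on failure.  The function names, the /etc/sudoers.d
     directory and mode 0440 are assumptions.

```shell
#!/bin/sh
# Added example: pre-install checks for a sudoers drop-in file.

# Return 0 if sudo and visudo would skip this file name when processing an
# @includedir directory: names ending in '~' or containing a '.' character
# (which also covers names ending in ".bak").
includedir_skips() {
    case "${1##*/}" in
        *'~'|*.*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Validate a candidate drop-in, install it, then check the whole policy.
# $1 = candidate file; $2 = include directory (assumed /etc/sudoers.d).
# Returns 0 on success, 1 on a failed check, 2 on a name that is skipped.
install_dropin() {
    candidate=$1
    dir=${2:-/etc/sudoers.d}
    name=${candidate##*/}

    if includedir_skips "$name"; then
        echo "refusing: '$name' would be skipped by sudo" >&2
        return 2
    fi

    # Check the candidate on its own first: exit status 0 = ok, 1 = error.
    if ! visudo -c -q -f "$candidate"; then
        echo "syntax error in $candidate" >&2
        return 1
    fi

    # A per-file check is not sufficient because the policy is evaluated
    # in its entirety, so install and then check the default sudoers file
    # together with everything it includes. Mode 0440 is an assumption.
    install -m 0440 "$candidate" "$dir/$name" || return 1
    if ! visudo -c -q; then
        rm -f -- "$dir/$name"
        echo "full policy check failed; removed $dir/$name" >&2
        return 1
    fi
}
```
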

SEE ALSO

     vi(1), sudo.conf(5), sudoers(5), sudo(8), vipw(8)

AUTHORS

     Many people have worked on sudo over the years; this version consists of
     code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS.md file in the sudo distribution
     (https://www.sudo.ws/about/contributors/) for an exhaustive list of
     people who have contributed to sudo.

CAVEATS

     There is no easy way to prevent a user from gaining a root shell if the
     editor used by visudo allows shell escapes.

BUGS

     If you believe you have found a bug in visudo, you can submit a bug
     report at https://bugzilla.sudo.ws/

SUPPORT

     Limited free support is available via the sudo-users mailing list, see
     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the archives.

DISCLAIMER

     visudo is provided “AS IS” and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability and
     fitness for a particular purpose are disclaimed.  See the LICENSE.md file
     distributed with sudo or https://www.sudo.ws/about/license/ for complete
     details.

Sudo 1.9.14p3                   March 20, 2023                   Sudo 1.9.14p3