edit the sudoers file


Edit the sudoers file

$ sudo visudo

Check the sudoers file for errors
$ sudo visudo -c

Edit the sudoers file using a specific editor
$ sudo EDITOR=[editor] visudo

Display version information
$ visudo --version


visudo [-chqsV] [[]


visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

visudo parses the sudoers file after editing and will not save the changes if there is a syntax error. Upon finding an error, visudo will print a message stating the line number(s) where the error occurred and the user will receive the ``What now?'' prompt. AT&T UNIX `e' to re-edit the sudoers file, `x' to exit without saving the changes, or `Q' to quit and save changes. The `Q' option should be used with extreme caution because if visudo believes there to be a parse error, so will sudo and no one will be able to run sudo again until the error is fixed. If `e' is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature).

There are two sudoers settings that determine which editor visudo will run.

The options are as follows:

A sudoers file may be specified instead of the default, /etc/sudoers . The lock file used is the specified sudoers file with ``tmp'' appended to it. In check-only mode only, `-' may be used to indicate that sudoers will be read from the standard input. Because the policy is evaluated in its entirety, it is not sufficient to check an individual sudoers include file for syntax errors.

Debugging and sudoers plugin arguments

visudo versions 1.8.4 and higher support a flexible debugging framework that is configured via Debug lines in the sudo.conf(5) file.

Starting with sudo 1.8.12, visudo will also parse the arguments to the sudoers plugin to override the default sudoers path name, UID, GID and file mode. These arguments, if present, should be listed after the path to the plugin (i.e., after ) . Multiple arguments may be specified, separated by white space. For example: -literal -offset indent Plugin sudoers_policy sudoers_mode=0400

The following arguments are supported:

For more information on configuring sudo.conf(5), please refer to its manual.


The following environment variables may be consulted depending on the value of the editor and env_editor sudoers settings:



In addition to reporting sudoers parse errors, visudo may produce the following messages:


Many people have worked on sudo over the years; this version consists of code written primarily by: -ragged -offset indent Todd C. Miller

See the CONTRIBUTORS file in the sudo distribution ( for an exhaustive list of people who have contributed to sudo .


There is no easy way to prevent a user from gaining a root shell if the editor used by visudo allows shell escapes.


If you feel you have found a bug in , please submit a bug report at


Limited free support is available via the sudo-users mailing list, see to subscribe or search the archives.


visudo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with sudo or for complete details.


vi(1), sudo.conf(5), sudoers(5), sudo(8), vipw(8)

Copied to clipboard