LinuxCommandLibrary

visudo

Edit the sudoers file safely

TLDR

Edit the sudoers file

$ sudo visudo

Check the sudoers file for errors

$ sudo visudo [[-c|--check]]

Edit the sudoers file using a specific editor

$ sudo EDITOR=[editor] visudo

Display version information

$ visudo [[-V|--version]]

SYNOPSIS

visudo [options]

PARAMETERS

-f sudoers_file
    Specify an alternate sudoers file path to edit instead of the default /etc/sudoers.

-c
    Check-only mode. Parses the sudoers file for syntax errors without opening it for editing.

-q
    Quiet mode. Suppresses non-essential output, particularly useful when checking for syntax errors with -c.

-s
    Strict mode. Enables stricter syntax checking of the sudoers file, potentially catching more subtle issues.

DESCRIPTION

visudo is a command-line utility used to safely edit the sudoers file, which controls who can run what commands as whom on a Linux system.
Only authorized users (typically root or those with sudo privileges) can use it to modify this critical configuration file. The main advantage of visudo over directly editing /etc/sudoers is its built-in syntax checking. Before saving changes, visudo parses the file for errors. If an error is found, it prompts the user to re-edit, quit without saving, or save anyway (which is highly discouraged, as a broken sudoers file can lock out all sudo access).
It also applies a file lock to prevent multiple users from editing simultaneously and ensures the file permissions are correct upon saving. This preventative approach helps maintain system security and prevents accidental lockouts.

CAVEATS

Always use visudo to edit the sudoers file. Directly editing can lead to syntax errors that lock out sudo access, potentially requiring a boot into single-user mode to fix.
A broken sudoers file can render sudo unusable, which is a critical security and administrative issue. Ensure proper permissions when using visudo -f on non-standard files.

DEFAULT EDITOR

visudo determines which editor to launch based on the VISUAL or EDITOR environment variables. If neither is set, it defaults to vi.

FILE LOCKING

During editing, visudo applies a lock to the sudoers file to prevent multiple concurrent modifications, ensuring data integrity.

SYNTAX VALIDATION

Upon exiting the editor, visudo rigorously checks the sudoers file for syntax errors. If errors are found, it provides options to re-edit, quit without saving, or save with errors (the last option is highly discouraged due to the risk of locking out sudo access).
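
The same check can gate non-interactive changes. The following is an added example, not part of the original page or of the sudo project: it stages a candidate rules file, validates it with the -c, -q and -f options described above, and installs it only if the check passes. The function name, the VISUDO override variable and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate a sudoers drop-in on `visudo -c -q -f` before installing it.
# install_sudoers_dropin, VISUDO and the sample paths are hypothetical names.

# Validator command; overridable so the logic can be exercised on a
# machine where visudo is not installed.
VISUDO="${VISUDO:-visudo}"

install_sudoers_dropin() {
    candidate=$1   # file holding the proposed rules
    dest=$2        # final path, e.g. /etc/sudoers.d/ops (sample name)

    [ -f "$candidate" ] || { echo "no such file: $candidate" >&2; return 2; }

    # Stage beside the destination so the final mv is a rename on the same
    # filesystem. The staged name contains a '.', and sudo skips such names
    # when reading an include directory, so a half-written file is never parsed.
    tmp=$(mktemp "${dest}.XXXXXX") || return 2

    # sudoers files should be read-only for owner and group (0440).
    # When run as root, the staged file is already owned by root.
    cp "$candidate" "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 2; }

    # -c: check only, -q: quiet, -f: check this file instead of /etc/sudoers.
    # A non-zero exit status means the file did not parse.
    if ! "$VISUDO" -c -q -f "$tmp"; then
        echo "rejected: $candidate failed the sudoers syntax check" >&2
        rm -f "$tmp"
        return 1
    fi

    # Only a file that parsed cleanly replaces the live one.
    mv -f "$tmp" "$dest"
}

# Typical call, as root:
#   install_sudoers_dropin ./ops.sudoers /etc/sudoers.d/ops
```

The function returns 0 after a successful install, 1 when the syntax check rejects the file, and 2 for staging problems, so it can be used directly in a deployment script's error handling.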

HISTORY

The sudo project and visudo were developed to provide a secure and auditable way for privileged users to grant specific command execution rights to unprivileged users. visudo emerged as the standard tool to manage the sudoers file, integrating critical features like syntax checking and file locking to prevent common configuration errors and simultaneous edits, which were significant issues in earlier, less structured privilege management systems. Its design philosophy emphasizes safety and robustness in managing critical system configurations.

SEE ALSO

sudo(8), sudoers(5), sudoreplay(8)
