
visudo

edit the sudoers file

TLDR

Edit the sudoers file

$ sudo visudo


Check the sudoers file for errors
$ sudo visudo -c


Edit the sudoers file using a specific editor
$ sudo EDITOR=[editor] visudo


Display version information
$ visudo --version

SYNOPSIS

visudo [-chqsV] [[]

DESCRIPTION

visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

visudo parses the sudoers file after editing and will not save the changes if there is a syntax error. Upon finding an error, visudo will print a message stating the line number(s) where the error occurred and the user will receive the "What now?" prompt. At this point the user may enter 'e' to re-edit the sudoers file, 'x' to exit without saving the changes, or 'Q' to quit and save changes. The 'Q' option should be used with extreme caution because if visudo believes there to be a parse error, so will sudo and no one will be able to run sudo again until the error is fixed. If 'e' is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature).

There are two sudoers settings that determine which editor visudo will run.

The options are as follows:

A sudoers file may be specified instead of the default, /etc/sudoers. The lock file used is the specified sudoers file with "tmp" appended to it. In check-only mode only, '-' may be used to indicate that sudoers will be read from the standard input. Because the policy is evaluated in its entirety, it is not sufficient to check an individual sudoers include file for syntax errors.
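
As an added example (not part of the visudo manual), the shell function below applies the point about whole-policy evaluation: it checks a candidate include file on its own, installs it, then re-checks the complete policy and rolls back if that check fails. The /etc/sudoers.d directory, the VISUDO and SUDOERS_D variables and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the visudo manual. VISUDO and SUDOERS_D are
# overridable assumptions so the logic can be exercised without root.
VISUDO=${VISUDO:-visudo}
SUDOERS_D=${SUDOERS_D:-/etc/sudoers.d}

# install_sudoers_dropin CANDIDATE NAME
# Returns 0 on success, 1 if a check failed (policy left as it was), 2 on a bad name.
install_sudoers_dropin() {
    src=$1
    name=$2
    dest=$SUDOERS_D/$name
    # sudoers(5): files in an include directory are skipped when the name
    # contains '.' or ends in '~', so such a drop-in would silently not apply.
    case $name in
        ''|*.*|*~|*/*) echo "unusable drop-in name: '$name'" >&2; return 2 ;;
    esac

    # Step 1: syntax-check the candidate alone, before it touches the policy.
    if ! "$VISUDO" -c -f "$src"; then
        echo "syntax error in $src; nothing installed" >&2
        return 1
    fi

    # Step 2: keep a copy of any file that is about to be replaced.
    backup=
    if [ -e "$dest" ]; then
        backup=$(mktemp) || return 1
        cp -p "$dest" "$backup" || return 1
    fi

    # Step 3: write under a dotted name (skipped by sudo), then rename into place.
    install -m 0440 "$src" "$dest.new" && mv -f "$dest.new" "$dest" || return 1

    # Step 4: check the policy in its entirety; passing step 1 is not enough.
    if "$VISUDO" -c; then
        [ -z "$backup" ] || rm -f "$backup"
        return 0
    fi
    echo "full policy check failed; rolling back $dest" >&2
    if [ -n "$backup" ]; then mv -f "$backup" "$dest"; else rm -f "$dest"; fi
    return 1
}

if [ "$#" -eq 2 ]; then install_sudoers_dropin "$1" "$2"; fi
```

Run as root, for instance with a candidate file and the name the drop-in should have in the include directory.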

Debugging and sudoers plugin arguments

visudo versions 1.8.4 and higher support a flexible debugging framework that is configured via Debug lines in the sudo.conf(5) file.

Starting with sudo 1.8.12, visudo will also parse the arguments to the sudoers plugin to override the default sudoers path name, UID, GID and file mode. These arguments, if present, should be listed after the path to the plugin (i.e., after sudoers.so). Multiple arguments may be specified, separated by white space. For example:

Plugin sudoers_policy sudoers.so sudoers_mode=0400

The following arguments are supported:

For more information on configuring sudo.conf(5), please refer to its manual.

ENVIRONMENT

The following environment variables may be consulted depending on the value of the editor and env_editor sudoers settings:

FILES

DIAGNOSTICS

In addition to reporting sudoers parse errors, visudo may produce the following messages:

AUTHORS

Many people have worked on sudo over the years; this version consists of code written primarily by:

Todd C. Miller

See the CONTRIBUTORS file in the sudo distribution (https://www.sudo.ws/contributors.html) for an exhaustive list of people who have contributed to sudo.

CAVEATS

There is no easy way to prevent a user from gaining a root shell if the editor used by visudo allows shell escapes.

BUGS

If you feel you have found a bug in visudo, please submit a bug report at https://bugzilla.sudo.ws/

SUPPORT

Limited free support is available via the sudo-users mailing list, see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives.

DISCLAIMER

visudo is provided "AS IS" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with sudo or https://www.sudo.ws/license.html for complete details.

SEE ALSO

vi(1), sudo.conf(5), sudoers(5), sudo(8), vipw(8)
