man-pages/man8/visudo.8.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of VISUDO</TITLE>
</HEAD><BODY>
<H1>VISUDO</H1>
Section: Maintenance Commands (8)<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<BR>BSD mandoc<BR>
Sudo 1.8.31

<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

<B>visudo</B>

 - edit the sudoers file

<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>visudo</B>

[-<B>chqsV</B>

]

[Bo -<B>f Bc </B><I>sudoers</I>







]

<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<B>visudo</B>


edits the
<I>sudoers</I>

file in a safe fashion, analogous to
<A HREF="/cgi-bin/man/man2html?8+vipw">vipw</A>(8).


<B>visudo</B>


locks the
<I>sudoers</I>

file against multiple simultaneous edits, provides basic sanity checks,
and checks for parse errors before installing the edited file.
If the
<I>sudoers</I>

file is currently being edited you will receive a message to try again later.
<P>

<B>visudo</B>


parses the
<I>sudoers</I>

file after editing and will not save the changes if there is a syntax error.
Upon finding an error,
<B>visudo</B>


will print a message stating the line number(s)
where the error occurred and the user will receive the
``What now?''

prompt.
At this point the user may enter
`e'

to re-edit the
<I>sudoers</I>

file,
`x'

to exit without saving the changes, or
`Q'

to quit and save changes.
The
`Q'

option should be used with extreme caution because if
<B>visudo</B>


believes there to be a parse error, so will
<B>sudo</B>

and no one will be able to run
<B>sudo</B>

again until the error is fixed.
If
`e'

is typed to edit the
<I>sudoers</I>

file after a parse error has been detected, the cursor will be placed on
the line where the error occurred (if the editor supports this feature).
<P>

There are two
<I>sudoers</I>

settings that determine which editor
<B>visudo</B>

will run.
<DL COMPACT>
<P>

<DT id="1"><B>editor</B>
<DD>
A colon
(`:'

)

separated list of editors allowed to be used with
<B>.</B>

<B>visudo</B>


will choose the editor that matches the user's
<B>SUDO_EDITOR</B>

 
<B>VISUAL</B>

or
<B>EDITOR</B>

environment variable if possible, or the first editor in the
list that exists and is executable.
Note that
<B>sudo</B>

does not preserve the
<B>SUDO_EDITOR</B>

 
<B>VISUAL</B>

or
<B>EDITOR</B>

environment variables unless they are present in the
<I>env_keep</I>

list or the
<I>env_reset</I>

option is disabled in the
<I>sudoers</I>

file.
The default editor path is
/usr/bin/editor

which can be set at compile time via the
<B>--with-editor</B>

configure option.
<DT id="2"><B>env_editor</B>
<DD>
If set,
<B>visudo</B>


will use the value of the
<B>SUDO_EDITOR</B>

 
<B>VISUAL</B>

or
<B>EDITOR</B>

environment variables before falling back on the default editor list.
Note that
<B>visudo</B>

is typically run as root so this option may allow a user with
<B>visudo</B>

privileges to run arbitrary commands as root without logging.
An alternative is to place a colon-separated list of
``safe''

editors int the
<I>editor</I>

variable.
<B>visudo</B>


will then only use
<B>SUDO_EDITOR</B>

 
<B>VISUAL</B>

or
<B>EDITOR</B>

if they match a value specified in
<I>editor</I>

 
If the
<I>env_reset</I>

flag is enabled, the
<B>SUDO_EDITOR</B>

 
<B>VISUAL</B>

and/or
<B>EDITOR</B>

environment variables must be present in the
<I>env_keep</I>

list for the
<I>env_editor</I>

flag to function when
<B>visudo</B>


is invoked via
<B>sudo</B>

 
The default value is
<I>on</I>

 
which can be set at compile time via the
<B>--with-env-editor</B>

configure option.
</DL>
<P>

<P>

The options are as follows:
<DL COMPACT>
<P>

<DT id="3"><B>-c , -check</B>


<DD>
Enable
<I>check-only</I>

mode.
The existing
<I>sudoers</I>

file (and any other files it includes) will be
checked for syntax errors.
If the path to the
<I>sudoers</I>

file was not specified,
<B>visudo</B>


will also check the file owner and mode.
A message will be printed to the standard output describing the status of
<I>sudoers</I>

unless the
-<B>q</B>

option was specified.
If the check completes successfully,
<B>visudo</B>


will exit with a value of 0.
If an error is encountered,
<B>visudo</B>


will exit with a value of 1.
<DT id="4"><B>-f </B><I>sudoers , -</I><B>-file = </B><I>sudoers</I>












<DD>
Specify an alternate
<I>sudoers</I>

file location, see below.
As of version 1.8.27, the
<I>sudoers</I>

path can be specified without using the
-<B>f</B>

option.
<DT id="5"><B>-h , -help</B>


<DD>
Display a short help message to the standard output and exit.
<DT id="6"><B>-q , -quiet</B>


<DD>
Enable
<I>quiet</I>

mode.
In this mode details about syntax errors are not printed.
This option is only useful when combined with
the
-<B>c</B>

option.
<DT id="7"><B>-s , -strict</B>


<DD>
Enable
<I>strict</I>

checking of the
<I>sudoers</I>

file.
If an alias is referenced but not actually defined
or if there is a cycle in an alias,
<B>visudo</B>


will consider this a parse error.
Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore
(`_'

)

character.
<DT id="8"><B>-V , -version</B>


<DD>
Print the
<B>visudo</B>


and
<I>sudoers</I>

grammar versions and exit.
</DL>
<P>

<P>

A
<I>sudoers</I>

file may be specified instead of the default,
/etc/sudoers

 
The temporary file used is the specified
<I>sudoers</I>

file with
``.tmp''

appended to it.
In
<I>check-only</I>

mode only,
`-'

may be used to indicate that
<I>sudoers</I>

will be read from the standard input.
Because the policy is evaluated in its entirety, it is not sufficient
to check an individual
<I>sudoers</I>

include file for syntax errors.
<A NAME="lbAE">&nbsp;</A>
<H3>Debugging and sudoers plugin arguments</H3>

<B>visudo</B>


versions 1.8.4 and higher support a flexible debugging framework
that is configured via
<B>Debug</B>

lines in the
sudo.conf5


file.
<P>

Starting with
<B>sudo</B>

1.8.12,
<B>visudo</B>


will also parse the arguments to the
<I>sudoers</I>

plugin to override the default
<I>sudoers</I>

path name, UID, GID and file mode.
These arguments, if present, should be listed after the path to the plugin
(i.e., after
sudoers.so )

 
Multiple arguments may be specified, separated by white space.
For example:

<BLOCKQUOTE>
<PRE>
Plugin sudoers_policy sudoers.so sudoers_mode=0400
</PRE>
</BLOCKQUOTE>

<P>

The following arguments are supported:
<DL COMPACT>
<P>

<DT id="9"><B>sudoers_file=pathname</B>
<DD>
The
<I>sudoers_file</I>

argument can be used to override the default path to the
<I>sudoers</I>

file.
<DT id="10"><B>sudoers_uid=uid</B>
<DD>
The
<I>sudoers_uid</I>

argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user-ID.
<DT id="11"><B>sudoers_gid=gid</B>
<DD>
The
<I>sudoers_gid</I>

argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group-ID (not a group name).
<DT id="12"><B>sudoers_mode=mode</B>
<DD>
The
<I>sudoers_mode</I>

argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
</DL>
<P>

<P>

For more information on configuring
sudo.conf5,


please refer to its manual.
<A NAME="lbAF">&nbsp;</A>
<H2>ENVIRONMENT</H2>

The following environment variables may be consulted depending on
the value of the
<I>editor</I>

and
<I>env_editor</I>

<I>sudoers</I>

settings:
<DL COMPACT>
<P>

<DT id="13"><B>SUDO_EDITOR</B>


<DD>
Invoked by
<B>visudo</B>


as the editor to use
<DT id="14"><B>VISUAL</B>


<DD>
Used by
<B>visudo</B>


if
<B>SUDO_EDITOR</B>

is not set
<DT id="15"><B>EDITOR</B>


<DD>
Used by
<B>visudo</B>


if neither
<B>SUDO_EDITOR</B>

nor
<B>VISUAL</B>

is set
</DL>
<P>

<A NAME="lbAG">&nbsp;</A>
<H2>FILES</H2>

<DL COMPACT>
<P>

<DT id="16"><B>/etc/sudo.conf

</B>
<DD>
Sudo front end configuration
<DT id="17"><B>/etc/sudoers

</B>
<DD>
List of who can run what
<DT id="18"><B>/etc/sudoers.tmp

</B>
<DD>
Default temporary file used by visudo
</DL>
<P>

<A NAME="lbAH">&nbsp;</A>
<H2>DIAGNOSTICS</H2>

In addition to reporting
<I>sudoers</I>

parse errors,
<B>visudo</B>


may produce the following messages:
<DL COMPACT>
<P>

<DT id="19"><B>sudoers file busy, try again later.</B>


<DD>
Someone else is currently editing the
<I>sudoers</I>

file.
<DT id="20"><B>/etc/sudoers: Permission denied</B>


<DD>
You didn't run
<B>visudo</B>


as root.
<DT id="21"><B>you do not exist in the passwd database</B>


<DD>
Your user-ID does not appear in the system passwd database.
<DT id="22"><B>Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined</B>


<DD>
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore
(`_'

)

character.
In the latter case, you can ignore the warnings
Po <B>sudo</B>



will not complain
Pc .

The message is prefixed with the path name of the
<I>sudoers</I>

file and the line number where the undefined alias was used.
In
-<B>s</B>

(strict) mode these are errors, not warnings.
<DT id="23"><B>Warning: unused {User,Runas,Host,Cmnd}_Alias</B>


<DD>
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used.
The message is prefixed with the path name of the
<I>sudoers</I>

file and the line number where the unused alias was defined.
You may wish to comment out or remove the unused alias.
<DT id="24"><B>Warning: cycle in {User,Runas,Host,Cmnd}_Alias</B>


<DD>
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
itself, either directly or through an alias it includes.
The message is prefixed with the path name of the
<I>sudoers</I>

file and the line number where the cycle was detected.
This is only a warning unless
<B>visudo</B>


is run in
-<B>s</B>

(strict) mode as
<B>sudo</B>

will ignore cycles when parsing
the
<I>sudoers</I>

file.
<DT id="25"><B>unknown defaults entry name</B>


<DD>
The
<I>sudoers</I>

file contains a
<B>Defaults</B>

setting not recognized by
<B>.</B>

</DL>
<P>

<A NAME="lbAI">&nbsp;</A>
<H2>SEE ALSO</H2>

<A HREF="/cgi-bin/man/man2html?1+vi">vi</A>(1),


sudo.conf5,


<A HREF="/cgi-bin/man/man2html?5+sudoers">sudoers</A>(5),


<A HREF="/cgi-bin/man/man2html?8+sudo">sudo</A>(8),


<A HREF="/cgi-bin/man/man2html?8+vipw">vipw</A>(8)


<A NAME="lbAJ">&nbsp;</A>
<H2>AUTHORS</H2>

Many people have worked on
<B>sudo</B>

over the years; this version consists of code written primarily by:

<BLOCKQUOTE>

An Todd C. Miller

</BLOCKQUOTE>

<P>

See the CONTRIBUTORS file in the
<B>sudo</B>

distribution (<A HREF="https://www.sudo.ws/contributors.html)">https://www.sudo.ws/contributors.html)</A> for an
exhaustive list of people who have contributed to
<B>sudo</B>

 
<A NAME="lbAK">&nbsp;</A>
<H2>CAVEATS</H2>

There is no easy way to prevent a user from gaining a root shell if
the editor used by
<B>visudo</B>


allows shell escapes.
<A NAME="lbAL">&nbsp;</A>
<H2>BUGS</H2>

If you feel you have found a bug in
<B>,</B>

please submit a bug report at <A HREF="https://bugzilla.sudo.ws/">https://bugzilla.sudo.ws/</A>
<A NAME="lbAM">&nbsp;</A>
<H2>SUPPORT</H2>

Limited free support is available via the sudo-users mailing list,
see <A HREF="https://www.sudo.ws/mailman/listinfo/sudo-users">https://www.sudo.ws/mailman/listinfo/sudo-users</A> to subscribe or
search the archives.
<A NAME="lbAN">&nbsp;</A>
<H2>DISCLAIMER</H2>

<B>visudo</B>


is provided
``AS IS''

and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
<B>sudo</B>

or <A HREF="https://www.sudo.ws/license.html">https://www.sudo.ws/license.html</A> for complete details.
<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="26"><A HREF="#lbAB">NAME</A><DD>
<DT id="27"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="28"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DL>
<DT id="29"><A HREF="#lbAE">Debugging and sudoers plugin arguments</A><DD>
</DL>
<DT id="30"><A HREF="#lbAF">ENVIRONMENT</A><DD>
<DT id="31"><A HREF="#lbAG">FILES</A><DD>
<DT id="32"><A HREF="#lbAH">DIAGNOSTICS</A><DD>
<DT id="33"><A HREF="#lbAI">SEE ALSO</A><DD>
<DT id="34"><A HREF="#lbAJ">AUTHORS</A><DD>
<DT id="35"><A HREF="#lbAK">CAVEATS</A><DD>
<DT id="36"><A HREF="#lbAL">BUGS</A><DD>
<DT id="37"><A HREF="#lbAM">SUPPORT</A><DD>
<DT id="38"><A HREF="#lbAN">DISCLAIMER</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:18 GMT, March 31, 2021
</BODY>
</HTML>