1
Copyright (c) 1996,1998-2005, 2007-2012
2
Todd C. Miller <Todd.Miller@courtesan.com>
4
Permission to use, copy, modify, and distribute this software for any
5
purpose with or without fee is hereby granted, provided that the above
6
copyright notice and this permission notice appear in all copies.
8
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17
Sponsored in part by the Defense Advanced Research Projects
18
Agency (DARPA) and Air Force Research Laboratory, Air Force
19
Materiel Command, USAF, under agreement number F39502-99-1-0512.
25
visudo - edit the sudoers file
29
B<visudo> [B<-chqsV>] [B<-f> I<sudoers>]
33
B<visudo> edits the I<sudoers> file in a safe fashion, analogous to
34
L<vipw(8)>. B<visudo> locks the I<sudoers> file against multiple
35
simultaneous edits, provides basic sanity checks, and checks
36
for parse errors. If the I<sudoers> file is currently being
37
edited you will receive a message to try again later.
39
There is a hard-coded list of one or more editors that B<visudo> will
40
use set at compile-time that may be overridden via the I<editor> I<sudoers>
41
C<Default> variable. This list defaults to C<"@editor@">. Normally,
42
B<visudo> does not honor the C<VISUAL> or C<EDITOR> environment
43
variables unless they contain an editor in the aforementioned editors
44
list. However, if B<visudo> is configured with the I<--with-env-editor>
45
option or the I<env_editor> C<Default> variable is set in I<sudoers>,
46
B<visudo> will use any the editor defines by C<VISUAL> or C<EDITOR>.
47
Note that this can be a security hole since it allows the user to
48
execute any program they wish simply by setting C<VISUAL> or C<EDITOR>.
50
B<visudo> parses the I<sudoers> file after the edit and will
51
not save the changes if there is a syntax error. Upon finding
52
an error, B<visudo> will print a message stating the line number(s)
53
where the error occurred and the user will receive the
54
"What now?" prompt. At this point the user may enter "e"
55
to re-edit the I<sudoers> file, "x" to exit without
56
saving the changes, or "Q" to quit and save changes. The
57
"Q" option should be used with extreme care because if B<visudo>
58
believes there to be a parse error, so will B<sudo> and no one
59
will be able to B<sudo> again until the error is fixed.
60
If "e" is typed to edit the I<sudoers> file after a parse error
61
has been detected, the cursor will be placed on the line where the
62
error occurred (if the editor supports this feature).
66
B<visudo> accepts the following command line options:
72
Enable B<check-only> mode. The existing I<sudoers> file will be
73
checked for syntax errors, owner and mode. A message will be printed
74
to the standard output describing the status of I<sudoers> unless
75
the B<-q> option was specified. If the check completes successfully,
76
B<visudo> will exit with a value of 0. If an error is encountered,
77
B<visudo> will exit with a value of 1.
81
Specify and alternate I<sudoers> file location. With this option
82
B<visudo> will edit (or check) the I<sudoers> file of your choice,
83
instead of the default, F<@sysconfdir@/sudoers>. The lock file used
84
is the specified I<sudoers> file with ".tmp" appended to it.
85
In B<check-only> mode only, the argument to B<-f> may be "-",
86
indicating that I<sudoers> will be read from the standard input.
90
The B<-h> (I<help>) option causes B<visudo> to print a short help message
91
to the standard output and exit.
95
Enable B<quiet> mode. In this mode details about syntax errors
96
are not printed. This option is only useful when combined with
101
Enable B<strict> checking of the I<sudoers> file. If an alias is
102
used before it is defined, B<visudo> will consider this a parse
103
error. Note that it is not possible to differentiate between an
104
alias and a host name or user name that consists solely of uppercase
105
letters, digits, and the underscore ('_') character.
109
The B<-V> (version) option causes B<visudo> to print its version number
116
The following environment variables may be consulted depending on
117
the value of the I<editor> and I<env_editor> I<sudoers> variables:
123
Invoked by visudo as the editor to use
127
Used by visudo if VISUAL is not set
135
=item F<@sysconfdir@/sudoers>
137
List of who can run what
139
=item F<@sysconfdir@/sudoers.tmp>
149
=item sudoers file busy, try again later.
151
Someone else is currently editing the I<sudoers> file.
153
=item @sysconfdir@/sudoers.tmp: Permission denied
155
You didn't run B<visudo> as root.
157
=item Can't find you in the passwd database
159
Your userid does not appear in the system passwd file.
161
=item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
163
Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
164
or you have a user or host name listed that consists solely of
165
uppercase letters, digits, and the underscore ('_') character. In
166
the latter case, you can ignore the warnings (B<sudo> will not
167
complain). In B<-s> (strict) mode these are errors, not warnings.
169
=item Warning: unused {User,Runas,Host,Cmnd}_Alias
171
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
172
used. You may wish to comment out or remove the unused alias. In
173
B<-s> (strict) mode this is an error, not a warning.
175
=item Warning: cycle in {User,Runas,Host,Cmnd}_Alias
177
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
178
itself, either directly or through an alias it includes. This is
179
only a warning by default as B<sudo> will ignore cycles when parsing
186
L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>
190
Many people have worked on B<sudo> over the years; this version of
191
B<visudo> was written by:
195
See the CONTRIBUTORS file in the B<sudo> distribution
196
(http://www.sudo.ws/sudo/contributors.html) for a list of people
197
who have contributed to B<sudo>.
201
There is no easy way to prevent a user from gaining a root shell if
202
the editor used by B<visudo> allows shell escapes.
206
If you feel you have found a bug in B<visudo>, please submit a bug report
207
at http://www.sudo.ws/sudo/bugs/
211
Limited free support is available via the sudo-users mailing list,
212
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
217
B<visudo> is provided ``AS IS'' and any express or implied warranties,
218
including, but not limited to, the implied warranties of merchantability
219
and fitness for a particular purpose are disclaimed. See the LICENSE
220
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
221
for complete details.