VISUDO(8)		    System Manager's Manual		     VISUDO(8)

NAME
       visudo -- edit the sudoers file

SYNOPSIS
       visudo [-chIOPqsV] [[-f]	sudoers]

DESCRIPTION
       visudo  edits the sudoers file in a safe	fashion, analogous to vipw(8).
       visudo locks the	sudoers	file against multiple simultaneous edits, per-
       forms basic validity checks, and	checks for syntax  errors  before  in-
       stalling	 the  edited  file.   If  the  sudoers file is currently being
       edited you will receive a message to try	again later.

       If the sudoers file does	not exist, it will be created unless the  edi-
       tor exits without writing to the	file.

       visudo  parses  the  sudoers  file  after editing and will not save the
       changes if there	is a syntax error.  Upon finding an error, visudo will
       print a message stating the line	number(s) where	the error occurred and
       the user	will receive the "What now?" prompt.  At this point  the  user
       may  enter  `e' to re-edit the sudoers file, `x'	to exit	without	saving
       the changes, or `Q' to quit and save changes.  The `Q' option should be
       used with extreme caution because if visudo believes there to be	a syn-
       tax error, so will sudo.	 If `e'	is typed to edit the sudoers file  af-
       ter  a syntax error has been detected, the cursor will be placed	on the
       line where the error occurred (if the editor supports this feature).

       There are two sudoers settings that determine which editor visudo  will
       run.

       editor	   A  colon (`:') separated list of editors allowed to be used
		   with	visudo.	 visudo	will choose the	 editor	 that  matches
		   the user's SUDO_EDITOR, VISUAL, or EDITOR environment vari-
		   able	 if possible, or the first editor in the list that ex-
		   ists	 and  is  executable.	sudo  does  not	 preserve  the
		   SUDO_EDITOR,	VISUAL,	or EDITOR environment variables	unless
		   they	 are present in	the env_keep list or the env_reset op-
		   tion	is disabled in the sudoers file.  The  default	editor
		   path	 is  /usr/bin/vi  which	can be set at compile time via
		   the --with-editor configure option.

       env_editor  If set, visudo will	use  the  value	 of  the  SUDO_EDITOR,
		   VISUAL, or EDITOR environment variables before falling back
		   on  the  default  editor  list.  visudo is typically	run as
		   root	so this	option may allow a user	with visudo privileges
		   to run arbitrary commands as	root without logging.  An  al-
		   ternative is	to place a colon-separated list	of "safe" edi-
		   tors	 in  the  editor  variable.  visudo will then only use
		   SUDO_EDITOR,	VISUAL,	or EDITOR if they match	a value	speci-
		   fied	in editor.  If the  env_reset  flag  is	 enabled,  the
		   SUDO_EDITOR,	 VISUAL,  and/or  EDITOR environment variables
		   must	be present in the env_keep  list  for  the  env_editor
		   flag	 to function when visudo is invoked via	sudo.  The de-
		   fault value is on, which can	be set at compile time via the
		   --with-env-editor configure option.

       The options are as follows:

       -c, --check
	       Enable check-only mode.	The existing  sudoers  file  (and  any
	       other files it includes)	will be	checked	for syntax errors.  If
	       the  path  to  the  sudoers file	was not	specified, visudo will
	       also check the file ownership and permissions (see the  -O  and
	       -P  options).  A	message	will be	printed	to the standard	output
	       describing the status of	sudoers	unless the -q option was spec-
	       ified.  If the check completes successfully, visudo  will  exit
	       with  a	value  of  0.  If an error is encountered, visudo will
	       exit with a value of 1.

       -f sudoers, --file=sudoers
	       Specify an alternate sudoers file location, see below.	As  of
	       version 1.8.27, the sudoers path	can be specified without using
	       the -f option.

       -h, --help
	       Display a short help message to the standard output and exit.

       -I, --no-includes
	       Disable	the editing of include files unless there is a pre-ex-
	       isting syntax error.  By	default, visudo	 will  edit  the  main
	       sudoers	file  and  any files included via @include or #include
	       directives.  Files included via @includedir or #includedir  are
	       never edited unless they	contain	a syntax error.

       -O, --owner
	       Enforce	the  default ownership (user and group)	of the sudoers
	       file.  In edit mode, the	owner of the edited file will  be  set
	       to  the default.	 In check mode (-c), an	error will be reported
	       if the owner is incorrect.  This	option is enabled  by  default
	       if the sudoers file was not specified.

       -P, --perms
	       Enforce the default permissions (mode) of the sudoers file.  In
	       edit  mode,  the	 permissions of	the edited file	will be	set to
	       the default.  In	check mode (-c), an error will be reported  if
	       the  file permissions are incorrect.  This option is enabled by
	       default if the sudoers file was not specified.

       -q, --quiet
	       Enable quiet mode.  In this mode	details	 about	syntax	errors
	       are not printed.	 This option is	only useful when combined with
	       the -c option.

       -s, --strict
	       Enable  strict  checking	 of  the sudoers file.	If an alias is
	       referenced but not actually defined or if there is a  cycle  in
	       an  alias, visudo will consider this a syntax error.  It	is not
	       possible	to differentiate between an alias and a	host  name  or
	       user  name  that	 consists solely of uppercase letters, digits,
	       and the underscore (`_')	character.

       -V, --version
	       Print the visudo	and sudoers grammar versions and exit.

       A  sudoers  file	  may	be   specified	 instead   of	the   default,
       /usr/local/etc/sudoers.	 The  temporary	 file  used  is	 the specified
       sudoers file with ".tmp"	appended to it.	 In check-only mode only,  `-'
       may be used to indicate that sudoers will be read from the standard in-
       put.  Because the policy	is evaluated in	its entirety, it is not	suffi-
       cient to	check an individual sudoers include file for syntax errors.
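
       Added example (not part of this manual or of the sudo distribution): a
       POSIX shell helper that uses the check-mode options above to install a
       file into an include directory and then re-check the whole policy.  The
       function name, its return codes and the SUDOERS_D path are assumptions
       made for illustration.

```shell
# SUDOERS_D is an assumed @includedir location; match it to your sudoers file.
SUDOERS_D="${SUDOERS_D:-/usr/local/etc/sudoers.d}"

# install_dropin CANDIDATE NAME  (hypothetical helper, run as root)
# Returns 0 on success, 1 on a copy error, 2 for a name sudo would skip,
# 3 if the candidate fails to parse, 4 if the full policy fails (rolled back).
install_dropin() {
    candidate=$1
    name=$2
    target="$SUDOERS_D/$name"

    # Names containing '.' or ending in '~' are skipped in an include
    # directory, so the rules in such a file would silently never apply.
    case "$name" in
        ''|*/*|*.*|*~) echo "refusing file name: $name" >&2; return 2 ;;
    esac

    # 1. Syntax-check the candidate alone: -c check only, -q quiet, -f file.
    visudo -cq -f "$candidate" || return 3

    # 2. Keep a backup of any file being replaced, then install read-only.
    backup=
    if [ -e "$target" ]; then
        backup=$(mktemp) || return 1
        cp -pf "$target" "$backup" || return 1
    fi
    { cp -f "$candidate" "$target" && chmod 0440 "$target"; } || return 1

    # 3. Check the whole policy, since one include passing is not sufficient.
    #    With no path given, visudo -c also checks sudoers owner and mode.
    if visudo -cq; then
        [ -z "$backup" ] || rm -f "$backup"
        return 0
    fi

    # 4. Roll back so a policy that fails the check does not stay in place.
    if [ -n "$backup" ]; then
        cp -pf "$backup" "$target"
        rm -f "$backup"
    else
        rm -f "$target"
    fi
    return 4
}
```

       A return value of 4 means the file parsed on its own but the policy as
       a whole did not pass the check, so the previous state was restored.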

   Debugging and sudoers plugin	arguments
       visudo versions 1.8.4 and higher	support	a flexible debugging framework
       that is configured via Debug lines in the sudo.conf(5) file.

       Starting	 with sudo 1.8.12, visudo will also parse the arguments	to the
       sudoers plugin to override the  default	sudoers	 path  name,  user-ID,
       group-ID, and file mode.	 These arguments, if present, should be	listed
       after  the path to the plugin (i.e., after sudoers.so).	Multiple argu-
       ments may be specified, separated by white space.  For example:

	   Plugin sudoers_policy sudoers.so sudoers_mode=0400

       The following arguments are supported:

       sudoers_file=pathname
	     The sudoers_file argument can be used  to	override  the  default
	     path to the sudoers file.

       sudoers_uid=user-ID
	     The  sudoers_uid  argument	 can  be  used to override the default
	     owner of the sudoers file.	 It should be specified	as  a  numeric
	     user-ID.

       sudoers_gid=group-ID
	     The  sudoers_gid  argument	 can  be  used to override the default
	     group of the sudoers file.	 It must be  specified	as  a  numeric
	     group-ID (not a group name).

       sudoers_mode=mode
	     The  sudoers_mode	argument  can  be used to override the default
	     file mode for the sudoers file.  It should	be specified as	an oc-
	     tal value.

       For more	information on configuring sudo.conf(5), refer to its manual.

ENVIRONMENT
       The following environment variables may be consulted depending  on  the
       value of	the editor and env_editor sudoers settings:

       SUDO_EDITOR	Invoked	by visudo as the editor	to use

       VISUAL		Used by	visudo if SUDO_EDITOR is not set

       EDITOR		Used  by  visudo  if neither SUDO_EDITOR nor VISUAL is
			set

FILES
       /usr/local/etc/sudo.conf	 Sudo front-end	configuration

       /usr/local/etc/sudoers	 List of who can run what

       /usr/local/etc/sudoers.tmp
				 Default temporary file	used by	visudo

DIAGNOSTICS
       In addition to reporting	sudoers	syntax errors, visudo may produce  the
       following messages:

       sudoers file busy, try again later.
	     Someone else is currently editing the sudoers file.

       /usr/local/etc/sudoers: Permission denied
	     You didn't	run visudo as root.

       you do not exist	in the passwd database
	     Your user-ID does not appear in the system	passwd database.

       Warning:	{User,Runas,Host,Cmnd}_Alias referenced	but not	defined
	     Either	you	are    trying	 to    use    an    undeclared
	     {User,Runas,Host,Cmnd}_Alias or you have  a  user	or  host  name
	     listed that consists solely of uppercase letters, digits, and the
	     underscore	 (`_')	character.  In the latter case,	you can	ignore
	     the warnings (sudo	will not complain).  The message  is  prefixed
	     with  the path name of the	sudoers	file and the line number where
	     the undefined alias was used.  In -s (strict) mode	these are  er-
	     rors, not warnings.

       Warning:	unused {User,Runas,Host,Cmnd}_Alias
	     The  specified {User,Runas,Host,Cmnd}_Alias was defined but never
	     used.  The	message	is prefixed with the path name of the  sudoers
	     file and the line number where the	unused alias was defined.  You
	     may wish to comment out or	remove the unused alias.

       Warning:	cycle in {User,Runas,Host,Cmnd}_Alias
	     The  specified  {User,Runas,Host,Cmnd}_Alias includes a reference
	     to	itself,	either directly	or through an alias it includes.   The
	     message  is  prefixed  with the path name of the sudoers file and
	     the line number where the cycle was detected.   This  is  only  a
	     warning unless visudo is run in -s	(strict) mode as sudo will ig-
	     nore cycles when parsing the sudoers file.

       ignoring	editor backup file
	     While  processing	a @includedir or #includedir, a	file was found
	     with a name that ends in `~' or .bak.  Such files are skipped  by
	     sudo and visudo.

       ignoring	file name containing '.'
	     While  processing	a @includedir or #includedir, a	file was found
	     with a name that  contains	 a  `.'	 character.   Such  files  are
	     skipped by	sudo and visudo.

       unknown defaults	entry "name"
	     The  sudoers  file	 contains a Defaults setting not recognized by
	     visudo.

SEE ALSO
       vi(1), sudo.conf(5), sudoers(5),	sudo(8), vipw(8)

AUTHORS
       Many people have	worked on sudo over the	years; this  version  consists
       of code written primarily by:

	     Todd C. Miller

       See    the    CONTRIBUTORS.md	file	in   the   sudo	  distribution
       (https://www.sudo.ws/about/contributors/) for  an  exhaustive  list  of
       people who have contributed to sudo.

CAVEATS
       There is	no easy	way to prevent a user from gaining a root shell	if the
       editor used by visudo allows shell escapes.

BUGS
       If  you	believe	 you have found	a bug in visudo, you can either	file a
       bug report in the sudo bug database, https://bugzilla.sudo.ws/, or open
       an issue	at https://github.com/sudo-project/sudo/issues.	 If you	 would
       prefer  to  use email, messages may be sent to the sudo-workers mailing
       list,  https://www.sudo.ws/mailman/listinfo/sudo-workers	 (public)   or
       <sudo@sudo.ws> (private).

       Please do not report security vulnerabilities through public GitHub
       issues, Bugzilla or mailing lists.  Instead, report them via email to
       <Todd.Miller@sudo.ws>.  You may encrypt your message with PGP if you
       would like, using the key found at https://www.sudo.ws/dist/PGPKEYS.

SUPPORT
       Limited free support is available via the sudo-users mailing list,  see
       https://www.sudo.ws/mailman/listinfo/sudo-users	to subscribe or	search
       the archives.

DISCLAIMER
       visudo is provided "AS IS" and any express or implied  warranties,  in-
       cluding,	 but not limited to, the implied warranties of merchantability
       and fitness for a particular  purpose  are  disclaimed.	 See  the  LI-
       CENSE.md	 file  distributed  with sudo or https://www.sudo.ws/about/li-
       cense/ for complete details.

Sudo 1.9.16p2			 July 27, 2023			     VISUDO(8)
