Linux visudo command

Updated: 05/04/2019 by Computer Hope

On Unix-like operating systems, the visudo command edits the sudoers file, which is used by the sudo command. To change what users and groups are allowed to run sudo, run visudo.

If no rule in sudoers grants the user running sudo the command they asked for, sudo refuses to run it with elevated privileges.

Do not edit sudoers directly in a text editor. Edit it with visudo, which locks the file and checks its syntax before the changes are saved to disk. This matters because sudo itself refuses to run at all when sudoers contains a syntax error, so a careless edit locks everyone out of sudo.

Description

visudo edits the sudoers file, which defines which users and groups may run which commands through sudo, and as which user and group.

Visudo edits the sudoers file in a safe fashion, similar to the way that vipw safely edits the passwd file. Visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited by someone else, or by you in another session, you will receive a message to try again later.

There is a hard-coded list of one or more editors that visudo uses, set at compile-time. The default is vi.

Note

By default, visudo doesn't honor the VISUAL or EDITOR environment variables, which many programs use to choose a text editor. If visudo was built with the --with-env-editor option, or the env_editor option is set on a Defaults line in sudoers, visudo runs the editor named by VISUAL or EDITOR instead. Doing so weakens security: visudo runs as root, so anyone allowed to run it can then execute any program as root simply by pointing VISUAL or EDITOR at it. If you need an editor other than the compiled-in default, add it to the editor Defaults option (a colon-separated list of permitted editors) instead of enabling env_editor.

Visudo parses the sudoers file after the edit, and will not save the changes if there is a syntax error. Upon finding an error, visudo prints a message stating the line number(s) where the error occurred and the user will receive the "What now?" prompt. At the prompt, type e to re-edit the sudoers file, x to exit without saving the changes, or Q to quit and save changes. The "Q" option should be used with extreme care, because if visudo finds a parse error, so will sudo, and no one can run sudo again until the error is fixed. If "e" is typed to edit the sudoers file after a parse error is detected, the cursor will be placed on the line where the error occurred, if the editor supports this feature.

Syntax

visudo [-c] [-h] [-q] [-s] [-V] [-f sudoers]

Options

-c Enable check-only mode. The existing sudoers file will be checked for syntax errors, owner and mode. A message will be printed to the standard output describing the status of sudoers unless the -q option was specified. If the check completes successfully, visudo will exit with a value of 0. If an error is encountered, visudo will exit with a value of 1.
-f sudoers Specify an alternate sudoers file location. With this option, visudo will edit (or check) the sudoers file of your choice, instead of the default, /etc/sudoers. The lock file used is the specified sudoers file with ".tmp" appended to it. In check-only mode only, the argument to -f may be -, indicating that sudoers will be read from the standard input.
-h The -h (help) option causes visudo to print a short help message to the standard output and exit.
-q Enable quiet mode. In this mode details about syntax errors are not printed. This option is only useful when combined with the -c option.
-s Enable strict checking of the sudoers file. If an alias is used before it is defined, visudo will consider this a parse error. Note that it is not possible to differentiate between an alias and a hostname or username that consists solely of uppercase letters, digits, and the underscore (‘_’) character.
-V The -V (version) option causes visudo to print its version number and exit.

The sudoers file

A typical sudoers file looks like this:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults  env_reset
Defaults  mail_badpass
Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root  ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

Here, "root ALL=(ALL:ALL) ALL" states that the user root, on any host, may run any command as any user and any group. The general form of this directive is:

user hostname=(runas-user:runas-group) command

The special word ALL may be used in any of these positions and matches anything.

If user begins with a %, it is interpreted as the name of a group, and the directive applies to every member of that group. So "%admin ALL=(ALL) ALL" lets members of the group admin run any command as any user; because no runas group is listed after a colon, they cannot choose a group with sudo -g. Members of group sudo get the same rights three lines later, and their (ALL:ALL) also permits any group.

So, with this configuration, if you want a user to have sudo rights, you can add them to the admin or sudo group, and don't need to edit sudoers at all. In this case, the command:

usermod -aG sudo hope

would grant sudo rights to the user hope the next time they log in. For more information about how to use usermod to change a user's group membership, see the usermod command.

If you don't want a dedicated sudo group, you can grant sudo rights to a user directly, by adding a line anywhere in sudoers (or, because this sudoers includes /etc/sudoers.d, in a new file there opened with visudo's -f option). To give user hope full sudo access, for instance, add:

hope ALL=(ALL:ALL) ALL

Then save the file and exit the text editor launched by visudo.
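
The steps above add the rule interactively in visudo's editor. For an unattended change (a configuration management run, for instance), the safer route, and the one the sample file's own comment recommends, is a drop-in file under /etc/sudoers.d that is passed through visudo's check-only mode (-c, with -f - reading from standard input) before it is installed. The script below is an added example, not code from the original page or from the sudo project. It assumes a sudoers that contains "#includedir /etc/sudoers.d" as the sample file does, and that visudo is on PATH; the rule text and the drop-in name hope-fullsudo are made up for the demonstration.

```python
"""Check a sudoers drop-in with visudo before installing it under /etc/sudoers.d.

Added example, not part of the original page or of the sudo project. It assumes
a sudoers that contains '#includedir /etc/sudoers.d' (as the sample file above
does) and that visudo is on PATH. The rule text and the drop-in name
'hope-fullsudo' are made up for the demonstration.
"""
import os
import re
import shutil
import subprocess
import tempfile

SUDOERS_D = "/etc/sudoers.d"

# The rule the text above adds to /etc/sudoers, here destined for a drop-in instead.
RULE = "hope ALL=(ALL:ALL) ALL\n"

# sudoers(5): files in an #includedir whose name contains a '.' or ends in '~'
# are silently skipped, so 'hope.conf' or 'hope~' would never take effect.
# Stay conservative and allow only letters, digits, '_' and '-'.
_DROPIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def valid_dropin_name(name: str) -> bool:
    """True if sudo will actually read a drop-in with this file name."""
    return _DROPIN_NAME.match(name) is not None


def visudo_available() -> bool:
    return shutil.which("visudo") is not None


def _normalize(text: str) -> str:
    return text if text.endswith("\n") else text + "\n"


def check_fragment(text: str) -> tuple:
    """Run the candidate text through 'visudo -c -f -' (check-only, read from stdin).

    Nothing is written and the live /etc/sudoers is never opened or locked, so
    this is safe to run as an unprivileged user. Returns (parsed_ok, visudo_output).
    """
    proc = subprocess.run(
        ["visudo", "-c", "-f", "-"],
        input=_normalize(text), text=True, capture_output=True, check=False,
    )
    return proc.returncode == 0, proc.stdout + proc.stderr


def install_dropin(name: str, text: str, sudoers_d: str = SUDOERS_D) -> str:
    """Validate, then atomically install text as sudoers_d/name (root:root, 0440).

    Raises ValueError rather than installing anything sudo would reject or
    ignore; needs root for the chown and for writing into /etc/sudoers.d.
    """
    if not valid_dropin_name(name):
        raise ValueError(f"{name!r}: #includedir skips names containing '.' or ending in '~'")
    text = _normalize(text)
    ok, output = check_fragment(text)
    if not ok:
        raise ValueError("visudo rejected the fragment:\n" + output)
    # The temporary name starts with '.', so sudo ignores it until the rename.
    fd, tmp = tempfile.mkstemp(dir=sudoers_d, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, 0o440)
        os.chown(tmp, 0, 0)
        dest = os.path.join(sudoers_d, name)
        os.replace(tmp, dest)  # atomic: sudo sees either no file or the whole file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return dest


if __name__ == "__main__":
    ok, out = check_fragment(RULE)
    print(out.strip() or ("parsed OK" if ok else "rejected"))
    if ok and os.geteuid() == 0:
        print("installed", install_dropin("hope-fullsudo", RULE))
    elif ok:
        print("re-run as root to install into", SUDOERS_D)
```

Checking the fragment on its own does not prove the combined configuration is sane (a drop-in can still redefine an alias or a Defaults setting from the main file), so after installing, run visudo -c with no arguments to parse /etc/sudoers together with everything it includes.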

Important files

/etc/sudoers Permissions configuration for the sudo command.
/etc/sudoers.tmp The lock file, which prevents multiple simultaneous edits to sudoers.

Examples

To edit the sudoers file, run visudo as root. Switch user to root with su (requires the root password, which is different from your user password):

su
Password:

Then run visudo:

visudo

Or if you already have sudo rights, run visudo with sudo:

sudo visudo
[sudo] password for user:

Sudoer directives

The following are examples of lines added to sudoers when you run visudo:

hope ALL=(ALL:ALL) ALL

User hope can run all commands as any user or group, on any host to which this sudoers file applies.

%hope ALL=(ALL:ALL) ALL

Same as above, except the permissions apply to any member of the group hope (which may or may not include the user hope).

hope myhost=(mysqluser:mysqlusers) /usr/bin/mysqldump

User hope, when logged in to host myhost, may run /usr/bin/mysqldump as the user mysqluser, as the group mysqlusers, or both. Commands in sudoers must be written as full paths (a bare "mysqldump" is a syntax error), and because no arguments are listed after the path, hope may pass it any arguments. For example, this directive would allow user hope to run this command:

sudo -u mysqluser -g mysqlusers mysqldump
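
To make the matching behind the directive form "user hostname=(runas-user:runas-group) command" and the three directives above concrete, here is a small model of it that answers the question sudo answers at run time: may this user, on this host, run this command as that user and group? It is an added example, not code from the original page or from sudo itself. It handles only the constructs these directives use (plain users, %group entries, ALL, hostnames, comma-separated runas and command lists, full-path commands); aliases, NOPASSWD-style tags, "!" negation, wildcards, command arguments and #includedir are deliberately not modelled. The sudoers text and the group memberships in it are constructed for the demonstration.

```python
"""Evaluate who may run what under a set of sudoers privilege lines.

Added example, not from the original page or from sudo: a model of the
'user host=(runas_user:runas_group) command' form. Aliases, tags, negation,
wildcards, command arguments and #includedir are not handled. SAMPLE_SUDOERS
and GROUPS below are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_SUDOERS = """\
# constructed from the sample file above; mysqldump given as the full path sudoers requires
Defaults  env_reset
root  ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
hope myhost=(mysqluser:mysqlusers) /usr/bin/mysqldump
#includedir /etc/sudoers.d
"""

# Constructed group membership (what the system's group database would report).
GROUPS = {"sudo": {"alice"}, "admin": {"bob"}, "mysqlusers": {"mysqluser"}}

_SPEC = re.compile(
    r"^(?P<who>%?[A-Za-z0-9_.$-]+)\s+(?P<host>[A-Za-z0-9_.-]+)\s*=\s*"
    r"(?:\(\s*(?P<ru>[^:)]*?)\s*(?::\s*(?P<rg>[^)]*?)\s*)?\))?\s*(?P<cmds>.+)$"
)


@dataclass(frozen=True)
class Rule:
    who: str                        # 'hope' or '%sudo'
    host: str                       # a hostname, or 'ALL'
    runas_users: frozenset          # {'ALL'}, or {'root'} when no (...) part is given
    runas_groups: frozenset | None  # None when the (...) part names no group
    commands: frozenset             # full paths, or {'ALL'}


def _split(s: str) -> list:
    return [p.strip() for p in s.split(",") if p.strip()]


def parse_sudoers(text: str) -> list:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Comments (including #includedir) and Defaults settings grant nothing by themselves.
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = _SPEC.match(line)
        if not m or re.match(r"^(User|Host|Cmnd|Runas)_Alias\b", line):
            raise ValueError(f"line {lineno}: unsupported or malformed: {line!r}")
        ru, rg = m.group("ru"), m.group("rg")
        runas_users = frozenset(_split(ru)) if ru is not None else frozenset({"root"})
        runas_groups = frozenset(_split(rg)) if rg is not None else None
        commands = frozenset(_split(m.group("cmds")))
        # sudoers requires fully qualified command paths; anything else here is a
        # tag, alias or wildcard form this model does not handle.
        if not runas_users or not all(c == "ALL" or c.startswith("/") for c in commands):
            raise ValueError(f"line {lineno}: unsupported command spec: {line!r}")
        rules.append(Rule(m.group("who"), m.group("host"), runas_users, runas_groups, commands))
    return rules


def _who_matches(who: str, user: str, groups: dict) -> bool:
    if who == "ALL":
        return True
    if who.startswith("%"):
        return user in groups.get(who[1:], set())
    return who == user


def may_run(rules, groups, user, host, command, runas_user="root", runas_group=None) -> bool:
    """True if some rule lets user, on host, run command as runas_user (and -g runas_group).

    runas_user defaults to root, as sudo does without -u; runas_group=None means
    no -g was given. Only allow rules exist in this subset, so the first match
    decides (real sudo lets a later matching rule override an earlier one).
    """
    for r in rules:
        if not _who_matches(r.who, user, groups):
            continue
        if r.host != "ALL" and r.host != host:
            continue
        if "ALL" not in r.runas_users and runas_user not in r.runas_users:
            continue
        if runas_group is not None:
            # '(user)' with no group list permits no -g at all (real sudo also accepts
            # the target user's primary group, which this model does not know about).
            if r.runas_groups is None:
                continue
            if "ALL" not in r.runas_groups and runas_group not in r.runas_groups:
                continue
        if "ALL" not in r.commands and command not in r.commands:
            continue
        return True
    return False


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for user, host, cmd, ru, rg in [
        ("alice", "web1", "/bin/sh", "root", None),                  # %sudo: anything
        ("bob", "web1", "/bin/ls", "postgres", "postgres"),          # %admin has (ALL): no -g
        ("hope", "myhost", "/usr/bin/mysqldump", "mysqluser", "mysqlusers"),
        ("hope", "backup2", "/usr/bin/mysqldump", "mysqluser", None),  # wrong host
        ("hope", "myhost", "/usr/bin/mysqldump", "root", None),        # root not a listed runas user
    ]:
        verdict = "allowed" if may_run(rules, GROUPS, user, host, cmd, ru, rg) else "denied"
        print(f"{user}@{host}: sudo -u {ru}" + (f" -g {rg}" if rg else "") + f" {cmd}: {verdict}")
```

Real sudo resolves a bare command name such as mysqldump through secure_path before matching, which is why the model compares full paths: the rule grants /usr/bin/mysqldump, and "sudo -u mysqluser -g mysqlusers mysqldump" on myhost resolves to exactly that path.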

Related commands

su — Become the superuser or another user.
sudo — Execute a command as the superuser.
vi — Text editor based on the visual mode of ex.
vipw — Safely edit the password file.