VISUDO(1m)                  System Manager's Manual                 VISUDO(1m)

NAME
     visudo - edit the sudoers file

SYNOPSIS
     visudo [-chqsV] [-f sudoers] [-x file]

DESCRIPTION
     visudo edits the sudoers file in a safe fashion, analogous to vipw(1m).
     visudo locks the sudoers file against multiple simultaneous edits,
     provides basic sanity checks, and checks for parse errors.  If the
     sudoers file is currently being edited you will receive a message to try
     again later.

     visudo uses a hard-coded list of one or more editors, set at compile
     time, which may be overridden via the editor sudoers Default variable.
     This list defaults to vi.  Normally, visudo does not honor the VISUAL or
     EDITOR environment variables unless they contain an editor in the
     aforementioned editors list.  However, if visudo is configured with the
     --with-env-editor option or the env_editor Default variable is set in
     sudoers, visudo will use any editor defined by VISUAL or EDITOR.  Note
     that this can be a security hole since it allows the user to execute any
     program they wish simply by setting VISUAL or EDITOR.

     visudo parses the sudoers file after the edit and will not save the
     changes if there is a syntax error.  Upon finding an error, visudo will
     print a message stating the line number(s) where the error occurred and
     the user will receive the ``What now?'' prompt.  At this point the user
     may enter `e' to re-edit the sudoers file, `x' to exit without saving the
     changes, or `Q' to quit and save changes.  The `Q' option should be used
     with extreme care because if visudo believes there to be a parse error,
     so will sudo and no one will be able to sudo again until the error is
     fixed.  If `e' is typed to edit the sudoers file after a parse error has
     been detected, the cursor will be placed on the line where the error
     occurred (if the editor supports this feature).

     The options are as follows:

     -c, --check
             Enable check-only mode.  The existing sudoers file will be
             checked for syntax errors, owner and mode.  A message will be
             printed to the standard output describing the status of
             sudoers unless the -q option was specified.  If the check
             completes successfully, visudo will exit with a value of 0.
             If an error is encountered, visudo will exit with a value of
             1.

     -f sudoers, --file=sudoers
             Specify an alternate sudoers file location.  With this
             option, visudo will edit (or check) the sudoers file of your
             choice, instead of the default, /etc/sudoers.  The lock file
             used is the specified sudoers file with ``.tmp'' appended to
             it.  In check-only mode only, the argument to -f may be `-',
             indicating that sudoers will be read from the standard input.

     -h, --help
             Display a short help message to the standard output and exit.

     -q, --quiet
             Enable quiet mode.  In this mode details about syntax errors
             are not printed.  This option is only useful when combined
             with the -c option.

     -s, --strict
             Enable strict checking of the sudoers file.  If an alias is
             used before it is defined, visudo will consider this a parse
             error.  Note that it is not possible to differentiate between
             an alias and a host name or user name that consists solely of
             uppercase letters, digits, and the underscore (`_')
             character.

     -V, --version
             Print the visudo and sudoers grammar versions and exit.

     -x file, --export=file
             Export sudoers in JSON format and write it to file.  If file
             is `-', the exported sudoers policy will be written to the
             standard output.  The exported format is intended to be
             easier for third-party applications to parse than the
             traditional sudoers format.  The various values have explicit
             types which removes much of the ambiguity of the sudoers
             format.

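     The following is an added example, not part of the sudo distribution:
     a gate for scripted changes that refuses a candidate policy which
     enables env_editor, checks it with the -c, -q, -s and -f - options
     described above, and only then installs it.  The names VISUDO,
     sets_env_editor and install_sudoers are assumptions of this example.

```shell
#!/bin/sh
# Added example: gate a candidate sudoers file before it replaces the live one.
# VISUDO, sets_env_editor and install_sudoers are names chosen for this example.
VISUDO=${VISUDO:-visudo}

# Return 0 if the file has an active "Defaults ... env_editor" entry
# (not the negated "!env_editor" form and not a commented-out line).
sets_env_editor() {
    grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]env_editor([[:space:],]|$)' "$1"
}

# install_sudoers CANDIDATE DEST
# Status: 0 installed, 1 visudo rejected it, 2 env_editor enabled, 3 I/O error.
install_sudoers() {
    candidate=$1
    dest=$2

    [ -r "$candidate" ] || return 3

    if sets_env_editor "$candidate"; then
        echo "refusing $candidate: enables env_editor" >&2
        return 2
    fi

    # -c: check only, -q: no parse details, -s: strict (alias warnings
    # become errors), -f -: read the policy from standard input.
    if ! "$VISUDO" -cqs -f - <"$candidate"; then
        echo "refusing $candidate: visudo -c reported an error" >&2
        return 1
    fi

    # Write beside the destination, set mode 0440, then rename over it so
    # a reader never sees a half-written policy.
    tmp=$(mktemp "$dest.XXXXXX") || return 3
    if cat "$candidate" >"$tmp" && chmod 0440 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 3
}
```

     This path does not take the lock that an interactive visudo session
     holds, so it should not be run while someone is editing the same file.
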
ENVIRONMENT
     The following environment variables may be consulted depending on the
     value of the editor and env_editor sudoers settings:

     VISUAL           Invoked by visudo as the editor to use

     EDITOR           Used by visudo if VISUAL is not set

FILES
     /etc/sudoers              List of who can run what

     /etc/sudoers.tmp          Lock file for visudo

DIAGNOSTICS
     sudoers file busy, try again later.
           Someone else is currently editing the sudoers file.

     /etc/sudoers.tmp: Permission denied
           You didn't run visudo as root.

     Can't find you in the passwd database
           Your user ID does not appear in the system passwd file.

     Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
           Either you are trying to use an undeclared
           {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
           that consists solely of uppercase letters, digits, and the
           underscore (`_') character.  In the latter case, you can ignore the
           warnings (sudo will not complain).  In -s (strict) mode these are
           errors, not warnings.

     Warning: unused {User,Runas,Host,Cmnd}_Alias
           The specified {User,Runas,Host,Cmnd}_Alias was defined but never
           used.  You may wish to comment out or remove the unused alias.  In
           -s (strict) mode this is an error, not a warning.

     Warning: cycle in {User,Runas,Host,Cmnd}_Alias
           The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
           itself, either directly or through an alias it includes.  This is
           only a warning by default as sudo will ignore cycles when parsing
           the sudoers file.

SEE ALSO
     vi(1), sudoers(4), sudo(1m), vipw(1m)

AUTHORS
     Many people have worked on sudo over the years; this version consists of
     code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS file in the sudo distribution
     (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
     people who have contributed to sudo.

CAVEATS
     There is no easy way to prevent a user from gaining a root shell if the
     editor used by visudo allows shell escapes.

BUGS
     If you feel you have found a bug in visudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
     archives.

DISCLAIMER
     visudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for
     complete details.

Sudo 1.8.10                    February 15, 2014                   Sudo 1.8.10