1: .\"
2: .\" Copyright (c) 1996,1998-2005, 2007-2014
3: .\" Todd C. Miller <Todd.Miller@courtesan.com>
4: .\"
5: .\" Permission to use, copy, modify, and distribute this software for any
6: .\" purpose with or without fee is hereby granted, provided that the above
7: .\" copyright notice and this permission notice appear in all copies.
8: .\"
9: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17: .\"
18: .\" Sponsored in part by the Defense Advanced Research Projects
19: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
20: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
21: .\"
22: .Dd February 15, 2014
23: .Dt VISUDO @mansectsu@
24: .Os Sudo @PACKAGE_VERSION@
25: .Sh NAME
26: .Nm visudo
27: .Nd edit the sudoers file
28: .Sh SYNOPSIS
29: .Nm visudo
30: .Op Fl chqsV
31: .Op Fl f Ar sudoers
32: .Op Fl x Ar file
33: .Sh DESCRIPTION
34: .Nm visudo
35: edits the
36: .Em sudoers
37: file in a safe fashion, analogous to
38: .Xr vipw @mansectsu@ .
39: .Nm visudo
40: locks the
41: .Em sudoers
42: file against multiple simultaneous edits, provides basic sanity checks,
43: and checks for parse errors.
44: If the
45: .Em sudoers
46: file is currently being edited you will receive a message to try again later.
47: .Pp
48: There is a hard-coded list of one or more editors that
49: .Nm visudo
50: will use set at compile-time that may be overridden via the
51: .Em editor
52: .Em sudoers
53: .Li Default
54: variable.
55: This list defaults to
56: .Li "@editor@" .
57: Normally,
58: .Nm visudo
59: does not honor the
60: .Ev VISUAL
61: or
62: .Ev EDITOR
63: environment variables unless they contain an editor in the aforementioned
64: editors list.
65: However, if
66: .Nm visudo
67: is configured with the
68: .Li --with-env-editor
69: option or the
70: .Em env_editor
71: .Li Default
72: variable is set in
73: .Em sudoers ,
74: .Nm visudo
75: will use any the editor defines by
76: .Ev VISUAL
77: or
78: .Ev EDITOR .
79: Note that this can be a security hole since it allows the user to
80: execute any program they wish simply by setting
81: .Ev VISUAL
82: or
83: .Ev EDITOR .
84: .Pp
85: .Nm visudo
86: parses the
87: .Em sudoers
88: file after the edit and will
89: not save the changes if there is a syntax error.
90: Upon finding an error,
91: .Nm visudo
92: will print a message stating the line number(s)
93: where the error occurred and the user will receive the
94: .Dq What now?
95: prompt.
96: At this point the user may enter
97: .Ql e
98: to re-edit the
99: .Em sudoers
100: file,
101: .Ql x
102: to exit without saving the changes, or
103: .Ql Q
104: to quit and save changes.
105: The
106: .Ql Q
107: option should be used with extreme care because if
108: .Nm visudo
109: believes there to be a parse error, so will
110: .Nm sudo
111: and no one
112: will be able to
113: .Nm sudo
114: again until the error is fixed.
115: If
116: .Ql e
117: is typed to edit the
118: .Em sudoers
119: file after a parse error has been detected, the cursor will be placed on
120: the line where the error occurred (if the editor supports this feature).
121: .Pp
122: The options are as follows:
123: .Bl -tag -width Fl
124: .It Fl c , -check
125: Enable
126: .Em check-only
127: mode.
128: The existing
129: .Em sudoers
130: file will be
131: checked for syntax errors, owner and mode.
132: A message will be printed to the standard output describing the status of
133: .Em sudoers
134: unless the
135: .Fl q
136: option was specified.
137: If the check completes successfully,
138: .Nm visudo
139: will exit with a value of 0.
140: If an error is encountered,
141: .Nm visudo
142: will exit with a value of 1.
143: .It Fl f Ar sudoers , Fl -file Ns = Ns Ar sudoers
144: Specify an alternate
145: .Em sudoers
146: file location.
147: With this option,
148: .Nm visudo
149: will edit (or check) the
150: .Em sudoers
151: file of your choice,
152: instead of the default,
153: .Pa @sysconfdir@/sudoers .
154: The lock file used is the specified
155: .Em sudoers
156: file with
157: .Dq \.tmp
158: appended to it.
159: In
160: .Em check-only
161: mode only, the argument to
162: .Fl f
163: may be
164: .Ql - ,
165: indicating that
166: .Em sudoers
167: will be read from the standard input.
168: .It Fl h , -help
169: Display a short help message to the standard output and exit.
170: .It Fl q , -quiet
171: Enable
172: .Em quiet
173: mode.
174: In this mode details about syntax errors are not printed.
175: This option is only useful when combined with
176: the
177: .Fl c
178: option.
179: .It Fl s , -strict
180: Enable
181: .Em strict
182: checking of the
183: .Em sudoers
184: file.
185: If an alias is used before it is defined,
186: .Nm visudo
187: will consider this a parse error.
188: Note that it is not possible to differentiate between an
189: alias and a host name or user name that consists solely of uppercase
190: letters, digits, and the underscore
191: .Pq Ql _
192: character.
193: .It Fl V , -version
194: Print the
195: .Nm visudo
196: and
197: .Em sudoers
198: grammar versions and exit.
199: .It Fl x Ar file , Fl -export Ns = Ns Ar file
200: Export
201: .Em sudoers
202: in JSON format and write it to
203: .Ar file .
204: If
205: .Ar file
206: is
207: .Ql - ,
208: the exported
209: .Em sudoers
210: policy will be written to the standard output.
211: The exported format is intended to be easier for third-party
212: applications to parse than the traditional
213: .Em sudoers
214: format.
215: The various values have explicit types which removes much of the
216: ambiguity of the
217: .Em sudoers
218: format.
219: .El
220: .Sh ENVIRONMENT
221: The following environment variables may be consulted depending on
222: the value of the
223: .Em editor
224: and
225: .Em env_editor
226: .Em sudoers
227: settings:
228: .Bl -tag -width 15n
229: .It Ev VISUAL
230: Invoked by
231: .Nm visudo
232: as the editor to use
233: .It Ev EDITOR
234: Used by
235: .Nm visudo
236: if
237: .Ev VISUAL
238: is not set
239: .El
240: .Sh FILES
241: .Bl -tag -width 24n
242: .It Pa @sysconfdir@/sudoers
243: List of who can run what
244: .It Pa @sysconfdir@/sudoers.tmp
245: Lock file for visudo
246: .El
247: .Sh DIAGNOSTICS
248: .Bl -tag -width 4n
249: .It Li sudoers file busy, try again later.
250: Someone else is currently editing the
251: .Em sudoers
252: file.
253: .It Li @sysconfdir@/sudoers.tmp: Permission denied
254: You didn't run
255: .Nm visudo
256: as root.
257: .It Li Can't find you in the passwd database
258: Your user ID does not appear in the system passwd file.
259: .It Li Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
260: Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
261: or you have a user or host name listed that consists solely of
262: uppercase letters, digits, and the underscore
263: .Pq Ql _
264: character.
265: In the latter case, you can ignore the warnings
266: .Po
267: .Nm sudo
268: will not complain
269: .Pc .
270: In
271: .Fl s
272: (strict) mode these are errors, not warnings.
273: .It Li Warning: unused {User,Runas,Host,Cmnd}_Alias
274: The specified {User,Runas,Host,Cmnd}_Alias was defined but never
275: used.
276: You may wish to comment out or remove the unused alias.
277: In
278: .Fl s
279: (strict) mode this is an error, not a warning.
280: .It Li Warning: cycle in {User,Runas,Host,Cmnd}_Alias
281: The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
282: itself, either directly or through an alias it includes.
283: This is only a warning by default as
284: .Nm sudo
285: will ignore cycles when parsing
286: the
287: .Em sudoers
288: file.
289: .El
290: .Sh SEE ALSO
291: .Xr vi 1 ,
292: .Xr sudoers @mansectform@ ,
293: .Xr sudo @mansectsu@ ,
294: .Xr vipw @mansectsu@
295: .Sh AUTHORS
296: Many people have worked on
297: .Nm sudo
298: over the years; this version consists of code written primarily by:
299: .Bd -ragged -offset indent
300: Todd C. Miller
301: .Ed
302: .Pp
303: See the CONTRIBUTORS file in the
304: .Nm sudo
305: distribution (http://www.sudo.ws/sudo/contributors.html) for an
306: exhaustive list of people who have contributed to
307: .Nm sudo .
308: .Sh CAVEATS
309: There is no easy way to prevent a user from gaining a root shell if
310: the editor used by
311: .Nm visudo
312: allows shell escapes.
313: .Sh BUGS
314: If you feel you have found a bug in
315: .Nm visudo ,
316: please submit a bug report at http://www.sudo.ws/sudo/bugs/
317: .Sh SUPPORT
318: Limited free support is available via the sudo-users mailing list,
319: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
320: search the archives.
321: .Sh DISCLAIMER
322: .Nm visudo
323: is provided
324: .Dq AS IS
325: and any express or implied warranties, including, but not limited
326: to, the implied warranties of merchantability and fitness for a
327: particular purpose are disclaimed.
328: See the LICENSE file distributed with
329: .Nm sudo
330: or http://www.sudo.ws/sudo/license.html for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to visudo.mdoc.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc