Return to visudo.mdoc.in CVS log

Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc

v 1.8.8

    1: .\"
    2: .\" Copyright (c) 1996,1998-2005, 2007-2013
    3: .\"	Todd C. Miller <Todd.Miller@courtesan.com>
    4: .\"
    5: .\" Permission to use, copy, modify, and distribute this software for any
    6: .\" purpose with or without fee is hereby granted, provided that the above
    7: .\" copyright notice and this permission notice appear in all copies.
    8: .\"
    9: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
   10: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
   11: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
   12: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
   13: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   14: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   15: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
   16: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   17: .\"
   18: .\" Sponsored in part by the Defense Advanced Research Projects
   19: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
   20: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
   21: .\"
   22: .Dd August 14, 2013
   23: .Dt VISUDO @mansectsu@
   24: .Os Sudo @PACKAGE_VERSION@
   25: .Sh NAME
   26: .Nm visudo
   27: .Nd edit the sudoers file
   28: .Sh SYNOPSIS
   29: .Nm visudo
   30: .Op Fl chqsV
   31: .Bk -words
   32: .Op Fl f Ar sudoers
   33: .Ek
   34: .Sh DESCRIPTION
   35: .Nm visudo
   36: edits the
   37: .Em sudoers
   38: file in a safe fashion, analogous to
   39: .Xr vipw @mansectsu@ .
   40: .Nm visudo
   41: locks the
   42: .Em sudoers
   43: file against multiple simultaneous edits, provides basic sanity checks,
   44: and checks for parse errors.
   45: If the
   46: .Em sudoers
   47: file is currently being edited you will receive a message to try again later.
   48: .Pp
   49: There is a hard-coded list of one or more editors that
   50: .Nm visudo
   51: will use set at compile-time that may be overridden via the
   52: .Em editor
   53: .Em sudoers
   54: .Li Default
   55: variable.
   56: This list defaults to
   57: .Li "@editor@" .
   58: Normally,
   59: .Nm visudo
   60: does not honor the
   61: .Ev VISUAL
   62: or
   63: .Ev EDITOR
   64: environment variables unless they contain an editor in the aforementioned
   65: editors list.
   66: However, if
   67: .Nm visudo
   68: is configured with the
   69: .Li --with-env-editor
   70: option or the
   71: .Em env_editor
   72: .Li Default
   73: variable is set in
   74: .Em sudoers ,
   75: .Nm visudo
   76: will use any the editor defines by
   77: .Ev VISUAL
   78: or
   79: .Ev EDITOR .
   80: Note that this can be a security hole since it allows the user to
   81: execute any program they wish simply by setting
   82: .Ev VISUAL
   83: or
   84: .Ev EDITOR .
   85: .Pp
   86: .Nm visudo
   87: parses the
   88: .Em sudoers
   89: file after the edit and will
   90: not save the changes if there is a syntax error.
   91: Upon finding an error,
   92: .Nm visudo
   93: will print a message stating the line number(s)
   94: where the error occurred and the user will receive the
   95: .Dq What now?
   96: prompt.
   97: At this point the user may enter
   98: .Ql e
   99: to re-edit the
  100: .Em sudoers
  101: file,
  102: .Ql x
  103: to exit without saving the changes, or
  104: .Ql Q
  105: to quit and save changes.
  106: The
  107: .Ql Q
  108: option should be used with extreme care because if
  109: .Nm visudo
  110: believes there to be a parse error, so will
  111: .Nm sudo
  112: and no one
  113: will be able to
  114: .Nm sudo
  115: again until the error is fixed.
  116: If
  117: .Ql e
  118: is typed to edit the
  119: .Em sudoers
  120: file after a parse error has been detected, the cursor will be placed on
  121: the line where the error occurred (if the editor supports this feature).
  122: .Pp
  123: The options are as follows:
  124: .Bl -tag -width Fl
  125: .It Fl c , -check
  126: Enable
  127: .Em check-only
  128: mode.
  129: The existing
  130: .Em sudoers
  131: file will be
  132: checked for syntax errors, owner and mode.
  133: A message will be printed to the standard output describing the status of
  134: .Em sudoers
  135: unless the
  136: .Fl q
  137: option was specified.
  138: If the check completes successfully,
  139: .Nm visudo
  140: will exit with a value of 0.
  141: If an error is encountered,
  142: .Nm visudo
  143: will exit with a value of 1.
  144: .It Fl f Ar sudoers , Fl -file Ns No = Ns Ar sudoers
  145: Specify an alternate
  146: .Em sudoers
  147: file location.
  148: With this option,
  149: .Nm visudo
  150: will edit (or check) the
  151: .Em sudoers
  152: file of your choice,
  153: instead of the default,
  154: .Pa @sysconfdir@/sudoers .
  155: The lock file used is the specified
  156: .Em sudoers
  157: file with
  158: .Dq \.tmp
  159: appended to it.
  160: In
  161: .Em check-only
  162: mode only, the argument to
  163: .Fl f
  164: may be
  165: .Ql - ,
  166: indicating that
  167: .Em sudoers
  168: will be read from the standard input.
  169: .It Fl h , -help
  170: Display a short help message to the standard output and exit.
  171: .It Fl q , -quiet
  172: Enable
  173: .Em quiet
  174: mode.
  175: In this mode details about syntax errors are not printed.
  176: This option is only useful when combined with
  177: the
  178: .Fl c
  179: option.
  180: .It Fl s , -strict
  181: Enable
  182: .Em strict
  183: checking of the
  184: .Em sudoers
  185: file.
  186: If an alias is used before it is defined,
  187: .Nm visudo
  188: will consider this a parse error.
  189: Note that it is not possible to differentiate between an
  190: alias and a host name or user name that consists solely of uppercase
  191: letters, digits, and the underscore
  192: .Pq Ql _
  193: character.
  194: .It Fl V , -version
  195: Print the
  196: .Nm visudo
  197: and
  198: .Em sudoers
  199: grammar versions and exit.
  200: .El
  201: .Sh ENVIRONMENT
  202: The following environment variables may be consulted depending on
  203: the value of the
  204: .Em editor
  205: and
  206: .Em env_editor
  207: .Em sudoers
  208: settings:
  209: .Bl -tag -width 15n
  210: .It Ev VISUAL
  211: Invoked by
  212: .Nm visudo
  213: as the editor to use
  214: .It Ev EDITOR
  215: Used by
  216: .Nm visudo
  217: if
  218: .Ev VISUAL
  219: is not set
  220: .El
  221: .Sh FILES
  222: .Bl -tag -width 24n
  223: .It Pa @sysconfdir@/sudoers
  224: List of who can run what
  225: .It Pa @sysconfdir@/sudoers.tmp
  226: Lock file for visudo
  227: .El
  228: .Sh DIAGNOSTICS
  229: .Bl -tag -width 4n
  230: .It Li sudoers file busy, try again later.
  231: Someone else is currently editing the
  232: .Em sudoers
  233: file.
  234: .It Li @sysconfdir@/sudoers.tmp: Permission denied
  235: You didn't run
  236: .Nm visudo
  237: as root.
  238: .It Li Can't find you in the passwd database
  239: Your user ID does not appear in the system passwd file.
  240: .It Li Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
  241: Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
  242: or you have a user or host name listed that consists solely of
  243: uppercase letters, digits, and the underscore
  244: .Pq Ql _
  245: character.
  246: In the latter case, you can ignore the warnings
  247: .Po
  248: .Nm sudo
  249: will not complain
  250: .Pc .
  251: In
  252: .Fl s
  253: (strict) mode these are errors, not warnings.
  254: .It Li Warning: unused {User,Runas,Host,Cmnd}_Alias
  255: The specified {User,Runas,Host,Cmnd}_Alias was defined but never
  256: used.
  257: You may wish to comment out or remove the unused alias.
  258: In
  259: .Fl s
  260: (strict) mode this is an error, not a warning.
  261: .It Li Warning: cycle in {User,Runas,Host,Cmnd}_Alias
  262: The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
  263: itself, either directly or through an alias it includes.
  264: This is only a warning by default as
  265: .Nm sudo
  266: will ignore cycles when parsing
  267: the
  268: .Em sudoers
  269: file.
  270: .El
  271: .Sh SEE ALSO
  272: .Xr vi 1 ,
  273: .Xr sudoers @mansectform@ ,
  274: .Xr sudo @mansectsu@ ,
  275: .Xr vipw @mansectsu@
  276: .Sh AUTHORS
  277: Many people have worked on
  278: .Nm sudo
  279: over the years; this version consists of code written primarily by:
  280: .Bd -ragged -offset indent
  281: Todd C. Miller
  282: .Ed
  283: .Pp
  284: See the CONTRIBUTORS file in the
  285: .Nm sudo
  286: distribution (http://www.sudo.ws/sudo/contributors.html) for an
  287: exhaustive list of people who have contributed to
  288: .Nm sudo .
  289: .Sh CAVEATS
  290: There is no easy way to prevent a user from gaining a root shell if
  291: the editor used by
  292: .Nm visudo
  293: allows shell escapes.
  294: .Sh BUGS
  295: If you feel you have found a bug in
  296: .Nm visudo ,
  297: please submit a bug report at http://www.sudo.ws/sudo/bugs/
  298: .Sh SUPPORT
  299: Limited free support is available via the sudo-users mailing list,
  300: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
  301: search the archives.
  302: .Sh DISCLAIMER
  303: .Nm visudo
  304: is provided
  305: .Dq AS IS
  306: and any express or implied warranties, including, but not limited
  307: to, the implied warranties of merchantability and fitness for a
  308: particular purpose are disclaimed.
  309: See the LICENSE file distributed with
  310: .Nm sudo
  311: or http://www.sudo.ws/sudo/license.html for complete details.