Annotation of embedaddon/sudo/doc/visudo.pod, revision 1.1.1.2
1.1.1.2 ! misho 1: Copyright (c) 1996,1998-2005, 2007-2012
1.1 misho 2: Todd C. Miller <Todd.Miller@courtesan.com>
3:
4: Permission to use, copy, modify, and distribute this software for any
5: purpose with or without fee is hereby granted, provided that the above
6: copyright notice and this permission notice appear in all copies.
7:
8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16:
17: Sponsored in part by the Defense Advanced Research Projects
18: Agency (DARPA) and Air Force Research Laboratory, Air Force
19: Materiel Command, USAF, under agreement number F39502-99-1-0512.
20:
21: =pod
22:
23: =head1 NAME
24:
25: visudo - edit the sudoers file
26:
27: =head1 SYNOPSIS
28:
29: B<visudo> [B<-chqsV>] [B<-f> I<sudoers>]
30:
31: =head1 DESCRIPTION
32:
33: B<visudo> edits the I<sudoers> file in a safe fashion, analogous to
34: L<vipw(8)>. B<visudo> locks the I<sudoers> file against multiple
35: simultaneous edits, provides basic sanity checks, and checks
36: for parse errors. If the I<sudoers> file is currently being
37: edited you will receive a message to try again later.
38:
39: B<visudo> uses a hard-coded list of one or more editors, set at
40: compile-time, that may be overridden via the I<editor> I<sudoers>
41: C<Default> variable. This list defaults to C<"@editor@">. Normally,
42: B<visudo> does not honor the C<VISUAL> or C<EDITOR> environment
43: variables unless they contain an editor in the aforementioned editors
44: list. However, if B<visudo> is configured with the I<--with-env-editor>
45: option or the I<env_editor> C<Default> variable is set in I<sudoers>,
46: B<visudo> will use any editor defined by C<VISUAL> or C<EDITOR>.
47: Note that this can be a security hole since it allows the user to
48: execute any program they wish simply by setting C<VISUAL> or C<EDITOR>.
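An added audit sketch (not part of the sudo distribution) that lists the C<Defaults> entries in a I<sudoers> file that decide which editor B<visudo> runs. It assumes whole-line comments only, no backslash continuations, no include following, and that a later entry overrides an earlier one; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report Defaults entries that affect visudo's editor choice.
# A build configured with --with-env-editor enables the behaviour without
# any sudoers entry; this script cannot see that.

# editor_settings FILE -> one "LINE: finding" per relevant Defaults entry.
editor_settings() {
    awk '
    /^[ \t]*#/ { next }                     # skip whole-line comments
    /^[ \t]*Defaults/ {
        n = split($0, w, /[ \t,]+/)         # words split on blanks and commas
        for (i = 1; i <= n; i++) {
            if (w[i] == "env_editor")
                print NR ": env_editor on: VISUAL/EDITOR may name any program"
            else if (w[i] == "!env_editor")
                print NR ": env_editor off"
            else if (w[i] ~ /^editor=/)
                print NR ": editor list " substr(w[i], 8)
        }
    }' "$1"
}

# env_editor_enabled FILE -> exit 0 if the last env_editor entry turns it on.
# Assumption: later Defaults entries override earlier ones.
env_editor_enabled() {
    editor_settings "$1" | grep 'env_editor' | tail -n 1 |
        grep -q 'env_editor on'
}
```
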
49:
50: B<visudo> parses the I<sudoers> file after the edit and will
51: not save the changes if there is a syntax error. Upon finding
52: an error, B<visudo> will print a message stating the line number(s)
53: where the error occurred and the user will receive the
54: "What now?" prompt. At this point the user may enter "e"
55: to re-edit the I<sudoers> file, "x" to exit without
56: saving the changes, or "Q" to quit and save changes. The
57: "Q" option should be used with extreme care because if B<visudo>
58: believes there to be a parse error, so will B<sudo> and no one
59: will be able to B<sudo> again until the error is fixed.
60: If "e" is typed to edit the I<sudoers> file after a parse error
61: has been detected, the cursor will be placed on the line where the
62: error occurred (if the editor supports this feature).
63:
64: =head1 OPTIONS
65:
66: B<visudo> accepts the following command line options:
67:
68: =over 12
69:
70: =item -c
71:
72: Enable B<check-only> mode. The existing I<sudoers> file will be
1.1.1.2 ! misho 73: checked for syntax errors, owner and mode. A message will be printed
! 74: to the standard output describing the status of I<sudoers> unless
! 75: the B<-q> option was specified. If the check completes successfully,
! 76: B<visudo> will exit with a value of 0. If an error is encountered,
1.1 misho 77: B<visudo> will exit with a value of 1.
78:
79: =item -f I<sudoers>
80:
81: Specify an alternate I<sudoers> file location. With this option
82: B<visudo> will edit (or check) the I<sudoers> file of your choice,
83: instead of the default, F<@sysconfdir@/sudoers>. The lock file used
84: is the specified I<sudoers> file with ".tmp" appended to it.
85: In B<check-only> mode only, the argument to B<-f> may be "-",
86: indicating that I<sudoers> will be read from the standard input.
87:
88: =item -h
89:
90: The B<-h> (I<help>) option causes B<visudo> to print a short help message
91: to the standard output and exit.
92:
93: =item -q
94:
95: Enable B<quiet> mode. In this mode details about syntax errors
96: are not printed. This option is only useful when combined with
97: the B<-c> option.
98:
99: =item -s
100:
101: Enable B<strict> checking of the I<sudoers> file. If an alias is
102: used before it is defined, B<visudo> will consider this a parse
103: error. Note that it is not possible to differentiate between an
104: alias and a host name or user name that consists solely of uppercase
105: letters, digits, and the underscore ('_') character.
106:
107: =item -V
108:
109: The B<-V> (version) option causes B<visudo> to print its version number
110: and exit.
111:
112: =back
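An added example (not from the sudo distribution) that uses the B<-c>, B<-q> and B<-f> options and the documented exit values to gate a I<sudoers> change: a candidate file replaces the target only if check-only mode exits 0. The function names and the C<VISUDO> override variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not part of the sudo distribution.
# VISUDO is a hypothetical override so the visudo path can be pinned.
VISUDO="${VISUDO:-visudo}"

# sudoers_ok FILE -> exit 0 if check-only mode accepts FILE, 1 otherwise.
# -q keeps syntax error details off the terminal; drop it when debugging.
sudoers_ok() {
    "$VISUDO" -c -q -f "$1"
}

# sudoers_ok_stdin -> same check on standard input ("-f -", check-only mode).
sudoers_ok_stdin() {
    "$VISUDO" -c -q -f -
}

# install_sudoers CANDIDATE TARGET
# Stage a copy beside TARGET, check the staged copy, then rename it into
# place. A rejected candidate never replaces the file sudo reads.
install_sudoers() {
    candidate=$1
    target=$2
    staged=$(mktemp "$target.XXXXXX") || return 2
    if cat -- "$candidate" > "$staged" && chmod 0440 "$staged" &&
       sudoers_ok "$staged"; then
        mv -f -- "$staged" "$target"
    else
        rm -f -- "$staged"
        echo "rejected: $candidate did not pass visudo -c" >&2
        return 1
    fi
}
```
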
113:
114: =head1 ENVIRONMENT
115:
116: The following environment variables may be consulted depending on
117: the value of the I<editor> and I<env_editor> I<sudoers> variables:
118:
119: =over 16
120:
121: =item C<VISUAL>
122:
123: Invoked by visudo as the editor to use
124:
125: =item C<EDITOR>
126:
127: Used by visudo if VISUAL is not set
128:
129: =back
130:
131: =head1 FILES
132:
133: =over 24
134:
135: =item F<@sysconfdir@/sudoers>
136:
137: List of who can run what
138:
139: =item F<@sysconfdir@/sudoers.tmp>
140:
141: Lock file for visudo
142:
143: =back
144:
145: =head1 DIAGNOSTICS
146:
147: =over 4
148:
149: =item sudoers file busy, try again later.
150:
151: Someone else is currently editing the I<sudoers> file.
152:
153: =item @sysconfdir@/sudoers.tmp: Permission denied
154:
155: You didn't run B<visudo> as root.
156:
157: =item Can't find you in the passwd database
158:
159: Your userid does not appear in the system passwd file.
160:
161: =item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
162:
163: Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
164: or you have a user or host name listed that consists solely of
165: uppercase letters, digits, and the underscore ('_') character. In
166: the latter case, you can ignore the warnings (B<sudo> will not
167: complain). In B<-s> (strict) mode these are errors, not warnings.
168:
169: =item Warning: unused {User,Runas,Host,Cmnd}_Alias
170:
171: The specified {User,Runas,Host,Cmnd}_Alias was defined but never
172: used. You may wish to comment out or remove the unused alias. In
173: B<-s> (strict) mode this is an error, not a warning.
174:
175: =item Warning: cycle in {User,Runas,Host,Cmnd}_Alias
176:
177: The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
178: itself, either directly or through an alias it includes. This is
179: only a warning by default as B<sudo> will ignore cycles when parsing
180: the I<sudoers> file.
181:
182: =back
183:
184: =head1 SEE ALSO
185:
186: L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>
187:
188: =head1 AUTHOR
189:
1.1.1.2 ! misho 190: Many people have worked on B<sudo> over the years; this version of
1.1 misho 191: B<visudo> was written by:
192:
193: Todd Miller
194:
1.1.1.2 ! misho 195: See the CONTRIBUTORS file in the B<sudo> distribution
! 196: (http://www.sudo.ws/sudo/contributors.html) for a list of people
! 197: who have contributed to B<sudo>.
1.1 misho 198:
199: =head1 CAVEATS
200:
201: There is no easy way to prevent a user from gaining a root shell if
202: the editor used by B<visudo> allows shell escapes.
203:
204: =head1 BUGS
205:
206: If you feel you have found a bug in B<visudo>, please submit a bug report
207: at http://www.sudo.ws/sudo/bugs/
208:
209: =head1 SUPPORT
210:
211: Limited free support is available via the sudo-users mailing list,
212: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
213: search the archives.
214:
215: =head1 DISCLAIMER
216:
217: B<visudo> is provided ``AS IS'' and any express or implied warranties,
218: including, but not limited to, the implied warranties of merchantability
219: and fitness for a particular purpose are disclaimed. See the LICENSE
220: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
221: for complete details.