File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc / visudo.pod
Revision 1.1.1.2 (vendor branch)
Tue May 29 12:26:49 2012 UTC (12 years, 1 month ago) by misho
Branches: sudo, MAIN
CVS tags: v1_8_5p1, HEAD
sudo 1.8.5p1

    1: Copyright (c) 1996,1998-2005, 2007-2012
    2: 	Todd C. Miller <Todd.Miller@courtesan.com>
    3: 
    4: Permission to use, copy, modify, and distribute this software for any
    5: purpose with or without fee is hereby granted, provided that the above
    6: copyright notice and this permission notice appear in all copies.
    7: 
    8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
    9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
   10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
   11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
   12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
   15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   16: 
   17: Sponsored in part by the Defense Advanced Research Projects
   18: Agency (DARPA) and Air Force Research Laboratory, Air Force
   19: Materiel Command, USAF, under agreement number F39502-99-1-0512.
   20: 
   21: =pod
   22: 
   23: =head1 NAME
   24: 
   25: visudo - edit the sudoers file
   26: 
   27: =head1 SYNOPSIS
   28: 
   29: B<visudo> [B<-chqsV>] [B<-f> I<sudoers>]
   30: 
   31: =head1 DESCRIPTION
   32: 
   33: B<visudo> edits the I<sudoers> file in a safe fashion, analogous to
   34: L<vipw(8)>.  B<visudo> locks the I<sudoers> file against multiple
   35: simultaneous edits, provides basic sanity checks, and checks
   36: for parse errors.  If the I<sudoers> file is currently being
   37: edited you will receive a message to try again later.
   38: 
   39: There is a hard-coded list of one or more editors that B<visudo> will
   40: use set at compile-time that may be overridden via the I<editor> I<sudoers>
   41: C<Default> variable.  This list defaults to C<"@editor@">.  Normally,
   42: B<visudo> does not honor the C<VISUAL> or C<EDITOR> environment
   43: variables unless they contain an editor in the aforementioned editors
   44: list.  However, if B<visudo> is configured with the I<--with-env-editor>
   45: option or the I<env_editor> C<Default> variable is set in I<sudoers>,
   46: B<visudo> will use any editor defined by C<VISUAL> or C<EDITOR>.
   47: Note that this can be a security hole since it allows the user to
   48: execute any program they wish simply by setting C<VISUAL> or C<EDITOR>.
   49: 
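An audit for the setting the paragraph above calls a security hole, as an added example that is not part of the sudo distribution: it lists every C<Defaults> line in a sudoers file that turns on I<env_editor>. The helper name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of sudo. audit_env_editor is a hypothetical helper.
# Prints "LINE: text" for every Defaults entry that enables env_editor and
# returns 1 if any was found, 0 otherwise. Simplification: each line is judged
# on its own, so a later "!env_editor" that overrides an earlier entry is not
# taken into account, and included files are not followed.
audit_env_editor() {
    awk '
        /^[ \t]*Defaults/ {
            line = $0
            sub(/#.*/, "", line)      # ignore a trailing comment
            # enabled form only: "!env_editor" has "!" in front and is skipped
            if (line ~ /(^|[ \t,])env_editor([ \t,]|$)/) {
                print NR ": " $0
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample sudoers content (not from a real system).
sample=$(mktemp) || exit 1
cat > "$sample" <<'EOF'
# Defaults env_editor
Defaults env_reset, !env_editor
Defaults:alice env_editor
Defaults editor=/usr/bin/vi
EOF
audit_env_editor "$sample" || echo "env_editor is enabled: VISUAL/EDITOR are trusted"
rm -f "$sample"
```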
   50: B<visudo> parses the I<sudoers> file after the edit and will
   51: not save the changes if there is a syntax error.  Upon finding
   52: an error, B<visudo> will print a message stating the line number(s)
   53: where the error occurred and the user will receive the
   54: "What now?" prompt.  At this point the user may enter "e"
   55: to re-edit the I<sudoers> file, "x" to exit without
   56: saving the changes, or "Q" to quit and save changes.  The
   57: "Q" option should be used with extreme care because if B<visudo>
   58: believes there to be a parse error, so will B<sudo> and no one
   59: will be able to B<sudo> again until the error is fixed.
   60: If "e" is typed to edit the I<sudoers> file after a parse error
   61: has been detected, the cursor will be placed on the line where the
   62: error occurred (if the editor supports this feature).
   63: 
   64: =head1 OPTIONS
   65: 
   66: B<visudo> accepts the following command line options:
   67: 
   68: =over 12
   69: 
   70: =item -c
   71: 
   72: Enable B<check-only> mode.  The existing I<sudoers> file will be
   73: checked for syntax errors, owner and mode.  A message will be printed
   74: to the standard output describing the status of I<sudoers> unless
   75: the B<-q> option was specified.  If the check completes successfully,
   76: B<visudo> will exit with a value of 0.  If an error is encountered,
   77: B<visudo> will exit with a value of 1.
   78: 
   79: =item -f I<sudoers>
   80: 
   81: Specify an alternate I<sudoers> file location.  With this option
   82: B<visudo> will edit (or check) the I<sudoers> file of your choice,
   83: instead of the default, F<@sysconfdir@/sudoers>.  The lock file used
   84: is the specified I<sudoers> file with ".tmp" appended to it.
   85: In B<check-only> mode only, the argument to B<-f> may be "-",
   86: indicating that I<sudoers> will be read from the standard input.
   87: 
   88: =item -h
   89: 
   90: The B<-h> (I<help>) option causes B<visudo> to print a short help message
   91: to the standard output and exit.
   92: 
   93: =item -q
   94: 
   95: Enable B<quiet> mode.  In this mode details about syntax errors
   96: are not printed.  This option is only useful when combined with
   97: the B<-c> option.
   98: 
   99: =item -s
  100: 
  101: Enable B<strict> checking of the I<sudoers> file.  If an alias is
  102: used before it is defined, B<visudo> will consider this a parse
  103: error.  Note that it is not possible to differentiate between an
  104: alias and a host name or user name that consists solely of uppercase
  105: letters, digits, and the underscore ('_') character.
  106: 
  107: =item -V
  108: 
  109: The B<-V> (version) option causes B<visudo> to print its version number
  110: and exit.
  111: 
  112: =back
  113: 
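One way to use check-only mode as a deployment gate, added here as an example and not taken from the sudo distribution: a candidate file is staged next to the target, checked with C<visudo -c -f>, and renamed into place only on exit status 0. The function names, the C<VISUDO> override variable and the 0440 mode are assumptions.

```shell
#!/bin/sh
# Added example, not part of sudo. VISUDO is a hypothetical override so the
# checker can be swapped out; it defaults to the real visudo on PATH.
VISUDO=${VISUDO:-visudo}

# check_sudoers_stdin: validate sudoers text on standard input.
# "-f -" is only accepted in check-only mode. Exit status is visudo's own:
# 0 if the check completed successfully, 1 if an error was found.
check_sudoers_stdin() {
    "$VISUDO" -c -q -f -
}

# install_sudoers CANDIDATE TARGET
# Returns 0 if installed, 1 if visudo rejected the file, 2 on usage or I/O error.
# Note: this does not take the visudo lock file (TARGET.tmp), so concurrent
# deployments have to be serialized by the caller.
install_sudoers() {
    [ "$#" -eq 2 ] && [ -r "$1" ] || return 2
    staged=$(mktemp "$2.XXXXXX") || return 2
    # Stage beside TARGET so the final mv is a rename on the same filesystem.
    # Mode 0440 is an assumption (the usual sudoers mode); adjust to your build.
    if ! cat "$1" > "$staged" || ! chmod 0440 "$staged"; then
        rm -f "$staged"
        return 2
    fi
    if "$VISUDO" -c -f "$staged"; then
        mv -f "$staged" "$2" && return 0
        rm -f "$staged"
        return 2
    fi
    rm -f "$staged"      # TARGET is left untouched on a failed check
    return 1
}

# Usage (run as root; /etc is an assumed sysconfdir):
#   install_sudoers ./sudoers.candidate /etc/sudoers
```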
  114: =head1 ENVIRONMENT
  115: 
  116: The following environment variables may be consulted depending on
  117: the value of the I<editor> and I<env_editor> I<sudoers> variables:
  118: 
  119: =over 16
  120: 
  121: =item C<VISUAL>
  122: 
  123: Invoked by visudo as the editor to use
  124: 
  125: =item C<EDITOR>
  126: 
  127: Used by visudo if VISUAL is not set
  128: 
  129: =back
  130: 
  131: =head1 FILES
  132: 
  133: =over 24
  134: 
  135: =item F<@sysconfdir@/sudoers>
  136: 
  137: List of who can run what
  138: 
  139: =item F<@sysconfdir@/sudoers.tmp>
  140: 
  141: Lock file for visudo
  142: 
  143: =back
  144: 
  145: =head1 DIAGNOSTICS
  146: 
  147: =over 4
  148: 
  149: =item sudoers file busy, try again later.
  150: 
  151: Someone else is currently editing the I<sudoers> file.
  152: 
  153: =item @sysconfdir@/sudoers.tmp: Permission denied
  154: 
  155: You didn't run B<visudo> as root.
  156: 
  157: =item Can't find you in the passwd database
  158: 
  159: Your userid does not appear in the system passwd file.
  160: 
  161: =item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
  162: 
  163: Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
  164: or you have a user or host name listed that consists solely of
  165: uppercase letters, digits, and the underscore ('_') character.  In
  166: the latter case, you can ignore the warnings (B<sudo> will not
  167: complain).  In B<-s> (strict) mode these are errors, not warnings.
  168: 
  169: =item Warning: unused {User,Runas,Host,Cmnd}_Alias
  170: 
  171: The specified {User,Runas,Host,Cmnd}_Alias was defined but never
  172: used.  You may wish to comment out or remove the unused alias.  In
  173: B<-s> (strict) mode this is an error, not a warning.
  174: 
  175: =item Warning: cycle in {User,Runas,Host,Cmnd}_Alias
  176: 
  177: The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
  178: itself, either directly or through an alias it includes.  This is
  179: only a warning by default as B<sudo> will ignore cycles when parsing
  180: the I<sudoers> file.
  181: 
  182: =back
  183: 
  184: =head1 SEE ALSO
  185: 
  186: L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>
  187: 
  188: =head1 AUTHOR
  189: 
  190: Many people have worked on B<sudo> over the years; this version of
  191: B<visudo> was written by:
  192: 
  193:  Todd Miller
  194: 
  195: See the CONTRIBUTORS file in the B<sudo> distribution
  196: (http://www.sudo.ws/sudo/contributors.html) for a list of people
  197: who have contributed to B<sudo>.
  198: 
  199: =head1 CAVEATS
  200: 
  201: There is no easy way to prevent a user from gaining a root shell if 
  202: the editor used by B<visudo> allows shell escapes.
  203: 
  204: =head1 BUGS
  205: 
  206: If you feel you have found a bug in B<visudo>, please submit a bug report
  207: at http://www.sudo.ws/sudo/bugs/
  208: 
  209: =head1 SUPPORT
  210: 
  211: Limited free support is available via the sudo-users mailing list,
  212: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
  213: search the archives.
  214: 
  215: =head1 DISCLAIMER
  216: 
  217: B<visudo> is provided ``AS IS'' and any express or implied warranties,
  218: including, but not limited to, the implied warranties of merchantability
  219: and fitness for a particular purpose are disclaimed.  See the LICENSE
  220: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
  221: for complete details.
