[VISUDO(8)](https://www.chedong.com/phpMan.php/man/VISUDO/8/markdown)                 BSD System Manager's Manual                [VISUDO(8)](https://www.chedong.com/phpMan.php/man/VISUDO/8/markdown)

## NAME
     **visudo** — edit the sudoers file

## SYNOPSIS
     **visudo** [**-chOPqsV**] [[**-f**] _sudoers_]

## DESCRIPTION
     **visudo** edits the _sudoers_ file in a safe fashion, analogous to [vipw(8)](https://www.chedong.com/phpMan.php/man/vipw/8/markdown).  **visudo** locks the
     _sudoers_ file against multiple simultaneous edits, performs basic validity checks, and checks
     for syntax errors before installing the edited file.  If the _sudoers_ file is currently being
     edited you will receive a message to try again later.

     **visudo** parses the _sudoers_ file after editing and will not save the changes if there is a syntax
     error.  Upon finding an error, **visudo** will print a message stating the line number(s) where the
     error occurred and the user will receive the “What now?” prompt.  At this point the user may
     enter ‘e’ to re-edit the _sudoers_ file, ‘x’ to exit without saving the changes, or ‘Q’ to quit
     and save changes.  The ‘Q’ option should be used with extreme caution because if **visudo**
     believes there to be a syntax error, so will **sudo**.  If ‘e’ is typed to edit the _sudoers_ file
     after a syntax error has been detected, the cursor will be placed on the line where the error
     occurred (if the editor supports this feature).

     There are two _sudoers_ settings that determine which editor **visudo** will run.

     editor    A colon (‘:’) separated list of editors allowed to be used with **visudo**.  **visudo** will
               choose the editor that matches the user's SUDO_EDITOR, VISUAL, or EDITOR environment
               variable if possible, or the first editor in the list that exists and is executable.
               Note that **sudo** does not preserve the SUDO_EDITOR, VISUAL, or EDITOR environment
               variables unless they are present in the _env_keep_ list or the _env_reset_ option is
               disabled in the _sudoers_ file.  The default editor path is _/usr/bin/editor_ which can be
               set at compile time via the --with-editor configure option.

     env_editor
               If set, **visudo** will use the value of the SUDO_EDITOR, VISUAL, or EDITOR environment
               variables before falling back on the default editor list.  Note that **visudo** is
               typically run as root so this option may allow a user with **visudo** privileges to run
               arbitrary commands as root without logging.  An alternative is to place a colon-separated
               list of “safe” editors in the _editor_ variable.  **visudo** will then only use
               SUDO_EDITOR, VISUAL, or EDITOR if they match a value specified in _editor_.  If the
               _env_reset_ flag is enabled, the SUDO_EDITOR, VISUAL, and/or EDITOR environment
               variables must be present in the _env_keep_ list for the _env_editor_ flag to function when
               **visudo** is invoked via **sudo**.  The default value is _on_, which can be set at compile
               time via the --with-env-editor configure option.
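
     The two settings above decide whether an environment variable can pick the program that
     **visudo** runs as root. The following audit helper is an added example, not part of the sudo
     distribution; the function names and both sample policies are constructed, and it reads only
     global Defaults lines (no includes, line continuations, or per-user/host Defaults).

```sh
#!/bin/sh
# Added example, not part of the visudo manual.  Function names and the two
# sample policies are constructed for illustration.

# editor_policy: read sudoers text on stdin, print the effective global
# settings as "env_editor=<on|off> editor=<list|default>".
editor_policy() {
    awk '
    BEGIN { env = "on"; ed = "default" }      # the page states the default is on
    /^[ \t]*Defaults[ \t]/ {                  # global Defaults lines only
        sub(/^[ \t]*Defaults[ \t]+/, "")
        n = split($0, opt, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            o = opt[i]
            gsub(/^[ \t]+|[ \t]+$|"/, "", o)
            if (o == "env_editor") env = "on"
            else if (o == "!env_editor") env = "off"
            else if (o ~ /^editor[ \t]*=/) { sub(/^editor[ \t]*=[ \t]*/, "", o); ed = o }
        }
    }
    END { print "env_editor=" env " editor=" ed }'
}

# env_can_pick_editor: exit 0 when SUDO_EDITOR/VISUAL/EDITOR can select an
# editor outside the editor list, i.e. env_editor is effectively on.
env_can_pick_editor() {
    case $(editor_policy) in "env_editor=on "*) return 0 ;; *) return 1 ;; esac
}

sample_permissive() {   # constructed: env_editor left at its default
    printf '%s\n' 'Defaults env_reset' \
        'Defaults env_keep += "SUDO_EDITOR VISUAL EDITOR"' \
        '%admins ALL = /usr/sbin/visudo'
}

sample_restricted() {   # constructed: env vars honoured only if in the list
    printf '%s\n' 'Defaults env_reset' \
        'Defaults !env_editor, editor="/usr/bin/rnano:/usr/bin/rvim"' \
        '%admins ALL = /usr/sbin/visudo'
}

sample_permissive | editor_policy
sample_restricted | editor_policy
```

     Restricting the list narrows which editors can be started; it does not remove the shell-escape
     problem described under CAVEATS for editors that remain on the list.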

     The options are as follows:

### -c --check
                 Enable _check-only_ mode.  The existing _sudoers_ file (and any other files it
                 includes) will be checked for syntax errors.  If the path to the _sudoers_ file was not
                 specified, **visudo** will also check the file ownership and permissions (see the **-O**
                 and **-P** options).  A message will be printed to the standard output describing the
                 status of _sudoers_ unless the **-q** option was specified.  If the check completes
                 successfully, **visudo** will exit with a value of 0.  If an error is encountered, **visudo**
                 will exit with a value of 1.

### -f --file
                 Specify an alternate _sudoers_ file location, see below.  As of version 1.8.27, the
                 _sudoers_ path can be specified without using the **-f** option.

### -h --help
                 Display a short help message to the standard output and exit.

### -O --owner
                 Enforce the default ownership (user and group) of the _sudoers_ file.  In edit mode,
                 the owner of the edited file will be set to the default.  In check mode (**-c**), an
                 error will be reported if the owner is incorrect.  This option is enabled by
                 default if the _sudoers_ file was not specified.

### -P --perms
                 Enforce the default permissions (mode) of the _sudoers_ file.  In edit mode, the
                 permissions of the edited file will be set to the default.  In check mode (**-c**), an
                 error will be reported if the file permissions are incorrect.  This option is enabled
                 by default if the _sudoers_ file was not specified.

### -q --quiet
                 Enable _quiet_ mode.  In this mode details about syntax errors are not printed.  This
                 option is only useful when combined with the **-c** option.

### -s --strict
                 Enable _strict_ checking of the _sudoers_ file.  If an alias is referenced but not
                 actually defined or if there is a cycle in an alias, **visudo** will consider this a
                 syntax error.  Note that it is not possible to differentiate between an alias and a
                 host name or user name that consists solely of uppercase letters, digits, and the
                 underscore (‘_’) character.

### -V --version
                 Print the **visudo** and _sudoers_ grammar versions and exit.

     A _sudoers_ file may be specified instead of the default, _/etc/sudoers_.  The temporary file used
     is the specified _sudoers_ file with “.tmp” appended to it.  In _check-only_ mode only, ‘-’ may be
     used to indicate that _sudoers_ will be read from the standard input.  Because the policy is
     evaluated in its entirety, it is not sufficient to check an individual _sudoers_ include file for
     syntax errors.
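
     Because checking one include file in isolation is not sufficient, a deployment step can check
     the candidate first and the whole policy afterwards, restoring the previous state on failure.
     This is an added example, not code from the sudo project; VISUDO, install_dropin, its return
     codes, and the assumption that the target directory is a sudoers include directory are all
     hypothetical. The file-name rule comes from sudoers(5), not from this page.

```sh
#!/bin/sh
# Added example, not part of the visudo manual.  VISUDO, install_dropin and
# its return codes are assumptions made for this sketch.
VISUDO=${VISUDO:-visudo}

# install_dropin CANDIDATE INCLUDE_DIR MAIN_SUDOERS
#   0 installed          1 candidate rejected, nothing changed
#   2 full policy failed after install, previous state restored
#   3 file name would be skipped by sudo (contains '.' or ends in '~')
install_dropin() {
    candidate=$1 dir=$2 main=$3
    name=$(basename "$candidate")
    case $name in *.*|*~) return 3 ;; esac
    dest="$dir/$name"
    stage="$dest.new.$$"     # the '.' keeps staging files out of the policy
    backup="$dest.bak.$$"

    # Step 1: check-only mode on the candidate alone (exit status 1 = error).
    "$VISUDO" -q -c -f "$candidate" || return 1

    # Step 2: stage with the final mode, back up any old copy, rename into place.
    { cp "$candidate" "$stage" && chmod 0440 "$stage"; } || return 1
    had_old=no
    if [ -e "$dest" ]; then
        cp -p "$dest" "$backup" || { rm -f "$stage"; return 1; }
        had_old=yes
    fi
    mv -f "$stage" "$dest" || { rm -f "$stage" "$backup"; return 1; }

    # Step 3: the policy is evaluated as a whole, so re-check from the main
    # file with -s, which turns undefined or cyclic aliases into errors.
    if "$VISUDO" -q -c -s -f "$main"; then
        rm -f "$backup"
        return 0
    fi
    if [ "$had_old" = yes ]; then mv -f "$backup" "$dest"; else rm -f "$dest"; fi
    return 2
}
```

     Naming the main file with **-f** means ownership and mode are not checked unless **-O** and **-P**
     are added; a plain **visudo -c** on the default file checks them.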

### Debugging and sudoers plugin arguments
     **visudo** versions 1.8.4 and higher support a flexible debugging framework that is configured via
     Debug lines in the [sudo.conf(5)](https://www.chedong.com/phpMan.php/man/sudo.conf/5/markdown) file.

     Starting with **sudo** 1.8.12, **visudo** will also parse the arguments to the _sudoers_ plugin to
     override the default _sudoers_ path name, user-ID, group-ID, and file mode.  These arguments, if
     present, should be listed after the path to the plugin (i.e., after _sudoers.so_).  Multiple
     arguments may be specified, separated by white space.  For example:

           Plugin sudoers_policy sudoers.so sudoers_mode=0400

     The following arguments are supported:

     sudoers_file=pathname
               The _sudoers_file_ argument can be used to override the default path to the _sudoers_
               file.

     sudoers_uid=user-ID
               The _sudoers_uid_ argument can be used to override the default owner of the sudoers
               file.  It should be specified as a numeric user-ID.

     sudoers_gid=group-ID
               The _sudoers_gid_ argument can be used to override the default group of the sudoers
               file.  It must be specified as a numeric group-ID (not a group name).

     sudoers_mode=mode
               The _sudoers_mode_ argument can be used to override the default file mode for the
               sudoers file.  It should be specified as an octal value.

     For more information on configuring [sudo.conf(5)](https://www.chedong.com/phpMan.php/man/sudo.conf/5/markdown), please refer to its manual.

## ENVIRONMENT
     The following environment variables may be consulted depending on the value of the _editor_ and
     _env_editor_ _sudoers_ settings:

     SUDO_EDITOR      Invoked by **visudo** as the editor to use

     VISUAL           Used by **visudo** if SUDO_EDITOR is not set

     EDITOR           Used by **visudo** if neither SUDO_EDITOR nor VISUAL is set

## FILES
     /etc/sudo.conf            Sudo front-end configuration

     /etc/sudoers              List of who can run what

     /etc/sudoers.tmp          Default temporary file used by visudo

## DIAGNOSTICS
     In addition to reporting _sudoers_ syntax errors, **visudo** may produce the following messages:

     sudoers file busy, try again later.
           Someone else is currently editing the _sudoers_ file.

     /etc/sudoers: Permission denied
           You didn't run **visudo** as root.

     you do not exist in the passwd database
           Your user-ID does not appear in the system passwd database.

     Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
           Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias or you have a
           user or host name listed that consists solely of uppercase letters, digits, and the
           underscore (‘_’) character.  In the latter case, you can ignore the warnings (**sudo** will not
           complain).  The message is prefixed with the path name of the _sudoers_ file and the line
           number where the undefined alias was used.  In **-s** (strict) mode these are errors, not
           warnings.

     Warning: unused {User,Runas,Host,Cmnd}_Alias
           The specified {User,Runas,Host,Cmnd}_Alias was defined but never used.  The message is
           prefixed with the path name of the _sudoers_ file and the line number where the unused
           alias was defined.  You may wish to comment out or remove the unused alias.

     Warning: cycle in {User,Runas,Host,Cmnd}_Alias
           The specified {User,Runas,Host,Cmnd}_Alias includes a reference to itself, either
           directly or through an alias it includes.  The message is prefixed with the path name of
           the _sudoers_ file and the line number where the cycle was detected.  This is only a
           warning unless **visudo** is run in **-s** (strict) mode as **sudo** will ignore cycles when parsing the
           _sudoers_ file.

     unknown defaults entry "name"
           The _sudoers_ file contains a Defaults setting not recognized by **visudo**.

## SEE ALSO
     [vi(1)](https://www.chedong.com/phpMan.php/man/vi/1/markdown), [sudo.conf(5)](https://www.chedong.com/phpMan.php/man/sudo.conf/5/markdown), [sudoers(5)](https://www.chedong.com/phpMan.php/man/sudoers/5/markdown), [sudo(8)](https://www.chedong.com/phpMan.php/man/sudo/8/markdown), [vipw(8)](https://www.chedong.com/phpMan.php/man/vipw/8/markdown)

## AUTHORS
     Many people have worked on **sudo** over the years; this version consists of code written primarily
     by:

           Todd C. Miller

     See the CONTRIBUTORS file in the **sudo** distribution (<https://www.sudo.ws/contributors.html>) for
     an exhaustive list of people who have contributed to **sudo**.

## CAVEATS
     There is no easy way to prevent a user from gaining a root shell if the editor used by **visudo**
     allows shell escapes.

## BUGS
     If you feel you have found a bug in **visudo**, please submit a bug report at
     <https://bugzilla.sudo.ws/>

## SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     <https://www.sudo.ws/mailman/listinfo/sudo-users> to subscribe or search the archives.

## DISCLAIMER
     **visudo** is provided “AS IS” and any express or implied warranties, including, but not limited
     to, the implied warranties of merchantability and fitness for a particular purpose are
     disclaimed.  See the LICENSE file distributed with **sudo** or <https://www.sudo.ws/license.html> for
     complete details.

Sudo 1.9.9                     January 20, 2022                     Sudo 1.9.9
