2 .\" SPDX-License-Identifier: ISC
4 .\" Copyright (c) 1996,1998-2005, 2007-2018
5 .\" Todd C. Miller <Todd.Miller@sudo.ws>
7 .\" Permission to use, copy, modify, and distribute this software for any
8 .\" purpose with or without fee is hereby granted, provided that the above
9 .\" copyright notice and this permission notice appear in all copies.
11 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 .\" Sponsored in part by the Defense Advanced Research Projects
20 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
21 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
24 .Dt VISUDO @mansectsu@
25 .Os Sudo @PACKAGE_VERSION@
28 .Nd edit the sudoers file
32 .Op Bo Fl f Bc Ar sudoers
37 file in a safe fashion, analogous to
38 .Xr vipw @mansectsu@ .
42 file against multiple simultaneous edits, provides basic sanity checks,
43 and checks for parse errors.
46 file is currently being edited you will receive a message to try again later.
51 file after editing and will not save the changes if there is a syntax error.
52 Upon finding an error,
54 will print a message stating the line number(s)
55 where the error occurred and the user will receive the
58 At this point the user may enter
64 to exit without saving the changes, or
66 to quit and save changes.
69 option should be used with extreme caution because if
71 believes there to be a parse error, so will
76 again until the error is fixed.
81 file after a parse error has been detected, the cursor will be placed on
82 the line where the error occurred (if the editor supports this feature).
86 settings that determine which editor
93 separated list of editors allowed to be used with
96 will choose the editor that matches the user's
101 environment variable if possible, or the first editor in the
102 list that exists and is executable.
108 environment variables are not preserved by default when the
112 The default editor path is
114 which can be set at compile time via the
120 will use the value of the
125 environment variables before falling back on the default editor list.
126 Note that this may create a security hole as it allows the user to
127 run any arbitrary command as root without logging.
128 A safer alternative is to place a colon-separated list of editors
138 if they match a value specified in
147 environment variables must be present in the
151 flag to function when
157 which can be set at compile time via the
158 .Li --with-env-editor
162 The options are as follows:
170 file (and any other files it includes) will be
171 checked for syntax errors.
174 file was not specified,
176 will also check the file owner and mode.
177 A message will be printed to the standard output describing the status of
181 option was specified.
182 If the check completes successfully,
184 will exit with a value of 0.
185 If an error is encountered,
187 will exit with a value of 1.
188 .It Fl f Ar sudoers , Fl -file Ns = Ns Ar sudoers
191 file location, see below.
192 As of version 1.8.27, the
194 path can be specified without using the
198 Display a short help message to the standard output and exit.
203 In this mode details about syntax errors are not printed.
204 This option is only useful when combined with
214 If an alias is referenced but not actually defined
215 or if there is a cycle in an alias,
217 will consider this a parse error.
218 Note that it is not possible to differentiate between an
219 alias and a host name or user name that consists solely of uppercase
220 letters, digits, and the underscore
228 grammar versions and exit.
233 file may be specified instead of the default,
234 .Pa @sysconfdir@/sudoers .
235 The lock file used is the specified
244 may be used to indicate that
246 will be read from the standard input.
247 Because the policy is evaluated in its entirety, it is not sufficient
248 to check an individual
250 include file for syntax errors.
251 .Ss Debugging and sudoers plugin arguments
253 versions 1.8.4 and higher support a flexible debugging framework
254 that is configured via
257 .Xr sudo.conf @mansectform@
264 will also parse the arguments to the
266 plugin to override the default
268 path name, UID, GID and file mode.
269 These arguments, if present, should be listed after the path to the plugin
272 Multiple arguments may be specified, separated by white space.
274 .Bd -literal -offset indent
275 Plugin sudoers_policy sudoers.so sudoers_mode=0400
278 The following arguments are supported:
280 .It sudoers_file=pathname
283 argument can be used to override the default path to the
289 argument can be used to override the default owner of the sudoers file.
290 It should be specified as a numeric user ID.
294 argument can be used to override the default group of the sudoers file.
295 It must be specified as a numeric group ID (not a group name).
296 .It sudoers_mode=mode
299 argument can be used to override the default file mode for the sudoers file.
300 It should be specified as an octal value.
303 For more information on configuring
304 .Xr sudo.conf @mansectform@ ,
305 please refer to its manual.
307 The following environment variables may be consulted depending on
336 .It Pa @sysconfdir@/sudo.conf
337 Sudo front end configuration
338 .It Pa @sysconfdir@/sudoers
339 List of who can run what
340 .It Pa @sysconfdir@/sudoers.tmp
344 In addition to reporting
348 may produce the following messages:
350 .It Li sudoers file busy, try again later.
351 Someone else is currently editing the
354 .It Li @sysconfdir@/sudoers.tmp: Permission denied
358 .It Li you do not exist in the passwd database
359 Your user ID does not appear in the system passwd database.
360 .It Li Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
361 Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
362 or you have a user or host name listed that consists solely of
363 uppercase letters, digits, and the underscore
366 In the latter case, you can ignore the warnings
371 The message is prefixed with the path name of the
373 file and the line number where the undefined alias was used.
376 (strict) mode these are errors, not warnings.
377 .It Li Warning: unused {User,Runas,Host,Cmnd}_Alias
378 The specified {User,Runas,Host,Cmnd}_Alias was defined but never
380 The message is prefixed with the path name of the
382 file and the line number where the unused alias was defined.
383 You may wish to comment out or remove the unused alias.
384 .It Li Warning: cycle in {User,Runas,Host,Cmnd}_Alias
385 The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
386 itself, either directly or through an alias it includes.
387 The message is prefixed with the path name of the
389 file and the line number where the cycle was detected.
390 This is only a warning unless
396 will ignore cycles when parsing
400 .It Li unknown defaults entry \&"name\&"
405 setting not recognized by
410 .Xr sudo.conf @mansectform@ ,
411 .Xr sudoers @mansectform@ ,
412 .Xr sudo @mansectsu@ ,
415 Many people have worked on
417 over the years; this version consists of code written primarily by:
418 .Bd -ragged -offset indent
422 See the CONTRIBUTORS file in the
424 distribution (https://www.sudo.ws/contributors.html) for an
425 exhaustive list of people who have contributed to
428 There is no easy way to prevent a user from gaining a root shell if
431 allows shell escapes.
433 If you feel you have found a bug in
435 please submit a bug report at https://bugzilla.sudo.ws/
437 Limited free support is available via the sudo-users mailing list,
438 see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
444 and any express or implied warranties, including, but not limited
445 to, the implied warranties of merchantability and fitness for a
446 particular purpose are disclaimed.
447 See the LICENSE file distributed with
449 or https://www.sudo.ws/license.html for complete details.