100

I understand that if you want to modify who can use sudo and what they can do with it that you should use visudo. I know I'm not supposed to directly modify the /etc/sudoers file myself.

What is it that visudo does that directly modifying the file doesn't do? What can go wrong?

Dason
  • 1,102

2 Answers

123

visudo checks the file syntax before actually overwriting the sudoers file.

If you use a plain editor, mess up the syntax, and save... sudo will (probably) stop working, and, since /etc/sudoers is only modifiable by root, you're stuck (unless you have another way of gaining root).

Additionally, it ensures that the edits will be one atomic operation. This locking is important if you need to ensure nobody else can mess up your carefully considered config changes. For editing other files as root besides /etc/sudoers there is the sudoedit command, which also guards against such editing conflicts.

Mat
  • 52,586
  • 3
    Wow, never knew about sudoedit. It doesn't work on OS X so I assume it's a GNU tool? Anyway, cool info here. I'd always edited manually and never had a problem - I understand now that it was just luck and the tool can help prevent catastrophe. Thanks! – Harv Dec 26 '11 at 20:01
  • 2
    @Harv. There is no GNU sudo and OS X does have GNU tools. As sudo was first created as an open source application, there's probably no reason for there being many implementations. sudo and sudoedit are the same command; sudo behaves as sudo -e when called as sudoedit. I believe it's just that OS X forgot to add the sudoedit -> sudo link, but you should still be able to use sudo -e or call sudo with argv[0] set to sudoedit to get the same behavior. – Stéphane Chazelas Jan 23 '13 at 22:41
  • Interestingly, visudo uses nano by default. – Tim Aug 27 '14 at 17:52
  • 3
    @Tim: The "real" default is vi, but it can be configured to use something else. So nano could indeed be the default on your distro/setup. See the man page. – Mat Aug 28 '14 at 07:42
  • you're stuck - so what to do then? :) And can you please elaborate on the consequences? – Max Koretskyi Mar 10 '17 at 10:33
  • @StéphaneChazelas macOS user here. I can confirm that ln -s /usr/bin/sudo /usr/local/bin/sudoedit (actually anywhere in $PATH) works. – Franklin Yu Jan 15 '18 at 04:49
  • 3
    @AngularInDepth.com, the consequences are pretty obvious. If you save an invalid sudoers file, then the system will not be able to parse it. So if I do a sudo vim /etc/sudoers and botch the syntax, then I will not be able to sudo vim /etc/sudoers again to fix it. Effectively, all ability to elevate privileges via sudo will be lost since the system will not be able to parse the file. – Spencer D Feb 10 '18 at 14:43
27

From the visudo man page:

visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

Also check this answer from serverfault.

amyassin
  • 1,361
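Both answers above come down to one guarantee: nothing replaces the live sudoers configuration unless it parses, and a botched edit can never lock you out of sudo. The script below is an added example, not code from either answer or from the sudo project. It applies the same rule to a sudoers.d drop-in fragment: the fragment is staged next to its destination, checked with visudo's documented check mode (-c check only, -f check this file instead of /etc/sudoers, -q suppress error details), and only then renamed into place; if visudo is not on the system it fails closed and installs nothing. The file names, the %deploy group and the systemctl command are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original answers or the sudo project): install a
# sudoers drop-in fragment only if visudo's check mode accepts it, so a typo can
# never replace a working sudoers file. Only documented visudo flags are used:
#   -c  check-only mode   -f FILE  check FILE instead of /etc/sudoers   -q  quiet

# visudo normally lives in a sbin directory that an unprivileged PATH lacks.
PATH="$PATH:/usr/sbin:/sbin:/usr/local/sbin"

# install_sudoers_fragment SRC DST
# Return codes: 0 installed, 1 rejected by visudo, 2 cannot validate (fail closed).
install_sudoers_fragment() {
    src="$1"; dst="$2"
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; refusing to install $dst unvalidated" >&2
        return 2
    fi
    # Stage a copy beside the destination so the final step is a same-filesystem rename.
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" || return 2
    chmod 0440 "$tmp"            # sudoers files must be mode 0440 (and root-owned in real use)
    if ! visudo -c -q -f "$tmp"; then
        rm -f "$tmp"
        echo "rejected: $src does not parse as sudoers" >&2
        return 1
    fi
    mv -f "$tmp" "$dst"          # rename(2) is atomic: sudo sees the old or the new file, never a partial one
}

# Constructed sample fragments; the directory, group and command are hypothetical.
demo_dir=$(mktemp -d)
printf '%%deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp\n' > "$demo_dir/good.frag"
printf '%%deploy ALL=(root NOPASSWD: /usr/bin/systemctl restart myapp\n'  > "$demo_dir/bad.frag"

# The malformed fragment (missing ")") is rejected and nothing is written.
if install_sudoers_fragment "$demo_dir/bad.frag" "$demo_dir/20-bad"; then
    echo "unexpected: bad fragment installed"
else
    echo "bad fragment not installed (rc=$?)"
fi

# The well-formed fragment is installed when visudo is available to vouch for it.
if install_sudoers_fragment "$demo_dir/good.frag" "$demo_dir/10-good"; then
    echo "good fragment installed at $demo_dir/10-good"
else
    echo "good fragment not installed (rc=$?)"
fi
```

In real use the script runs as root so that the installed file is root-owned, as sudo requires; the rename makes each individual install atomic, but it does not serialise two administrators editing at once, which is exactly the lock that visudo (and sudoedit) add on top of the syntax check.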