12

Why is it recommended to edit the /etc/sudoers file with the visudo command? Here is a sample of the file:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

Are there any special reasons for it?

Ankit
  • 1,385

3 Answers

18

Because visudo checks the syntax and makes sure it is a valid configuration file; otherwise you may edit the file, make an error, and sudo won't be useable anymore just because of your syntax error.

Ulrich Dangel
  • 25,369
  • 1
    +1, got your point; I edited the file with the vi command, made the error purportedly, and saved the file. I was not able to open the file afterwards. – Ankit Mar 14 '13 at 16:08
  • @Ankit - You are aware, you can reboot into single-user mode and fix up /etc/sudoers and then reboot, right? – dr jimbob Mar 14 '13 at 20:59
  • Hmm. I was unable to get visudo to complain on OS X 10.7.5, even when entering outlandish syntax and saving. Feature disabled? – Konrad Rudolph Mar 14 '13 at 22:49
  • @drjimbob, I was not aware of this, thanks. But I kept a backup of the default for safety. – Ankit Mar 15 '13 at 16:49
18

In addition to the syntax checks previously mentioned, visudo also locks /etc/sudoers so that it can't be edited by two users simultaneously. A concurrent attempt to edit will give

visudo: /etc/sudoers busy, try again later
Flup
  • 8,145
  • +1, I encountered this situation yesterday but was not sure of what could have caused it. Thanks :) – Ankit Mar 14 '13 at 16:10
  • 1
    The commands vipw and vigr also exist for the same reason. – MikeyB Mar 14 '13 at 22:48
  • nitpicking: It can't be edited by two users using visudo (or vipw or vigr for /etc/passwd / /etc/shadow and /etc/group / /etc/gshadow), but it does not prevent another user from editing the file directly using any editor, as file locking in Linux is just advisory. – Carlos Campderrós Mar 15 '13 at 08:49
  • @CarlosCampderrós: File locking may be advisory, but the files do not have the write bit set, and that is not advisory. – Dietrich Epp Mar 15 '13 at 12:16
  • @DietrichEpp the sudoers file does not have write permission, but that won't prevent an unknowledgeable user from force-writing it if he/she doesn't know about sudo – Carlos Campderrós Mar 15 '13 at 12:28
  • @CarlosCampderrós: If you have such a reckless user on your system with sudo access, all hope is lost. – Dietrich Epp Mar 15 '13 at 12:33
8

The reason for this is that visudo will verify the file does not have syntax errors prior to overwriting the current sudoers. This prevents you from accidentally locking yourself out of root.

jordanm
  • 42,678
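
The answers above describe visudo checking the file before it replaces the live sudoers. The same check-before-overwrite pattern for a file installed by a script rather than edited interactively, as an added example that is not part of the original answers: it relies on visudo's check-only mode (`visudo -c -f FILE`), and the function name `install_sudoers` and the `SUDOERS_CHECK` override variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): stage a candidate sudoers file,
# validate it, and only then move it over the live one.
#
# SUDOERS_CHECK is a hypothetical override so a different checker can be
# substituted (e.g. in tests). The default is visudo's real check-only mode.
: "${SUDOERS_CHECK:=visudo -c -f}"

# install_sudoers SRC DEST
#   returns 0 if DEST was replaced, 1 if SRC failed the syntax check
#   (DEST untouched), 2 on any other error.
install_sudoers() {
    src=$1
    dest=$2
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }

    # Stage next to the destination so the final mv is a same-filesystem
    # rename: readers see either the old file or the new one, never a
    # half-written file. The dot in the name also keeps sudo from loading
    # the staged copy if DEST lives in an include directory.
    tmp=$(mktemp "$(dirname "$dest")/.sudoers.XXXXXX") || return 2
    cat "$src" > "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 2; }

    # Validate the staged copy. On failure the live file is never touched,
    # which is the lock-out protection the answers describe.
    if ! $SUDOERS_CHECK "$tmp" >/dev/null 2>&1; then
        echo "syntax check failed; $dest left untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
}

# Usable as a script: install-sudoers.sh CANDIDATE /etc/sudoers.d/NAME
if [ "$#" -eq 2 ]; then
    install_sudoers "$1" "$2"
fi
```

Unlike interactive visudo, this takes no lock on the sudoers file, so it does not protect against two writers running at the same time.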