man pages section 1M: System Administration Commands

Exit Print View

Updated: July 2014

visudo (1m)


visudo - edit the sudoers file


visudo [-chqsV] [-f sudoers]


Maintenance Commands                                   VISUDO(1m)

     visudo - edit the sudoers file

     visudo [-chqsV] [-f sudoers]

     visudo edits the sudoers file in a safe fashion, analogous
     to vipw(1m).  visudo locks the sudoers file against multiple
     simultaneous edits, provides basic sanity checks, and checks
     for parse errors.  If the sudoers file is currently being
     edited you will receive a message to try again later.

     There is a hard-coded list of one or more editors that
     visudo will use set at compile-time that may be overridden
     via the editor sudoers Default variable.  This list defaults
     to /usr/bin/vi.  Normally, visudo does not honor the VISUAL
     or EDITOR environment variables unless they contain an
     editor in the aforementioned editors list.  However, if
     visudo is configured with the --with-env-editor option or
     the env_editor Default variable is set in sudoers, visudo
     will use any the editor defines by VISUAL or EDITOR.  Note
     that this can be a security hole since it allows the user to
     execute any program they wish simply by setting VISUAL or

     visudo parses the sudoers file after the edit and will not
     save the changes if there is a syntax error.  Upon finding
     an error, visudo will print a message stating the line
     number(s) where the error occurred and the user will receive
     the ``What now?''  prompt.  At this point the user may enter
     `e' to re-edit the sudoers file, `x' to exit without saving
     the changes, or `Q' to quit and save changes.  The `Q'
     option should be used with extreme care because if visudo
     believes there to be a parse error, so will sudo and no one
     will be able to sudo again until the error is fixed.  If `e'
     is typed to edit the sudoers file after a parse error has
     been detected, the cursor will be placed on the line where
     the error occurred (if the editor supports this feature).

     The options are as follows:

     -c          Enable check-only mode.  The existing sudoers
                 file will be checked for syntax errors, owner
                 and mode.  A message will be printed to the
                 standard output describing the status of sudoers
                 unless the -q option was specified.  If the
                 check completes successfully, visudo will exit
                 with a value of 0.  If an error is encountered,
                 visudo will exit with a value of 1.

     -f sudoers

Sudo 1.8.6p7        Last change: July 12, 2012                  1

Maintenance Commands                                   VISUDO(1m)

                 Specify and alternate sudoers file location.
                 With this option visudo will edit (or check) the
                 sudoers file of your choice, instead of the
                 default, /etc/sudoers.  The lock file used is
                 the specified sudoers file with ``.tmp''
                 appended to it.  In check-only mode only, the
                 argument to -f may be `-', indicating that
                 sudoers will be read from the standard input.

     -h          The -h (help) option causes visudo to print a
                 short help message to the standard output and

     -q          Enable quiet mode.  In this mode details about
                 syntax errors are not printed.  This option is
                 only useful when combined with the -c option.

     -s          Enable strict checking of the sudoers file.  If
                 an alias is used before it is defined, visudo
                 will consider this a parse error.  Note that it
                 is not possible to differentiate between an
                 alias and a host name or user name that consists
                 solely of uppercase letters, digits, and the
                 underscore (`_') character.

     -V          The -V (version) option causes visudo to print
                 its version number and exit.

     The following environment variables may be consulted
     depending on the value of the editor and env_editor sudoers

     VISUAL           Invoked by visudo as the editor to use

     EDITOR           Used by visudo if VISUAL is not set

     /etc/sudoers              List of who can run what

     /etc/sudoers.tmp          Lock file for visudo

     sudoers file busy, try again later.
           Someone else is currently editing the sudoers file.

     /etc/sudoers.tmp: Permission denied
           You didn't run visudo as root.

     Can't find you in the passwd database
           Your user ID does not appear in the system passwd

Sudo 1.8.6p7        Last change: July 12, 2012                  2

Maintenance Commands                                   VISUDO(1m)

     Warning: {User,Runas,Host,Cmnd}_Alias referenced but not
           Either you are trying to use an undeclared
           {User,Runas,Host,Cmnd}_Alias or you have a user or
           host name listed that consists solely of uppercase
           letters, digits, and the underscore (`_') character.
           In the latter case, you can ignore the warnings (sudo
           will not complain) .  In -s (strict) mode these are
           errors, not warnings.

     Warning: unused {User,Runas,Host,Cmnd}_Alias
           The specified {User,Runas,Host,Cmnd}_Alias was defined
           but never used.  You may wish to comment out or remove
           the unused alias.  In -s (strict) mode this is an
           error, not a warning.

     Warning: cycle in {User,Runas,Host,Cmnd}_Alias
           The specified {User,Runas,Host,Cmnd}_Alias includes a
           reference to itself, either directly or through an
           alias it includes.  This is only a warning by default
           as sudo will ignore cycles when parsing the sudoers

     See attributes(5) for descriptions of the following

     |Availability   | security/sudo    |
     |Stability      | Uncommitted      |
     vi(1), sudoers(4), sudo(1m), vipw(1m)

     Many people have worked on sudo over the years; this version
     consists of code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS file in the sudo distribution
     ( for an
     exhaustive list of people who have contributed to sudo.

     There is no easy way to prevent a user from gaining a root
     shell if the editor used by visudo allows shell escapes.

Sudo 1.8.6p7        Last change: July 12, 2012                  3

Maintenance Commands                                   VISUDO(1m)

     If you feel you have found a bug in visudo, please submit a
     bug report at

     Limited free support is available via the sudo-users mailing
     list, see to
     subscribe or search the archives.

     visudo is provided ``AS IS'' and any express or implied
     warranties, including, but not limited to, the implied
     warranties of merchantability and fitness for a particular
     purpose are disclaimed.  See the LICENSE file distributed
     with sudo or for
     complete details.

     This software was built from source available at  The original
     community source was downloaded from

     Further information about this software can be found on the
     open source community website at

Sudo 1.8.6p7        Last change: July 12, 2012                  4