On Unix-like operating systems, the visudo command edits the sudoers file, which is used by the sudo command. To change what users and groups are allowed to run sudo, run visudo.

If the user running sudo does not meet the authentication configuration in sudoers, they are denied permission to run a command with escalated privileges.

You should not edit sudoers directly, by opening it in a text editor. Instead, edit it with visudo, which will verify its validity before saving the changes to disk.

Description

visudo edits the sudoers file, which defines the users and groups with administrator rights.


Visudo edits the sudoers file in a safe fashion, similar to the way that vipw safely edits the passwd file. Visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited by someone else, or by you in another session, you will receive a message to try again later.

There is a hard-coded list of one or more editors that visudo uses, set at compile-time. The default is vi.

Visudo parses the sudoers file after the edit, and will not save the changes if there is a syntax error. Upon finding an error, visudo prints a message stating the line number(s) where the error occurred and the user will receive the “What now?” prompt. At the prompt, type e to re-edit the sudoers file, x to exit without saving the changes, or Q to quit and save changes. The “Q” option should be used with extreme care, because if visudo finds a parse error, so will sudo, and no one can run sudo again until the error is fixed. If “e” is typed to edit the sudoers file after a parse error is detected, the cursor will be placed on the line where the error occurred, if the editor supports this feature.

By default, visudo doesn’t honor the VISUAL or EDITOR environment variables, which many programs use to determine the default text editor. However, if visudo is configured with the --with-env-editor option, or the env_editor Defaults variable is set in the sudoers file, visudo uses the editor defined by VISUAL or EDITOR. Doing so can make your system vulnerable to a security breach, because it allows the user to execute any program they want by setting VISUAL or EDITOR.

Syntax

visudo [-c] [-h] [-q] [-s] [-V] [-f sudoers]

Options

The sudoers file

A typical sudoers file looks like this:

# This file MUST be edited with the 'visudo' command as root.
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
# See the man page for details on how to write a sudoers file.
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Here, “root ALL=(ALL:ALL) ALL” states that the user root, logged in to any hostname, may run any command as any user or group. The general form of this directive is:

user hostname=(runas-user:runas-group) command

The special word ALL may be used for any of these values, and means that any are allowed.

If user begins with a %, it’s interpreted as the name of a group, and the directive applies to all users in that group. So the line “%admin ALL=(ALL) ALL” allows users belonging to the group admin to run any command as a user or group. The same permissions are defined for members of group sudo, three lines later.

So, with this configuration, if you want a user to have sudo rights, you can add them to the admin or sudo group, and don’t need to edit sudoers at all. In this case, the command:

usermod -aG sudo hope

would grant sudo rights to the user hope the next time they log in. For more information about how to use usermod to change a user’s group membership, see the usermod command.

If you don’t want to have a dedicated sudo group, you can define sudo rights for a user directly in sudoers, by adding a line anywhere in the file. To give user hope full sudo access, for instance, add:

hope ALL=(ALL:ALL) ALL

Then save the file and exit the text editor launched by visudo.
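To see who a given sudoers file actually grants rights to, the general form above can be parsed mechanically. The following is an added example, not part of the original page: the function names, output labels and sample input are constructed for illustration, and the script also reports an enabled env_editor setting, the risk described earlier.

```shell
#!/bin/sh
# audit_sudoers FILE: list every grant in a sudoers-format file, one per line.
audit_sudoers() {
    awk '
    /^[ \t]*$/ || /^[ \t]*[#@]/ { next }      # blanks, comments, include lines
    $1 ~ /^Defaults/ {
        # env_editor enabled (not "!env_editor"): visudo honors VISUAL/EDITOR
        if ($0 ~ /[ \t,]env_editor([ \t,]|$)/) print "ENV_EDITOR line=" NR
        next
    }
    $1 ~ /_Alias$/ { next }                   # alias definitions are not grants
    {
        who = $1                              # user, or %group
        rest = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest) # drop the user field
        eq = index(rest, "=")
        if (eq == 0) next
        host = substr(rest, 1, eq - 1)
        gsub(/[ \t]/, "", host)
        cmd = substr(rest, eq + 1)
        runas = "root"                        # default when (...) is omitted
        if (match(cmd, /^[ \t]*\([^)]*\)/)) {
            runas = substr(cmd, RSTART, RLENGTH)
            gsub(/[ \t()]/, "", runas)
            cmd = substr(cmd, RSTART + RLENGTH)
        }
        sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
        split(runas, ra, ":")
        # FULL: any command, on any host, as root or as any user
        if (host == "ALL" && cmd == "ALL" && (ra[1] == "ALL" || ra[1] == "root"))
            print "FULL " who " line=" NR
        else
            print "RULE " who " host=" host " runas=" runas " cmd=" cmd " line=" NR
    }' "$1"
}

# Constructed sample input: rules from this page plus an env_editor line.
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset
Defaults env_editor
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
# hope ALL=(ALL:ALL) ALL
hope myhost=(mysqluser:mysqlusers) mysqldump
EOF
}

tmp=$(mktemp) && sample_sudoers > "$tmp" && audit_sudoers "$tmp"; rm -f "$tmp"
```

Alias definitions are skipped rather than expanded, so a rule that names an alias is reported with the alias name as written.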

Important files

Examples

To edit the sudoers file, run visudo as root. Switch user to root with su (requires the root password, which is different than your user password):

su

Password:

Then run visudo:

visudo

Or if you already have sudo rights, run visudo with sudo:

sudo visudo

[sudo] password for user:
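When a rule has to be added from a script rather than interactively, the same parse check can be run with the -c (check only) and -f (alternate file) options before anything is installed. The following is an added example, not from the original page: install_sudoers_dropin is a hypothetical helper, and the optional third argument exists only so the function can be tried against a scratch directory.

```shell
#!/bin/sh
# install_sudoers_dropin NAME RULE [DIR]
# Writes RULE to a temporary file, lets visudo parse it, and installs it as
# DIR/NAME (default /etc/sudoers.d/NAME) only if the parse succeeds.
install_sudoers_dropin() {
    name=$1 rule=$2 dir=${3:-/etc/sudoers.d}
    # sudo skips included file names that contain "." or end in "~"
    case $name in
        ""|*.*|*~|*/*) echo "bad drop-in name: $name" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    # -c: check only, -q: quiet, -f: parse this file instead of /etc/sudoers
    if ! visudo -c -q -f "$tmp"; then
        echo "rejected: syntax error, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    # 0440 is the mode sudo expects; run as root so the file is root-owned
    install -m 0440 "$tmp" "$dir/$name"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage, as root (the rule is the one used for user hope on this page):
#   install_sudoers_dropin hope 'hope ALL=(ALL:ALL) ALL'
```

Because the file is checked before it reaches the included directory, a typo never leaves sudo unable to parse its configuration.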

Sudoer directives

The following are examples of lines added to sudoers when you run visudo:

User hope can run all commands as any user or group, when logged in to any host to which this configuration applies.

%hope ALL=(ALL:ALL) ALL

Same as above, except the permissions apply to any member of the group hope (which may or may not include user hope).

hope myhost=(mysqluser:mysqlusers) mysqldump

User hope, when logged in to host myhost, may run the command mysqldump as user mysqluser or a member of group mysqlusers. For example, this directive would allow user hope to run this command:

sudo -u mysqluser -g mysqlusers mysqldump

Related commands

su — Become the superuser or another user.

sudo — Execute a command as the superuser.

vi — Text editor based on the visual mode of ex.

vipw — Safely edit the password file.