edit the sudoers file

visudo [ -c ] [ -f sudoers ] [ -q ] [ -s ] [ -V ]

Locks and edits sudoers, providing sanity checks and parses for errors.

-c check sudoers for syntax
> sudo visudo -c
/private/etc/sudoers file parsed OK
-f sudoers File to be used, default: /private/etc/sudoers.
-q quiet. In a script combine with -c then check return code $?.
-s strict, some warnings are considered errors.
If an alias is used before it is defined, is consided an error.
(It is not possible to differentiate between an alias and a hostname or username that consists solely of uppercase letters, digits, and underscore ('_') .
-V version

visudo will use vi as the editor*

Upon finding an error, visudo prints a message stating the line number(s) of the error and "What now?" may enter "e" to re-edit the sudoers file, "x" to exit without saving the changes, or "Q" to quit and save changes. The "Q" option should be used with extreme care because if visudo believes there to be a parse error, so will sudo and no one will be able to sudo again until the error is fixed. If "e" is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature).


These environment variables are used only if visudo was configured with the --with-env-editor option:
  • VISUAL Invoked by visudo as the editor to use
  • EDITOR Used by visudo if VISUAL is not set


    /private/etc/sudoers.tmp Lock file
    /private/etc/sudoers List of who can run what
    #no Host alias specification 
    #no User alias specification 
    #no Cmnd alias specification
    # Defaults specification
    Defaults    env_reset
    Defaults    env_keep += "BLOCKSIZE"
    Defaults    env_keep += "COLORFGBG COLORTERM"
    Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults    env_keep += "LINES COLUMNS"
    Defaults    env_keep += "LSCOLORS"
    Defaults    env_keep += "SSH_AUTH_SOCK"
    Defaults    env_keep += "TZ"
    Defaults    env_keep += "EDITOR VISUAL"
    #no Runas alias specification
    # User privilege specification
    root    ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    # Uncomment to allow people in group wheel to run all commands
    # %wheel    ALL=(ALL)   ALL
    # Same thing without a password
    # %wheel    ALL=(ALL)   NOPASSWD: ALL
    # Samples
    # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users  localhost=/sbin/shutdown -h now

    The lock file is sudoers with .tmp appended.


    A syntax error in sudoers sets return code to 1 .

    Warning: undeclared Alias referenced near ...
    Either a {User,Runas,Host,Cmnd}_Alias is used before it's definition or
    there is a user or hostname listed that consists solely of uppercase letters, digits, and the underscore ('_') character. This can be ignored
    With -s (strict) these considered are errors.

    Warning: runas_default set after old value is in use ...
    Entries prior to runas_default will match based on the default value root
    Entries afterward will match based on the new value.
    This is usually unintentional
    The runas_default should be before Runas_Alias or User .
    With -s (strict) this is an error.

    See: vi(1), sudoers, sudo(8), vipw(8)


    Using another editor: a list defined at compile time and will not honor the $VISUAL or $EDITOR unless in that list.
    This may be overridden via the editor sudoers Default variable. If visudo is configured with the --with-enveditor flag or the enveditor Default variable is set in sudoers, visudo will use any the editor defines by VISUAL or EDITOR. Note that this can be a security hole since it allows the user to execute any program they wish simply by setting VISUAL or EDITOR. A user can gain a root shell if the editor used allows shell escapes for example :!vi

    . from OS X man Sudo 1.7.10p9 July 12, 2012