visudo finds an error when you exit the editor, it will print out
the line number and ask you what you want to do.
# visudo >>> sudoers file: syntax error, line 44 <<< What now?
Here, we've made an error on line 44. You have three choices: edit
the file again, quit without saving any of the changes you made, or
visudo to write the
sudoers file you created.
If you press e,
visudo will send you back to the editor. You can go
to the line it complained about, and try to find your error.
If you enter x,
visudo will quit and revert the configuration file to
what it was before you started editing. Your changes will be lost,
but that may be all right. It's better to have the old, working
configuration, than have a new, non-functional configuration.
Entering Q forces
visudo to accept the file, syntax error and all. If
your configuration file has an error,
sudo will not run. Essentially,
visudo to break
sudo until such time as you log in as
root to fix the problem. This is almost certainly not what you want
sudoers file tells
sudo who may run which commands as which users.
OpenBSD stores the
sudoers file as
/etc/sudoers, FreeBSD stores it as
/usr/local/etc/sudoers. Never edit this file directly, even if you
think you know exactly what change you want to make; always use
sudo permissions syntax can be confusing until you understand it.
Getting everything correct can be difficult the first time. Once you
sudo sets things up, however, it's very quick and easy.
The various sample
sudoers files you'll find on the Internet
frequently look quite complicated and difficult to understand, as they
demonstrate all the nifty things you can do with
sudo. The basic
syntax is very simple. Each rule entry in
sudoers has the following
username host = command
username is the username of the user who may execute the command.
host is the hostname of the system where this rule applies.
designed so you can use one
sudoers file on all of your systems. This
space allows you to set per-host rules.
command field lists the commands this rule applies to. You must
have a full path to each command name, or
sudo will not recognize it!
(You wouldn't want people to be able to adjust their
$PATH variable to
access renamed versions of commands, now would you?)
sudo defaults to not allowing anything to happen. To let a user run a
command, you must create a rule that gives that user permission on
that host to run that command. If any of the three fields don't
match, the user cannot run the command.
You can use the
ALL keyword in any of these fields to match all possible
options. For example, suppose I trust user "chris" to run absolutely
any command as root, on any system.
chris ALL = ALL
Giving a junior system administrator total control of one of my systems isn't very
likely. As senior system administrator, I should know what commands Chris needs
to run to do his job. Suppose Chris is in charge of the nameserver
portion of this system. We control actual editing of the zone files
with group permissions, but that
won't help when the nameserver must be started, reloaded, or stopped.
Here, I'll give him permission to run just the name daemon controller
chris ALL = /usr/sbin/ndc
If I'm sharing this file across several machines, it's quite probable
that many of those machines are not even running a nameserver program.
Here, I'll restrict which machine Chris may run this program on to the
server called "
chris dns1 = /usr/sbin/ndc
On the other hand, Chris is the administrator of the email server
sudoers file on both
chris dns1 = /usr/sbin/ndc chris mail = ALL
You can specify multiple entries in a single field by separating them
with commas. Here, I'd like Chris to be able to mount floppy disks
mount(8), as well as control the nameserver.
chris dns1 = /usr/sbin/ndc, /bin/mount
You can tell
sudoers that a user can run commands as a particular
user, instead of root, by putting the username in parenthesis before a
command. For example, suppose we have our nameserver set to run as
the user "
named" and all commands to control the server must be run as
chris dns1 = (named) /usr/sbin/ndc
Every entry in
/etc/sudoers must be on a single line. This can make
the lines very long. If you have a long list of alias members or
rules, you can skip to another line by using the
\ character at the
end of each incomplete line.
chris server1 = /sbin/fdisk,/sbin/fsck,/sbin/kldload,\ /sbin/newfs,/sbin/newfs_msdos,/sbin/mount