Why do we need to use visudo instead of directly modifying the sudoers file?

I understand that if you want to modify who can use sudo and what they can do with it that you should use visudo. I know I’m not supposed to directly modify the /etc/sudoers file myself.

What is it that visudo does that directly modifying the file doesn’t do? What can go wrong?



Method 1

visudo checks the file syntax before actually overwriting the sudoers file.

If you use a plain editor, mess up the syntax, and save… sudo will (probably) stop working, and, since /etc/sudoers is only modifiable by root, you’re stuck (unless you have another way of gaining root).

Additionally, it ensures that the edits will be one atomic operation. This locking is important if you need to ensure nobody else can mess up your carefully considered config changes. For editing other files as root besides /etc/sudoers, there is the sudoedit command, which also guards against such editing conflicts.

Method 2

From the visudo man page:

visudo locks the sudoers file against multiple simultaneous edits,
provides basic sanity checks, and checks for parse errors. If the
sudoers file is currently being edited you will receive a message to
try again later.

Also check this answer from serverfault.
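The check-before-replace behaviour that both answers describe can be reproduced for a scripted change using visudo's check-only mode. This is an added example, not part of the original answers: the function name `install_sudoers` and the `VISUDO` override variable are assumptions made here, and the sketch does not take the edit lock that visudo itself holds.

```shell
#!/bin/sh
# Added example: a candidate sudoers file only replaces the live file
# after it has passed a syntax check, and the replacement is one rename.
#
# VISUDO is a hypothetical override for the validator binary (useful on a
# test machine); when unset, the real visudo is used.

# install_sudoers CANDIDATE TARGET
#   returns 0 if TARGET was replaced,
#           1 if staging failed,
#           2 if the syntax check rejected the candidate (TARGET untouched).
install_sudoers() {
    candidate=$1
    target=$2

    # Stage beside the target so the final mv is a rename within one
    # filesystem: readers see the old file or the new one, never a partial.
    staged=$(mktemp "$(dirname "$target")/.sudoers.XXXXXX") || return 1
    if ! cat "$candidate" > "$staged"; then
        rm -f "$staged"
        return 1
    fi
    chmod 0440 "$staged"

    # -c: check-only mode; -f: check this file instead of the default one.
    if ! "${VISUDO:-visudo}" -c -f "$staged" >/dev/null 2>&1; then
        rm -f "$staged"
        echo "syntax check failed; $target left untouched" >&2
        return 2
    fi

    mv -f "$staged" "$target"
}

# Typical call, run as root:
#   install_sudoers ./sudoers.new /etc/sudoers
```

A rejected candidate leaves the live file byte-for-byte as it was, which is the property that keeps a typo from locking you out of sudo.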

All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
