Exaforge

Cloud, DevOps, Evangelism

Why visudo for the vMA or Unix systems.

On Twitter recently, Maish Saidel-Keesing posed an interesting question: "Why bother with visudo at all?" The implication here is that visudo is nothing more than an alias for 'vi /etc/sudoers'. Fortunately, it's not.

visudo actually creates a copy of the sudoers file, edits that using vi (or whatever editor you have set for $VISUAL in your shell), checks the syntax and then, on success, copies it into place.

What if you didn't use visudo and just edited the file directly, but made a mistake? Well, here's an example:

[vi-admin@vma ~]$ sudo -l
>>> sudoers file: syntax error, line 101 <<<
sudo: parse error in /etc/sudoers near line 101

As you can see, once you have a syntax error, you don't get to use sudo at all. You'll have to log in as root directly (might be hard if you've disabled the root account like in the vMA) or wait for someone with the root password to fix it for you. However, if I make a mistake using visudo, it's very clear about telling me:

[vi-admin@vma ~]$ sudo visudo
Password:
Warning: undeclared User_Alias `CRAP' referenced near line 101
>>> sudoers file: syntax error, line 101 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)

visudo very clearly saves me from a major mistake (well, at least warns me about it).

So what do you do if you want to edit the file for pushing out to a large number of machines and don't want to load it on the current system? Well, visudo has you covered there too. Use it in 'check' mode:

[vi-admin@vma ~]$ visudo -c -f sudoers.testing
sudoers.testing file parsed OK
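
The same check can gate a rollout so a broken file never reaches a machine. The script below is an added example, not part of the original post: stage_sudoers and the VISUDO override variable are hypothetical names, and the destination path is whatever your deployment tool picks up.

```shell
#!/bin/sh
# Added example: validate a candidate sudoers file with visudo's check mode,
# and only stage it for deployment if it parses cleanly.
# VISUDO is a hypothetical override for the checker path (default: visudo).

stage_sudoers() {
    candidate=$1
    dest=$2
    checker=${VISUDO:-visudo}

    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 2; }

    # -c: check only, -q: quiet, -f: check this file instead of /etc/sudoers
    if ! "$checker" -c -q -f "$candidate"; then
        echo "REJECTED: $candidate failed the syntax check; $dest untouched" >&2
        return 1
    fi

    # Write beside the destination and rename, so nothing ever reads a
    # half-written file. sudo expects the file to be mode 0440.
    tmp="$dest.new.$$"
    cp "$candidate" "$tmp" || return 2
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 2; }
    # Ownership can only be set when running as root; otherwise the
    # deployment tool has to set uid 0 / gid 0 on the target machine.
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 2; }
    fi
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
    echo "OK: $candidate validated and staged as $dest"
}

# Usage: sh stage_sudoers.sh sudoers.testing /path/to/staging/sudoers
if [ "$#" -eq 2 ]; then
    stage_sudoers "$1" "$2"
fi
```

A non-zero return means nothing was staged, so the push step can simply refuse to run.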

Life is good!  Thanks to Maish for the idea.