I'm working on a longer post about editing sudoers with visudo or editing /etc/sudoers directly (you should avoid this if possible), but for now here's just a quick note on a visudo feature that I find really useful.
IMPORTANT: if possible, edit sudoers files from an interactive root shell. You are root already, so you can still troubleshoot if something goes wrong.
Two Main Ways of Using visudo
The primary use of visudo is interactive: you run the command and it helps you edit the /etc/sudoers file.
The secondary use is a syntax check of the whole sudoers config, and that's what I'm going to show today.
Use visudo to Check Config Syntax
Run visudo with the -c option to have it check all the sudo config files: the /etc/sudoers file and any includes from the /etc/sudoers.d directory:
[email protected]:~ # visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/010_at-export: parsed OK
/etc/sudoers.d/010_pi-nopasswd: parsed OK
/etc/sudoers.d/README: parsed OK
How Broken Syntax is Reported by visudo
[email protected]:~ # visudo -c
>>> /etc/sudoers: syntax error near line 10 <<<
parse error in /etc/sudoers near line 10
As noted above, I'm running visudo from an interactive root shell, so even though sudoers is broken in this example, I can still fix it by editing the file directly (because I'm still root).
In the example above, I need to open /etc/sudoers in vi and check line 10 of the file.
IMPORTANT: Once changes are made, re-run visudo -c to make sure the configs are now correct. Do NOT leave your root session: keep it open, log into the same server separately and try sudo commands there to check.
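The same check can guard a new file for /etc/sudoers.d before it ever goes live. This is an added example, not part of the original post: the function name install_sudoers_fragment and the VISUDO override variable are assumptions made here, and it uses visudo's -f option to check one specific file.

```sh
#!/bin/sh
# Added example: syntax-check a sudoers drop-in before installing it.
# VISUDO is an override hook assumed by this example; default is the real visudo.
VISUDO=${VISUDO:-visudo}

# install_sudoers_fragment SRC NAME [DIR]
# Returns 0 if installed, 1 if rejected by visudo, 2 on usage or I/O error.
install_sudoers_fragment() {
    src=$1 name=$2 dir=${3:-/etc/sudoers.d}
    [ -f "$src" ] && [ -n "$name" ] || return 2
    # sudo skips included files whose names contain '.' or end in '~',
    # so a fragment with such a name would be silently ignored.
    case $name in
        *.*|*'~'|*/*) echo "bad fragment name: $name" >&2; return 2 ;;
    esac
    # Refuse to replace an existing fragment, so the rollback below
    # can never delete a file that was already in use.
    if [ -e "$dir/$name" ]; then
        echo "already exists: $dir/$name" >&2
        return 2
    fi
    # Stage inside DIR under a dotted name: same filesystem, so mv is
    # atomic, and sudo ignores the staged copy while it is being checked.
    tmp=$(mktemp "$dir/.staged.XXXXXX") || return 2
    cat "$src" > "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 2; }
    # Step 1: check the staged copy on its own.
    if ! "$VISUDO" -c -f "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "rejected: $src failed visudo -c" >&2
        return 1
    fi
    mv "$tmp" "$dir/$name" || { rm -f "$tmp"; return 2; }
    # Step 2: re-run the full check, as the post recommends; roll back on failure.
    if ! "$VISUDO" -c >/dev/null 2>&1; then
        rm -f "$dir/$name"
        echo "rolled back: full visudo -c failed" >&2
        return 1
    fi
    return 0
}
```

Run it from the interactive root shell, for example install_sudoers_fragment ./pi-nopasswd 010_pi-nopasswd, and still test sudo from a separate login before closing that shell.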