FAIL: Why you should ALWAYS use visudo

July 6th, 2009 | Categories: Technology | Tags: , , ,

It’s time for a short rant about proper Linux administration. Someone, who shall not be named, manually edited the /etc/sudoers file and broke it on a critical server. In case you don’t know, on Linux sudo allows you to run commands as the root (Administrator) user, and the sudoers file determines who can use sudo and what they can do with it.

When editing the sudoers file you have to be careful, if you make a change that breaks the file you can potentially lock yourself out of being able to fix the file. That’s what happened today, after the change to the sudoers file any attempt to use sudo returned this error:

>>> sudoers file: syntax error, line 6 <<<
>>> sudoers file: syntax error, line 8 <<<
sudo: parse error in /etc/sudoers near line 6

On this particular system users can only gain root access by using sudo, there is a root password but for some unfathomable reason no one knows the password. So I was tasked with rebooting the server, breaking into it and then fixing the sudoers file. Normally on Debian there’s a helpful boot option that takes you right into a command prompt as root, unless of course you have a password set and don’t know the password. So I resorted to the less elegant method of specifying init=/bin/bash as a boot option.

Once I had root access I used visudo to fix the sudoers file. Why visudo? Because that’s the program YOU ARE SUPPOSED TO USE. Yes I am a bit angry, because the person that broke this server should have known better. Visudo is a lovely little program that checks the syntax of the sudoers file before you save it so that if you do something monumentally stupid you’ll know about it before it becomes a problem and prevents you from getting back into the system as root.

Later this week I’ll be posting an article with my list of good Linux administration habbits you’ll want to ingrain into your skull.

So far the week is off to a great start.

  1. July 6th, 2009 at 14:49
    Reply | Quote | #1

    At least in the grand scheme of things it is an easy fix. I bet you’re looking forward to what else this person is capable of or, depending on how you look at it, is NOT capable of.

  2. July 21st, 2009 at 19:13
    Reply | Quote | #2

    BryanM :

    At least in the grand scheme of things it is an easy fix. I bet you’re looking forward to what else this person is capable of or, depending on how you look at it, is NOT capable of.

    They probably just rushed through a change without thinking, which is exactly why I use visudo. Luckily, since “The UNIX God” left we haven’t really had issues of gross stupidity like we use to.

  3. September 17th, 2011 at 16:48
    Reply | Quote | #3

    A more subtle problem that can show up even when using visudo is “sudo visudo”. Should be safe enough shouldn’t it ? I mean, visudo checks the syntax before it saves the file… what could go wrong ?

    It’s quite easy to change a single line into one that has valid syntax but no longer allows your user to run programs as root. If you have used “sudo visudo” as yourself, as soon as you save the file and quit you will no longer be able to edit the sudoers file to fix the problem.

    Always use visudo as root.

    Along similar lines, there is another program called “vipw” that is used for editing the passwd and shadow files. I wish some of the previous sysadmins at my current job had heard of it.

  4. August 8th, 2012 at 07:46
    Reply | Quote | #4

    I ran into this by trying to figure out why “sudo visudo” was slow. I tried the “strace” command, like so: “sudo strace visudo”.

    After saving the file (in nano, not vim, which seemed odd to me), strace dropped me out to a strange non-readline prompt mode. I didn’t realize this was visudo’s prompt and typed “Q” to quit. Oops!

    Your article and this one got me out of the mess: http://www.psychocats.net/ubuntu/fixsudo

    Thanks!