Safely editing as root

Certain files on a UNIX-like system, such as /etc/passwd and /etc/sudoers, are integral to managing login and authentication, so it’s necessary to be very careful when editing them using sudo: not to leave them accidentally in a corrupted state, and not to allow others to edit them at the same time as you. In the worst case it’s possible to lock yourself out of the system or out of root privileges, and the situation can then only be fixed by physical access to the server or by someone who knows the actual root password, which you may not necessarily know as a sudo user.

You should therefore never edit /etc/passwd, /etc/group, or /etc/sudoers by simply opening them in your editor of choice. A set of simple utilities exists to help you make these edits safely.

vipw and vigr

If you want to safely edit the /etc/passwd file, for which you’ll need to have root privileges, you should use the vipw tool. It doesn’t require an argument.

# vipw

This will load a temporary copy of the file into your $EDITOR, and allow you to make changes. If all is well after you save and quit, you’ll see a message like:

You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.

If you’ve made changes which might require changing something in the /etc/shadow file, you should follow these instructions too.

The command to edit groups, vigr, works in much the same way:

# vigr

visudo

The analogous tool for editing the /etc/sudoers file is visudo. This tool not only does the same locking and corruption checking as vipw, it also does some basic checking of the file’s syntax after you save it.

# visudo

If the changes you make to this file parse correctly, you’ll simply be returned to your prompt. However, if you’ve made some sort of edit that means sudo won’t be able to parse the file, you’ll be warned and prompted for an appropriate action:

visudo: >>> /etc/sudoers: syntax error near line 28 <<<
visudo: >>> /etc/sudoers: syntax error near line 29 <<<
visudo: >>> /etc/sudoers: syntax error near line 29 <<<
What now?

If you press ? here and then Enter, you’ll get a list of the actions you can take:

Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)

You’ll probably want the first one, to edit your changes again and make them work properly, but you may want to hose them and start again via the second option. You should only choose the third if you absolutely know what you’re doing.

sudoedit

In general, you can edit root-owned files using sudoedit, or sudo -e, which will operate on temporary copies of the file and overwrite the original if changes are detected:

$ sudo -e /etc/network/interfaces

This has the added bonus of preserving all of your environment variables for the editing session, which may not be the case when invoking an editor and file via sudo. This turns out to be handy for newer versions of sudo which do not preserve the user’s $HOME directory by default, meaning that configuration files for your editor, such as .vimrc, might not be read.
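All three tools follow the same sequence: lock the file, edit a temporary copy, check the result, and only then replace the original in one step. The following wrapper is an added example, not code from the original post, that applies the same sequence to any root-owned file; the validator command (for example visudo -cf) and the backup location beside the file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): the lock, temp-copy, validate,
# atomic-replace sequence that vipw/vigr/visudo perform, as a generic wrapper
# for files that have no dedicated editor. The validator and $EDITOR are
# supplied by the caller.
#
# Usage:  safe_edit /etc/sudoers visudo -cf          (check with visudo)
#         safe_edit /etc/ssh/sshd_config sshd -t -f  (check with sshd)

# safe_edit FILE VALIDATOR [ARGS...]
#   Copies FILE to a temporary file next to it, opens the copy in $EDITOR,
#   runs "VALIDATOR ARGS... TMPFILE" and replaces FILE only if that succeeds.
#   Returns 0 on success, 1 when the lock is held or validation fails; FILE
#   is never left half-written because the replacement is a single rename.
safe_edit() {
    file=$1; shift
    lock="$file.lock"

    # mkdir is atomic, so it doubles as a lock against a second concurrent
    # edit of the same file (vipw uses a lock file for the same reason).
    if ! mkdir "$lock" 2>/dev/null; then
        echo "safe_edit: $file is being edited by another session" >&2
        return 1
    fi

    tmp=$(mktemp "$file.XXXXXX") || { rmdir "$lock"; return 1; }
    cp -p "$file" "$tmp"          # -p keeps mode and owner (e.g. 0440 for sudoers)

    # $EDITOR is deliberately unquoted so values like "emacs -nw" word-split.
    ${EDITOR:-vi} "$tmp"

    # The candidate is checked before it can touch the live file; a syntax
    # error here is a failed return code, not a locked-out root account.
    if ! "$@" "$tmp"; then
        echo "safe_edit: validation failed, $file left unchanged" >&2
        rm -f "$tmp"
        rmdir "$lock"
        return 1
    fi

    cp -p "$file" "$file.$(date +%Y%m%d%H%M%S).bak"   # timestamped backup of the original
    mv "$tmp" "$file"             # rename is atomic: readers see old or new, never partial
    rmdir "$lock"
    return 0
}
```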

2 thoughts on “Safely editing as root”

  1. Hi Tom, great tip re: vipw, vigr and visudo.

    visudo has saved my bacon a couple of times (or more) by picking up on unsafe syntax – and I’ve certainly missed visudo on one occasion when I did accidentally save a malformed /etc/sudoers file.

    The consequences were horrendous – the only way that I was able to resolve the situation was with the root login details, as sudo itself no longer worked.

    Had I not had these details, I’d have had to log in via a live distro and correct the /etc/sudoers file that way. (Naturally disk encryption would have added another layer of complexity.)

    I knocked up a shell wrapper to nano that I call “snano” as in “Safe Nano” that provides a gzipped, date-stamped backup of the original file in a ~/.snano/ dir and allows you to work upon a tmp file.

    This gives some additional safety to working upon the raw file, admittedly without the context sensitive safety blanket.

    Nice post, thanks.
