
I understand that if you want to modify who can use sudo and what they can do with it that you should use visudo. I know I'm not supposed to directly modify the /etc/sudoers file myself.

What is it that visudo does that directly modifying the file doesn't do? What can go wrong?



visudo checks the file syntax before actually overwriting the sudoers file.

If you use a plain editor, mess up the syntax, and save... sudo will (probably) stop working, and, since /etc/sudoers is only modifiable by root, you're stuck (unless you have another way of gaining root).

Additionally, it ensures that the edits will be one atomic operation. This locking is important if you need to ensure nobody else can mess up your carefully considered config changes. For editing other files as root besides /etc/sudoers there is the sudoedit command, which also guards against such editing conflicts.

  • Wow, never knew about sudoedit. It doesn't work on OS X so I assume it's a GNU tool? Anyway, cool info here. I'd always edited manually and never had a problem - I understand now that it was just luck and the tool can help prevent catastrophe. Thanks!
    – Harv
    Commented Dec 26, 2011 at 20:01
  • @Harv. There is no GNU sudo and OS X does have GNU tools. As sudo was first created as an open source application, there's probably no reason for there being many implementations. sudo and sudoedit are the same command; sudo behaves as sudo -e when called as sudoedit. I believe it's just that OS X forgot to add the sudoedit -> sudo link, but you should still be able to use sudo -e or call sudo with argv[0] set to sudoedit to get the same behavior.
    Commented Jan 23, 2013 at 22:41
  • Interestingly, visudo uses nano by default.
    – Tim
    Commented Aug 27, 2014 at 17:52
  • @Tim: The "real" default is vi, but it can be configured to use something else. So nano could indeed be the default on your distro/setup. See the man page.
    – Mat
    Commented Aug 28, 2014 at 7:42
  • @AngularInDepth.com, the consequences are pretty obvious. If you save an invalid sudoers file, then the system will not be able to parse it. So if I do a sudo vim /etc/sudoers and botch the syntax, then I will not be able to sudo vim /etc/sudoers again to fix it. Effectively, all ability to elevate privileges via sudo will be lost since the system will not be able to parse the file.
    – Spencer D
    Commented Feb 10, 2018 at 14:43
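The two guarantees the answer above describes (a parse check before anything is written, and a replacement that readers never see half-done) can be had non-interactively as well. The script below is an added example, not code from either answer: it installs a rule as a drop-in under /etc/sudoers.d, runs visudo in check-only mode against the candidate file (visudo -c -f FILE, which never rewrites the live sudoers file), and only then renames it into place with the 0440 mode sudo requires. It assumes /etc/sudoers contains an @includedir for /etc/sudoers.d. The VISUDO and SUDOERS_DIR variables and the deploy rule in the usage comment are this example's own constructions, so the workflow can be dry-run on a host without sudo installed.

```shell
#!/bin/sh
# Added example (not code from the answers above): install a sudoers rule as a
# drop-in under /etc/sudoers.d without opening /etc/sudoers in a plain editor.
# Assumptions: visudo supports check-only mode on an arbitrary file
# (visudo -c -f FILE) and /etc/sudoers includes /etc/sudoers.d. The VISUDO and
# SUDOERS_DIR variables are this example's own, so the workflow can be dry-run
# on a host without sudo installed.

VISUDO=${VISUDO:-visudo}
SUDOERS_DIR=${SUDOERS_DIR:-/etc/sudoers.d}

# sudo skips drop-ins whose name contains a '.' or ends in '~' (editor backups,
# package-manager leftovers), so a rule installed under such a name is silently
# never loaded. Reject those names up front.
valid_dropin_name() {
    case $1 in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Parse-check a candidate file with visudo's check-only mode. Unlike interactive
# visudo this never rewrites the live sudoers file, so a syntax error here costs
# nothing; the same error saved straight into /etc/sudoers would lock you out.
sudoers_fragment_ok() {
    "$VISUDO" -c -f "$1" >/dev/null 2>&1
}

# Validate, then move into place with the mode sudo requires (0440). The copy
# goes through a dot-prefixed temporary name, which sudo ignores, and is then
# renamed, so sudo never parses a half-written rule.
install_sudoers_fragment() {
    src=$1
    name=$(basename "$src")
    if ! valid_dropin_name "$name"; then
        echo "refusing: sudo would ignore a drop-in named '$name'" >&2
        return 2
    fi
    if ! sudoers_fragment_ok "$src"; then
        echo "refusing: $VISUDO reports a parse error in $src" >&2
        return 1
    fi
    tmp=$SUDOERS_DIR/.$name.tmp
    cp "$src" "$tmp" && chmod 0440 "$tmp" && mv "$tmp" "$SUDOERS_DIR/$name"
}

# Typical use (as root), with the rule written to a scratch file first:
#   printf 'deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app\n' > /tmp/deploy
#   install_sudoers_fragment /tmp/deploy
```

The ordering matters: the check runs on the scratch copy, so a botched rule is rejected before anything under /etc/sudoers.d changes, and the rename is the only step that makes the rule visible to sudo. Interactive visudo does the same two things for /etc/sudoers itself, plus the lock that stops a second administrator from editing at the same time.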

From the visudo man page:

visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

Also check this answer from serverfault.
