[sudo-users] sudoedit being fully qualified
Paul Cantle
Paul at cantle.me
Fri Jan 7 10:05:44 MST 2022
Hi Todd,
This is on RHEL 8.5 with a bundled version of sudo running at version 1.8.29 – the latest available (apologies, I should’ve mentioned that in my original email), so I’m guessing those features that you describe below are not available in this version.
Thanks
Paul
From: Todd C. Miller <Todd.Miller at sudo.ws>
Date: Friday, 7 January 2022 at 16:56
To: Paul Cantle <Paul at cantle.me>
Cc: sudo-users at sudo.ws <sudo-users at sudo.ws>
Subject: Re: [sudo-users] sudoedit being fully qualified
Have you tried actually doing this? If you try to add a line like:
    testuser ALL = /usr/bin/sudoedit /bin/blah
visudo will flag it as an error. For example
    linux-build [~/sudo/trunk] % sudo visudo
    /etc/sudoers:104:16: sudoedit should not be specified with a path
    testuser ALL = /usr/bin/sudoedit /bin/blah
                   ^~~~~~~~~~~~~~~~~
    What now?
If you edit sudoers without visudo, sudo will treat that /usr/bin/sudoedit
as plain sudoedit. For example:
    $ sudo -l
    User testuser may run the following commands on linux-build:
    (root) sudoedit /bin/blah
Running "sudoedit /bin/blah" will run the editor as testuser, not root.
Now, if I try "sudo sudoedit /bin/blah", I get:
    sudo: sudoedit doesn't need to be run via sudo
and the editor is still run as testuser, not root.
This was tested with sudo 1.9.8p2. Versions prior to 1.8.30 will
behave differently.
- todd
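Added example, not part of the thread or of sudo itself: a small audit script that finds sudoers entries where sudoedit is given with a path, for files that were edited without visudo, and reports the same line:column position visudo prints. The function name and sample rules are constructed for illustration; the parser is simplified and assumes one rule per line (no backslash continuations, no include files), so it is not a substitute for visudo.

```python
import re

# "(runas)" specs are blanked out (same length) so column numbers stay correct.
RUNAS = re.compile(r'\([^)]*\)')
# Leading whitespace, any "TAG:" prefixes such as NOPASSWD:, optional "!".
PREFIX = re.compile(r'\s*(?:[A-Z_]+:\s*)*!?\s*')
# A command word with a directory part whose basename is sudoedit.
QUALIFIED = re.compile(r'/(?:[^\s,/]+/)*sudoedit(?=[\s,]|$)')


def find_qualified_sudoedit(sudoers_text):
    """Return (line, column, path) for each command written as /path/sudoedit.

    Line and column are 1-based. Only the command word of each
    comma-separated entry is checked, never its arguments, so a rule such as
    "/bin/ls /usr/bin/sudoedit" is not reported.
    """
    findings = []
    for lineno, line in enumerate(sudoers_text.splitlines(), start=1):
        stripped = line.lstrip()
        if stripped.startswith('#') or stripped.startswith('Defaults'):
            continue  # comments, #include lines and Defaults settings
        eq = line.find('=')
        if eq < 0:
            continue  # not a user specification or Cmnd_Alias
        masked = RUNAS.sub(lambda m: ' ' * len(m.group(0)), line)
        pos = eq + 1
        for entry in masked[pos:].split(','):
            start = pos + PREFIX.match(entry).end()
            m = QUALIFIED.match(masked, start)
            if m:
                findings.append((lineno, m.start() + 1, m.group(0)))
            pos += len(entry) + 1  # step past the entry and its comma
    return findings


# Constructed sample input (not taken from a real system).
SAMPLE = "\n".join([
    "# constructed sample sudoers content",
    "Defaults env_reset",
    "testuser ALL = /usr/bin/sudoedit /bin/blah",
    "testuser ALL = sudoedit /bin/blah",
    "opsuser ALL = (root) NOPASSWD: /bin/ls /usr/bin/sudoedit, "
    "/usr/local/bin/sudoedit /etc/motd",
])

if __name__ == "__main__":
    for lineno, col, path in find_qualified_sudoedit(SAMPLE):
        print(f"sample:{lineno}:{col}: sudoedit specified with a path: {path}")
```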