safe editing with sudo

Todd C. Miller Todd.Miller at courtesan.com
Wed Jan 28 18:10:26 EST 2004


The next revision of sudo will include a safe editing facility via
the new "-e" flag or when sudo is invoked as "sudoedit" (this is
already in the sudo cvs tree, http://www.sudo.ws/anoncvs.html).

When invoked this way, sudo will make a temporary copy of the files
passed on the command line, set the user to that of the invoking
user, run the user's preferred editor, copy the temp files back to
the originals, and finally unlink the temp copies (unless sudo was
unable to update the originals, in which case the temp versions are
retained).

The way it works is you specify "sudoedit" as the command that
may be run in the sudoers file instead of a command pathname.  E.g.

    millert	server=sudoedit /etc/motd

would allow millert to run

    % sudoedit /etc/motd

and the editor would run as millert on a temp file, after which
sudo would update /etc/motd based on that temp file.  Of course,
you can also use the -u flag in conjunction with sudoedit.

So far so good.

Now, my question is, what should the behavior be when sudoedit is run
as part of a sudo-run script?  In this case, we can use the SUDO_USER
environment variable to determine who the real user is, but should
we restrict what the user can run based on sudoers?  The problems
with restricting via sudoers are:

 o the user is already root and so is capable of doing anything anyway

 o in the case of a script it means you cannot just give the user
   sudo access for the script, you need to specify in sudoers any
   files that script might call sudoedit on

So my feeling is that in this case the thing to do is just do the
sudoers lookup for root but for the logs, use the name specified
by SUDO_USER.

 - todd



More information about the sudo-users mailing list
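The workflow Todd describes (temporary copy, editor on the copy, write-back, temp file kept only if the write-back fails) together with the proposed "log the name from SUDO_USER" rule, as an added example in POSIX shell. This is not sudo's own code and not code from the post: it is an unprivileged model, so it does not switch to the invoking user between the copies the way the real sudoedit does, and the editor runs with whatever privileges the caller has. SUDOEDIT_LOG, log_user and safe_edit are names chosen for this example.

```shell
# Added example (not sudo's own code): a minimal model of the sudoedit
# workflow.  Copies FILE to a temp file, runs $EDITOR on the copy, copies
# the result back, and keeps the temp copy only if the write-back fails.
# Privilege dropping is not modelled.  SUDOEDIT_LOG is an assumed log
# path for the example; it defaults to /dev/null.

# Name to log: the real user from SUDO_USER when run under sudo,
# otherwise the current login (the behaviour the post proposes).
log_user() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s\n' "$SUDO_USER"
    else
        id -un
    fi
}

# safe_edit FILE: edit FILE via a temporary copy.
# Returns 0 on success (including "nothing changed"), 1 on failure;
# if the edited copy could not be written back, the temp file is retained
# and its path is reported on stderr.
safe_edit() {
    file=$1
    tmp=$(mktemp "${TMPDIR:-/tmp}/sudoedit.XXXXXX") || return 1
    cp "$file" "$tmp" || { rm -f "$tmp"; return 1; }
    # The editor only ever sees the copy, never the real file.
    ${EDITOR:-vi} "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"            # unchanged: nothing to write back
        return 0
    fi
    if cp "$tmp" "$file"; then
        printf '%s edited %s\n' "$(log_user)" "$file" \
            >> "${SUDOEDIT_LOG:-/dev/null}"
        rm -f "$tmp"
        return 0
    fi
    printf 'could not update %s, edited copy kept in %s\n' "$file" "$tmp" >&2
    return 1
}
```

To try it by hand: EDITOR=vi safe_edit /path/to/file. A shell function named in EDITOR also works (the call is ${EDITOR} "$tmp"), which is how a scripted editor can drive it without a terminal.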