[sudo-users] prevent sudoedit from using $EDITOR

[Niklas Freeman]

hi

I use emacs but as you know one should not allow any user to start
emacs as root because any command can be executed from within emacs.
So I tried:

Defaults editor=/usr/bin/nano, !env_editor

Now when I run visudo it uses nano but what I wanted is that when a
user runs sudoedit /allowed-file that nano is used instead of emacs.

Two things I don't understand here:

(1) Why is there even an option !env_editor that forces use of
'editor' for visudo? I can't see how this improves security at all or
any other reason why anyone would want to use a different editor to
edit /etc/sudoers than for everything else. Once a user gains access
to /etc/sudores he can do whatever he wants anyway.

(2) But if !env_editor had an effect on sudoedit this would improve
security. Why isn't that done? Am I missing some other option that
does this? Just setting VISUAL/EDITOR does not seam to be enough, the
user could just change it before using sudoedit.

And one more thing, assuming that I am somehow able to prevent the
user from starting emacs and executing any command he wants:

(3) I did run a quick test and tried to write to a file that is only
writable by root after starting emacs like this.

user# sudoedit /the-only-allowed-file

This was not possible, which obviously is what I wanted. But I don't
understand how this is possible and as long as I don't know a little
more about it, I won't trust it enought to enable sudoedit at all.

- Nik