[sudo-users] sudoedit being fully qualified

Todd C. Miller Todd.Miller at sudo.ws
Fri Jan 7 09:56:34 MST 2022


Have you tried actually doing this?  If you try to add a line like:

    testuser ALL = /usr/bin/sudoedit /bin/blah

visudo will flag it as an error.  For example:

linux-build [~/sudo/trunk] % sudo visudo
/etc/sudoers:104:16: sudoedit should not be specified with a path
testuser ALL = /usr/bin/sudoedit /bin/blah
               ^~~~~~~~~~~~~~~~~
What now?

If you edit sudoers without visudo, sudo will treat that /usr/bin/sudoedit
as plain sudoedit.  For example:

$ sudo -l

User testuser may run the following commands on linux-build:
    (root) sudoedit /bin/blah

Running "sudoedit /bin/blah" will run the editor as testuser, not root.

Now, if I try "sudo sudoedit /bin/blah", I get:

sudo: sudoedit doesn't need to be run via sudo

and the editor is still run as testuser, not root.

This was tested with sudo 1.9.8p2.  Versions prior to 1.8.30 will
behave differently.

 - todd
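
An added example, not part of the message above and not sudo's own parser: a simplified Python audit for sudoers files that were edited without visudo, flagging command entries where sudoedit is written with a path. The function names and the sample file are constructed for illustration, includes are not followed, and `visudo -c` remains the authoritative check.

```python
import re

# A path-qualified sudoedit in command position: directly after "=", ",", ":",
# ")" or "!" (ignoring blanks). Arguments to a command are not in that position.
QUALIFIED = re.compile(r"[=,:)!]\s*(/(?:[^\s,/]+/)*sudoedit)(?![^\s,])")
MESSAGE = "sudoedit should not be specified with a path"  # wording from visudo


def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        start = number if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended on a continuation
        yield start, buf


def find_qualified_sudoedit(text):
    """Return (line, column, path) for each path-qualified sudoedit entry."""
    findings = []
    for lineno, line in logical_lines(text):
        stripped = line.lstrip()
        # Skip comments and Defaults settings; rules and aliases hold commands.
        if stripped.startswith("#") or stripped.startswith("Defaults"):
            continue
        for match in QUALIFIED.finditer(line):
            findings.append((lineno, match.start(1) + 1, match.group(1)))
    return findings


def report(filename, text):
    """Format findings in the file:line:column style visudo uses."""
    return [f"{filename}:{line}:{col}: {MESSAGE}"
            for line, col, _ in find_qualified_sudoedit(text)]


# Constructed sample, not taken from a real host.
SAMPLE = r"""# constructed sample
Defaults env_reset
testuser ALL = /usr/bin/sudoedit /bin/blah
alice ALL = (root) NOPASSWD: sudoedit /etc/hosts
Cmnd_Alias EDITS = /usr/bin/vi /etc/motd, \
    /usr/local/bin/sudoedit /etc/fstab
bob ALL = sudoedit /srv/notes/sudoedit
"""

if __name__ == "__main__":
    print("\n".join(report("sudoers.sample", SAMPLE)))
```

The plain `sudoedit` rules and the file argument that merely ends in `sudoedit` are not reported; only the two entries where the command itself carries a path are.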

