[sudo-users] sudoedit being fully qualified

Todd C. Miller Todd.Miller at sudo.ws
Fri Jan 7 09:56:34 MST 2022

Have you tried actually doing this?  If you try to add a line like:

    testuser ALL = /usr/bin/sudoedit /bin/blah

visudo will flag it as an error.  For example

linux-build [~/sudo/trunk] % sudo visudo
/etc/sudoers:104:16: sudoedit should not be specified with a path
testuser ALL = /usr/bin/sudoedit /bin/blah
What now?

If you edit sudoers without visudo, sudo will treat that /usr/bin/sudoedit
as plain sudoedit.  For example:

$ sudo -l

User testuser may run the following commands on linux-build:
    (root) sudoedit /bin/blah

Running "sudoedit /bin/blah" will run the editor as testuser, not root.

Now, if I try "sudo sudoedit /bin/blah", I get:

sudo: sudoedit doesn't need to be run via sudo

and the editor is still run as testuser, not root.

This was tested with sudo 1.9.8p2.  Versions prior to 1.8.30 will
behave differently.

 - todd

More information about the sudo-users mailing list