[sudo-users] sudoedit being fully qualified

Paul Cantle Paul at cantle.me
Fri Jan 7 10:05:44 MST 2022


Hi Todd,

This is on RHEL 8.5 with a bundled version of sudo running at version 1.8.29 – the latest available (apologies, I should’ve mentioned that in my original email), so I’m guessing those features that you describe below are not available in this version.

Thanks

Paul



From: Todd C. Miller <Todd.Miller at sudo.ws>
Date: Friday, 7 January 2022 at 16:56
To: Paul Cantle <Paul at cantle.me>
Cc: sudo-users at sudo.ws <sudo-users at sudo.ws>
Subject: Re: [sudo-users] sudoedit being fully qualified

Have you tried actually doing this?  If you try to add a line like:

    testuser ALL = /usr/bin/sudoedit /bin/blah

visudo will flag it as an error.  For example:

linux-build [~/sudo/trunk] % sudo visudo
/etc/sudoers:104:16: sudoedit should not be specified with a path
testuser ALL = /usr/bin/sudoedit /bin/blah
               ^~~~~~~~~~~~~~~~~
What now?

If you edit sudoers without visudo, sudo will treat that /usr/bin/sudoedit
as plain sudoedit.  For example:

$ sudo -l

User testuser may run the following commands on linux-build:
    (root) sudoedit /bin/blah

Running "sudoedit /bin/blah" will run the editor as testuser, not root.

Now, if I try "sudo sudoedit /bin/blah", I get:

sudo: sudoedit doesn't need to be run via sudo

and the editor is still run as testuser, not root.

This was tested with sudo 1.9.8p2.  Versions prior to 1.8.30 will
behave differently.

 - todd
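
An added example, not part of the original thread and not sudo's own code: a small lint that reports path-qualified sudoedit entries in sudoers text, for hosts where visudo does not print the diagnostic Todd shows above. The function name, the constructed sample rules and the simplified idea of "command position" are assumptions; this is not a full sudoers parser.

```python
import re

# A path-qualified sudoedit token such as /usr/bin/sudoedit or /bin/sudoedit.
_TOKEN = r"(/(?:[^\s,/]+/)*sudoedit)(?=[\s,]|$)"
# Command position (simplified): after '=', ',', a Runas ')' or a 'TAG:' colon.
_CMD = re.compile(r"[=,):]\s*" + _TOKEN)
# The same token as the first word of a backslash-continued line.
_CONT = re.compile(r"\s*" + _TOKEN)


def find_qualified_sudoedit(text):
    """Return (line, column, token) for each path-qualified sudoedit command.

    Line and column are 1-based, like visudo's file:line:column prefix.
    A path that is only an *argument* (a file to edit) is not reported.
    """
    hits = []
    continued = False  # previous physical line ended with a backslash
    skip = False       # current entry is a comment or a Defaults line
    for num, line in enumerate(text.splitlines(), 1):
        if not continued:
            head = line.lstrip()
            skip = head.startswith("#") or head.startswith("Defaults")
        if not skip:
            if continued:
                m = _CONT.match(line)
                if m:
                    hits.append((num, m.start(1) + 1, m.group(1)))
            for m in _CMD.finditer(line):
                hits.append((num, m.start(1) + 1, m.group(1)))
        continued = line.rstrip().endswith("\\")
    return hits


# Constructed sample input; only the testuser rule is taken from the thread.
SAMPLE = """\
# constructed sample sudoers content
Defaults editor=/usr/bin/vi
testuser ALL = /usr/bin/sudoedit /bin/blah
alice ALL = (root) NOPASSWD: sudoedit /etc/hosts
bob ALL = /usr/bin/less /var/log/messages, \\
    /bin/sudoedit /etc/motd
carol ALL = sudoedit /srv/tools/sudoedit
"""

if __name__ == "__main__":
    for line, col, token in find_qualified_sudoedit(SAMPLE):
        print(f"sudoers:{line}:{col}: sudoedit should not be specified with a path ({token})")
```
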

