suedit [was: Re: visudo enhancement to edit-syntax-check arbitrary files]

William R. Ward bill at
Fri Dec 14 17:53:12 EST 2001

Bob Proulx writes:
>> >Oh, you mean the "suedit" idea.  Sorry, yes, I was confused by
>> >the mail Subject here.  I don't object to the idea of "suedit",
>> >though I'm not sure whether or not it should really be part of
>> >visudo or a separate program/script.
>> >
>> >But it will have to wait until after sudo 1.6.4 is out.
>> It's a pretty major change, so I can appreciate that you would not
>> release it without some serious thought.
>I rather liked the idea of a "helper" program, which would give up
>superuser access to become a non-privileged user for spawning subtasks
>in general, and then resume root afterward.  I can't think of anything
>right now but if that was general purpose then other needs than just
>editing files would present themselves.  I would not limit it to just
>editing files.
>I would not modify sudo in any way.  IMNHO this should be a separate
>utility.  Keep the design modular and each program focused on what it
>does best.  Creeping features and code bloat lead to undiscovered bugs
>which in turn cause security issues when dealing with suid programs.

The reason why I would recommend modifying sudo is to allow the
sudoers file to more easily configure such actions.  This way you can
add "Edit_Alias" entries instead of some rather complex "Cmnd_Alias"
options; just list the filenames that the users are allowed to edit.

Maybe there is some value in making this functionality be a specific
instance of the "helper" program you describe, so that it can be used
for more general things.  However, the sudoers syntax could get even
more hairy in that case.


William R Ward            bill at
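
The "helper" pattern quoted above (drop to a non-privileged user for a subtask, then carry on as root) is sketched below as an added example. It is not part of the original message and not code from sudo. The function name `run_unprivileged` and the demo uid/gid 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run argv[0] as (uid, gid) in a child process.
 * The parent never changes its own IDs, so it is still root when the
 * subtask finishes. Returns the child's exit status, or -1 on error. */
int run_unprivileged(uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Order matters: supplementary groups, then gid, then uid.
         * Once the uid is dropped the groups can no longer be changed. */
        if (geteuid() == 0 && setgroups(0, NULL) != 0)
            _exit(126);
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        /* Verify the drop is permanent: regaining root must fail. */
        if (uid != 0 && setuid(0) == 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: 65534 is "nobody" on many systems (assumption). */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    char *const cmd[] = { "id", NULL };
    printf("subtask exit status: %d\n", run_unprivileged(uid, gid, cmd));
    printf("parent euid afterwards: %d\n", (int)geteuid());
    return 0;
}
```

Because the drop happens only in the forked child, the subtask cannot regain root, and the parent needs no saved-uid juggling to "resume" it.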
