Why memorize a different command? I assume sudoedit just looks up the system’s EDITOR environment variable and uses that. Is there any other benefit?
I don’t use it, but, sudoedit is a little more complicated than that.
details
from man sudo:
When invoked as sudoedit, the -e option (described below), is implied.
-e, --edit
Edit one or more files instead of running a command. In lieu
of a path name, the string"sudoedit"is used when consulting
the security policy. If the user is authorized by the policy,
the following steps are taken:
1. Temporary copies are made of the files to be edited with
the owner setto the invoking user.
2. The editor specified by the policy is run to edit the tem‐
porary files. The sudoers policy uses the SUDO_EDITOR,
VISUAL and EDITOR environment variables (in that order).
If none of SUDO_EDITOR, VISUAL or EDITOR are set, the
first program listed in the editor sudoers(5) optionis
used.
3. If they have been modified, the temporary files are copied
back to their original location and the temporary versions
are removed.
To help prevent the editing of unauthorized files, the follow‐
ing restrictions are enforced unless explicitly allowed by the
security policy:
• Symbolic links may not be edited (version 1.8.15and
higher).
• Symbolic links along the path to be edited are not followed
when the parent directory is writable by the invoking user
unless that user is root (version 1.8.16and higher).
• Files located in a directory that is writable by the invok‐
ing user may not be edited unless that user is root (ver‐
sion 1.8.16and higher).
Users are never allowed to edit device special files.
If the specified file does not exist, it will be created. Un‐
like most commands run by sudo, the editor is run with the in‐
voking user's environment unmodified. If the temporary file
becomes empty after editing, the user will be prompted before
it is installed. If, for some reason, sudo is unable to update
a file with its edited version, the user will receive a warning
and the edited copy will remain in a temporary file.
tldr: it makes a copy of the file-to-be-edited in a temp directory, owned by you, and then runs your $EDITOR as your normal user (so, with your normal editor config)
note that sudo also includes a similar command which is specifically for editing /etc/sudoers, called visudo 🤪
It doesn’t edit the file directly, it creates a temp file that replaces the file when saving. It means that the editor is run as the user, not as root.
So it opens the file in your editor, since you have read access to it. Then saves your changes to a temp file. Then when you close the editor it does a sudo mv tmpfile readfile?
I checked this by checking the file ownership when running touch myself. The file is owned by root. sudo nano myself also creates a file owned by root. sudoedit myself bitches at me not to run it in a writable directory.
sudoedit: myself: editing files in a writable directory is not permitted
So I ran it in a non-writable directory and the resulting file is still owned by root.
So is the advantage of sudoedit preventing a possible escalation of privileges situation?
For me personally the advantage is that since the editor is opened by your user, it has all of the same config that I’m used to (such as my souped up Neovim config).
Whereas if you sudo nvim /path/to/file then the editor is opened as root and you don’t have the same configuration.
I just make /root/.config/nvim a symlink to ~/.config/nvim and running nvim as root gives me all the same settings I’m used to. (I’d rather not run nvim-qt as root though, so in that case sudoedit is useful.)
Set SUDO_EDITOR in your profile to the editor of your choice, benefit is it retains your user profile for that editor, it’s also less to type. For stuff like editing sudoers you’re supposed to use visudo to edit that. Others can probably give better/more thorough reasons to consider it.
I know this is a meme community, but a modicum of effort IS warranted IMO. https://superuser.com/questions/785187/sudoedit-why-use-it-over-sudo-vi is the top result of a search for “why use sudoedit” and a pretty good answer. “man sudoedit” also explains it pretty well, as shown by another commenter.
Correct but it uses the SUDO_EDITOR environment variable. The benefit is more security while editing system files, it creates a temporary file and when you finish it writes changes to the original. There is more to it but that is all I know, it prevents some exploits.
Why memorize a different command? I assume
sudoeditjust looks up the system’s EDITOR environment variable and uses that. Is there any other benefit?I believe sudoedit disables being able to spawn commands from the editor. In vi, I think it was :!<command>
I don’t use it, but,
sudoeditis a little more complicated than that.details
from
man sudo:When invoked as sudoedit, the -e option (described below), is implied.-e, --edit Edit one or more files instead of running a command. In lieu of a path name, the string "sudoedit" is used when consulting the security policy. If the user is authorized by the policy, the following steps are taken: 1. Temporary copies are made of the files to be edited with the owner set to the invoking user. 2. The editor specified by the policy is run to edit the tem‐ porary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used. 3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed. To help prevent the editing of unauthorized files, the follow‐ ing restrictions are enforced unless explicitly allowed by the security policy: • Symbolic links may not be edited (version 1.8.15 and higher). • Symbolic links along the path to be edited are not followed when the parent directory is writable by the invoking user unless that user is root (version 1.8.16 and higher). • Files located in a directory that is writable by the invok‐ ing user may not be edited unless that user is root (ver‐ sion 1.8.16 and higher). Users are never allowed to edit device special files. If the specified file does not exist, it will be created. Un‐ like most commands run by sudo, the editor is run with the in‐ voking user's environment unmodified. If the temporary file becomes empty after editing, the user will be prompted before it is installed. If, for some reason, sudo is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain in a temporary file.tldr: it makes a copy of the file-to-be-edited in a temp directory, owned by you, and then runs your
$EDITORas your normal user (so, with your normal editor config)note that sudo also includes a similar command which is specifically for editing
/etc/sudoers, calledvisudo🤪visudo is a life-saver since it adds some checks to prevent you from breaking your sudo configuration and locking you out of your system.
It doesn’t edit the file directly, it creates a temp file that replaces the file when saving. It means that the editor is run as the user, not as root.
So it opens the file in your editor, since you have read access to it. Then saves your changes to a temp file. Then when you close the editor it does a sudo mv tmpfile readfile?
I checked this by checking the file ownership when running
touch myself. The file is owned by root.sudo nano myselfalso creates a file owned by root.sudoedit myselfbitches at me not to run it in a writable directory.So I ran it in a non-writable directory and the resulting file is still owned by root.
So is the advantage of
sudoeditpreventing a possible escalation of privileges situation?For me personally the advantage is that since the editor is opened by your user, it has all of the same config that I’m used to (such as my souped up Neovim config).
Whereas if you
sudo nvim /path/to/filethen the editor is opened as root and you don’t have the same configuration.That’s a pretty big advantage actually. Thanks!
I just make
/root/.config/nvima symlink to~/.config/nvimand runningnvimas root gives me all the same settings I’m used to. (I’d rather not runnvim-qtas root though, so in that casesudoeditis useful.)Yes, and it also lets me use my neovim config.
From the arch wiki
sudo -e {file}Set SUDO_EDITOR in your profile to the editor of your choice, benefit is it retains your user profile for that editor, it’s also less to type. For stuff like editing sudoers you’re supposed to use visudo to edit that. Others can probably give better/more thorough reasons to consider it.
I know this is a meme community, but a modicum of effort IS warranted IMO. https://superuser.com/questions/785187/sudoedit-why-use-it-over-sudo-vi is the top result of a search for “why use sudoedit” and a pretty good answer. “man sudoedit” also explains it pretty well, as shown by another commenter.
Hey, even memes can lead to learning opportunities!
Correct but it uses the SUDO_EDITOR environment variable. The benefit is more security while editing system files, it creates a temporary file and when you finish it writes changes to the original. There is more to it but that is all I know, it prevents some exploits.