this post was submitted on 25 Apr 2025
627 points (98.0% liked)

linuxmemes

    [–] [email protected] 30 points 2 days ago* (last edited 2 days ago) (1 children)

    You mean sudoedit right? Right?

    edit: While there's a little bit of attention on this I also want to beg you to stop doing sudo su - and start doing sudo -i you know who you are <3

    [–] [email protected] 11 points 2 days ago (6 children)

    Why memorize a different command? I assume sudoedit just looks up the system's EDITOR environment variable and uses that. Is there any other benefit?

    [–] [email protected] 31 points 2 days ago (1 children)

    Why memorize a different command? I assume sudoedit just looks up the system’s EDITOR environment variable and uses that. Is there any other benefit?

    I don't use it, but, sudoedit is a little more complicated than that.

    from man sudo:

    When invoked as sudoedit, the -e option (described below), is implied.
    
           -e, --edit
                   Edit one or more files instead of running a command.   In  lieu
                   of  a  path name, the string "sudoedit" is used when consulting
                   the security policy.  If the user is authorized by the  policy,
                   the following steps are taken:
    
                   1.   Temporary  copies  are made of the files to be edited with
                        the owner set to the invoking user.
    
                   2.   The editor specified by the policy is run to edit the tem‐
                        porary files.  The sudoers policy  uses  the  SUDO_EDITOR,
                        VISUAL  and  EDITOR environment variables (in that order).
                        If none of SUDO_EDITOR, VISUAL  or  EDITOR  are  set,  the
                        first  program  listed  in the editor sudoers(5) option is
                        used.
    
                   3.   If they have been modified, the temporary files are copied
                        back to their original location and the temporary versions
                        are removed.
    
                   To help prevent the editing of unauthorized files, the  follow‐
                   ing  restrictions are enforced unless explicitly allowed by the
                   security policy:
    
                    •  Symbolic links  may  not  be  edited  (version  1.8.15  and
                       higher).
    
                    •  Symbolic links along the path to be edited are not followed
                       when  the parent directory is writable by the invoking user
                       unless that user is root (version 1.8.16 and higher).
    
                    •  Files located in a directory that is writable by the invok‐
                       ing user may not be edited unless that user is  root  (ver‐
                       sion 1.8.16 and higher).
    
                   Users are never allowed to edit device special files.
    
                   If  the specified file does not exist, it will be created.  Un‐
                   like most commands run by sudo, the editor is run with the  in‐
                   voking  user's  environment  unmodified.  If the temporary file
                   becomes empty after editing, the user will be  prompted  before
                   it is installed.  If, for some reason, sudo is unable to update
                   a file with its edited version, the user will receive a warning
                   and the edited copy will remain in a temporary file.
    

    tldr: it makes a copy of the file-to-be-edited in a temp directory, owned by you, and then runs your $EDITOR as your normal user (so, with your normal editor config)

    note that sudo also includes a similar command which is specifically for editing /etc/sudoers, called visudo 🤪
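
Added example, not part of the thread or of sudo's own code: a POSIX shell approximation of the editor lookup order and the path restrictions listed in the man page excerpt above. The function names, the result strings and the fallback argument are assumptions made for illustration; this static pre-check only mirrors the documented rules and is not how sudo implements them.

```shell
#!/bin/sh
# Added illustration: approximates the sudoedit rules quoted from man sudo.
# Function names and result strings are made up for this example.

# Editor lookup order: SUDO_EDITOR, VISUAL, EDITOR, then a fallback that
# stands in for the first program in the sudoers "editor" option.
pick_editor() {
    fallback=${1:-}
    for candidate in "${SUDO_EDITOR:-}" "${VISUAL:-}" "${EDITOR:-}" "$fallback"; do
        if [ -n "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Prints "ok", or the reason the documented restrictions would refuse the path.
sudoedit_precheck() {
    target=$1
    # Device special files are never editable.
    if [ -b "$target" ] || [ -c "$target" ]; then
        echo "device"; return 1
    fi
    # The file itself may not be a symbolic link (1.8.15 and higher).
    if [ -L "$target" ]; then
        echo "symlink"; return 1
    fi
    # The remaining restrictions do not apply when the invoking user is root.
    if [ "$(id -u)" -eq 0 ]; then
        echo "ok"; return 0
    fi
    dir=$(dirname -- "$target")
    # Files in a directory the invoking user can write to (1.8.16 and higher).
    if [ -w "$dir" ]; then
        echo "writable-dir"; return 1
    fi
    # Symlinked path components under a user-writable parent (1.8.16 and higher).
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        parent=$(dirname -- "$dir")
        if [ -L "$dir" ] && [ -w "$parent" ]; then
            echo "symlink-in-path"; return 1
        fi
        dir=$parent
    done
    echo "ok"
}
```
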

    [–] [email protected] 18 points 2 days ago

    visudo is a life-saver since it adds some checks to prevent you from breaking your sudo configuration and locking you out of your system.

    [–] [email protected] 12 points 2 days ago (1 children)

    It doesn't edit the file directly, it creates a temp file that replaces the file when saving. It means that the editor is run as the user, not as root.

    [–] [email protected] 3 points 2 days ago (2 children)

    So it opens the file in your editor, since you have read access to it. Then saves your changes to a temp file. Then when you close the editor it does a sudo mv tmpfile readfile?

    I checked this by checking the file ownership when running touch myself. The file is owned by root. sudo nano myself also creates a file owned by root. sudoedit myself bitches at me not to run it in a writable directory.

    sudoedit: myself: editing files in a writable directory is not permitted

    So I ran it in a non-writable directory and the resulting file is still owned by root.

    So is the advantage of sudoedit preventing a possible escalation of privileges situation?

    [–] [email protected] 7 points 2 days ago (2 children)

    For me personally the advantage is that since the editor is opened by your user, it has all of the same config that I'm used to (such as my souped up Neovim config).

    Whereas if you sudo nvim /path/to/file then the editor is opened as root and you don't have the same configuration.

    [–] [email protected] 5 points 2 days ago

    That's a pretty big advantage actually. Thanks!

    [–] [email protected] 3 points 2 days ago

    I just make /root/.config/nvim a symlink to ~/.config/nvim and running nvim as root gives me all the same settings I'm used to. (I'd rather not run nvim-qt as root though, so in that case sudoedit is useful.)

    [–] [email protected] 2 points 2 days ago

    Yes, and it also lets me use my neovim config.

    [–] [email protected] 6 points 2 days ago

    From the arch wiki

    sudo -e {file}
    

    Set SUDO_EDITOR in your profile to the editor of your choice, benefit is it retains your user profile for that editor, it's also less to type. For stuff like editing sudoers you're supposed to use visudo to edit that. Others can probably give better/more thorough reasons to consider it.

    [–] [email protected] 6 points 2 days ago* (last edited 2 days ago) (1 children)

    I know this is a meme community, but a modicum of effort IS warranted IMO. https://superuser.com/questions/785187/sudoedit-why-use-it-over-sudo-vi is the top result of a search for "why use sudoedit" and a pretty good answer. "man sudoedit" also explains it pretty well, as shown by another commenter.

    [–] [email protected] 4 points 2 days ago

    Hey, even memes can lead to learning opportunities!

    [–] [email protected] 1 points 1 day ago

    I believe sudoedit disables being able to spawn commands from the editor. In vi, I think it was :!

    [–] [email protected] 3 points 2 days ago

    Correct but it uses the SUDO_EDITOR environment variable. The benefit is more security while editing system files, it creates a temporary file and when you finish it writes changes to the original. There is more to it but that is all I know, it prevents some exploits.