A question like this makes me smack my forehead. I am on the other side of security, "security should not interfere with the user experience, unless it is expected or required to prevent the average person doing malicious activity."
Preventing sudo use of vim is just a band-aid. As stated earlier, someone can just use:
sudo su -
Or
sudo /bin/bash
Or
sudo nano file
Or
sudo my_executable_text_editor file
etc.
If you are really worried about someone doing something malicious on the box, do not give them sudo (or root password, obviously) privileges, period. There is no silver bullet to prevent malicious activity using sudo, and you will only drive yourself crazy by "applying" all the "fixes" to make sure a person can't do anything malicious.
Someone mentioned changing ownership/groups. This is a sticky problem: if the web server is run as another user and you change permissions on the file, now all of a sudden your site doesn't work. Well, obviously that won't help you.
You can add yourself to the group the web server runs as, however, if the group doesn't have write access to the files, you would need to perform chmod -R g+w * (or chmod individual files) which may not be what you want and can be a hassle if you have to chmod every file.
Some people even suggested using rvim. Sure, one could just add a line in /etc/sudoers to only allow certain users to sudo rvim, however, it would logically stand that if you had to go that route, it may just be better to implement a web based file manager. This way it is running as the user the web server is running as, thus no file permission issues and you can still have granular control over who edits what files.
My two cents anyways.
[5] What are "shell escapes that aren't logged"? And why does it only matter in /var/www? – hasen – 2009-09-11T02:58:13.413
[6] vim has the power to run other commands on a command line. However, because vim was started via sudo, and is therefore running as root, any of those commands will run with root privileges. These commands are known as "shell escapes" and aren't logged the way other invocations of sudo are. And it's not restricted to just /var/www; it's everywhere that I'd use it. I've even aliased "sudo vi" to "sudoedit" in my bashrc file. – Kevin M – 2009-10-21T15:32:56.760
I see what you're getting at and want to agree but clarify. We have no idea whether his normal su and sudo root activities are being logged or not. "sudo vim" allows running a subshell as root - that much is accurate; within that shell, "sudo" won't be controlling what root can and can't do. – pbr – 2009-11-25T16:57:10.150
[3] Kevin, how did you manage to alias "sudo vi" to "sudoedit"? From the bash manual... "The characters /, $, `, and = and any of the shell metacharacters or quoting characters listed above may not appear in an alias name." ...space is one of those metacharacters it's talking about. – pbr – 2009-11-25T16:58:27.933
[9] OK, so it's not an alias per se, but it has the same effect: 'function sudo () { [[ $1 == vi ]] && shift && sudoedit "$@" || command sudo "$@"; }' – Kevin M – 2009-12-18T20:21:07.300
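Kevin's wrapper generalized, as an added example that is not from the original thread: a POSIX sh `sudo` function that diverts any shell-capable editor to `sudoedit`, so the editor never runs as root and the privileged write shows up in the sudo log like any other command. The editor list and the `sudo_route` preview helper are assumptions for illustration; options placed before the editor (e.g. `sudo -u www-data vim`) are passed through unchanged.

```shell
# Editors that can spawn a subshell (vim's :!, nano's ^T, emacs M-x shell).
# Hypothetical list; extend it for the editors installed on your box.
sudo_is_editor() {
    case "${1##*/}" in
        vi|vim|view|nvim|nano|pico|emacs) return 0 ;;
        *) return 1 ;;
    esac
}

# Preview what the wrapper would run, space-joined on one line.
# Editor-style options (-x, +N) are dropped: sudoedit would treat them
# as file names, and $SUDO_EDITOR/$EDITOR handles the editing itself.
sudo_route() {
    if [ $# -gt 0 ] && sudo_is_editor "$1"; then
        shift
        printf 'sudoedit'
        for a in "$@"; do
            case "$a" in -*|+*) ;; *) printf ' %s' "$a" ;; esac
        done
    else
        printf 'sudo'
        for a in "$@"; do printf ' %s' "$a"; done
    fi
    printf '\n'
}

# The wrapper itself, for ~/.bashrc or ~/.profile. "command sudo" skips
# this function, so the real binary handles everything that is not an
# editor invocation. Rebuilds "$@" in place to stay POSIX (no arrays).
sudo() {
    if [ $# -gt 0 ] && sudo_is_editor "$1"; then
        shift
        n=$#
        while [ "$n" -gt 0 ]; do
            a=$1; shift
            case "$a" in -*|+*) ;; *) set -- "$@" "$a" ;; esac
            n=$((n - 1))
        done
        sudoedit "$@"
    else
        command sudo "$@"
    fi
}
```

Run `sudo_route vim +10 /var/www/index.html` to see the dispatch before relying on it interactively.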