sudoedit: why use it over sudo vi?

According to the man page:

sudoedit /etc/file

creates a copy of the file, opens it as the current user, and when saved overwrites the existing file with the copy.

whereas

sudo vi /etc/file

opens the file as root

The man page states that sudoedit is different from sudo because:

the editor is run with the invoking user's environment unmodified

Is the first method safer, and if so, why? Are there other reasons for using sudoedit instead of sudo vi?

jonatan

Posted 2014-07-19T12:37:50.607

Reputation: 303

It has some drawbacks. For example, sometimes syntax highlight is lost.

– Franklin Yu – 2018-11-12T15:43:00.587

Answers

I stumbled upon this question while searching for something completely unrelated, but I thought I would add the following important distinction, which has not been mentioned at all so far: sudoedit doesn't run your editor as root.

$ sudo vim /etc/farts.conf 

will simply run vim as root, allowing it to read the file. The downside is that the editor now also runs as root and can do anything. If you just wanted to allow a user to edit a config file and nothing else, too bad, you just gave them root on the whole system. Nothing prevents me from spawning a shell from vim with :sh or :!command, and since they're sub-processes, they will also run as root.

On the other hand:

$ sudoedit /etc/farts.conf

will actually operate differently. It will create a copy with a unique name in /tmp with permissions locked down to only your user, and then spawn your editor normally, without root privileges, on that copy.

Once you exit your editor, it will compare the temporary file and original file, and safely replace the original with your edit if it changed.

In this scenario, it becomes possible to allow a user to edit a system file, but not allow them to run random binaries as root or poke everywhere on the file system.

That is mainly the actual distinction; the rest that has been mentioned is just neat side effects.

mr_daemon

Posted 2014-07-19T12:37:50.607

Reputation: 306

First of all, sudo vim already explicitly mentions your default editor, which is not necessary if you have it defined in $EDITOR. sudoedit spares you from defining the editor every time you want to edit something—and on a multiuser system it allows everyone to use the editor they personally like.

How so? Consider a system where normal users only get sudo privileges for editing certain files. They are restricted from running sudo with anything else though. You would have to allow them to sudo vi and sudo vim and sudo nano and sudo emacs and sudo pico (et cetera). Instead of having to do that, you could simply allow them to sudoedit the file, with their choice of setting $EDITOR to whatever they like. (Imagine you'd force an Emacs lover to use Vim…)

Another issue is that if your $EDITOR is set to vim, and you have customization settings for it in your user's .vimrc, those settings will not be used if you use sudo vim or sudo $EDITOR. sudoedit however preserves the calling user's environment, and therefore your settings.

See also: What's so great about sudoedit?

slhck

Posted 2014-07-19T12:37:50.607

Reputation: 182 472
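The two answers above describe the same mechanism from two sides: sudoedit copies the file out, runs the editor unprivileged on the copy with the invoking user's own environment (so the user's choice of editor and dotfiles apply), and writes the copy back only if it changed. The script below is an added example, not code from either answer or from the sudo project. It is a user-space model of that copy-edit-compare-replace flow, so it runs without root and deliberately omits the one thing it cannot reproduce, the privileged copy-out and copy-back; the editor-selection order (SUDO_EDITOR, then VISUAL, then EDITOR) follows the sudoers(5) man page. The sudoers lines in the comment, the user name alice and the file /etc/farts.conf are assumed for illustration and are not executed.

```shell
#!/bin/sh
# Added example: a user-space model of what sudoedit does around the editor.
# Nothing here runs as root; in the real sudoedit only the copy-out and the
# copy-back are privileged, the editor itself runs as the invoking user.
#
# Assumed policy, as an /etc/sudoers.d/ fragment (illustration, not run):
#   alice ALL = sudoedit /etc/farts.conf
# lets alice edit that one file through the temp-copy flow below. By contrast
#   alice ALL = /usr/bin/vim /etc/farts.conf
# starts vim as root, so :sh and :!cmd inside it are root shells too.

set -eu

# Editor selection in the order sudoers(5) documents: SUDO_EDITOR, VISUAL,
# EDITOR, with vi as the fallback. The value is the caller's own setting,
# which is why each user gets their preferred editor and their own rc files.
pick_editor() {
    printf '%s\n' "${SUDO_EDITOR:-${VISUAL:-${EDITOR:-vi}}}"
}

# model_sudoedit TARGET
#   1. copy TARGET to a private temp file (mktemp creates it 0600, owned by us)
#   2. run the editor on the copy, unprivileged, with the caller's environment
#   3. if the copy differs from the original, replace the original; otherwise
#      leave it untouched
# Prints "changed" or "unchanged" on stdout.
model_sudoedit() {
    target=$1
    tmp=$(mktemp)
    cp "$target" "$tmp"

    editor=$(pick_editor)
    # Unquoted on purpose so a value like "vim -u NONE" splits into arguments.
    # This is the step that gets no extra privilege: a shell escape from the
    # editor is a shell as the invoking user, not as root.
    $editor "$tmp"

    if cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        echo unchanged
    else
        # The real sudoedit writes the copy back as root, preserving the
        # original's owner and mode; a plain copy is enough for the model.
        cp "$tmp" "$target"
        rm -f "$tmp"
        echo changed
    fi
}
```

To try it, point EDITOR at any editor (or at a small script that modifies its argument) and run `model_sudoedit /path/to/some/file` on a file you own; the function reports whether the edit was applied. The model is also a useful reminder of what sudoedit does not protect against: the policy still decides which files may be edited, so granting sudoedit on a file that root later executes or sources is still a path to root.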

Also the user should be using visudo instead of sudoedit. – Evan Darwin – 2014-07-19T17:01:37.213

@EvanDarwin No, that is unrelated. visudo is only used to edit the /etc/sudoers file in a safe manner (to prevent you from locking yourself out). sudoedit is a command to edit any file. – slhck – 2014-07-19T17:21:53.413

I'm aware, for some reason my brain saw a "/etc/sudoers" in his question somewhere. Maybe I need some more coffee. – Evan Darwin – 2014-07-19T19:17:39.193

-1 because this answer totally misses the point of sudoedit. The main reason for the existence of sudoedit are security reasons, as described in the answer of @mr_daemon. – vog – 2019-07-15T20:54:20.830

@vog You're right. The other answer came way later. I wasn't aware of it. – slhck – 2019-07-15T21:13:28.407