Wingtip Labs Blog

What's So Great About Sudoedit?

Yesterday I learned about a tool that’s going to change my daily behavior working on servers.

I was setting up replication on a new MySQL server, which starts with turning on binary logging by editing /etc/my.cnf. Of course, I was logged in as a low-privilege user, and /etc/my.cnf is owned by root, and I don’t have write privilege to it.

lurkdata ~ $ ls -l /etc/my.cnf
-rw-r--r-- 1 root root 480 Jan  3 19:19 /etc/my.cnf

Typically, I’d run sudo vi /etc/my.cnf. That works, but it wasn’t a good long-term fit here. I’m writing a hands-on MySQL course and I want to give students all the access they need to administer the MySQL database, but not access to, say, turn the lab server into a BitTorrent seed at my expense.

Why is sudoedit good for administrators?

As an administrator, I need to control which files my users can edit with elevated privileges.

In the old sudo vi /etc/my.cnf world, I would need an entry in /etc/sudoers like:

student ALL = vi /etc/my.cnf

There is a series of problems for administrators here. The most serious is that vi can launch other commands (with ! in command mode), so this rule grants far more than permission to edit one file:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mysqld according to the
# instructions in http://fedoraproject.org/wiki/Systemd

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
~
~
:! whoami

root

Press ENTER or type command to continue

There’s a fix for that: I can change my /etc/sudoers entry to:

student ALL = NOEXEC:vi /etc/my.cnf

Now I have a new problem: some people don’t love vi. I don’t want to be in the business of telling you which editor you can run; I want to be in the business of telling you which files you can modify.

And heaven forbid I end up with a (# of editors) x (# of files) matrix I have to keep current in sudoers. Blerg.

Instead, I can authorize students to edit specific files using whatever editor they want (more on that below) with this entry in /etc/sudoers:

student ALL = sudoedit /etc/my.cnf
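If you already have a sudoers file full of "sudo vi" style rules, it helps to find them before converting them. Here is a small audit script I'm adding as an example (it is not part of the post or of sudo itself): it prints every user specification whose command list names an editor and carries neither a NOEXEC: tag nor sudoedit. The editor list and the sample sudoers fragment are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): audit a sudoers file for rules that hand
# a user an interactive editor under sudo without NOEXEC. Each such rule has
# the ":! whoami" problem shown above; the remedy is a NOEXEC: tag or, better,
# a sudoedit rule. The editor list is an assumption; extend it for whatever
# editors exist on your systems.

EDITORS='vi|vim|view|nano|emacs|pico|ed'

# risky_editor_rules FILE
# Prints every user specification in FILE whose command list names an editor
# (bare or with a path) and carries neither NOEXEC: nor sudoedit. Comments,
# blank lines, Defaults and alias definitions are skipped. Known limits: a
# Cmnd_Alias that expands to an editor, an "ALL" command, or an #include'd
# file are not followed; check those by hand or with "sudo -l".
risky_editor_rules() {
    awk -v editors="$EDITORS" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            eq = index($0, "=")     # left of "=": user and host; right: command list
            if (eq == 0) next
            cmds = substr($0, eq + 1)
            if (cmds ~ /NOEXEC:/ || cmds ~ /sudoedit/) next
            if (cmds ~ ("(^|[ \t,/])(" editors ")([ \t]|$)")) print
        }' "$1"
}

# count_risky_editor_rules FILE
# Same scan, reduced to a number (0 means nothing to convert).
count_risky_editor_rules() {
    risky_editor_rules "$1" | wc -l | tr -d ' '
}

# write_sample_sudoers
# Writes a constructed sudoers fragment (not any real system's file) to a
# temp file and prints its path, so the audit runs without touching
# /etc/sudoers. Two of its rules should be flagged.
write_sample_sudoers() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample fragment
Defaults env_reset
Cmnd_Alias MYSQLADM = /usr/bin/mysqladmin
student ALL = vi /etc/my.cnf
student ALL = NOEXEC:vi /etc/my.cnf
student ALL = sudoedit /etc/my.cnf
student ALL = (root) NOPASSWD: /usr/bin/vim /etc/hosts
ops ALL = MYSQLADM
EOF
    printf '%s\n' "$f"
}

sample=$(write_sample_sudoers)
echo "rules to convert to sudoedit ($(count_risky_editor_rules "$sample") found):"
risky_editor_rules "$sample"
rm -f "$sample"
```

On a real box you would point it at /etc/sudoers and each file in /etc/sudoers.d; this only checks the editor problem, so keep using visudo -c for syntax.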

Why is sudoedit good for users?

Most importantly to me as a user, I get to use whatever editor I want. There’s a system-wide default, but I can override it for myself with

export EDITOR=/usr/bin/vim

or

export EDITOR=/usr/bin/emacs

or even

export EDITOR=/bin/nano

I can run that every time I log in, but I’d rather append it to my ~/.bashrc.

The other bonus is that my editor is running as me. That means that all the effort I put into my kickin’ ~/.vimrc, my favorite syntax highlighters, my favorite plugins, all follow me even when I escalate privilege. You don’t get that with sudo vi; you get root’s crappy preferences.

How does sudoedit work?

sudoedit doesn’t actually let you edit the file directly. Instead, it creates a copy, in /tmp (or /var/tmp, as in the listing below), that only you have access to.

You can see more about the special copy with :! ls -l % in vi (the % expands to the file currently being edited).

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mysqld according to the
# instructions in http://fedoraproject.org/wiki/Systemd

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
~
~
:! ls -l %

-rw------- 1 student student 480 Jan  3 19:19 /var/tmp/myXXhUm0Rw.cnf

Press ENTER or type command to continue

You can see (at the bottom) that there’s a new file in the temp directory (/var/tmp here) whose name is based on my.cnf but with some extra characters in the middle to prevent collisions. It’s owned by the low-privilege user, and only that user can read or write it.

When you exit your editor, sudoedit overwrites the original with the temp copy. (Protip: sudoedit does not update the real file every time you write changes to the temp file. It waits until you exit your editor.)
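To make the copy-edit-write-back cycle concrete, here is a plain-shell model of it that runs without root. This is an added example, not sudo’s own code: the temp directory from mktemp -d stands in for sudoedit’s mangled file name, the fake_editor function stands in for $EDITOR, and the sample my.cnf is constructed for the demo.

```shell
#!/bin/sh
# Added example (not sudo's own code): a model of the sudoedit workflow the
# post describes. Three steps: copy the target to a private temp file owned
# by the invoking user, run that user's editor on the copy, and write the
# result back only after the editor exits, and only if the copy changed.

# needs_writeback ORIGINAL COPY
# True when the edited copy differs from the original.
needs_writeback() {
    ! cmp -s "$1" "$2"
}

# mock_sudoedit TARGET [EDITOR]
# EDITOR defaults to $EDITOR, then vi, just as the post describes.
mock_sudoedit() {
    target="$1"
    editor="${2:-${EDITOR:-vi}}"
    base=$(basename "$target")

    # 1. Private working copy. sudoedit derives a unique name from the
    #    target and keeps its extension (myXXhUm0Rw.cnf in the post); this
    #    model uses a fresh directory from mktemp -d instead. The copy is
    #    made under umask 077, so it is 0600 and owned by the invoking user,
    #    exactly like the ls -l output above.
    tmpdir=$(mktemp -d) || return 1
    tmp="$tmpdir/$base"
    (umask 077 && cp "$target" "$tmp") || { rm -rf "$tmpdir"; return 1; }

    # 2. The editor runs as the invoking user, on the copy, with that user's
    #    own ~/.vimrc, plugins and environment. $editor is expanded unquoted
    #    on purpose so a value like "emacs -nw" keeps its arguments. This
    #    model's own choice: a failing editor means no write-back.
    if ! $editor "$tmp"; then
        echo "editor failed; $target left untouched" >&2
        rm -rf "$tmpdir"
        return 1
    fi

    # 3. Write-back happens once, after the editor exits, and only if the
    #    copy differs. Writing with '>' replaces the contents while leaving
    #    the real file's owner and mode alone; in sudoedit this is the only
    #    step that runs with root privileges.
    if needs_writeback "$target" "$tmp"; then
        cat "$tmp" > "$target"
        echo "$target updated"
    else
        echo "$target unchanged"
    fi
    rm -rf "$tmpdir"
}

# fake_editor FILE
# Constructed stand-in for $EDITOR: uncomments the binary-logging line,
# which is the change the post was making to my.cnf.
fake_editor() {
    sed 's/^#log_bin/log_bin/' "$1" > "$1.new" && mv "$1.new" "$1"
}

# make_sample_cnf
# Writes a constructed my.cnf into a temp directory and prints its path.
make_sample_cnf() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/my.cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
#log_bin=mysql-bin
EOF
    printf '%s\n' "$dir/my.cnf"
}

demo=$(make_sample_cnf)
mock_sudoedit "$demo" fake_editor
echo "resulting config:"
cat "$demo"
rm -rf "$(dirname "$demo")"
```

Run it with a real editor by passing its name as the second argument (or leaving it off and relying on $EDITOR); the write-back step will then only succeed on files your own account can write, which is exactly the part sudo adds.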

Why wouldn’t I just use sudo $FAVORITE_EDITOR?

  • sudoedit lets the admin tighten sudoers with a “least privilege” model, while still letting the user choose which editor to use.
  • sudoedit preserves all your editor customizations; sudo $EDITOR doesn’t.

If you’re not using a least privilege model for your users, or if you don’t customize your editor, sudoedit is probably not right for you. But if you’re like me, this is gonna make your day.