Yesterday I learned about a tool that’s going to change my daily behavior working on servers.
I was setting up replication on a new MySQL server, which starts with turning on binary logging by editing /etc/my.cnf. Of course, I was logged in as a low-privilege user, and /etc/my.cnf is owned by root, so I don't have write privilege to it.
Typically, I'd run sudo vi /etc/my.cnf. That works, but it wasn't a good long-term fit here. I'm writing a hands-on MySQL course and I want to give students all the access they need to administer the MySQL database, but not access to, say, turn the lab server into a BitTorrent seed at my expense.
Why is sudoedit good for administrators?
As an administrator, I need to control which files my users can edit with elevated privileges.
In the old sudo vi /etc/my.cnf world, I would need an entry in /etc/sudoers for that exact command.
There is a series of problems for administrators here. The most serious is that you can use vi to launch other commands (with ! in command mode), and because vi itself is running as root, so do those commands.
There's a fix for that: I can change my /etc/sudoers entry to forbid vi from launching other commands.
Now I have a new problem: some people don’t love vi. I don’t want to be in the business of telling you which editor you can run, I want to be in the business of telling you which files you can modify.
And heaven forbid I end up with a (# of editors) x (# of files) matrix I have to keep current in sudoers. Blerg.
Instead, I can authorize students to edit specific files using whatever editor they want (more on that below) with a sudoedit entry in /etc/sudoers.
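As an added example (not one of the post's own listings), here is a small POSIX shell audit that classifies sudoers command rules the way the post distinguishes them: an editor granted as root, the same rule with the NOEXEC tag, and a sudoedit rule. The sample rules, the "student" and "bob" users and the editor paths are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: classify sudoers command rules the way
# the post distinguishes them. The users and editor paths are assumptions.

# Constructed sample rules (a real /etc/sudoers is edited with visudo, never directly).
SAMPLE_RULES='
# vi runs as root, so :!cmd in command mode also runs as root
student ALL = (root) /usr/bin/vi /etc/my.cnf
# NOEXEC stops vi from executing other programs, but pins students to vi
student ALL = (root) NOEXEC: /usr/bin/vi /etc/my.cnf
# sudoedit: the editor runs as student; only the copy-back to the real file is privileged
student ALL = (root) sudoedit /etc/my.cnf
bob ALL = (root) /usr/sbin/service mysqld restart
'

# Editors that can run external commands from inside the editor; extend to taste.
EDITOR_RE='/(vi|vim|nano|emacs)([[:space:]]|$)'

# classify_rule RULE -> sudoedit | noexec-editor | editor-shell-escape | other
classify_rule() {
  if printf '%s' "$1" | grep -Eq '(^|[[:space:]])sudoedit([[:space:]]|$)'; then
    echo sudoedit
  elif printf '%s' "$1" | grep -Eq "NOEXEC:.*$EDITOR_RE"; then
    echo noexec-editor
  elif printf '%s' "$1" | grep -Eq "$EDITOR_RE"; then
    echo editor-shell-escape
  else
    echo other
  fi
}

# audit_rules RULES -> one "class<TAB>rule" line per non-comment, non-blank rule
audit_rules() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    printf '%s\t%s\n' "$(classify_rule "$line")" "$line"
  done
}

# count_shell_escape_rules RULES -> how many rules still grant an editor as root without NOEXEC
count_shell_escape_rules() {
  audit_rules "$1" | grep -c '^editor-shell-escape' || true
}

audit_rules "$SAMPLE_RULES"
```

Run it against the real file with audit_rules "$(sudo cat /etc/sudoers)" to see which rules still hand out a root editor outright.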
Why is sudoedit good for users?
Most importantly to me as a user, I get to use whatever editor I want. There's a system-wide default, but I can override it for myself with any of three settings. I can run that every time I log in, but I'd rather append it to my ~/.bashrc.
The other bonus is that my editor is running as me. That means that all the effort I put into my kickin' ~/.vimrc, my favorite syntax highlighters, my favorite plugins, all follow me even when I escalate privilege. You don't get that with sudo vi; you get root's crappy preferences.
How does sudoedit work?
sudoedit actually doesn't let you edit the file directly. Instead, it creates a copy, in /tmp, that only you have access to.
You can see more about the special copy with :! ls -l % in vi (the % expands to the file currently being edited).
You can see (at the bottom) that there's a new file in /tmp whose name is based on my.cnf but with some extra characters in the middle to prevent collisions. It's owned by the low-privilege user, and only that user can read/write it.
When you exit, sudoedit overwrites the original. (Protip: sudoedit does not update the real file every time you write changes to the temp file. It waits until you exit your editor.)
Why wouldn't I just use sudo $FAVORITE_EDITOR?
sudoedit lets the admin tighten sudoers with a "least privilege" model, while still letting the user choose which editor to use.
sudoedit preserves all your editor customizations; sudo $EDITOR doesn't.
If you're not using a least privilege model for your users, or if you don't customize your editor, sudoedit is probably not right for you. But if you're like me, this is gonna make your day.