Friday 5 October 2018

linux - sudoedit: why use it over sudo vi?


According to the man page:


sudoedit /etc/file

creates a copy of the file, opens it as the current user, and when saved overwrites the existing file with the copy.


whereas


sudo vi /etc/file

opens the file as root


The man page states that sudoedit is different from sudo because:



the editor is run with the invoking user's environment unmodified



Is the first method safer? If so, why? Are there other reasons for using sudoedit instead of sudo vi?



Answer



I stumbled upon this question while searching for something completely unrelated, but I thought I would add the following important distinction, which has not been mentioned at all so far: sudoedit doesn't run your editor as root.


$ sudo vim /etc/farts.conf 

will simply run vim as root, allowing it to read the file. The downside is that the editor now also runs as root and can do anything. If you just wanted to allow a user to edit a config file and nothing else, too bad, you just gave them root on the whole system. Nothing prevents me from spawning a shell from vim with :sh or :!command, and since they're subprocesses, they will also run as root.


On the other hand:


$ sudoedit /etc/farts.conf

will actually operate differently. It will create a copy with a unique name in /tmp with permissions locked down to only your user, and then spawn your editor normally, without root privileges, on that copy.


Once you exit your editor, it will compare the temporary file and original file, and safely replace the original with your edit if it changed.


In this scenario, it becomes possible to allow a user to edit a system file, but not allow them to run random binaries as root or poke everywhere on the file system.


That is mainly the actual distinction; the rest that has been mentioned is just neat side effects.
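
The distinction in the answer can be checked against a sudoers policy. The script below is an added example, not part of the original post: it flags rules that run an editor binary as root and marks rules that use sudoedit instead. The editor list, the user names and the sample policy are constructed assumptions.

```sh
#!/bin/sh
# Added example: flag sudoers rules that run an editor as root.
# Editor list and sample policy are constructed; extend them for your hosts.

audit_sudoers() {
    # Reads sudoers text on stdin, prints "<VERDICT> <line>: <rule>".
    awk '
    BEGIN { split("vi vim nvim view nano pico emacs ed ex joe", e, " ")
            for (i in e) editor[e[i]] = 1 }
    { if (start == 0) start = NR }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continued lines
    {
        rule = buf $0; buf = ""; n = start; start = 0
        sub(/^[ \t]+/, "", rule)
        if (rule == "" || rule ~ /^#/ || rule ~ /^Defaults/) next
        if (index(rule, "=") == 0) next
        cmds = substr(rule, index(rule, "=") + 1)
        gsub(/\([^)]*\)/, "", cmds)      # drop Runas specs such as (root)
        gsub(/[A-Z_]+:/, "", cmds)       # drop tags such as NOPASSWD:
        verdict = ""
        m = split(cmds, c, ",")
        for (i = 1; i <= m; i++) {
            sub(/^[ \t]+/, "", c[i]); split(c[i], w, /[ \t]+/)
            if (w[1] ~ /^!/) continue    # negated entries grant nothing
            k = split(w[1], p, "/"); base = p[k]
            if (base in editor) verdict = "ROOT-EDITOR"
            else if (w[1] == "sudoedit" && verdict == "") verdict = "SUDOEDIT"
        }
        if (verdict != "") print verdict, n ": " rule
    }'
}

sample_policy() {
    cat <<'EOF'
# constructed sample policy, not taken from a real system
Defaults env_reset
alice ALL=(root) /usr/bin/vim /etc/farts.conf
bob   ALL=(root) sudoedit /etc/farts.conf
carol ALL=(root) NOPASSWD: /usr/bin/systemctl restart farts, \
                 /usr/bin/nano /etc/farts.conf
dave  ALL=(root) /usr/bin/systemctl status farts
EOF
}

sample_policy | audit_sudoers
```

Rules reported as ROOT-EDITOR are the ones to rewrite in the sudoedit form shown for bob.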

