[arch-general] Question about visudo and info in the Wiki
Being new to Arch and finally getting a working system (minus the ability to always be able to cleanly reboot and shutdown every time), I started reading about securing my install and ran across the Security wiki on archlinux.org, and it states that you cannot use the EDITOR envvar. But in reality you can use this, and it allows you the ability to run nano like it says visudo does not allow you to do. Is it just a bug in the current release of visudo, am I not understanding the information in the Wiki properly or? Wouldn't this open up a way larger issue?

Quote: "By default, visudo doesn’t follow EDITOR envvar. Also it’s regarded as severe security risk since everything can be used as EDITOR (hello, rootkits!). The best practice is to add the following line to /etc/sudoers (remember to put full path to your favourite editor): "

I have not added anything to my file other than allowing the wheel group sudo rights. Not trying to start any conspiracy here or anything, just curious: could it be a fubared install on my end? I can do it from the root user and by issuing sudo EDITOR=nano visudo.

Thank you

My Source: https://wiki.archlinux.org/index.php/Security
On Fri, Dec 30, 2011 at 10:02 PM, Don Juan <donjuansjiz@gmail.com> wrote:
> I have not added anything to my file other than allowing the wheel group sudo rights. Not trying to start any conspiracy here or anything just curious, could it be a fubared install on my end? I can do it from the root user and by issuing sudo EDITOR=nano visudo.
Arch builds sudo with '--with-env-editor' so you can use the EDITOR var like you did, it's not a bug. http://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=pa...
On 12/30/2011 01:09 PM, Karol Blazewicz wrote:
> On Fri, Dec 30, 2011 at 10:02 PM, Don Juan <donjuansjiz@gmail.com> wrote:
>> I have not added anything to my file other than allowing the wheel group sudo rights. Not trying to start any conspiracy here or anything just curious, could it be a fubared install on my end? I can do it from the root user and by issuing sudo EDITOR=nano visudo.
> Arch builds sudo with '--with-env-editor' so you can use the EDITOR var like you did, it's not a bug. http://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=pa...

but even as root user I can do it, so wouldn't it not do it under root since sudo is not involved?

Thank you for the link though, still trying to learn my way around.
On Fri, Dec 30, 2011 at 10:13 PM, Don Juan <donjuansjiz@gmail.com> wrote:
> but even as root user I can do it, so wouldn't it not do it under root since sudo is not involved?

Not sure what you mean here.

Have you tried restricting the use of EDITOR w/o recompiling sudo: https://wiki.archlinux.org/index.php/Sudo#Using_visudo

    # Defaults specification
    # Reset environment by default
    Defaults env_reset
    # Set default EDITOR to vim, and do not allow visudo to use EDITOR/VISUAL.
    Defaults editor=/usr/bin/vim, !env_editor
On 12/30/2011 01:18 PM, Karol Blazewicz wrote:
> On Fri, Dec 30, 2011 at 10:13 PM, Don Juan <donjuansjiz@gmail.com> wrote:
>> but even as root user I can do it, so wouldn't it not do it under root since sudo is not involved?
> Not sure what you mean here.
>
> Have you tried restricting the use of EDITOR w/o recompiling sudo: https://wiki.archlinux.org/index.php/Sudo#Using_visudo
>
>     # Defaults specification
>     # Reset environment by default
>     Defaults env_reset
>     # Set default EDITOR to vim, and do not allow visudo to use EDITOR/VISUAL.
>     Defaults editor=/usr/bin/vim, !env_editor

I just meant if I log in as root I can run the envvar. It's not an issue to me; I am just the type to try what things say it's not able to do. So I first tried as a normal user, hence the need for sudo. I understand why sudo and running the command works (thanks to your link). But if you are USER root you don't need to run sudo, so hence wouldn't running EDITOR=nano visudo not work if you are a root user, since sudo is not involved?
On Fri, Dec 30, 2011 at 10:23 PM, Don Juan <donjuansjiz@gmail.com> wrote:
> But if you are USER root you don't need to run sudo, so hence wouldn't running EDITOR=nano visudo not work if you are a root user, since sudo is not involved?

visudo uses the EDITOR / VISUAL vars, see the man page:

    ENVIRONMENT
        The following environment variables may be consulted depending on the value of the editor and env_editor sudoers variables:

        VISUAL    Invoked by visudo as the editor to use
        EDITOR    Used by visudo if VISUAL is not set

See, these variables are used *by visudo*. As you said, sudo is needed only for the user, otherwise I get 'visudo: /etc/sudoers: Permission denied'.
On 12/30/2011 01:49 PM, Karol Blazewicz wrote:
> On Fri, Dec 30, 2011 at 10:23 PM, Don Juan <donjuansjiz@gmail.com> wrote:
>> But if you are USER root you don't need to run sudo, so hence wouldn't running EDITOR=nano visudo not work if you are a root user, since sudo is not involved?
> visudo uses the EDITOR / VISUAL vars, see the man page:
>
>     ENVIRONMENT
>         The following environment variables may be consulted depending on the value of the editor and env_editor sudoers variables:
>
>         VISUAL    Invoked by visudo as the editor to use
>         EDITOR    Used by visudo if VISUAL is not set
>
> See, these variables are used *by visudo*. As you said, sudo is needed only for the user, otherwise I get 'visudo: /etc/sudoers: Permission denied'.

Thanks I get it now. Sorry for the noise, appreciate your time and effort. :)
On Fri, Dec 30, 2011 at 10:55 PM, Don Juan <donjuansjiz@gmail.com> wrote:
> Thanks I get it now. Sorry for the noise, appreciate your time and effort. :)
No problem, glad I could help. Your question does not qualify as noise :-)
participants (2)
- Don Juan
- Karol Blazewicz
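
Added example (not part of the thread and not sudo's own code): a small Python model of the rule discussed above, showing how the build-time default ('--with-env-editor') and the sudoers `editor` / `env_editor` Defaults decide whether visudo honors EDITOR. Assumptions: the function names and the `default_editors` placeholder are hypothetical, only global `Defaults` lines are read (scoped forms such as `Defaults:user` are skipped), and an editor is matched by exact full path.

```python
import re

def editor_policy(sudoers_text, env_editor_default, default_editors=("/usr/bin/vi",)):
    """Apply global Defaults lines in file order; return (env_editor, editors)."""
    env_editor = env_editor_default   # build-time default, True for --with-env-editor
    editors = list(default_editors)   # placeholder for the built-in list (assumption)
    text = sudoers_text.replace("\\\n", "")   # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        # Whitespace after "Defaults" means a global entry; Defaults:user etc. do not match.
        m = re.match(r"Defaults\s+(.+)", line)
        if not m:
            continue
        params = m.group(1).split("#", 1)[0]   # drop a trailing comment
        for param in params.split(","):
            param = param.strip()
            if param == "env_editor":
                env_editor = True
            elif param == "!env_editor":
                env_editor = False
            elif param.startswith("editor="):
                editors = param[len("editor="):].strip('"').split(":")
    return env_editor, editors

def env_editor_honored(editor_path, env_editor, editors):
    """EDITOR/VISUAL is used if env_editor is on, or if it names a listed editor."""
    return env_editor or editor_path in editors

# Constructed sample files: a stock install with only wheel enabled, and the
# same file with the two Defaults lines quoted in the thread appended.
STOCK = "root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n"
HARDENED = STOCK + "Defaults env_reset\nDefaults editor=/usr/bin/vim, !env_editor\n"

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED)):
        env_editor, editors = editor_policy(text, env_editor_default=True)
        ok = env_editor_honored("/usr/bin/nano", env_editor, editors)
        print(f"{name}: env_editor={env_editor} editors={editors} nano honored={ok}")
```

The result is the same whether visudo is started through sudo or from a root shell, because the policy comes from the build option and the sudoers file, not from how visudo was invoked.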