Yesterday I learned about a tool that’s going to change my daily behavior working on servers.
I was setting up replication on a new MySQL server, which starts with turning on binary logging by editing /etc/my.cnf . Of course, I was logged in as a low-privilege user, and /etc/my.cnf is owned by root, and I don’t have write privilege to it.
1 2 lurkdata ~ $ ls -l /etc/my.cnf -rw-r--r-- 1 root root 480 Jan 3 19:19 /etc/my.cnf
Typically, I’d run sudo vi /etc/my.conf That works, but it wasn’t a good long term fit here. I’m writing a hands-on MySQL course and I want to give students all the access they need to administer the MySQL database, but not access to, say, turn the lab server into a BitTorrent seed at my expense.
Why is sudoedit good for administrators?
As an administrator, I need to control which files my users can edit with elevated privileges.
In the old sudo vi /etc/my.cnf world, I would need an entry in /etc/sudoers like:
1 student ALL = vi /etc/my.cnf
There are a series of problems for administrators here. The most serious is that you can use vi to launch other commands (with ! in command mode):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 [ mysqld ] datadir = /var/lib/mysql socket = /var/lib/mysql/mysql.sock # Disabling symbolic-links is recommended to prevent assorted security risks symbolic-links = 0 # Settings user and group are ignored when systemd is used. # If you need to run mysqld under a different user or group, # customize your systemd unit file for mysqld according to the # instructions in http://fedoraproject.org/wiki/Systemd [ mysqld_safe ] log-error = /var/log/mysqld.log pid-file = /var/run/mysqld/mysqld.pid ~ ~ :! whoami root Press ENTER or type command to continue
There’s a fix for that, I can change my /etc/sudoers entry to:
1 student ALL = NOEXEC:vi /etc/my.cnf
Now I have a new problem: some people don’t love vi. I don’t want to be in the business of telling you which editor you can run, I want to be in the business of telling you which files you can modify.
And heaven forbid I end up with a (# of editors) x (# of files) matrix I have to keep current in sudoers. Blerg.
Instead, I can authorize students to edit specific files using whatever editor they want (more on that below) with this entry in /etc/sudoers :
1 student ALL = sudoedit /etc/my.cnf
Why is sudoedit good for users?
Most importantly to me as a user, I get to use whatever editor I want. There’s a system-wide default, but I can override it for myself with
1 export EDITOR = /usr/bin/vim
or
1 export EDITOR = /usr/bin/emacs
or even
1 export EDITOR = /bin/nano
I can run that every time I log in, but I’d rather append it to my ~/.bashrc
The other bonus is that my editor is running as me. That means that all the effort I put into my kickin’ ~/.vimrc , my favorite syntax highlighters, my favorite plugins, all follow me even when I escalate privilege. You don’t get that with sudo vi , you get root’s crappy preferences.
How does sudoedit work?
sudoedit actually doesn’t let you edit the file directly. Instead, it creates a copy, in /tmp , that only you have access to.
You can see more about the special copy with :! ls -l % in vi (the % expands to the file currently being edited.)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 [ mysqld ] datadir = /var/lib/mysql socket = /var/lib/mysql/mysql.sock # Disabling symbolic-links is recommended to prevent assorted security risks symbolic-links = 0 # Settings user and group are ignored when systemd is used. # If you need to run mysqld under a different user or group, # customize your systemd unit file for mysqld according to the # instructions in http://fedoraproject.org/wiki/Systemd [ mysqld_safe ] log-error = /var/log/mysqld.log pid-file = /var/run/mysqld/mysqld.pid ~ ~ :! ls -l % -rw------- 1 student student 480 Jan 3 19:19 /var/tmp/myXXhUm0Rw.cnf Press ENTER or type command to continue
You can see (at the bottom) that there’s a new file in /tmp whose name is based on my.cnf but with some extra characters in the middle to prevent collisions. It’s owned by the low-privilege user, and only that user can read/write it.
When you exit, sudoedit overwrites the original. (Protip: sudoedit does not update the real file every time you write changes to the temp file. It waits until you exit your editor.)
Why wouldn’t I just use sudo $FAVORITE_EDITOR ?
sudoedit lets the admin tighten sudoers with a “least privilege” model, while still letting the user choose which editor to use.
lets the admin tighten sudoers with a “least privilege” model, while still letting the user choose which editor to use. sudoedit preserves all your editor customizations, sudo $EDITOR doesn’t.
