I’ve seen this configuration in /etc/sudoers before, but I wanted to explain a little more about why it is not a good idea to do this. First of all, you are editing your sudoers file with visudo, right? (RIGHT?!) If not, you should be. The reason is that visudo does a syntax check on /etc/sudoers before committing. If you have bunked it up, it will let you know and allow you to fix the problem before you commit (you always want to fix before you commit). If you simply edit the /etc/sudoers file directly, bunk up the syntax, and save it anyway, there’s a good chance that NONE of your sudo config will work.
Now, let’s get on with putting /usr/bin/vim in the sudoers file. I can see why one would do this: perhaps you have web admins who don’t use a code repository and simply make backups on the dev box and edit the configs on the machine. Probably not the best idea, but it happens every day. You likely have a group in /etc/group called something like “webdevs”, populated with the names of your web developer accounts:
webdevs:x:599:jsmith,plawrence,ljames,mpayne
Thus, your sudoers file might have a line in it similar to the following (this assumes you have a host alias for the development web servers named DEVWEB):
%webdevs DEVWEB = /usr/bin/vim /docroot/index.html
This seems like an innocent thing, right? I mean, how much damage can they do? You’ve locked them down to just being able to edit the index.html file in /docroot, right?
WRONG!
The funny thing about vim is that you can press the Escape key, then type:
:shell
and it will drop you to a shell. When vim is run under sudo, it’s not just any shell, it’s a root shell. Now everyone in your webdevs group can get a root shell!
So, how do we fix this? We use /usr/bin/sudoedit in place of /usr/bin/vim. sudoedit copies the target file to a temporary location, runs the editor as the invoking user on that copy, and only installs the result back over the privileged file once the editor exits. So if the user tries the same :shell trick, it drops them to a non-elevated shell.
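The rule at issue and its fix, as an added example that is not code from the original post: a small POSIX shell script that scans a sudoers file for rules handing out an interactive editor or pager (all of which carry a shell escape like vim’s :shell), prints the sudoedit rewrite described above, and uses visudo’s own check mode to syntax-check a candidate file without touching /etc/sudoers. The editor list and the sample rules are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: flag sudoers rules that
# grant an interactive editor or pager under sudo (a root shell escape), and
# show the sudoedit form the post recommends. Sample rules are constructed.

# Editors and pagers with a well-known shell escape. These lists are an
# assumption of the example and are not exhaustive.
RISKY_EDITORS='vim|vi|view|vimdiff|nvim|nano|pico|emacs'
RISKY_PAGERS='less|more'

# Print each sudoers rule whose command list names one of the programs above.
# Comments, blank lines, Defaults and alias definitions are ignored.
# Exit status is grep's: 0 if at least one risky rule was printed, 1 if none.
find_editor_rules() {
    grep -vE '^[[:space:]]*(#|$)' "$1" \
      | grep -vE '^[[:space:]]*(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)' \
      | grep -E '(^|[[:space:],=])(/usr/bin/|/bin/|/usr/local/bin/)?('"$RISKY_EDITORS|$RISKY_PAGERS"')([[:space:]]|$)'
}

# Number of risky rules, printed as a bare integer so it is easy to assert on.
count_editor_rules() {
    find_editor_rules "$1" | wc -l | tr -d ' '
}

# Rewrite "<editor> <file>" command lists as "sudoedit <file>", the fix the
# post describes. Pagers are reported above but not rewritten, since sudoedit
# is for editing, not viewing.
suggest_sudoedit() {
    sed -E 's#([[:space:]=])(/usr/bin/|/bin/|/usr/local/bin/)?('"$RISKY_EDITORS"')[[:space:]]+#\1sudoedit #' "$1"
}

# Syntax-check a candidate file the way visudo does before committing it,
# without touching /etc/sudoers. Returns visudo's exit status, or 2 when
# visudo is not installed on this host.
check_syntax() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1"
}

# Constructed sample: one risky rule and one rule that is already fixed.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed sample sudoers fragment
Host_Alias DEVWEB = devweb1, devweb2
%webdevs DEVWEB = /usr/bin/vim /docroot/index.html
%webdevs DEVWEB = sudoedit /docroot/robots.txt
EOF

echo "risky rules found: $(count_editor_rules "$SAMPLE")"
find_editor_rules "$SAMPLE"
echo "suggested rewrite:"
suggest_sudoedit "$SAMPLE"
check_syntax "$SAMPLE" || echo "visudo check returned $? (2 means visudo is not installed here)"
rm -f "$SAMPLE"
```

Run the script as-is to see the constructed sample flagged and rewritten; point `count_editor_rules` at a copy of your own sudoers (or a fragment from /etc/sudoers.d) to audit a real host. The detection is a plain text match, so an editor reached through a Cmnd_Alias or a different install path needs that alias or path added to the lists; the sed rewrite is a suggestion to review, not something to apply blindly to /etc/sudoers.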
tl;dr:
- Use visudo when editing /etc/sudoers
- If users are allowed to run /usr/bin/vim with sudo privs, you’ve just given them a root shell
- Use /usr/bin/sudoedit in place of /usr/bin/vim when attempting to allow users to edit privileged files
Seriously, why would you allow anyone to become root to edit a file in the first place? If they need permission to edit the file, solve that problem with groups or ACLs; going uid 0 just to write to a file is totally insane.
You are very right. This is not a post to tell someone “best practice”; it is a post to say to those who do happen to do this (and believe me, they are out there) and, for some reason, need sudo, to at least do it in a better way.