Linux – How to properly set sudo/visudo’s editor

linuxsudosudoersUbuntuubuntu-10.04

I am using Ubuntu 10.04 Server and trying to set up sudoers to respect a user's EDITOR choice (within limits)

In my sudoers I have:

Defaults        editor=/usr/bin/nano:/usr/bin/vim
Defaults        env_reset

And in the user .bashrc:

export EDITOR=/usr/bin/vim

$EDITOR is set:

$ echo $EDITOR
/usr/bin/vim

According to man sudoers this should be enough for $EDITOR to be set to vim:

editor  A colon (':') separated list of editors allowed to be used with visudo.
        visudo will choose the editor that matches the user's EDITOR environment
        variable if possible, or the first editor in the list that exists and is
        executable. The default is the path to vi on your system.

However nano is still being used for this user. A quick check of env:

$ sudo -- env | grep EDITOR

Returns nothing.

$ sudo -E -- env | grep EDITOR

Returns EDITOR=/usr/bin/vim

I am aware that I could do the following things to make EDITOR work:

  • Set env_editor, env_keep+=EDITOR or any other option that keeps the EDITOR variable in sudoers: I don't want to do this as it could allow arbitrary execution of anything (e.g. export EDITOR=~/bad_program_to_run_as_root)
  • Use sudo -E or even alias sudo='sudo -E': Defeats the point of having env_reset and users without SETENV (not something I want to give out: see previous point) get sudo: sorry, you are not allowed to preserve the environment
  • Set editor=/usr/bin/vim: But there are other users who don't know vim
  • Use sudo select-editor: Close, but sudo visudo still opens in nano
  • Just use sudoedit or vim directly: But then you lose the safety of tools like visudo, vipw, crontab -e.
  • Just deal with it: Probably, but if I'm missing some insight I would love to know

I've also tried setting the VISUAL and SUDO_EDITOR variables (in desperation)

Is there something I have missed that will make sudo visudo open in the users editor of choice, without making the compromises above?

EDIT:

I think I understand why this isn't working as I expect. I'm putting it down here in case anyone else has the same misconception.

In the sudoers file

Defaults        editor=/usr/bin/nano:/usr/bin/vim
  • Only refers to the list of editors that are allowed when running visudo (not any other program)
  • editor checks $EDITOR, but if running sudo visudo, sudo does not set $EDITOR, so when visudo runs it will be empty
  • Therefore the first editor is used, in this case nano

Can anyone confirm that this is correct?

I expected therefore that a safe solution would be to add:

Defaults!/usr/sbin/visudo env_keep+=EDITOR

i.e. keep EDITOR if and only if running visudo. This would then be checked against

Defaults                  editor=/usr/bin/nano:/usr/bin/vim

And if it didn't match either would use nano

Weirdly though, this doesn't seem to be the case:

$ sudo su - root
# export EDITOR=/bin/echo
# visudo
/etc/sudoers.tmp
visudo: /etc/sudoers.tmp unchanged

/bin/echo is used as the editor. Bug? Or another misconception?

Thanks

Best Answer

You are right that setting the EDITOR variable should change the editor used for sudo. However, there are two other variables with precedence over the EDITOR: SUDO_EDITOR and VISUAL. Make sure none of them point to some other editor like nano.

Related Question