I am using Ubuntu 10.04 Server and trying to set up sudoers to respect a user's EDITOR choice (within limits)
In my sudoers I have:
Defaults editor=/usr/bin/nano:/usr/bin/vim
Defaults env_reset
And in the user .bashrc:
export EDITOR=/usr/bin/vim
$EDITOR is set:
$ echo $EDITOR
/usr/bin/vim
According to man sudoers this should be enough for $EDITOR to be set to vim:
editor A colon (':') separated list of editors allowed to be used with visudo.
visudo will choose the editor that matches the user's EDITOR environment
variable if possible, or the first editor in the list that exists and is
executable. The default is the path to vi on your system.
However nano is still being used for this user. A quick check of env:
$ sudo -- env | grep EDITOR
Returns nothing.
$ sudo -E -- env | grep EDITOR
Returns EDITOR=/usr/bin/vim
I am aware that I could do the following things to make EDITOR work:
- Set env_editor, env_keep+=EDITOR or any other option that keeps the EDITOR variable in sudoers: I don't want to do this as it could allow arbitrary execution of anything (e.g. export EDITOR=~/bad_program_to_run_as_root)
- Use sudo -E or even alias sudo='sudo -E': Defeats the point of having env_reset, and users without SETENV (not something I want to give out: see previous point) get sudo: sorry, you are not allowed to preserve the environment
- Set editor=/usr/bin/vim: But there are other users who don't know vim
- Use sudo select-editor: Close, but sudo visudo still opens in nano
- Just use sudoedit or vim directly: But then you lose the safety of tools like visudo, vipw, crontab -e.
- Just deal with it: Probably, but if I'm missing some insight I would love to know
I've also tried setting the VISUAL and SUDO_EDITOR variables (in desperation).
Is there something I have missed that will make sudo visudo open in the user's editor of choice, without making the compromises above?
EDIT:
I think I understand why this isn't working as I expect. I'm putting it down here in case anyone else has the same misconception.
In the sudoers file
Defaults editor=/usr/bin/nano:/usr/bin/vim
- Only refers to the list of editors that are allowed when running visudo (not any other program)
- editor checks $EDITOR, but if running sudo visudo, sudo does not set $EDITOR, so when visudo runs it will be empty
- Therefore the first editor is used, in this case nano
Can anyone confirm that this is correct?
I expected therefore that a safe solution would be to add:
Defaults!/usr/sbin/visudo env_keep+=EDITOR
i.e. keep EDITOR if and only if running visudo. This would then be checked against
Defaults editor=/usr/bin/nano:/usr/bin/vim
And if it didn't match either would use nano
Weirdly though, this doesn't seem to be the case:
$ sudo su - root
# export EDITOR=/bin/echo
# visudo
/etc/sudoers.tmp
visudo: /etc/sudoers.tmp unchanged
/bin/echo is used as the editor. Bug? Or another misconception?
Thanks
Best Answer
You are right that setting the EDITOR variable should change the editor used for sudo. However, there are two other variables with precedence over the EDITOR: SUDO_EDITOR and VISUAL. Make sure none of them point to some other editor like nano.
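The interaction discussed in the question and answer above, as an added example that is not sudo's code and not from either poster: a shell model of which editor sudo visudo ends up with, given the editor list, env_editor, and which variables survive env_reset. pick_editor and via_sudo are hypothetical names, and the model assumes only the first non-empty of SUDO_EDITOR, VISUAL and EDITOR is considered.

```shell
# Added example: a model of the documented behaviour, not sudo's implementation.
# pick_editor and via_sudo are hypothetical names.

# pick_editor ALLOWED [on|off]
#   ALLOWED  colon-separated list, as in "Defaults editor=..."
#   on|off   models env_editor: "on" takes the environment value unchecked
# Assumption: only the first non-empty of SUDO_EDITOR, VISUAL, EDITOR is used.
pick_editor() {
    allowed=$1
    env_editor=${2:-off}
    candidate=${SUDO_EDITOR:-${VISUAL:-${EDITOR:-}}}
    if [ -n "$candidate" ] && [ "$env_editor" = on ]; then
        printf '%s\n' "$candidate"      # no check against the list at all
        return 0
    fi
    # A value containing ':' can never be a single entry of the list.
    case $candidate in *:*) candidate= ;; esac
    if [ -n "$candidate" ]; then
        case ":$allowed:" in
            *":$candidate:"*) printf '%s\n' "$candidate"; return 0 ;;
        esac
    fi
    # Fallback: first list entry that exists and is executable.
    old_ifs=$IFS
    IFS=:
    for entry in $allowed; do
        if [ -x "$entry" ]; then
            IFS=$old_ifs
            printf '%s\n' "$entry"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# via_sudo KEEP ALLOWED [on|off]
#   Models env_reset: each of the three variables is dropped unless it is
#   named in KEEP (space-separated, as with env_keep+=...). Runs in a
#   subshell so the caller's environment is left untouched.
via_sudo() (
    for var in SUDO_EDITOR VISUAL EDITOR; do
        case " $1 " in
            *" $var "*) ;;
            *) unset "$var" ;;
        esac
    done
    pick_editor "$2" "${3:-off}"
)
```

With an empty KEEP, via_sudo returns the first usable list entry whatever EDITOR is set to, which is the nano result the question reports for sudo visudo. With EDITOR kept and env_editor off, a value outside the list falls back to the list instead of being run.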