Is Vim safe to use in combination with sudo?


Solution 1

Yes, it is safe.

The problem with sudo gedit is that GUI applications use certain files, such as ~/.cache/dconf, and after running gedit elevated that file becomes root-owned. That particular file contains user-specific settings for GUI applications, including the desktop, so if the system can't read those settings, it's bad. IIRC a user can't start a particular desktop. The user's recent-files data, recently-used.xbel, also gets affected.

On the other hand, Vim doesn't have that problem. It uses no GUI-related database and doesn't put anything into recently-used.xbel. It was created for a console-only purpose, although gVim also exists. In fact, on some systems Vim is your only choice of editor. So it is safer than gedit by virtue of not causing the same problems. You're still editing as root in both cases, so you could cause problems with improper editing.

According to this blog post:

The first time you use vim, the file ~/.viminfo is created, and if you use sudo vim the first time you use vim after installing it on a fresh system, the permissions on ~/.viminfo will have the owner set to root instead of the default user.

While the author points out it can lead to issues, there's nothing complex - just chown the file back to yourself.

Solution 2

It's also possible to use sudoedit to achieve this; it opens a temporary copy of the file in your editor, with your editor running as you. From the man page:

  1. Temporary copies are made of the files to be edited with the owner set to the invoking user.

  2. The editor specified by the policy is run to edit the temporary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.

  3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed.

This works fine with vim (it's what I generally do) and I imagine it would let you use gedit too. There are some security restrictions.
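
The three steps quoted from the man page, sketched as shell functions. This is an added illustration, not sudo's implementation and not part of the original answer; `pick_editor`, `edit_via_copy` and the `priv` prefix are hypothetical names, and detecting changes with `cmp` is this sketch's choice.

```shell
#!/bin/sh
# Added sketch of the sudoedit workflow; function names are hypothetical.

# Editor lookup order from the man page: SUDO_EDITOR, VISUAL, EDITOR.
# $1 stands in for the first program of the sudoers "editor" option.
pick_editor() {
    if [ -n "${SUDO_EDITOR:-}" ]; then printf '%s\n' "$SUDO_EDITOR"
    elif [ -n "${VISUAL:-}" ]; then printf '%s\n' "$VISUAL"
    elif [ -n "${EDITOR:-}" ]; then printf '%s\n' "$EDITOR"
    else printf '%s\n' "$1"
    fi
}

# edit_via_copy TARGET [PRIV]
# PRIV is the prefix for the privileged steps (for example "sudo").
# It defaults to empty so the sketch runs on files you already own.
edit_via_copy() {
    target=$1
    priv=${2:-}
    editor=$(pick_editor vi)
    tmp=$(mktemp) || return 1

    # Step 1: temporary copy, created by and owned by the invoking user.
    $priv cat -- "$target" > "$tmp" || { rm -f -- "$tmp"; return 1; }

    # Step 2: the editor runs unprivileged and only ever sees the copy.
    # Unquoted on purpose so an editor value may carry arguments.
    $editor "$tmp" || { rm -f -- "$tmp"; return 1; }

    # Step 3: write back only if the content changed, then remove the copy.
    # tee writes in place, so the target keeps its owner and mode.
    if $priv cmp -s -- "$tmp" "$target"; then
        result=unchanged
    else
        $priv tee -- "$target" < "$tmp" > /dev/null || { rm -f -- "$tmp"; return 1; }
        result=updated
    fi
    rm -f -- "$tmp"
    printf '%s\n' "$result"
}
```

Because the editor process is started without the prefix, a shell or plugin launched from inside it has the invoking user's privileges, not root's.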

Solution 3

The link is very old (2013). It recommends using gksudo or gksu for graphical applications but both of those are becoming obsolete. Later on the accepted answer also suggests sudo -H though.

The general consensus in the Ask Ubuntu community recently is to use:

sudo -H gedit /path/to/filename

The only problem remains that sudo doesn't have a profile for tab settings, extensions, word wrap, font name, font size, etc. You can inherit these from your user profile though with a wrapper script like this: How can I sync my root gedit with my user gedit's preferences?

Solution 4

Yes, it is safe to use sudo vim. The problems I come across are

  • Having to quit the file and re-open with sudo vim to be able to edit.

  • Having the root vimrc being the default one, not my customized useful stuff.

Here's a function you can put in your bashrc to allow vim to automatically sudo if you can't edit the file normally.

vim() {
    # Only good for auto-sudo. Delete if you have no sudo privileges.
    # If you're not just opening a single file, let's not use this.
    if [[ "$#" -ne 1 ]]; then
        command vim "$@"
    # Cases: we can write to the file, or the file doesn't exist and we can make new files in that directory.
    elif [[ -w "$1" || ( -w "$(dirname "$1")" && ! -f "$1" ) ]]; then
        # \vim or 'vim' only escape aliases, not functions
        command vim "$1"
    else
        # Quote the vimrc path so a $HOME containing spaces stays one argument.
        sudo env HOME="$HOME" vim -u "$HOME/.vimrc" "$1"
    fi
}

Solution 5

It's fine to use vi as root. There's going to be times when you need to edit a file that requires sudo or root privileges, like changing your network interfaces file, or maybe editing your sshd config file. Using root for graphical stuff is bad because people would connect to IRC or browse the web as root. If they got a virus while doing so, it would have full root access.

Author by

H2ONaCl

Updated on September 18, 2022

Comments

  • H2ONaCl
    H2ONaCl over 1 year

    It is not advisable to use sudo with a graphical application like gedit, as described at this link. Accordingly, I have tended to use vim with sudo.

    Recently I noticed my ~/.viminfo was owned by root on a fairly fresh install of Ubuntu 16.04 (Xenial Xerus), so it had me wondering if even Vim is considered to be graphical or if there is some other problem with invoking sudo vim. After changing ownership to myself via:

    sudo find $HOME -not -user $USER -exec chown $USER:$(id -g) {} +
    

    and subsequently running sudo vim I was unable to have ~/.viminfo owned by root. However, I am certain that it recently was owned by root.

    Is it inadvisable to invoke sudo vim?

  • user628388
    user628388 over 5 years
    There is at least one specific exception for using vi as root. The file which controls the sudo path (/etc/sudoers) should never be edited with vi. For that file, the command visudo should be used. You don't even specify what file is being edited, it's just the special case.
  • Mark
    Mark over 5 years
    Note that vim is not safe on a multi-user system where you're trying to limit other users' administrative permissions. A user can use sudo vim to get a copy of vim running as root, then :!/bin/sh to get a root shell.
  • Sergiy Kolodyazhnyy
    Sergiy Kolodyazhnyy over 5 years
    @Mark and what prevents user from just doing sudo /bin/sh ? Practically speaking, if user has root access already they don't need to use elaborate tricks.
  • Mark
    Mark over 5 years
    The /etc/sudoers file. You don't need to do %wheel ALL=(ALL) ALL -- sudo configuration permits far more nuance than that.
  • Sergiy Kolodyazhnyy
    Sergiy Kolodyazhnyy over 5 years
    @Mark OK, good point there - not every system has same settings.
  • ChatterOne
    ChatterOne over 5 years
    Uhm... Will the permission change even if the file exists? Suppose that I hack into a non-admin user account, but I don't know its password (maybe I managed to open a shell). Does this mean that I can copy /bin/bash to ~/.viminfo, put a setuid on it and wait for the user to run sudo vim to have it chowned to root?
  • Sergiy Kolodyazhnyy
    Sergiy Kolodyazhnyy over 5 years
    @ChatterOne I've reinstalled vim, tried first run with sudo vim and existing ~/.viminfo, so it didn't get owned by root. Probably vim opens the file with O_WRONLY|O_CREAT, but I'd have to look at the source. I may try this in virtual machine, but for now I'd say no - what you suggest probably wouldn't work
  • Rinzwind
    Rinzwind over 5 years
    ehm NOTHING is safe when using sudo. It is pretty easy to create a function named "vim" that does an "rm" :P
  • NieDzejkob
    NieDzejkob over 5 years
    This is much better if you'd rather use your own vim configuration instead of root's.
  • doug
    doug over 5 years
    Generally speaking .cache/dconf/user is a useless file, not sure that even in the absence of a .config/dconf/user file it would be used to rebuild it, easily tested I'd think. Doesn't take away from poor practice to run gui apps with sudo.
  • Wildcard
    Wildcard over 5 years
    @Mark, or just the built-in Vim command :shell
  • Kevin
    Kevin over 5 years
    This is also safer if you don't want to run random plugin code as root (however, plugins running as you can also do a lot of damage if they're malicious, so don't use plugins you don't trust in the first place).
  • Marius Gedminas
    Marius Gedminas over 5 years
    On Ubuntu sudo by default preserves the $HOME environment variable, which means that sudo vim will use your customized .vimrc, and it also means that sudo vim will change the ownership of ~/.viminfo to root:root and cause you some inconvenience.
  • doneal24
    doneal24 over 5 years
    @Rinzwind if sudoers lets you execute /usr/bin/vim, then you can create all the functions or aliases you want but sudo will not execute them. Many, many things are safe to enable with sudo on multi-user systems.
  • jeremysprofile
    jeremysprofile over 5 years
    The accepted answer disagrees with you about viminfo.
  • GKFX
    GKFX over 5 years
    This discussion on not trusting various developers seems a bit incomplete; if you sudoedit /etc/apt/sources.list with a compromised plugin installed, it can probably insert a malicious repository and gain root access next time you run updates anyway. I’m sure there’s a long list of root-protected files for which something similar applies. And of course, not every virus requires root; one could grab your bank details with no more than a browser extension.