VIM: "sudo vim bad_idea"?
Solution 1
I fall under the first category: sudo vim /var/www/html/some_file is a bad idea; it allows shell escapes that aren't logged. Instead, use sudoedit /var/www/html/some_file; that has the same effect.
Solution 2
Refer to https://stackoverflow.com/questions/1005/getting-root-permissions-on-a-file-inside-of-vi: % is replaced with the current file name, thus you can use:
:w !sudo tee %
Solution 3
vim allows users to execute arbitrary shell commands, therefore many system admins do not allow vim to be used with sudo.
rvim is included with vim. It is a restricted vim, that does not allow shell commands. (Or allow you to suspend vim, for the same reasons.)
Whether you need to go to those extremes on your own box is debatable.
Solution 4
When editing system-wide configuration files, it's totally okay---just always remember you're root and thus have all the power, and drop those privileges as soon as you don't need them anymore.
In the special case of /var/www/, i.e. web server pages, you might want to think about changing some ownerships / groups / permissions---but if and how largely depends on your particular setup (single / multi user, real web server / just localhost, dynamic / static, etc.)
Solution 5
A question like this makes me smack my forehead. I am on the other side of security, "security should not interfere with the user experience, unless it is expected or required to prevent the average person doing malicious activity."
Preventing sudo use of vim is just a band aid. As stated earlier, someone can just use:
- sudo su -
- sudo /bin/bash
- sudo nano file
- sudo my_executable_text_editor file
etc.
If you are really worried about someone doing something malicious on the box, do not give them sudo (or root password obviously) privileges, period. There is no silver bullet to prevent malicious activity using sudo and you will only drive yourself crazy by "applying" all the "fixes" to make sure a person can't do anything malicious.
Someone mentioned changing ownership/groups. This is a sticky problem as if the web server is run as another user, and you change permissions on the file, now all of a sudden your site doesn't work. Well, obviously that won't help you. You can add yourself to the group the web server runs as, however, if the group doesn't have write access to the files, you would need to perform chmod -R g+w * (or chmod individual files) which may not be what you want and can be a hassle if you have to chmod every file.
Some people even suggested using rvim. Sure, one could just add a line in /etc/sudoers to only allow certain users to sudo rvim, however, it would logically stand that if you had to go that route, it may just be better to implement a web based file manager. This way it is running as the user the web server is running as, thus no file permission issues and you can still have granular control over who edits what files.
My two cents anyways.
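As an added example (not from this thread or any answerer), here is a small POSIX shell audit that flags sudoers-style rules granting an editor with a shell escape and prints the sudoedit rule to use instead, the mitigation the answers above converge on. The sudoers text and the editor list are constructed for the example; rvim and sudoedit entries are treated as safe.

```shell
#!/bin/sh
# Added example (not from the thread): audit sudoers-style rules for editors
# that allow ":!cmd" shell escapes as root, and print the sudoedit rule to
# use instead. The sudoers text below is constructed; read the real file
# with "sudo cat /etc/sudoers" and syntax-check it with "visudo -c".

# Editors/pagers known to offer a shell escape (assumed, non-exhaustive)
ESCAPE_BINS='vim vi nano less more emacs'

# audit_sudoers: sudoers text on stdin -> one line per risky rule on stdout:
#   <user> <command> -> use: sudoedit <file>
# Cmnd_Alias definitions are not expanded (limitation of this example).
audit_sudoers() {
    sed 's/#.*//' | grep -v '^[[:space:]]*$' | grep -v '^Defaults' |
    while IFS= read -r rule; do
        user=${rule%%[[:space:]]*}
        # command list follows '='; drop "(runas)" and tags such as NOPASSWD:
        cmds=$(printf '%s' "${rule#*=}" | sed 's/([^)]*)//; s/[A-Z]*://g')
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            [ -n "$cmd" ] || continue
            prog=${cmd%% *}          # first word: the command path
            bin=${prog##*/}          # its basename, e.g. vim
            args=${cmd#"$prog"}      # remaining arguments, may be empty
            args=${args# }
            case " $ESCAPE_BINS " in
                *" $bin "*) printf '%s %s -> use: sudoedit %s\n' \
                                "$user" "$cmd" "${args:-<file>}" ;;
            esac
        done
    done
}

# Constructed sample: alice and carol get shell-escape capable editors,
# bob gets rvim (restricted), carol's first entry is already sudoedit.
SAMPLE_SUDOERS='
# allow web editors to change the site
Defaults env_reset
alice   ALL=(root) /usr/bin/vim /var/www/html/index.html
bob     ALL=(ALL) NOPASSWD: /usr/bin/rvim /var/www/html/index.html
carol   ALL=(root) sudoedit /var/www/html/index.html, /usr/bin/nano /etc/hosts
'

# Number of risky rules found in the sample (2: alice/vim and carol/nano)
count_risky() { printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```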
Comments
- indi over 1 year: An irc-user in #Vim urged me not to use sudo with Vim like: sudo vim bad_idea
When I am doing things in locations such as /var/www/, I cannot write without it. So not using sudo becomes a problem. Of course, I could make changes in different locations such as /tmp/ and then copy dirs to /var/www. However, I sense an easier way.
1. If you do not "sudo Vim", why?
2. If yes to the 1st question, how do you circumvent the problems of not using sudo?
- bedwyr over 14 years: +1 indeed -- this is the best way of handling web-server pages. Make sure you have access to them rather than elevating your privileges.
- dbr over 14 years: +1. Completely agree. sudo vim, then enter :!bash, and you have a shell as root - exactly why rvim exists.
- hasen over 14 years: What are "shell escapes that aren't logged"? And why does it only matter in /var/www?
- dlamblin over 14 years: Actually if you can sudo vim, you can probably sudo bash or sudo su -, right?
- Richard Hoskins over 14 years: @dlamblin Privileges can be mustered out with finer detail than that, so not necessarily. That is why rvim is needed. "sudo vim" is the same as "sudo su -" for all intents and purposes. On a Debian bitty-box where the one user is the system administrator though, this is all academic.
- Kevin M over 14 years: vim has the power to run other commands on a command line. However, because vim was started via sudo, and is therefore running as root, any of those commands will run with root privileges. These commands are known as "shell escapes" and aren't logged the way other invocations of sudo are. And it's not restricted to just /var/www; it's everywhere that I'd use it. I've even aliased "sudo vi" to "sudoedit" in my bashrc file.
- summers over 14 years: If you're going to use tee, I'd suggest ':w !sudo tee % >/dev/null' so you don't see the entire file echoed back at you. I typically use ':w !dd of=%' instead since it's quicker to type and achieves the same thing. Of course, this is only when I've forgotten to use sudoedit/sudo -e.
- pbr over 14 years: I see what you're getting at and want to agree but clarify. We have no idea whether his normal su and sudo root activities are being logged or not. "sudo vim" allows running a subshell as root - that much is accurate; within that shell, "sudo" won't be controlling what root can and can't do.
- pbr over 14 years: Kevin, how did you manage to alias "sudo vi" to "sudoedit"? From the bash manual... "The characters /, $, `, and = and any of the shell metacharacters or quoting characters listed above may not appear in an alias name." ...space is one of those metacharacters it's talking about.
- Kevin M over 14 years: OK, so it's not an alias per se, but it has the same effect: 'function sudo () { if [[ $1 == vi ]]; then shift; sudoedit "$@"; else command sudo "$@"; fi; }' (the if/else form avoids falling through to the real sudo with the shifted arguments should sudoedit exit non-zero.)
- sml over 13 years: -1 there's no reason to run vim with elevated privileges when sudoedit will do the same job.
- cwd over 12 years: How does Ubuntu deal with this issue? On CentOS vi launches vim, but as root vi launches vi. On Ubuntu vim is used in both cases and sudo vi also launches vim...
- Fernando Rezk almost 11 years: Depends on the sudo. On my laptop sudo vim -c '!echo $HOME' -c q does give my home folder, but on my server it gives /root. I might have to take a look at why that is; could be because one's OS X while the other's Gentoo, or could be something to do with how /etc/sudoers is set up.
- Nico about 8 years: aha! you are right -- i ended here wondering why my .viminfo was root-accessible only.