Is Vim safe to use in combination with sudo?











up vote
23
down vote

favorite
1












It is not advisable to use sudo with a graphical application like gedit, as described at this link. Accordingly, I have tended to use vim with sudo.



Recently I noticed my ~/.viminfo was owned by root on a fairly fresh install of Ubuntu 16.04 (Xenial Xerus), so it had me wondering if even Vim is considered to be graphical or if there is some other problem with invoking sudo vim. After changing ownership to myself via:



sudo find $HOME -not -user $USER -exec chown $USER:$(id -g) {} +


and subsequently running sudo vim I was unable to have ~/.viminfo
owned by root. However, I am certain that it recently was owned by root.



Is it inadvisable to invoke sudo vim?










share|improve this question




















  • 1




    Some related questions: unix.stackexchange.com/q/134500/103151 - superuser.com/q/1221102/418736 - askubuntu.com/q/211346/367990
    – Byte Commander
    Nov 6 at 23:28






  • 1




    You can also use vim without sudo and when it comes to saving the file, you can use :w !sudo tee %
    – ChatterOne
    Nov 7 at 8:49















up vote
23
down vote

favorite
1












It is not advisable to use sudo with a graphical application like gedit, as described at this link. Accordingly, I have tended to use vim with sudo.



Recently I noticed my ~/.viminfo was owned by root on a fairly fresh install of Ubuntu 16.04 (Xenial Xerus), so it had me wondering if even Vim is considered to be graphical or if there is some other problem with invoking sudo vim. After changing ownership to myself via:



sudo find $HOME -not -user $USER -exec chown $USER:$(id -g) {} +


and subsequently running sudo vim I was unable to have ~/.viminfo
owned by root. However, I am certain that it recently was owned by root.



Is it inadvisable to invoke sudo vim?










share|improve this question




















  • 1




    Some related questions: unix.stackexchange.com/q/134500/103151 - superuser.com/q/1221102/418736 - askubuntu.com/q/211346/367990
    – Byte Commander
    Nov 6 at 23:28






  • 1




    You can also use vim without sudo and when it comes to saving the file, you can use :w !sudo tee %
    – ChatterOne
    Nov 7 at 8:49













up vote
23
down vote

favorite
1









up vote
23
down vote

favorite
1






1





It is not advisable to use sudo with a graphical application like gedit, as described at this link. Accordingly, I have tended to use vim with sudo.



Recently I noticed my ~/.viminfo was owned by root on a fairly fresh install of Ubuntu 16.04 (Xenial Xerus), so it had me wondering if even Vim is considered to be graphical or if there is some other problem with invoking sudo vim. After changing ownership to myself via:



sudo find $HOME -not -user $USER -exec chown $USER:$(id -g) {} +


and subsequently running sudo vim I was unable to have ~/.viminfo
owned by root. However, I am certain that it recently was owned by root.



Is it inadvisable to invoke sudo vim?










share|improve this question















It is not advisable to use sudo with a graphical application like gedit, as described at this link. Accordingly, I have tended to use vim with sudo.



Recently I noticed my ~/.viminfo was owned by root on a fairly fresh install of Ubuntu 16.04 (Xenial Xerus), so it had me wondering if even Vim is considered to be graphical or if there is some other problem with invoking sudo vim. After changing ownership to myself via:



sudo find $HOME -not -user $USER -exec chown $USER:$(id -g) {} +


and subsequently running sudo vim I was unable to have ~/.viminfo
owned by root. However, I am certain that it recently was owned by root.



Is it inadvisable to invoke sudo vim?







sudo vim






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 7 at 17:51









Martin Thornton

2,49951830




2,49951830










asked Nov 6 at 23:21









H2ONaCl

3,175204885




3,175204885








  • 1




    Some related questions: unix.stackexchange.com/q/134500/103151 - superuser.com/q/1221102/418736 - askubuntu.com/q/211346/367990
    – Byte Commander
    Nov 6 at 23:28






  • 1




    You can also use vim without sudo and when it comes to saving the file, you can use :w !sudo tee %
    – ChatterOne
    Nov 7 at 8:49














  • 1




    Some related questions: unix.stackexchange.com/q/134500/103151 - superuser.com/q/1221102/418736 - askubuntu.com/q/211346/367990
    – Byte Commander
    Nov 6 at 23:28






  • 1




    You can also use vim without sudo and when it comes to saving the file, you can use :w !sudo tee %
    – ChatterOne
    Nov 7 at 8:49








1




1




Some related questions: unix.stackexchange.com/q/134500/103151 - superuser.com/q/1221102/418736 - askubuntu.com/q/211346/367990
– Byte Commander
Nov 6 at 23:28




Some related questions: unix.stackexchange.com/q/134500/103151 - superuser.com/q/1221102/418736 - askubuntu.com/q/211346/367990
– Byte Commander
Nov 6 at 23:28




1




1




You can also use vim without sudo and when it comes to saving the file, you can use :w !sudo tee %
– ChatterOne
Nov 7 at 8:49




You can also use vim without sudo and when it comes to saving the file, you can use :w !sudo tee %
– ChatterOne
Nov 7 at 8:49










6 Answers
6






active

oldest

votes

















up vote
20
down vote



accepted










Yes, it is safe.



The problem with sudo gedit is because GUI applications use certain files, such as ~/.cache/dconf, and after elevated gedit that file becomes root-owned. Well, that particular file contains user-specific settings for GUI applications, including desktop, so if the system can't read those settings - it's bad. IIRC a user can't start a particular desktop. The user's recent files data recently-used.xbel also gets affected.



On the other hand, Vim doesn't have that problem. It uses no GUI-related database and doesn't put anything into recently-used.xbel. It was created for a console-only purpose, although gVim also exists. In fact, on some systems Vim is your only choice of editor. So it is safer than gedit by virtue of not causing the same problems. You're still editing as root in both cases, so you could cause problems with improper editing.



According to this blog post:




The first time you use vim, the file ~/.viminfo is created, and if you use sudo vim the first time you use vim after installing it on a fresh system, the permissions on ~/.viminfo will have the owner set to root instead of the default user.




While the author points out it can lead to issues, there's nothing complex - just chown the file back to yourself.



See also:




  • What specific bad things happen when gedit is used with sudo?






share|improve this answer



















  • 6




    Note that vim is not safe on a multi-user system where you're trying to limit other users' administrative permissions. A user can use sudo vim to get a copy of vim running as root, then :!/bin/sh to get a root shell.
    – Mark
    Nov 7 at 6:05






  • 2




    @Mark and what prevents user from just doing sudo /bin/sh ? Practically speaking, if user has root access already they don't need to use elaborate tricks.
    – Sergiy Kolodyazhnyy
    Nov 7 at 6:10






  • 7




    The /etc/sudoers file. You don't need to do %wheel ALL=(ALL) ALL -- sudo configuration permits far more nuance than that.
    – Mark
    Nov 7 at 6:36






  • 1




    @Mark OK, good point there - not every system has same settings.
    – Sergiy Kolodyazhnyy
    Nov 7 at 8:14










  • Uhm... Will the permission change even if the file exists? Suppose that I hack into a non-admin user account, but I don't know its password (maybe I managed to open a shell). Does this mean that I can copy /bin/bash to ~/.viminfo, put a setuid on it and wait for the user to run sudo vim to have it chowned to root?
    – ChatterOne
    Nov 7 at 8:46


















up vote
13
down vote













It's also possible to use sudoedit to achieve this; it opens a temporary copy of the file in your editor, with your editor running as you. From the man page:





  1. Temporary copies are made of the files to be edited with the owner set to the invoking user.


  2. The editor specified by the policy is run to edit the temporary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.


  3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed.





This works fine with vim (it's what I generally do) and I imagine it would let you use gedit too. There are some security restrictions.






share|improve this answer



















  • 3




    This is much better if you'd rather use your own vim configuration instead of root's.
    – NieDzejkob
    Nov 7 at 15:20






  • 1




    This is also safer if you don't want to run random plugin code as root (however, plugins running as you can also do a lot of damage if they're malicious, so don't use plugins you don't trust in the first place).
    – Kevin
    Nov 8 at 3:20


















up vote
2
down vote













The link is very old (2013). It recommends using gksudo or gksu for graphical applications but both of those are becoming obsolete. Later on the accepted answer also suggests sudo -H though.



The general consensus in the Ask Ubuntu community recently is to use:



sudo -H gedit /path/to/filename


The only problem remains that sudo doesn't have a profile for tab settings, extensions, word wrap, font name, font size, etc. You can inherit these from your user profile though with a wrapper script like this: How can I sync my root gedit with my user gedit's preferences?






share|improve this answer




























    up vote
    2
    down vote













    Yes, it is safe to use sudo vim. The problems I come across are




    • Having to quit the file and re-open with sudo vim to be able to edit.


    • Having the root vimrc being the default one, not my customized useful stuff.



    Here's a function you can put in your bashrc to allow vim to automatically sudo if you can't edit the file normally.



    vim() {
    #only good for auto-sudo. delete if no sudo privileges.
    #If you're not just opening a single file, let's not use this.
    if [[ "$#" -ne 1 ]]; then
    command vim "$@"
    #cases: if we can write to the file, or the file doesn't exist and we can make new files in that directory
    elif [[ -w "$1" || ( -w $(dirname "$1") && ! -f "$1" ) ]]; then
    # vim or 'vim' only escape aliases, not functions
    command vim "$1"
    else
    sudo env HOME="$HOME" vim -u $HOME/.vimrc "$1"
    fi
    }





    share|improve this answer





















    • On Ubuntu sudo by default preserves the $HOME environment variable, which means that sudo vim will use your customized .vimrc, and it also means that sudo vim will change the ownership of ~/.viminfo to root:root and cause you some inconvenience.
      – Marius Gedminas
      Nov 8 at 12:22










    • The accepted answer disagrees with you about viminfo.
      – jeremysprofile
      Nov 8 at 15:18


















    up vote
    1
    down vote













    It's fine to use vi as root. There's going to be times when you need to edit a file that requires sudo or root privileges, like changing your network interfaces file, or maybe editing your sshd config file. Using root for graphical stuff is bad because people would connect to IRC or browse the web as root. If they got a virus while doing so, it would have full root access.






    share|improve this answer

















    • 2




      There is atleast one specific exception for using vi as root. The file which controls the sudo path (/etc/sudoers) should never be edited with vi. For that file, the command visudo should be used. You don't even specify what file isbeing edited, it's just the special case.
      – user628388
      Nov 7 at 2:31




















    up vote
    0
    down vote













    Something that hasn't been mentioned in the other answers is that running vim with root will give root priviledges to whatever plugins you have installed. So, the question of whether or not it is safe to run as root depends on whether you trust those plugin developers (or contributors to their project) to not own your system to its core.



    Vim is typically vetted by package maintainers in all linux distributions, so it's easy to trust. However, vim plugins are typically installed directly from GitHub repos and typically have much less users auditing (maybe nil). In other words, there is not vetting process with them.



    If you don't load plugins while in root, then I guess running as root depends on whether you trust vim developers. You can skip having to trust them, however, by using sudoedit which is made by the same developers of sudo, people that we've already trusted with root access anyways. GKFX and NieDzejkob have already mentioned why sudoedit is ideal. Besides the point that you don't have to trust root access to anyone else besides the developers of sudo, you can load all the plugins you've already trusted with your normal user account.






    share|improve this answer





















    • This discussion on not trusting various developers seems a bit incomplete; if you sudoedit /etc/apt/sources.list with a compromised plugin installed, it can probably insert a malicious repository and gain root access next time you run updates anyway. I’m sure there’s a long list of root-protected files for which something similar applies. And of course, not every virus requires root; one could grab your bank details with no more than a browser extension.
      – GKFX
      Nov 9 at 8:45











    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "89"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














     

    draft saved


    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1090632%2fis-vim-safe-to-use-in-combination-with-sudo%23new-answer', 'question_page');
    }
    );

    Post as a guest
































    6 Answers
    6






    active

    oldest

    votes








    6 Answers
    6






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    20
    down vote



    accepted










    Yes, it is safe.



    The problem with sudo gedit is because GUI applications use certain files, such as ~/.cache/dconf, and after elevated gedit that file becomes root-owned. Well, that particular file contains user-specific settings for GUI applications, including desktop, so if the system can't read those settings - it's bad. IIRC a user can't start a particular desktop. The user's recent files data recently-used.xbel also gets affected.



    On the other hand, Vim doesn't have that problem. It uses no GUI-related database and doesn't put anything into recently-used.xbel. It was created for a console-only purpose, although gVim also exists. In fact, on some systems Vim is your only choice of editor. So it is safer than gedit by virtue of not causing the same problems. You're still editing as root in both cases, so you could cause problems with improper editing.



    According to this blog post:




    The first time you use vim, the file ~/.viminfo is created, and if you use sudo vim the first time you use vim after installing it on a fresh system, the permissions on ~/.viminfo will have the owner set to root instead of the default user.




    While the author points out it can lead to issues, there's nothing complex - just chown the file back to yourself.



    See also:




    • What specific bad things happen when gedit is used with sudo?






    share|improve this answer



















    • 6




      Note that vim is not safe on a multi-user system where you're trying to limit other users' administrative permissions. A user can use sudo vim to get a copy of vim running as root, then :!/bin/sh to get a root shell.
      – Mark
      Nov 7 at 6:05






    • 2




      @Mark and what prevents user from just doing sudo /bin/sh ? Practically speaking, if user has root access already they don't need to use elaborate tricks.
      – Sergiy Kolodyazhnyy
      Nov 7 at 6:10






    • 7




      The /etc/sudoers file. You don't need to do %wheel ALL=(ALL) ALL -- sudo configuration permits far more nuance than that.
      – Mark
      Nov 7 at 6:36






    • 1




      @Mark OK, good point there - not every system has same settings.
      – Sergiy Kolodyazhnyy
      Nov 7 at 8:14










    • Uhm... Will the permission change even if the file exists? Suppose that I hack into a non-admin user account, but I don't know its password (maybe I managed to open a shell). Does this mean that I can copy /bin/bash to ~/.viminfo, put a setuid on it and wait for the user to run sudo vim to have it chowned to root?
      – ChatterOne
      Nov 7 at 8:46















    up vote
    20
    down vote



    accepted










    Yes, it is safe.



    The problem with sudo gedit is because GUI applications use certain files, such as ~/.cache/dconf, and after elevated gedit that file becomes root-owned. Well, that particular file contains user-specific settings for GUI applications, including desktop, so if the system can't read those settings - it's bad. IIRC a user can't start a particular desktop. The user's recent files data recently-used.xbel also gets affected.



    On the other hand, Vim doesn't have that problem. It uses no GUI-related database and doesn't put anything into recently-used.xbel. It was created for a console-only purpose, although gVim also exists. In fact, on some systems Vim is your only choice of editor. So it is safer than gedit by virtue of not causing the same problems. You're still editing as root in both cases, so you could cause problems with improper editing.



    According to this blog post:




    The first time you use vim, the file ~/.viminfo is created, and if you use sudo vim the first time you use vim after installing it on a fresh system, the permissions on ~/.viminfo will have the owner set to root instead of the default user.




    While the author points out it can lead to issues, there's nothing complex - just chown the file back to yourself.



    See also:




    • What specific bad things happen when gedit is used with sudo?






    share|improve this answer



















    • 6




      Note that vim is not safe on a multi-user system where you're trying to limit other users' administrative permissions. A user can use sudo vim to get a copy of vim running as root, then :!/bin/sh to get a root shell.
      – Mark
      Nov 7 at 6:05






    • 2




      @Mark and what prevents user from just doing sudo /bin/sh ? Practically speaking, if user has root access already they don't need to use elaborate tricks.
      – Sergiy Kolodyazhnyy
      Nov 7 at 6:10






    • 7




      The /etc/sudoers file. You don't need to do %wheel ALL=(ALL) ALL -- sudo configuration permits far more nuance than that.
      – Mark
      Nov 7 at 6:36






    • 1




      @Mark OK, good point there - not every system has same settings.
      – Sergiy Kolodyazhnyy
      Nov 7 at 8:14










    • Uhm... Will the permission change even if the file exists? Suppose that I hack into a non-admin user account, but I don't know its password (maybe I managed to open a shell). Does this mean that I can copy /bin/bash to ~/.viminfo, put a setuid on it and wait for the user to run sudo vim to have it chowned to root?
      – ChatterOne
      Nov 7 at 8:46













    up vote
    20
    down vote



    accepted







    up vote
    20
    down vote



    accepted






    Yes, it is safe.



    The problem with sudo gedit is because GUI applications use certain files, such as ~/.cache/dconf, and after elevated gedit that file becomes root-owned. Well, that particular file contains user-specific settings for GUI applications, including desktop, so if the system can't read those settings - it's bad. IIRC a user can't start a particular desktop. The user's recent files data recently-used.xbel also gets affected.



    On the other hand, Vim doesn't have that problem. It uses no GUI-related database and doesn't put anything into recently-used.xbel. It was created for a console-only purpose, although gVim also exists. In fact, on some systems Vim is your only choice of editor. So it is safer than gedit by virtue of not causing the same problems. You're still editing as root in both cases, so you could cause problems with improper editing.



    According to this blog post:




    The first time you use vim, the file ~/.viminfo is created, and if you use sudo vim the first time you use vim after installing it on a fresh system, the permissions on ~/.viminfo will have the owner set to root instead of the default user.




    While the author points out it can lead to issues, there's nothing complex - just chown the file back to yourself.



    See also:




    • What specific bad things happen when gedit is used with sudo?






    share|improve this answer














    Yes, it is safe.



    The problem with sudo gedit is because GUI applications use certain files, such as ~/.cache/dconf, and after elevated gedit that file becomes root-owned. Well, that particular file contains user-specific settings for GUI applications, including desktop, so if the system can't read those settings - it's bad. IIRC a user can't start a particular desktop. The user's recent files data recently-used.xbel also gets affected.



    On the other hand, Vim doesn't have that problem. It uses no GUI-related database and doesn't put anything into recently-used.xbel. It was created for a console-only purpose, although gVim also exists. In fact, on some systems Vim is your only choice of editor. So it is safer than gedit by virtue of not causing the same problems. You're still editing as root in both cases, so you could cause problems with improper editing.



    According to this blog post:




    The first time you use vim, the file ~/.viminfo is created, and if you use sudo vim the first time you use vim after installing it on a fresh system, the permissions on ~/.viminfo will have the owner set to root instead of the default user.




    While the author points out it can lead to issues, there's nothing complex - just chown the file back to yourself.



    See also:




    • What specific bad things happen when gedit is used with sudo?







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Nov 7 at 18:18









    Peter Mortensen

    1,03821016




    1,03821016










    answered Nov 7 at 0:04









    Sergiy Kolodyazhnyy

    67.6k9139301




    67.6k9139301








    • 6




      Note that vim is not safe on a multi-user system where you're trying to limit other users' administrative permissions. A user can use sudo vim to get a copy of vim running as root, then :!/bin/sh to get a root shell.
      – Mark
      Nov 7 at 6:05






    • 2




      @Mark and what prevents user from just doing sudo /bin/sh ? Practically speaking, if user has root access already they don't need to use elaborate tricks.
      – Sergiy Kolodyazhnyy
      Nov 7 at 6:10






    • 7




      The /etc/sudoers file. You don't need to do %wheel ALL=(ALL) ALL -- sudo configuration permits far more nuance than that.
      – Mark
      Nov 7 at 6:36






    • 1




      @Mark OK, good point there - not every system has same settings.
      – Sergiy Kolodyazhnyy
      Nov 7 at 8:14










    • Uhm... Will the permission change even if the file exists? Suppose that I hack into a non-admin user account, but I don't know its password (maybe I managed to open a shell). Does this mean that I can copy /bin/bash to ~/.viminfo, put a setuid on it and wait for the user to run sudo vim to have it chowned to root?
      – ChatterOne
      Nov 7 at 8:46














    • 6




      Note that vim is not safe on a multi-user system where you're trying to limit other users' administrative permissions. A user can use sudo vim to get a copy of vim running as root, then :!/bin/sh to get a root shell.
      – Mark
      Nov 7 at 6:05






    • 2




      @Mark and what prevents user from just doing sudo /bin/sh ? Practically speaking, if user has root access already they don't need to use elaborate tricks.
      – Sergiy Kolodyazhnyy
      Nov 7 at 6:10






    • 7




      The /etc/sudoers file. You don't need to do %wheel ALL=(ALL) ALL -- sudo configuration permits far more nuance than that.
      – Mark
      Nov 7 at 6:36






    • 1




      @Mark OK, good point there - not every system has same settings.
      – Sergiy Kolodyazhnyy
      Nov 7 at 8:14










    • Uhm... Will the permission change even if the file exists? Suppose that I hack into a non-admin user account, but I don't know its password (maybe I managed to open a shell). Does this mean that I can copy /bin/bash to ~/.viminfo, put a setuid on it and wait for the user to run sudo vim to have it chowned to root?
      – ChatterOne
      Nov 7 at 8:46








    6




    6




    Note that vim is not safe on a multi-user system where you're trying to limit other users' administrative permissions. A user can use sudo vim to get a copy of vim running as root, then :!/bin/sh to get a root shell.
    – Mark
    Nov 7 at 6:05




    Note that vim is not safe on a multi-user system where you're trying to limit other users' administrative permissions. A user can use sudo vim to get a copy of vim running as root, then :!/bin/sh to get a root shell.
    – Mark
    Nov 7 at 6:05




    2




    2




    @Mark and what prevents user from just doing sudo /bin/sh ? Practically speaking, if user has root access already they don't need to use elaborate tricks.
    – Sergiy Kolodyazhnyy
    Nov 7 at 6:10




    @Mark and what prevents user from just doing sudo /bin/sh ? Practically speaking, if user has root access already they don't need to use elaborate tricks.
    – Sergiy Kolodyazhnyy
    Nov 7 at 6:10




    7




    7




    The /etc/sudoers file. You don't need to do %wheel ALL=(ALL) ALL -- sudo configuration permits far more nuance than that.
    – Mark
    Nov 7 at 6:36




    The /etc/sudoers file. You don't need to do %wheel ALL=(ALL) ALL -- sudo configuration permits far more nuance than that.
    – Mark
    Nov 7 at 6:36




    1




    1




    @Mark OK, good point there - not every system has same settings.
    – Sergiy Kolodyazhnyy
    Nov 7 at 8:14




    @Mark OK, good point there - not every system has same settings.
    – Sergiy Kolodyazhnyy
    Nov 7 at 8:14












    Uhm... Will the permission change even if the file exists? Suppose that I hack into a non-admin user account, but I don't know its password (maybe I managed to open a shell). Does this mean that I can copy /bin/bash to ~/.viminfo, put a setuid on it and wait for the user to run sudo vim to have it chowned to root?
    – ChatterOne
    Nov 7 at 8:46




    Uhm... Will the permission change even if the file exists? Suppose that I hack into a non-admin user account, but I don't know its password (maybe I managed to open a shell). Does this mean that I can copy /bin/bash to ~/.viminfo, put a setuid on it and wait for the user to run sudo vim to have it chowned to root?
    – ChatterOne
    Nov 7 at 8:46












    up vote
    13
    down vote













    It's also possible to use sudoedit to achieve this; it opens a temporary copy of the file in your editor, with your editor running as you. From the man page:





    1. Temporary copies are made of the files to be edited with the owner set to the invoking user.


    2. The editor specified by the policy is run to edit the temporary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.


    3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed.





    This works fine with vim (it's what I generally do) and I imagine it would let you use gedit too. There are some security restrictions.






    share|improve this answer



















    • 3




      This is much better if you'd rather use your own vim configuration instead of root's.
      – NieDzejkob
      Nov 7 at 15:20






    • 1




      This is also safer if you don't want to run random plugin code as root (however, plugins running as you can also do a lot of damage if they're malicious, so don't use plugins you don't trust in the first place).
      – Kevin
      Nov 8 at 3:20















    up vote
    13
    down vote













    It's also possible to use sudoedit to achieve this; it opens a temporary copy of the file in your editor, with your editor running as you. From the man page:





    1. Temporary copies are made of the files to be edited with the owner set to the invoking user.


    2. The editor specified by the policy is run to edit the temporary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.


    3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed.





    This works fine with vim (it's what I generally do) and I imagine it would let you use gedit too. There are some security restrictions.






    share|improve this answer



















    • 3




      This is much better if you'd rather use your own vim configuration instead of root's.
      – NieDzejkob
      Nov 7 at 15:20






    • 1




      This is also safer if you don't want to run random plugin code as root (however, plugins running as you can also do a lot of damage if they're malicious, so don't use plugins you don't trust in the first place).
      – Kevin
      Nov 8 at 3:20













    up vote
    13
    down vote










    up vote
    13
    down vote









    It's also possible to use sudoedit to achieve this; it opens a temporary copy of the file in your editor, with your editor running as you. From the man page:





    1. Temporary copies are made of the files to be edited with the owner set to the invoking user.


    2. The editor specified by the policy is run to edit the temporary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.


    3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed.





    This works fine with vim (it's what I generally do) and I imagine it would let you use gedit too. There are some security restrictions.






    share|improve this answer














    It's also possible to use sudoedit to achieve this; it opens a temporary copy of the file in your editor, with your editor running as you. From the man page:





    1. Temporary copies are made of the files to be edited with the owner set to the invoking user.


    2. The editor specified by the policy is run to edit the temporary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.


    3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed.





    This works fine with vim (it's what I generally do) and I imagine it would let you use gedit too. There are some security restrictions.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Nov 7 at 21:27

























    answered Nov 7 at 10:44









    GKFX

    28319




    28319








    • 3




      This is much better if you'd rather use your own vim configuration instead of root's.
      – NieDzejkob
      Nov 7 at 15:20






    • 1




      This is also safer if you don't want to run random plugin code as root (however, plugins running as you can also do a lot of damage if they're malicious, so don't use plugins you don't trust in the first place).
      – Kevin
      Nov 8 at 3:20














    • 3




      This is much better if you'd rather use your own vim configuration instead of root's.
      – NieDzejkob
      Nov 7 at 15:20






    • 1




      This is also safer if you don't want to run random plugin code as root (however, plugins running as you can also do a lot of damage if they're malicious, so don't use plugins you don't trust in the first place).
      – Kevin
      Nov 8 at 3:20








    3




    3




    This is much better if you'd rather use your own vim configuration instead of root's.
    – NieDzejkob
    Nov 7 at 15:20




    This is much better if you'd rather use your own vim configuration instead of root's.
    – NieDzejkob
    Nov 7 at 15:20




    1




    1




    This is also safer if you don't want to run random plugin code as root (however, plugins running as you can also do a lot of damage if they're malicious, so don't use plugins you don't trust in the first place).
    – Kevin
    Nov 8 at 3:20




    This is also safer if you don't want to run random plugin code as root (however, plugins running as you can also do a lot of damage if they're malicious, so don't use plugins you don't trust in the first place).
    – Kevin
    Nov 8 at 3:20










    up vote
    2
    down vote













    The link is very old (2013). It recommends using gksudo or gksu for graphical applications but both of those are becoming obsolete. Later on the accepted answer also suggests sudo -H though.



    The general consensus in the Ask Ubuntu community recently is to use:



    sudo -H gedit /path/to/filename


    The only problem remains that sudo doesn't have a profile for tab settings, extensions, word wrap, font name, font size, etc. You can inherit these from your user profile though with a wrapper script like this: How can I sync my root gedit with my user gedit's preferences?






    share|improve this answer

























      up vote
      2
      down vote













      The link is very old (2013). It recommends using gksudo or gksu for graphical applications but both of those are becoming obsolete. Later on the accepted answer also suggests sudo -H though.



      The general consensus in the Ask Ubuntu community recently is to use:



      sudo -H gedit /path/to/filename


      The only problem remains that sudo doesn't have a profile for tab settings, extensions, word wrap, font name, font size, etc. You can inherit these from your user profile though with a wrapper script like this: How can I sync my root gedit with my user gedit's preferences?






      share|improve this answer























        up vote
        2
        down vote










        up vote
        2
        down vote









        The link is very old (2013). It recommends using gksudo or gksu for graphical applications but both of those are becoming obsolete. Later on the accepted answer also suggests sudo -H though.



        The general consensus in the Ask Ubuntu community recently is to use:



        sudo -H gedit /path/to/filename


        The only problem remains that sudo doesn't have a profile for tab settings, extensions, word wrap, font name, font size, etc. You can inherit these from your user profile though with a wrapper script like this: How can I sync my root gedit with my user gedit's preferences?






        share|improve this answer












        The link is very old (2013). It recommends using gksudo or gksu for graphical applications but both of those are becoming obsolete. Later on the accepted answer also suggests sudo -H though.



        The general consensus in the Ask Ubuntu community recently is to use:



        sudo -H gedit /path/to/filename


        The only problem remains that sudo doesn't have a profile for tab settings, extensions, word wrap, font name, font size, etc. You can inherit these from your user profile though with a wrapper script like this: How can I sync my root gedit with my user gedit's preferences?







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 7 at 0:46









        WinEunuuchs2Unix

        39.1k1062144




        39.1k1062144






















            up vote
            2
            down vote













            Yes, it is safe to use sudo vim. The problems I come across are




            • Having to quit the file and re-open with sudo vim to be able to edit.


            • Having the root vimrc being the default one, not my customized useful stuff.



            Here's a function you can put in your bashrc to allow vim to automatically sudo if you can't edit the file normally.



            vim() {
            #only good for auto-sudo. delete if no sudo privileges.
            #If you're not just opening a single file, let's not use this.
            if [[ "$#" -ne 1 ]]; then
            command vim "$@"
            #cases: if we can write to the file, or the file doesn't exist and we can make new files in that directory
            elif [[ -w "$1" || ( -w $(dirname "$1") && ! -f "$1" ) ]]; then
            # vim or 'vim' only escape aliases, not functions
            command vim "$1"
            else
            sudo env HOME="$HOME" vim -u $HOME/.vimrc "$1"
            fi
            }





            share|improve this answer





















            • On Ubuntu sudo by default preserves the $HOME environment variable, which means that sudo vim will use your customized .vimrc, and it also means that sudo vim will change the ownership of ~/.viminfo to root:root and cause you some inconvenience.
              – Marius Gedminas
              Nov 8 at 12:22










            • The accepted answer disagrees with you about viminfo.
              – jeremysprofile
              Nov 8 at 15:18















            up vote
            2
            down vote













            Yes, it is safe to use sudo vim. The problems I come across are




            • Having to quit the file and re-open with sudo vim to be able to edit.


            • Having the root vimrc being the default one, not my customized useful stuff.



            Here's a function you can put in your bashrc to allow vim to automatically sudo if you can't edit the file normally.



            vim() {
            #only good for auto-sudo. delete if no sudo privileges.
            #If you're not just opening a single file, let's not use this.
            if [[ "$#" -ne 1 ]]; then
            command vim "$@"
            #cases: if we can write to the file, or the file doesn't exist and we can make new files in that directory
            elif [[ -w "$1" || ( -w $(dirname "$1") && ! -f "$1" ) ]]; then
            # vim or 'vim' only escape aliases, not functions
            command vim "$1"
            else
            sudo env HOME="$HOME" vim -u $HOME/.vimrc "$1"
            fi
            }





            share|improve this answer





















            • On Ubuntu sudo by default preserves the $HOME environment variable, which means that sudo vim will use your customized .vimrc, and it also means that sudo vim will change the ownership of ~/.viminfo to root:root and cause you some inconvenience.
              – Marius Gedminas
              Nov 8 at 12:22










            • The accepted answer disagrees with you about viminfo.
              – jeremysprofile
              Nov 8 at 15:18













            up vote
            2
            down vote










            up vote
            2
            down vote









            Yes, it is safe to use sudo vim. The problems I come across are




            • Having to quit the file and re-open with sudo vim to be able to edit.


            • Having the root vimrc being the default one, not my customized useful stuff.



            Here's a function you can put in your bashrc to allow vim to automatically sudo if you can't edit the file normally.



            vim() {
            #only good for auto-sudo. delete if no sudo privileges.
            #If you're not just opening a single file, let's not use this.
            if [[ "$#" -ne 1 ]]; then
            command vim "$@"
            #cases: if we can write to the file, or the file doesn't exist and we can make new files in that directory
            elif [[ -w "$1" || ( -w $(dirname "$1") && ! -f "$1" ) ]]; then
            # vim or 'vim' only escape aliases, not functions
            command vim "$1"
            else
            sudo env HOME="$HOME" vim -u $HOME/.vimrc "$1"
            fi
            }





            share|improve this answer












            Yes, it is safe to use sudo vim. The problems I come across are




            • Having to quit the file and re-open with sudo vim to be able to edit.


            • Having the root vimrc being the default one, not my customized useful stuff.



            Here's a function you can put in your bashrc to allow vim to automatically sudo if you can't edit the file normally.



            vim() {
            #only good for auto-sudo. delete if no sudo privileges.
            #If you're not just opening a single file, let's not use this.
            if [[ "$#" -ne 1 ]]; then
            command vim "$@"
            #cases: if we can write to the file, or the file doesn't exist and we can make new files in that directory
            elif [[ -w "$1" || ( -w $(dirname "$1") && ! -f "$1" ) ]]; then
            # vim or 'vim' only escape aliases, not functions
            command vim "$1"
            else
            sudo env HOME="$HOME" vim -u $HOME/.vimrc "$1"
            fi
            }






            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Nov 7 at 20:14









            jeremysprofile

            1213




            1213












            • On Ubuntu sudo by default preserves the $HOME environment variable, which means that sudo vim will use your customized .vimrc, and it also means that sudo vim will change the ownership of ~/.viminfo to root:root and cause you some inconvenience.
              – Marius Gedminas
              Nov 8 at 12:22










            • The accepted answer disagrees with you about viminfo.
              – jeremysprofile
              Nov 8 at 15:18


















            • On Ubuntu sudo by default preserves the $HOME environment variable, which means that sudo vim will use your customized .vimrc, and it also means that sudo vim will change the ownership of ~/.viminfo to root:root and cause you some inconvenience.
              – Marius Gedminas
              Nov 8 at 12:22










            • The accepted answer disagrees with you about viminfo.
              – jeremysprofile
              Nov 8 at 15:18
















            On Ubuntu sudo by default preserves the $HOME environment variable, which means that sudo vim will use your customized .vimrc, and it also means that sudo vim will change the ownership of ~/.viminfo to root:root and cause you some inconvenience.
            – Marius Gedminas
            Nov 8 at 12:22




            On Ubuntu sudo by default preserves the $HOME environment variable, which means that sudo vim will use your customized .vimrc, and it also means that sudo vim will change the ownership of ~/.viminfo to root:root and cause you some inconvenience.
            – Marius Gedminas
            Nov 8 at 12:22












            The accepted answer disagrees with you about viminfo.
            – jeremysprofile
            Nov 8 at 15:18




            The accepted answer disagrees with you about viminfo.
            – jeremysprofile
            Nov 8 at 15:18










            up vote
            1
            down vote













            It's fine to use vi as root. There's going to be times when you need to edit a file that requires sudo or root privileges, like changing your network interfaces file, or maybe editing your sshd config file. Using root for graphical stuff is bad because people would connect to IRC or browse the web as root. If they got a virus while doing so, it would have full root access.






            share|improve this answer

















            • 2




              There is atleast one specific exception for using vi as root. The file which controls the sudo path (/etc/sudoers) should never be edited with vi. For that file, the command visudo should be used. You don't even specify what file isbeing edited, it's just the special case.
              – user628388
              Nov 7 at 2:31

















            up vote
            1
            down vote













            It's fine to use vi as root. There's going to be times when you need to edit a file that requires sudo or root privileges, like changing your network interfaces file, or maybe editing your sshd config file. Using root for graphical stuff is bad because people would connect to IRC or browse the web as root. If they got a virus while doing so, it would have full root access.






            share|improve this answer

















            • 2




              There is atleast one specific exception for using vi as root. The file which controls the sudo path (/etc/sudoers) should never be edited with vi. For that file, the command visudo should be used. You don't even specify what file isbeing edited, it's just the special case.
              – user628388
              Nov 7 at 2:31















            up vote
            1
            down vote










            up vote
            1
            down vote









            It's fine to use vi as root. There's going to be times when you need to edit a file that requires sudo or root privileges, like changing your network interfaces file, or maybe editing your sshd config file. Using root for graphical stuff is bad because people would connect to IRC or browse the web as root. If they got a virus while doing so, it would have full root access.






            share|improve this answer












            It's fine to use vi as root. There's going to be times when you need to edit a file that requires sudo or root privileges, like changing your network interfaces file, or maybe editing your sshd config file. Using root for graphical stuff is bad because people would connect to IRC or browse the web as root. If they got a virus while doing so, it would have full root access.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Nov 6 at 23:54









            The Letter M

            1314




            1314








            • 2




              There is atleast one specific exception for using vi as root. The file which controls the sudo path (/etc/sudoers) should never be edited with vi. For that file, the command visudo should be used. You don't even specify what file isbeing edited, it's just the special case.
              – user628388
              Nov 7 at 2:31
















            • 2




              There is atleast one specific exception for using vi as root. The file which controls the sudo path (/etc/sudoers) should never be edited with vi. For that file, the command visudo should be used. You don't even specify what file isbeing edited, it's just the special case.
              – user628388
              Nov 7 at 2:31










            2




            2




            There is atleast one specific exception for using vi as root. The file which controls the sudo path (/etc/sudoers) should never be edited with vi. For that file, the command visudo should be used. You don't even specify what file isbeing edited, it's just the special case.
            – user628388
            Nov 7 at 2:31






            There is atleast one specific exception for using vi as root. The file which controls the sudo path (/etc/sudoers) should never be edited with vi. For that file, the command visudo should be used. You don't even specify what file isbeing edited, it's just the special case.
            – user628388
            Nov 7 at 2:31












            up vote
            0
            down vote













            Something that hasn't been mentioned in the other answers is that running vim with root will give root priviledges to whatever plugins you have installed. So, the question of whether or not it is safe to run as root depends on whether you trust those plugin developers (or contributors to their project) to not own your system to its core.



            Vim is typically vetted by package maintainers in all linux distributions, so it's easy to trust. However, vim plugins are typically installed directly from GitHub repos and typically have much less users auditing (maybe nil). In other words, there is not vetting process with them.



            If you don't load plugins while in root, then I guess running as root depends on whether you trust vim developers. You can skip having to trust them, however, by using sudoedit which is made by the same developers of sudo, people that we've already trusted with root access anyways. GKFX and NieDzejkob have already mentioned why sudoedit is ideal. Besides the point that you don't have to trust root access to anyone else besides the developers of sudo, you can load all the plugins you've already trusted with your normal user account.






            share|improve this answer





















            • This discussion on not trusting various developers seems a bit incomplete; if you sudoedit /etc/apt/sources.list with a compromised plugin installed, it can probably insert a malicious repository and gain root access next time you run updates anyway. I’m sure there’s a long list of root-protected files for which something similar applies. And of course, not every virus requires root; one could grab your bank details with no more than a browser extension.
              – GKFX
              Nov 9 at 8:45















            up vote
            0
            down vote













            Something that hasn't been mentioned in the other answers is that running vim with root will give root priviledges to whatever plugins you have installed. So, the question of whether or not it is safe to run as root depends on whether you trust those plugin developers (or contributors to their project) to not own your system to its core.



            Vim is typically vetted by package maintainers in all linux distributions, so it's easy to trust. However, vim plugins are typically installed directly from GitHub repos and typically have much less users auditing (maybe nil). In other words, there is not vetting process with them.



            If you don't load plugins while in root, then I guess running as root depends on whether you trust vim developers. You can skip having to trust them, however, by using sudoedit which is made by the same developers of sudo, people that we've already trusted with root access anyways. GKFX and NieDzejkob have already mentioned why sudoedit is ideal. Besides the point that you don't have to trust root access to anyone else besides the developers of sudo, you can load all the plugins you've already trusted with your normal user account.






            share|improve this answer





















            • This discussion on not trusting various developers seems a bit incomplete; if you sudoedit /etc/apt/sources.list with a compromised plugin installed, it can probably insert a malicious repository and gain root access next time you run updates anyway. I’m sure there’s a long list of root-protected files for which something similar applies. And of course, not every virus requires root; one could grab your bank details with no more than a browser extension.
              – GKFX
              Nov 9 at 8:45













            up vote
            0
            down vote










            up vote
            0
            down vote









            Something that hasn't been mentioned in the other answers is that running vim with root will give root priviledges to whatever plugins you have installed. So, the question of whether or not it is safe to run as root depends on whether you trust those plugin developers (or contributors to their project) to not own your system to its core.



            Vim is typically vetted by package maintainers in all linux distributions, so it's easy to trust. However, vim plugins are typically installed directly from GitHub repos and typically have much less users auditing (maybe nil). In other words, there is not vetting process with them.



            If you don't load plugins while in root, then I guess running as root depends on whether you trust vim developers. You can skip having to trust them, however, by using sudoedit which is made by the same developers of sudo, people that we've already trusted with root access anyways. GKFX and NieDzejkob have already mentioned why sudoedit is ideal. Besides the point that you don't have to trust root access to anyone else besides the developers of sudo, you can load all the plugins you've already trusted with your normal user account.






            share|improve this answer












            Something that hasn't been mentioned in the other answers is that running vim with root will give root priviledges to whatever plugins you have installed. So, the question of whether or not it is safe to run as root depends on whether you trust those plugin developers (or contributors to their project) to not own your system to its core.



            Vim is typically vetted by package maintainers in all linux distributions, so it's easy to trust. However, vim plugins are typically installed directly from GitHub repos and typically have much less users auditing (maybe nil). In other words, there is not vetting process with them.



            If you don't load plugins while in root, then I guess running as root depends on whether you trust vim developers. You can skip having to trust them, however, by using sudoedit which is made by the same developers of sudo, people that we've already trusted with root access anyways. GKFX and NieDzejkob have already mentioned why sudoedit is ideal. Besides the point that you don't have to trust root access to anyone else besides the developers of sudo, you can load all the plugins you've already trusted with your normal user account.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Nov 7 at 17:00









            JoL

            1,06437




            1,06437












            • This discussion on not trusting various developers seems a bit incomplete; if you sudoedit /etc/apt/sources.list with a compromised plugin installed, it can probably insert a malicious repository and gain root access next time you run updates anyway. I’m sure there’s a long list of root-protected files for which something similar applies. And of course, not every virus requires root; one could grab your bank details with no more than a browser extension.
              – GKFX
              Nov 9 at 8:45


















            • This discussion on not trusting various developers seems a bit incomplete; if you sudoedit /etc/apt/sources.list with a compromised plugin installed, it can probably insert a malicious repository and gain root access next time you run updates anyway. I’m sure there’s a long list of root-protected files for which something similar applies. And of course, not every virus requires root; one could grab your bank details with no more than a browser extension.
              – GKFX
              Nov 9 at 8:45
















            This discussion on not trusting various developers seems a bit incomplete; if you sudoedit /etc/apt/sources.list with a compromised plugin installed, it can probably insert a malicious repository and gain root access next time you run updates anyway. I’m sure there’s a long list of root-protected files for which something similar applies. And of course, not every virus requires root; one could grab your bank details with no more than a browser extension.
            – GKFX
            Nov 9 at 8:45




            This discussion on not trusting various developers seems a bit incomplete; if you sudoedit /etc/apt/sources.list with a compromised plugin installed, it can probably insert a malicious repository and gain root access next time you run updates anyway. I’m sure there’s a long list of root-protected files for which something similar applies. And of course, not every virus requires root; one could grab your bank details with no more than a browser extension.
            – GKFX
            Nov 9 at 8:45


















             

            draft saved


            draft discarded



















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1090632%2fis-vim-safe-to-use-in-combination-with-sudo%23new-answer', 'question_page');
            }
            );

            Post as a guest




















































































            這個網誌中的熱門文章

            Xamarin.form Move up view when keyboard appear

            Post-Redirect-Get with Spring WebFlux and Thymeleaf

            Anylogic : not able to use stopDelay()