[PLUG] visudo for ubuntu ... pico? nano? joe?

Jason Barbier jason at corrupted.io
Mon Oct 4 13:01:01 UTC 2021


On Mon, Oct 4, 2021, at 1:12 AM, Keith Lofstrom wrote:
> I am learning about Ubuntu sysadmin, and why I should use
> visudo instead of logging in as root user to use vi.
> This assumes that Eve hasn't inserted a malware version
> of visudo into my path ...
>
> Except - on Ubuntu 18.04 LTS, visudo calls the "nano"
> text editor, and on 20.04 LTS it calls the "joe" text
> editor.  So WHY still call it visudo?  
>
> Anyway, I will use vi (aka vim) until they pry my keyboard
> out of my cold dead fingers.  I change editors as often as
> I change lungs.
>
> Other helpful guest sysadmins may prefer this shifting
> editor nonsense, so I plan to leave /usr/bin/visudo as-is
> and create a /usr/local/sbin/vvisudo shell script
> containing "sudo EDITOR=vim visudo" ...
>
> ... and add Yet Another Postit with how to exit nano
> or joe, or whatever editor they eventually choose for
> 22.04 LTS, in case I forget the extra v for vvisudo.
>
> Keith
>
> P.S.  Ctl-x for nano, Ctl-k for joe.  I think ...
>
> P.P.S.  vi turns fifty in 2026.  I've used it since it
> was beta.  Others change editors more often than they
> change their underwear.
>
> -- 
> Keith Lofstrom          keithl at keithl.com

Why use visudo? Because are you sure that the syntax was NOPASSWD=ALL, or was it NOPASSWD:ALL?
visudo is just a sudoers linter that uses your EDITORS settings to pick an editor. If you have your systems set right it could be nano, joe, vi, emacs, ed for all it cares; its job doesn't come till after you're done and save and exit. It's basically the last sanity check before you inadvertently lock yourself out of sudo, in a way that if you're admining boxes as a team not everyone needs to have access to the root password, which is orders of magnitude more dangerous than just making sure you didn't flub your sudoers up just on the off chance that Eve got access to your system with elevated privileges and decided to replace visudo instead of just doing something easier that wouldn't get noticed by a system integrity monitor.
You can always just edit the sudoers file in like /tmp with vi and do visudo -c -f /tmp/sudoers, then when it checks out move it to where it belongs; that's sorta how it does its thing anyway. It's also the easiest way to manage a split sudoers file using like /etc/sudoers.d, which is how I generally manage sudoers across my fleet so I can have it in my config management systems and easily identify why parts of the sudoers file were added using like $ticket.conf.
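
The check-then-move workflow described in the reply above, as an added example that is not part of the original post. The function name, the SUDOERS_DIR and SUDOERS_CHECK variables, and the ticket id are assumptions made for this sketch. It uses the bare ticket id as the file name because sudo's includedir skips names that contain a '.' or end in '~'.

```shell
#!/bin/sh
# Added example: validate a sudoers fragment, then install it atomically.
# SUDOERS_DIR and SUDOERS_CHECK are overridable assumptions of this sketch;
# the defaults are the usual drop-in directory and "visudo -c -f".
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"
SUDOERS_CHECK="${SUDOERS_CHECK:-visudo -c -f}"

# Usage (as root): install_sudoers_fragment /tmp/sudoers TICKET-1234
install_sudoers_fragment() {
    draft=$1
    name=$2
    [ -f "$draft" ] || { echo "no such draft: $draft" >&2; return 2; }

    # sudo ignores drop-in files whose names contain '.' or end in '~',
    # so only accept names that are certain to be read.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad fragment name: $name" >&2; return 2 ;;
    esac

    # Stage inside the destination directory so the final mv is a rename
    # on the same filesystem. The staged name contains '.', so sudo skips it.
    staged=$(mktemp "$SUDOERS_DIR/.stage-XXXXXX") || return 1
    cat "$draft" > "$staged" && chmod 0440 "$staged" || {
        rm -f "$staged"
        return 1
    }

    # Lint the exact bytes that will be installed; a failed check leaves
    # the live configuration untouched.
    if ! $SUDOERS_CHECK "$staged" >/dev/null 2>&1; then
        rm -f "$staged"
        echo "syntax check failed, nothing installed" >&2
        return 1
    fi

    mv -f "$staged" "$SUDOERS_DIR/$name"
}
```
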


