[PATCH] system: Add sudoedit to %setuid-programs.

Status: Done
Participants: Efraim Flashner, Ludovic Courtès, Meiyo Peng
Owner: unassigned
Submitted by: Meiyo Peng
Severity: normal

Meiyo Peng wrote 6 years ago
(address . guix-patches@gnu.org)
87zhsdqbxv.fsf@gmail.com
Hi,

This patch adds sudoedit to %setuid-programs. Although sudoedit is
equivalent to "sudo -e" and sudo is already in %setuid-programs, I
prefer to type sudoedit in terminal. sudoedit is a common command in
Linux distros. I use it frequently. It would be great if guix users
are not forced to fall back on "sudo -e".
From 822f58171d10e92106878e1c9687401743ca372c Mon Sep 17 00:00:00 2001
From: Meiyo Peng <meiyo.peng@gmail.com>
Date: Sat, 5 Jan 2019 21:06:47 +0800
Subject: [PATCH] system: Add sudoedit to %setuid-programs.

* gnu/system.scm (%setuid-programs): Add sudoedit.
---
gnu/system.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/system.scm b/gnu/system.scm
index ee48f4826..09ee88d43 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2015, 2016 Alex Kost <alezost@gmail.com>
;;; Copyright © 2016 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
+;;; Copyright © 2019 Meiyo Peng <meiyo.peng@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -792,6 +793,7 @@ use 'plain-file' instead~%")
(file-append inetutils "/bin/ping")
(file-append inetutils "/bin/ping6")
(file-append sudo "/bin/sudo")
+ (file-append sudo "/bin/sudoedit")
(file-append fuse "/bin/fusermount"))))
(define %sudoers-specification
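Review bot: the added `(file-append sudo "/bin/sudoedit")` entry in %setuid-programs carries no comment saying why a second setuid entry from the same sudo package is needed when `(file-append sudo "/bin/sudo")` is already listed directly above it. The cover letter describes sudoedit as equivalent to "sudo -e"; a one-line comment above the new entry stating that would let anyone auditing the setuid list see that this is the same program under another name and not an additional privileged tool. The commit log line "Add sudoedit." could carry the same rationale.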
--
2.20.1
Ludovic Courtès wrote 6 years ago
(name . Meiyo Peng)(address . meiyo.peng@gmail.com)(address . 34005@debbugs.gnu.org)
87h8ee6tv3.fsf@gnu.org
Hi Meiyo,

Meiyo Peng <meiyo.peng@gmail.com> skribis:

> This patch adds sudoedit to %setuid-programs. Although sudoedit is
> equivalent to "sudo -e" and sudo is already in %setuid-programs, I
> prefer to type sudoedit in terminal. sudoedit is a common command in
> Linux distros. I use it frequently. It would be great if guix users
> are not forced to fall back on "sudo -e".

The problem I see is that on GuixSD /etc/sudoers is not supposed to be
edited directly. Instead, users are expected to specify ‘sudoers-file’
in their OS config, which generates a read-only /etc/sudoers.

Whatever changes you make manually to that file are lost upon reboot or
reconfiguration.

Thus I feel like we should discourage ‘sudo -e’, ‘sudoedit’, and
‘visudo’ altogether.

WDYT?

Thanks,
Ludo’.
Meiyo Peng wrote 6 years ago
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 34005@debbugs.gnu.org)
87va2uulks.fsf@gmail.com
Hi Ludovic,

Ludovic Courtès writes:

> Hi Meiyo,
>
> Meiyo Peng <meiyo.peng@gmail.com> skribis:
>
>> This patch adds sudoedit to %setuid-programs. Although sudoedit is
>> equivalent to "sudo -e" and sudo is already in %setuid-programs, I
>> prefer to type sudoedit in terminal. sudoedit is a common command in
>> Linux distros. I use it frequently. It would be great if guix users
>> are not forced to fall back on "sudo -e".
>
> The problem I see is that on GuixSD /etc/sudoers is not supposed to be
> edited directly. Instead, users are expected to specify ‘sudoers-file’
> in their OS config, which generates a read-only /etc/sudoers.
>
> Whatever changes you make manually to that file are lost upon reboot or
> reconfiguration.
>
> Thus I feel like we should discourage ‘sudo -e’, ‘sudoedit’, and
> ‘visudo’ altogether.
>
> WDYT?

I agree we should discourage users to edit files in /etc that are
managed by guix. These files will be overridden upon `guix system
reconfigure`, so user's modification will be lost. They should change
these files in the guix way by using config.scm.

However, sudoedit can also be used to edit files in /media, /mnt, /opt,
/srv and /var. These files require root privilege to edit and they are
not managed by guix. This is the main reason we need sudoedit.

Oh, I also use sudoedit to edit /etc/config.scm.

So, WDYT?

--
Meiyo Peng
Meiyo Peng wrote 6 years ago
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 34005@debbugs.gnu.org)
87tvieukku.fsf@gmail.com
Meiyo Peng writes:

> Hi Ludovic,
>
> Ludovic Courtès writes:
>
>> Hi Meiyo,
>>
>> Meiyo Peng <meiyo.peng@gmail.com> skribis:
>>
>>> This patch adds sudoedit to %setuid-programs. Although sudoedit is
>>> equivalent to "sudo -e" and sudo is already in %setuid-programs, I
>>> prefer to type sudoedit in terminal. sudoedit is a common command in
>>> Linux distros. I use it frequently. It would be great if guix users
>>> are not forced to fall back on "sudo -e".
>>
>> The problem I see is that on GuixSD /etc/sudoers is not supposed to be
>> edited directly. Instead, users are expected to specify ‘sudoers-file’
>> in their OS config, which generates a read-only /etc/sudoers.
>>
>> Whatever changes you make manually to that file are lost upon reboot or
>> reconfiguration.
>>
>> Thus I feel like we should discourage ‘sudo -e’, ‘sudoedit’, and
>> ‘visudo’ altogether.
>>
>> WDYT?
>
> I agree we should discourage users to edit files in /etc that are
> managed by guix. These files will be overridden upon `guix system
> reconfigure`, so user's modification will be lost. They should change
> these files in the guix way by using config.scm.
>
> However, sudoedit can also be used to edit files in /media, /mnt, /opt,
> /srv and /var. These files require root privilege to edit and they are
> not managed by guix. This is the main reason we need sudoedit.
>
> Oh, I also use sudoedit to edit /etc/config.scm.
>
> So, WDYT?

I think you have confused sudoedit with visudo. visudo is used to edit
/etc/sudoers and it can only edit that file. But sudoedit is used to
edit any file that requires root privilege.

It's a good habit for sysadmins to edit files with `sudoedit
/path/to/file` rather than `sudo editor /path/to/file`. sudoedit can
respect my $EDITOR, which is emacsclient, and connect to my Emacs
server. So I can edit files in my familiar Emacs environment. This is
much better than `sudo emacs /path/to/file`, which starts a vanilla
emacs.

--
Meiyo Peng
Efraim Flashner wrote 6 years ago
(name . Meiyo Peng)(address . meiyo.peng@gmail.com)(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 34005@debbugs.gnu.org)
20190112200335.GA2050@macbook41
On Sat, Jan 12, 2019 at 08:28:01PM +0800, Meiyo Peng wrote:
>
> Meiyo Peng writes:
>
> > Hi Ludovic,
> >
> > Ludovic Courtès writes:
> >
> >> Hi Meiyo,
> >>
> >> Meiyo Peng <meiyo.peng@gmail.com> skribis:
> >>
> >>> This patch adds sudoedit to %setuid-programs. Although sudoedit is
> >>> equivalent to "sudo -e" and sudo is already in %setuid-programs, I
> >>> prefer to type sudoedit in terminal. sudoedit is a common command in
> >>> Linux distros. I use it frequently. It would be great if guix users
> >>> are not forced to fall back on "sudo -e".
> >>
> >> The problem I see is that on GuixSD /etc/sudoers is not supposed to be
> >> edited directly. Instead, users are expected to specify ‘sudoers-file’
> >> in their OS config, which generates a read-only /etc/sudoers.
> >>
> >> Whatever changes you make manually to that file are lost upon reboot or
> >> reconfiguration.
> >>
> >> Thus I feel like we should discourage ‘sudo -e’, ‘sudoedit’, and
> >> ‘visudo’ altogether.
> >>
> >> WDYT?
> >
> > I agree we should discourage users to edit files in /etc that are
> > managed by guix. These files will be overridden upon `guix system
> > reconfigure`, so user's modification will be lost. They should change
> > these files in the guix way by using config.scm.
> >
> > However, sudoedit can also be used to edit files in /media, /mnt, /opt,
> > /srv and /var. These files require root privilege to edit and they are
> > not managed by guix. This is the main reason we need sudoedit.
> >
> > Oh, I also use sudoedit to edit /etc/config.scm.
> >
> > So, WDYT?
>
> I think you have confused sudoedit with visudo. visudo is used to edit
> /etc/sudoers and it can only edit that file. But sudoedit is used to
> edit any file that requires root privilege.
>
> It's a good habit for sysadmins to edit files with `sudoedit
> /path/to/file` rather than `sudo editor /path/to/file`. sudoedit can
> respect my $EDITOR, which is emacsclient, and connect to my Emacs
> server. So I can edit files in my familiar Emacs environment. This is
> much better than `sudo emacs /path/to/file`, which starts a vanilla
> emacs.
>

I hadn't known about sudoedit before this thread. I think it'd be nice
to add to the %setuid-programs list and I'd definitely try to remember
to use it.

--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


Ludovic Courtès wrote 6 years ago
(name . Meiyo Peng)(address . meiyo.peng@gmail.com)(address . 34005-done@debbugs.gnu.org)
87ef9g47bw.fsf@gnu.org
Hello,

Meiyo Peng <meiyo.peng@gmail.com> skribis:

>> Ludovic Courtès writes:

[...]

>>> The problem I see is that on GuixSD /etc/sudoers is not supposed to be
>>> edited directly. Instead, users are expected to specify ‘sudoers-file’
>>> in their OS config, which generates a read-only /etc/sudoers.
>>>
>>> Whatever changes you make manually to that file are lost upon reboot or
>>> reconfiguration.
>>>
>>> Thus I feel like we should discourage ‘sudo -e’, ‘sudoedit’, and
>>> ‘visudo’ altogether.
>>>
>>> WDYT?
>>
>> I agree we should discourage users to edit files in /etc that are
>> managed by guix. These files will be overridden upon `guix system
>> reconfigure`, so user's modification will be lost. They should change
>> these files in the guix way by using config.scm.
>>
>> However, sudoedit can also be used to edit files in /media, /mnt, /opt,
>> /srv and /var. These files require root privilege to edit and they are
>> not managed by guix. This is the main reason we need sudoedit.
>>
>> Oh, I also use sudoedit to edit /etc/config.scm.
>>
>> So, WDYT?
>
> I think you have confused sudoedit with visudo. visudo is used to edit
> /etc/sudoers and it can only edit that file. But sudoedit is used to
> edit any file that requires root privilege.

Oh indeed, I wrongfully assumed that ‘sudoedit’ is synonymous with
‘visudo’—thanks for explaining!

> It's a good habit for sysadmins to edit files with `sudoedit
> /path/to/file` rather than `sudo editor /path/to/file`. sudoedit can
> respect my $EDITOR, which is emacsclient, and connect to my Emacs
> server. So I can edit files in my familiar Emacs environment. This is
> much better than `sudo emacs /path/to/file`, which starts a vanilla
> emacs.

OK, got it. Applied, thanks, and sorry for the confusion!

Ludo’.
Closed