An irc-user in #Vim urged me not to use Sudo with Vim like:
sudo vim bad_ideaWhen I am doing things in locations such as /var/www/, I cannot write without it. So not-using sudo becomes a problem. Of course, I could make changes in different locations such as /tmp/ and then copy dirs to /var/www. However, I sense an easier way.
- If you do not "sudo Vim", why?
- If yes to 1st question, how do you circumvent problems not to use sudo?
8 Answers
I fall under the first category: sudo vim /var/www/html/some_file is a bad idea; it allows shell escapes that aren't logged. Instead, use sudoedit /var/www/html/some_file; that has the same effect.
Refer: :
1% is replaced with the current file name, thus you can use:
:w !sudo tee %
vim allows users to execute arbitrary shell commands, therefore many system admins do not allow vim to be used with sudo.
rvim is included with vim. It is a restricted vim, that does not allow shell commands. (Or allow you to suspend vim, for the same reasons.)
Whether you need to go to those extremes on your own box is debatable.
4When editing system-wide configuration files, it's totally okay---just always remember you're root and thus have all the power, and drop those privileges as soon as you don't need them anymore.
In the special case /var/www/, i.e. web server pages, you might want to think about changing some ownerships / groups / permissions---but if and how largely depends on your particular setup (single / multi user, real web server / just localhost, dynamic / static, etc.)
A question like this makes me smack my forehead. I am on the other side of security, "security should not interfere with the user experience, unless it is expected or required to prevent the average person doing malicious activity."
Preventing sudo use of vim is just a band aid. As stated earlier, someone can just use:
sudo su -Or
sudo /bin/bashOr
sudo nano fileOr
sudo my_exectuable_text_editor fileect
If you are really worried about someone doing something malicious on the box, do not give them sudo (or root password obviously) privileges, period. There is no sliver bullet to prevent malicious activity using sudo and you will only drive yourself crazy by "applying" all the "fixes" to make sure a person can't do anything malicious.
Someone mentioned changing ownership/groups. This is a sticky problem as if the web server is ran as another user, and you change permissions on the file, now all of a sudden your site doesn't work. Well, obviously that wont help you. You can add yourself to the group the web server runs as, however, if the group doesn't have write access to the files, you would need to perform chmod -R g+w * (or chmod individual files) which may not be what you want and can be a hassle if you have to chmod every file.
Some people even suggested using rvim. Sure, one could just add a line in /etc/sudoers to only allow certain users to sudo rvim, however, it would logically stand that if you had to go that route, it may just be better to implement a web based file manager. This way it is running as the user the web server is running as, thus no file permission issues and you can still have granular control over who edits what files.
My two cents anyways.
Running sudo vim won't change the $HOME directory, so you will be running Vim with root permissions, but $HOME is still pointing to your normal user.
If this is the first time you are running Vim, it may happen that ~/.viminfo file is created inside your normal user directory, but with root permissions.
IF THIS IS YOUR OWN COMPUTER... I see no reason why you can't use 'sudo vim', other than the edge case that Denilson noted - that it might create your ~/.viminfo owned by root.
If not - if a systems administrator is restricting what you can and can't do - per "man sudo": "on most systems it is possible to prevent shell escapes with sudo's noexec functionality. See the sudoers(5) manual for details."
So in this case, if your sysadmin is concerned about the potential of you running subshells as root from within vim, they can use the noexec capability. But... back to the initial case - if this is YOUR computer, I think you're pretty darn safe running 'sudo vim'.
A reference to balpha's reply about groups:
