946
Just a PSA (lemmy.zip)
you are viewing a single comment's thread
view the rest of the comments
[-] doctorn@r.nf 25 points 11 months ago
[-] hemko@lemmy.dbzer0.com 23 points 11 months ago

You shouldn't really use editor with sudo, but instead use sudoedit to edit files restricted to root user

SUDO_EDITOR=nano sudoedit /etc/fstab

This accomplishes the same function while running the text editor as unprivileged user

[-] doctorn@r.nf 10 points 11 months ago* (last edited 11 months ago)

Why?

Files from user: nano

Files from root: sudo nano

Files from another user: sudo nano (and if new sudo chown after)... ๐Ÿ˜‚

Never had any problems with this in over 10 years... ๐Ÿ˜…๐Ÿ˜‚

[-] Hawk@lemmy.dbzer0.com 14 points 11 months ago

Doing sudo nano will not load your user configuration, sudoedit will. I had plenty of problems with this, but I assume you don't have any custom configuration.

[-] samuelc@lemmy.world 9 points 11 months ago* (last edited 11 months ago)

One reason why sometime I don't do sudoedit is that I make a lot of changes to the config/restart service/see it works/edit etc.. sudoedit only write to the file when exiting, so that flow won't work...

for example when having adding a new host on nginx and some configuration and see if everything work (sudo vim/systemc nginx restart/curl https:// domain loop)

but yeah in general i'll just use sudoedit (which alias to se for me) for my root editing

[-] doctorn@r.nf 3 points 11 months ago* (last edited 11 months ago)

I just have a root custom config too. ๐Ÿคทโ€โ™‚๏ธ This even allows me to easily use different configs for root than for the user.

Made with 'sudo nano', fyi. ๐Ÿ˜‚

[-] hemko@lemmy.dbzer0.com 3 points 11 months ago

As mentioned, to prevent running your text editor with root permissions. It's just security optimization

[-] doctorn@r.nf 4 points 11 months ago

Let me rephrase my question:

Why would I not want to open nano as root?

No offense, but that sounds like more OCD behavior. ๐Ÿ˜… I don't need or want protection against myself, and I even loath the whole "that's not how you're supposed to do it"-mentality of linux (where when commands know very well what you want, instead of doing it, just tell you you forgot something). ๐Ÿ˜…

[-] hemko@lemmy.dbzer0.com 1 points 11 months ago* (last edited 11 months ago)

It's not any OCD behavior, but simply the best practices. You've probably at least minimally familiar with the principal of least privilege? The idea is to minimize scope of a potential problem , was it malicious attack or user error, by restricting access to minimum required to perform a task. It may feel like fighting pedantically (and I've been fighting this more than I'd care to) but it will save your ass one day.

[-] scinde@discuss.tchncs.de 1 points 11 months ago

It's probably to protect against any potential security vulnerabilities in the text editor program itself, not to protect you from yourself.

[-] doctorn@r.nf 3 points 11 months ago

Wouldn't that logic count for anything, including sudo itself?

[-] scinde@discuss.tchncs.de 2 points 11 months ago

Sure, but sudo is specifically designed with security in mind as a security program, whereas text editors are not (although I am more likely to trust vim than vscode). Running a malicious program as the user and not as root can help mitigate the impact it could do, even though it will still be able to do a lot as a user.

[-] doctorn@r.nf 1 points 11 months ago

You assume this malicious code is lame enough not to gain root itself with a modified su.

[-] scinde@discuss.tchncs.de 1 points 11 months ago

What do you mean get root itself with a modified su? A program that has been run as a user cannot just get root permissions, that's called a privilege escalation attack and is a serious vulnerability in the kernel which gets fixed quickly when found.

[-] doctorn@r.nf -1 points 11 months ago* (last edited 11 months ago)

Any attack is usually non-intended vulnarabilities. Same argument applies to any software, like nano, if it can open doors to your system.

[-] scinde@discuss.tchncs.de 1 points 11 months ago

Of course it applies to any software, but some programs are more vulnerable than others. For example, when you want to have cryptography in your program, you use an established library, not write the algorithms yourself, because those libraries were written with security in mind (i.e. have protections against different kinds of attacks, for example, side channel attacks, in addition to being implemented properly). The whole point is to minimize the surface of attack, so that your system is more secure. And one way of doing so is to not give root permissions to programs that don't need it (such as text editors like nano).

[-] doctorn@r.nf -1 points 11 months ago

Yeah, well, as you said: it's probably fixed by now, but I used to have a universal su that would work on any armv7 linux (so basically every phone back then, but also on my armv7 little laptop I had at the time...) with which I was able to easily root any phone by putting it in /data/local and making it bootable, then using full path to move any Android root files in place (though I did also just copy that su itself to /system/bin for root on cheaper phones sometimes, which is just playing with fire as it basically makes any root action unseen and allowed. ๐Ÿ˜‚). That did work for years though, but that's probably cause Android minimizes the linux and never actually updated the kernel so much, and the laptop's flashed OS was something altered with also very little updates. And ARM was still quite new to the public too. ๐Ÿคทโ€โ™‚๏ธ

I remember I came across it in the rooting package for my Kindle Fire and only found out it could do that by accident,... ๐Ÿ˜… It couldn't change user, though, it had only 1 use without parameters, which resulted as if you do a 'sudo su' if you remove the sudo password-requirement.

Hence why I used the example. I wasn't being limitative to it, though. There's so many things that could screw you if it has a vulnerability, if it happens I very much doubt it'll be through nano, though.

[-] veniasilente@lemm.ee 2 points 11 months ago

You can say that just about anything.

sudo grub sudo boot sudo root=/dev/disk/linux sudo kernel-6.1.image sudo init sudo elogind sudo xterm sudo bash sudo nano

[-] scinde@discuss.tchncs.de 3 points 11 months ago* (last edited 11 months ago)

Again, like I replied to the other comment, most of the programs you need root for are designed with security in mind and are inherently more secure and have less vulnerabilities than a non security focused program (that is not to say that it is impossible for a security program to have vulnerabilities -it certainly occurred before and keeps occurring- they just have a lot fewer). But even if you need root permissions for a non security focused program, you still shouldn't let any program have it, the whole point is to minimize the surface of attack.

[-] Huschke@lemmy.world 7 points 11 months ago

Alternatively you could use my favorite approach, Visual Studio Code. Just open the file with it, edit it and upon saving you will be promoted if the file needs admin rights to save.

[-] LaSaucisseMasquee@jlai.lu 7 points 11 months ago* (last edited 11 months ago)

Okay but how can I show how good I am with shortcuts to edit legacy software ?

[-] Huschke@lemmy.world 2 points 11 months ago

Vscode does have a lot of shortcuts, so you could always study them in detail and impress others that way. ๐Ÿ˜…

[-] MalReynolds@slrpnk.net 3 points 11 months ago

Yup, s/vsc/kwrite/ personally, it's lighter, but why shouldn't I have a pretty for my config editing needs...

[-] hemko@lemmy.dbzer0.com 2 points 11 months ago

I love vsc but it's not always available.

[-] doctorn@r.nf 1 points 11 months ago

So for any supposedly malicious activity (infected) it wants to do, it just has to hold until you save and give admin access? ๐Ÿ˜…

[-] Huschke@lemmy.world 2 points 11 months ago

Yes, but if you want to argue along those lines, you could also have an infected version of vim on your system just waiting to do malicious stuff until you give it sudo access.

[-] doctorn@r.nf 0 points 11 months ago

Indeed... Hence why I use 'sudo nano'. ๐Ÿ˜œ

this post was submitted on 05 Dec 2023
946 points (98.1% liked)

linuxmemes

21255 readers
17 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.

  • Please report posts and comments that break these rules!

    founded 1 year ago
    MODERATORS