Why is sudoedit writing to a temporary directory?
8 votes
I used sudoedit to create a file:
$ sudoedit /etc/systemd/system/apache2.service
but when I went to save the file, it wrote it in a temporary directory (/var/temp/blahblah). What is going on? Why is it not saving it to the system directory?
edited Nov 15 at 11:19
ctrl-alt-delor
asked Nov 15 at 9:18
Tyler Durden
2 Answers
20 votes, accepted
The point of sudoedit is to allow users to edit files they wouldn’t otherwise be allowed to, while running an unprivileged editor. To make this happen, sudoedit copies the file to be edited to a temporary location, makes it writable by the requesting user, and opens it in the configured editor. That’s why the editor shows an unrelated filename in a temporary directory. When the editor exits, sudoedit checks whether any changes were really made, and copies the changed temporary file back to its original location if necessary.
answered Nov 15 at 9:22
Stephen Kitt
IIRC some editors will also do basic sanity checks to ensure that no computer-bricking changes were made, but I'm not sure how common that is.
– Nic Hartley
Nov 15 at 22:56
@NicHartley: It's hard to do that in the general case, because there are so many varied ways to brick your computer. It tends to be application specific, e.g. with visudo for /etc/sudoers.
– Kevin
Nov 16 at 0:34
@Kevin Oh, whoops, I think I confused visudo for sudoedit. I knew visudo did it for sure. Thanks for clearing that up!
– Nic Hartley
Nov 16 at 1:10
0 votes
This is nicely explained in the sudo manpage. The description of -e (which sudoedit is equivalent to) says:
-e
The -e (edit) option indicates that, instead of running a command, the user wishes to edit one or more files. In lieu of a command, the string "sudoedit" is used when consulting the security policy. If the user is authorized by the policy, the following steps are taken:
- Temporary copies are made of the files to be edited with the owner set to the invoking user.
- The editor specified by the policy is run to edit the temporary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.
- If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed.
If the specified file does not exist, it will be created. Note that unlike most commands run by sudo, the editor is run with the invoking user's environment unmodified. If, for some reason, sudo is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain in a temporary file.
In particular, note the third step: only if the file has been modified at the end of editing is the original changed. So, if you have a program that watches a file, this can help avoid (a) intermediate writes being picked up, and (b) unnecessary actions if you decided to make no changes in the end.
answered Nov 16 at 6:58
JohnDoea
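The copy, edit, copy-back sequence that both answers describe, as an added shell sketch (not sudo's code and not written by either answerer). The function names, the `vi` fallback and the use of `cksum` to decide "modified" are assumptions made for the illustration, and no privilege change takes place.

```shell
#!/bin/sh
# Added illustration of the sudoedit workflow; NOT sudo's own code.
# Nothing here changes privileges: real sudoedit performs the copy steps
# with elevated rights and runs only the editor as the invoking user.

# Editor lookup order quoted from the man page: SUDO_EDITOR, VISUAL, EDITOR.
# The last-resort "vi" is an assumption standing in for the sudoers
# "editor" option.
pick_editor() {
    printf '%s\n' "${SUDO_EDITOR:-${VISUAL:-${EDITOR:-vi}}}"
}

# edit_via_temp_copy TARGET  (hypothetical helper name)
# Returns 0 if TARGET was updated, 1 if left untouched, 2 on error.
edit_via_temp_copy() {
    target=$1
    editor=$(pick_editor)
    tmp=$(mktemp "${TMPDIR:-/tmp}/$(basename "$target").XXXXXX") || return 2

    # Step 1: temporary copy (stays empty if the target does not exist yet).
    if [ -e "$target" ]; then
        cp -- "$target" "$tmp" || { rm -f -- "$tmp"; return 2; }
    fi
    before=$(cksum < "$tmp")

    # Step 2: the editor only ever sees the temporary path, which is why
    # it displays an unrelated filename. Unquoted so "editor -flag" works.
    $editor "$tmp"

    # Step 3: copy back only if the content changed.
    if [ "$(cksum < "$tmp")" = "$before" ]; then
        rm -f -- "$tmp"
        return 1
    fi
    if cp -- "$tmp" "$target"; then
        rm -f -- "$tmp"
        return 0
    fi
    # Copy-back failed: warn and keep the edited copy, as the man page says.
    echo "unable to update $target; edits kept in $tmp" >&2
    return 2
}
```

Because the target is written once, after the editor exits, a file watcher on the real path sees at most one change per editing session.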