sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

Cannot find/change keybindings for visudo on Rhino Linux #382

Open iconoclasthero opened 4 weeks ago

iconoclasthero commented 4 weeks ago

visudo on my Ubuntu 22.04 uses default nano keybindings. On Rhino Linux it uses some alien keybindings I am unable to find... so instead of exiting, ^X now deletes lines. Instead of page down, I have no idea wtf ^V does.

I really need to get to the bottom of this.

iconoclasthero commented 4 weeks ago

You would think, based on looking at man visudo, that simply

sudo su
SUDO_EDITOR="nano --rcfile /etc/nanorc"
EDITOR="nano --rcfile /etc/nanorc"
VISUAL="nano --rcfile /etc/nanorc"
visudo
^D

would be sufficient to force the standard keybindings on visudo.

millert commented 4 weeks ago

If you are running sudo visudo, you probably need to add:

Defaults env_keep += "SUDO_EDITOR EDITOR VISUAL"

to your sudoers file to preserve those environment variables. If you only want to preserve them for visudo itself you can do something like

Defaults!/usr/sbin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"

iconoclasthero commented 4 weeks ago

I have to say that experiencing the visual stimulus of a pine/pico cum nano screen with decades of muscle memory while my fingers no longer do what they are supposed to is a uniquely disturbing experience. Probably what a stroke feels like...

From your comments above, I noted this line after I called $ echo $EDITOR; read -rp;sudo visudo

/usr/bin/nano
⋮
# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"

Removing the # on defaults allows for the editor to be accepted. There's another setting somewhere because it isn't uncommented in Ubuntu 22.04, but the normal nano keybindings are respected.

As far as it goes, that solves my immediate problem. There are several additional topics here that might or might not be worth considering.

1) The snippet from sudoers says "This allows running arbitrary commands..." which I suppose might be an issue if someone else can run visudo on my system... at which point I doubt this will be my biggest concern. That said, is there some way to limit this by user as I do with individual commands? (Since I figured out that this exists, I just add single commands as I have to call them with sudo and no longer wish to do so, add alias, etc.) (How is this even possible? Using ^T from within nano doesn't, e.g., change permissions on things root owns...)

2) In trying to get this to work, I assumed root with sudo su and then set the environmental variables and ran visudo as root (i.e., not sudo visudo as a user in sudo group). This obviates the need for sudo -E <command> which failed:

$ sudo -E \visudo
sudo: sorry, you are not allowed to preserve the environment

Again, my assumption was that all I needed to do was to set root's EDITOR, etc., and it would work. Also, I'm starting to get the feeling that the reason that sudo said "sorry" is because of the sudoers env_keep/env_reset settings.

3) Why did I make this assumption?

       There are two sudoers settings that determine which editor visudo will run.

       editor      A colon (‘:’) separated list of editors allowed to be used with visudo.  visudo will
                   choose the editor that matches the user's SUDO_EDITOR, VISUAL, or EDITOR environment
                   variable if possible, or the first editor in the list that exists and is executable.
                   sudo does not preserve the SUDO_EDITOR, VISUAL, or EDITOR environment variables
                   unless they are present in the env_keep list or the env_reset option is disabled in
                   the sudoers file.  The default editor path is /usr/bin/editor which can be set at
                   compile time via the --with-editor configure option.

       env_editor  If set, visudo will use the value of the SUDO_EDITOR, VISUAL, or EDITOR environment
                   variables before falling back on the default editor list.  visudo is typically run as
                   root so this option may allow a user with visudo privileges to run arbitrary commands
                   as root without logging.  An alternative is to place a colon-separated list of “safe”
                   editors in the editor variable.  visudo will then only use SUDO_EDITOR, VISUAL, or
                   EDITOR if they match a value specified in editor.  If the env_reset flag is enabled,
                   the SUDO_EDITOR, VISUAL, and/or EDITOR environment variables must be present in the
                   env_keep list for the env_editor flag to function when visudo is invoked via sudo.
                   The default value is on, which can be set at compile time via the --with-env-editor
                   configure option.

Honestly, I only now understand what the sentence "sudo does not preserve the SUDO_EDITOR, VISUAL, or EDITOR environment variables unless they are present in the env_keep list or the env_reset option is disabled in the sudoers file." means. Perhaps adding, e.g., "and thus command line options will not be respected without first using visudo to edit sudoers and then you'll be able to use the EDITOR you actually specified as described immediately above..." or not burying the lead that you can't use these options without first, circularly, fixing the file you're actually trying to edit.

I'm not sure how it actually interacts with root since it is not working as I expect when I'm root.

$ sudo su
# EDITOR="$(which nano|tail -1) --rcfile /etc/nanorc"; VISUAL="$EDITOR"; SUDO_EDITOR="$EDITOR"; visudo

In this case there's no sudo being called so no environmental variables to preserve or ignore so it should use the nanorc file specified, but the alien* key bindings are present. (by the way, my user nano is aliased: 'alias nano='nano --rcfile /etc/nano' so I expect that root using the same nanorc file will result in the same keybindings, i.e., what happens with # nano --rcfile /etc/nanorc)

  1. I removed the comment on the sudoers line: Defaults:%sudo env_keep += "EDITOR" and when I run $ visudo (aliased alias visudo='sudo visudo') I get the keybindings I expect. Oddly, and of little consequence since I will rarely, if ever, be running visudo as root, if I:
    $ sudo su
    # EDITOR="$(which nano|tail -1) --rcfile /etc/nanorc"; VISUAL="$EDITOR"; SUDO_EDITOR="$EDITOR"; visudo

    I end up with the alien keybindings which I now see are probably this list from /etc/nanorc:

    ## If you would like nano to have keybindings that are more "usual",
    ## such as ^O for Open, ^F for Find, ^H for Help, and ^Q for Quit,
    ## then uncomment these:
    #bind ^X cut main
    #bind ^C copy main
    #bind ^V paste all
    #bind ^Q exit all
    #bind ^S savefile main
    #bind ^W writeout main
    #bind ^O insert main
    #set multibuffer
    #bind ^H help all
    #bind ^H exit help
    #bind ^F whereis all
    #bind ^G findnext all
    #bind ^B wherewas all
    #bind ^D findprevious all
    #bind ^R replace main
    #bind ^Z undo main
    #bind ^Y redo main
    #unbind ^K main
    #unbind ^U all
    #unbind ^N main
    #unbind ^Y all
    #unbind M-J main
    #unbind M-T main
    #bind ^A mark main
    #bind ^P location main
    #bind ^T gotoline main
    #bind ^T gotodir browser
    #bind ^T cutrestoffile execute
    #bind ^L linter execute
    #bind ^E execute main

But I can't find anywhere where there's a nanorc file with those uncommented. There's no *nanorc in ~, # find /root -iname "*nanorc" turned up /root/.nanorc, but, e.g.,

# \grep -E '\^X|\^O' /root/.nanorc ;  \grep -E '\^X|\^O' /etc/nanorc
## such as ^O for Open, ^F for Find, ^H for Help, and ^Q for Quit,
#bind ^X cut main
#bind ^O insert main
## such as ^O for Open, ^F for Find, ^H for Help, and ^Q for Quit,
#bind ^X cut main
#bind ^O insert main

So, there's no reason that when I run # EDITOR="nano --rcfile /etc/nanorc" visudo I think I should get the alien keybindings, but that's the result.

On Mon, Jun 10, 2024 at 9:30 AM Todd C. Miller @.***> wrote:

If you are running sudo visudo, you probably need to add:

Defaults env_keep += "SUDO_EDITOR EDITOR VISUAL"

to your sudoers file to preserve those environment variables. If you only want to preserve them for visudo itself you can do something like

Defaults!/usr/sbin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"

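Added example (not written by anyone in this thread and not from the sudo project): a sudoers fragment that puts the distribution's broad env_keep line beside narrower alternatives, using only the settings quoted in the thread and in the visudo manual excerpt above. The drop-in file name and the user name alice are assumptions; the editor paths are the ones that appear in the thread.

```sudoers
# Constructed example for a drop-in such as /etc/sudoers.d/visudo-editor
# (hypothetical file name). Edit it with `visudo -f <file>` so the syntax
# is checked before the file is installed.

# Broad form (the distribution's commented-out line): every member of the
# sudo group keeps EDITOR for every command run through sudo.
#Defaults:%sudo env_keep += "EDITOR"

# Per-user form: only this one account keeps EDITOR ("alice" is a placeholder).
#Defaults:alice env_keep += "EDITOR"

# Per-command form from the maintainer's reply: the editor variables are
# kept only when the command being run is visudo.
Defaults!/usr/sbin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"

# Allow-list instead of trusting the variables outright. With env_editor
# off, visudo uses SUDO_EDITOR, VISUAL or EDITOR only when the value
# matches an entry in "editor"; otherwise it falls back to the first
# editor in the list that exists and is executable.
Defaults !env_editor
Defaults editor="/usr/bin/nano:/usr/bin/editor"
```

The per-command env_keep line controls whether the variables reach visudo at all; the last two lines control what visudo will accept from them once they arrive.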