--with-editor=PATH
Specify the default editor path for use by visudo. This may be a
single path name or a colon-separated list of editors. In the latter
- case, visudo will choose the editor that matches the user's VISUAL
- or EDITOR environment variables or the first editor in the list that
- exists. The default is the path to vi on your system.
+ case, visudo will choose the editor that matches the user's SUDO_EDITOR,
+ VISUAL or EDITOR environment variable, or the first editor in the list
+ that exists. The default is the path to vi on your system.
Sudoers option: editor
--with-env-editor
- Makes visudo consult the VISUAL and EDITOR environment variables before
- falling back on the default editor list (as specified by --with-editor).
- Note that this may create a security hole as it allows the user to
- run any arbitrary command as root without logging. A safer alternative
- is to use a colon-separated list of editors with the --with-editor
- option. visudo will then only use the VISUAL or EDITOR variables
+ Makes visudo consult the SUDO_EDITOR, VISUAL and EDITOR environment
+ variables before falling back on the default editor list (as specified
+ by --with-editor). Note that visudo is typically run as root so this
+ option may allow a user with visudo privileges to run arbitrary
+ commands as root without logging. An alternative is to use a
+ colon-separated list of "safe" editors with the --with-editor option.
+ visudo will then only use the SUDO_EDITOR, VISUAL or EDITOR variables
if they match a value specified via --with-editor.
Sudoers option: env_editor
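Review bot: The added --with-env-editor text puts "safe" in quotation marks but never says what makes an editor safe, so an administrator has no criterion for building the --with-editor list. Since the risk stated two lines earlier is running arbitrary commands as root without logging, consider adding a clause that the listed editors should not be able to start a shell or other commands. In the --with-editor paragraph, "SUDO_EDITOR, VISUAL or EDITOR" reads like a precedence order; say explicitly whether it is one.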
env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the SUDO_EDITOR,
VISUAL or EDITOR environment variables before falling
- back on the default editor list. Note that this may
- create a security hole as it allows the user to run any
- arbitrary command as root without logging. A safer
- alternative is to place a colon-separated list of
- editors in the _\be_\bd_\bi_\bt_\bo_\br variable. v\bvi\bis\bsu\bud\bdo\bo will then only
- use SUDO_EDITOR, VISUAL or EDITOR if they match a value
- specified in _\be_\bd_\bi_\bt_\bo_\br. If the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt flag is enabled,
- the SUDO_EDITOR, VISUAL and/or EDITOR environment
- variables must be present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list for the
- _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br flag to function when v\bvi\bis\bsu\bud\bdo\bo is invoked via
- s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
+ back on the default editor list. Note that v\bvi\bis\bsu\bud\bdo\bo is
+ typically run as root so this option may allow a user
+ with v\bvi\bis\bsu\bud\bdo\bo privileges to run arbitrary commands as
+ root without logging. An alternative is to place a
+ colon-separated list of "safe" editors int the _\be_\bd_\bi_\bt_\bo_\br
+ variable. v\bvi\bis\bsu\bud\bdo\bo will then only use SUDO_EDITOR,
+ VISUAL or EDITOR if they match a value specified in
+ _\be_\bd_\bi_\bt_\bo_\br. If the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt flag is enabled, the
+ SUDO_EDITOR, VISUAL and/or EDITOR environment variables
+ must be present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list for the _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br
+ flag to function when v\bvi\bis\bsu\bud\bdo\bo is invoked via s\bsu\bud\bdo\bo. This
+ flag is _\bo_\bf_\bf by default.
env_reset If set, s\bsu\bud\bdo\bo will run the command in a minimal
environment containing the TERM, PATH, HOME, MAIL,
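Review bot: Typo on the added line `colon-separated list of "safe" editors int the`: "int" should be "in". The removed text had "editors in the", so the misspelling is new with this change, and it recurs in the other copies of this paragraph later in the patch.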
or
\fREDITOR\fR
environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging.
-A safer alternative is to place a colon-separated list of editors
-in the
+Note that
+\fBvisudo\fR
+is typically run as root so this option may allow a user with
+\fBvisudo\fR
+privileges to run arbitrary commands as root without logging.
+An alternative is to place a colon-separated list of
+\(lqsafe\(rq
+editors int the
\fIeditor\fR
variable.
\fBvisudo\fR
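Review bot: `+editors int the` should be `editors in the`; the removed line it replaces read `-in the`. Worth fixing before the `\fIeditor\fR` reference so the sentence reads "editors in the editor variable".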
or
.Ev EDITOR
environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging.
-A safer alternative is to place a colon-separated list of editors
-in the
+Note that
+.Nm visudo
+is typically run as root so this option may allow a user with
+.Nm visudo
+privileges to run arbitrary commands as root without logging.
+An alternative is to place a colon-separated list of
+.Dq safe
+editors int the
.Em editor
variable.
.Nm visudo
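Review bot: Same misspelling in this macro version: `+editors int the` ahead of `.Em editor` should be `editors in the`. The `.Dq safe` wording also leaves "safe" undefined; a short clause on what qualifies an editor for the list would help readers of this entry.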
env_editor
If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the SUDO_EDITOR, VISUAL or
EDITOR environment variables before falling back on the default
- editor list. Note that this may create a security hole as it
- allows the user to run any arbitrary command as root without
- logging. A safer alternative is to place a colon-separated
- list of editors in the _\be_\bd_\bi_\bt_\bo_\br variable. v\bvi\bis\bsu\bud\bdo\bo will then only
- use SUDO_EDITOR, VISUAL or EDITOR if they match a value
- specified in _\be_\bd_\bi_\bt_\bo_\br. If the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt flag is enabled, the
- SUDO_EDITOR, VISUAL and/or EDITOR environment variables must be
- present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list for the _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br flag to
- function when v\bvi\bis\bsu\bud\bdo\bo is invoked via s\bsu\bud\bdo\bo. The default value is
- _\bo_\bf_\bf, which can be set at compile time via the --with-env-editor
- configure option.
+ editor list. Note that v\bvi\bis\bsu\bud\bdo\bo is typically run as root so this
+ option may allow a user with v\bvi\bis\bsu\bud\bdo\bo privileges to run arbitrary
+ commands as root without logging. An alternative is to place a
+ colon-separated list of "safe" editors int the _\be_\bd_\bi_\bt_\bo_\br variable.
+ v\bvi\bis\bsu\bud\bdo\bo will then only use SUDO_EDITOR, VISUAL or EDITOR if they
+ match a value specified in _\be_\bd_\bi_\bt_\bo_\br. If the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt flag is
+ enabled, the SUDO_EDITOR, VISUAL and/or EDITOR environment
+ variables must be present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list for the
+ _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br flag to function when v\bvi\bis\bsu\bud\bdo\bo is invoked via s\bsu\bud\bdo\bo.
+ The default value is _\bo_\bf_\bf, which can be set at compile time via
+ the --with-env-editor configure option.
The options are as follows:
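Review bot: The added line `colon-separated list of "safe" editors int the` carries the "int" for "in" typo here as well. Everything else in the rewrapped paragraph matches the removed text apart from the reworded warning, so this is the only correction needed in this hunk.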
or
\fREDITOR\fR
environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging.
-A safer alternative is to place a colon-separated list of editors
-in the
+Note that
+\fBvisudo\fR
+is typically run as root so this option may allow a user with
+\fBvisudo\fR
+privileges to run arbitrary commands as root without logging.
+An alternative is to place a colon-separated list of
+\(lqsafe\(rq
+editors int the
\fIeditor\fR
variable.
\fBvisudo\fR
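Review bot: `+editors int the` should be `editors in the`, as in the `-in the` line it replaces.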
or
.Ev EDITOR
environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging.
-A safer alternative is to place a colon-separated list of editors
-in the
+Note that
+.Nm visudo
+is typically run as root so this option may allow a user with
+.Nm visudo
+privileges to run arbitrary commands as root without logging.
+An alternative is to place a colon-separated list of
+.Dq safe
+editors int the
.Em editor
variable.
.Nm
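Review bot: Style inconsistency in the added lines: they use `.Nm visudo` twice, while the trailing context line of this hunk uses bare `.Nm` for the same name. Pick one form for this file, most simply bare `.Nm` to match the surrounding text. Also fix `+editors int the` to `editors in the`.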