Explaining the sudo crapfest

Some of you might have noticed that I’ve been attacked in the past few days over a feature change bug (now unrestricted so you all can judge it for what it was) with sudo.

Let’s try to explain what the problem seems to have been with that bug: the sudo ebuild, since a long time ago, when it was maintained by Tavis Ormandy (taviso, of, among other things, ocert fame), changed the default editor used to nano. The reasoning for this is that you have to have a valid default editor in sudo, and that, after all, is what we ship in the stage3 as default editor, and what OpenRC sets as default editor if the user sets nothing else. I kept the same setting because, well, I could see the point in it; and I’m not a nano user, I don’t have a single nano executable on my main running systems: I use GNU Emacs for all my “heavy” editing, and zile (of which I’m a minuscule contributor from time to time) for the smaller stuff.

This is just the default editor used by sudo, but by no definition the only one. Indeed it’s mostly used in two places: visudo and sudoedit. The former, respects the EDITOR variable, with the usual rules, so if your root user has the EDITOR variable set to anything it’ll be used (this is also not a default, we pass explicitly the --with-env-editor option at ./configure); the only place where it’s not used, by default that is, is if you invoke sudo visudo, but not because we set the default to nano, but rather because sudo by default resets the environment. For what concerns sudoedit, it honours the EDITOR variable by default without us doing anything about it.

Why did we ask sudo to explicitly honour the EDITOR variable? Isn’t that unsafe? Well, not really. First of all, sudoedit is a special command that takes care of allowing an user to edit a file without running anything as root user, so the EDITOR will always be fired up with the same permission as the user running it (pretty cool stuff); and for what concerns visudo… if you allow an user to run visudo, they can easily set up their user to do anything at all, so the permission under which EDITOR runs is pretty much moot.

So why did I refuse to use the EDITOR variable in the ebuild? Well the reason is that I hate that particular dirty hack (because a dirty hack it is). Other ebuilds, like fcron, have been doing it, and I don’t like its use there either. The reason is that it makes package building relying on a variable that is not by default saved anywhere, and that might not really be the same between the build and host machines (just as a further example, I have different EDITOR settings between root and my user… if I were to build sudo right now, with solar’s changes, with my usual method – sudo emerge with env_keep – I would get a build error: EDITOR="emacsclient -c"). If this is really a big concern, the proper solution is to have a proper virtual implementation of the editor: a /usr/libexec/gentoo-editor script that accepts just one parameter (a filename) and relies the call to the currently-selected editor via the EDITOR environment variable. Something like this:


if [ $# != 1 ]; then
    echo "$0 accepts exactly one parameter." >/dev/stderr
    return 1

if [ "x$EDITOR" = "x" ]; then
    echo "The EDITOR variable must be set." >/dev/stderr
    return 1

exec "$EDITOR" "$1"

Note: I wrote this snippet right at my blog, I haven’t tested, checked, re-read it at all.

This would allow ebuilds to properly set a default (or even a forced default!) in their configuration stages, without getting in the way of users’ choices.

Now, this is going to require a bit of work; the reason for that is that you have to make sure that it works standalone, that it works with the packages that would like to use it, and most likely you want to make available a “safe-editor” script as well, to enable eventual safe modes where shell-escape (as well as opening random files) is disabled, for those applications that do open the editor as a different user. Since I have never seen much point in pushing this further (I have a long TODO list of stuff much more important for QA, Gentoo and users as a whole), I haven’t done anything about it before, and I didn’t want to start that. But hey if somebody wanted to contribute it, I would have been the first one making use of it.

Now, how much in the way of users I have been by passing --with-editor=/bin/nano in the ebuild? I would sincerely say very little. Do you want to change the default at build time? Take your “How Gentoo Works” handbook out and look up in the index the topic EXTRA_ECONF. It’s a variable. It allows you to pass further options to econf. Options to ./configure (which is what econf wraps around) are positional: the last one passed is the one that “wins”.

Too much work to use EXTRA_ECONF each time you merge sudo?

# mkdir -p /etc/portage/env/app-admin
# echo 'EXTRA_ECONF='$EXTRA_ECONF --with-editor="${EDITOR}"'' >> /etc/portage/env/app-admin/sudo

It really isn’t that dificult, is it?

And what really ticked me off is users, which, as precious as they are, are still just users (in this case not even a well-known power user) telling me what the “Gentoo way” is… I think I know pretty well the Gentoo way, given I’ve been a major developer for the most part of the past five years, I’m one of those trying his best to keep everything up to date and maintained, I’m the one who’s running his own workstation to make sure that Gentoo packages do build out of the box.