by dotancohen 1664 days ago

  > Aside from forcing vim onto innocent users?
Actually, `sudo -e` forces VIM onto innocent users. You are free to `sudo nano` if that's your preference.

  > `sudo -e` runs a few file copies / move as root.
Interesting, thank you, I did not know that the editor is not run as root with -e. So presumably that means that it will have my environment, e.g. will run my .vimrc? Though that could be an attack vector too.
1 comments

> Actually, `sudo -e` forces VIM onto innocent users

No, it does not. It runs whatever EDITOR is set to (technically the first set of SUDO_EDITOR, VISUAL, and EDITOR).

> So presumably that means that it will have my environment, e.g. will run my .vimrc?

That is correct.

> Though that could be an attack vector too.

Only on the specific file, which would usually be a lot more noticeable unless the attack specifically manages to recognise and target sudoedited files while closing the buffer.

  > Only on the specific file, which would usually be a lot more
  > noticeable unless the attack specifically manages to recognise
  > and target sudoedited files while closing the buffer.
I've seen far more sophisticated attacks than that. Though vimscript itself is kind of a barrier to entry ))
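
The flow discussed in this thread, sketched as an added example that is not part of any comment and is not sudo's own code: the editor is chosen from SUDO_EDITOR, VISUAL, EDITOR and runs unprivileged on a temporary copy, with only the copy steps done as root. The function names, the `vi` fallback, the treatment of an empty variable as unset, and the stand-in editor script are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the flow discussed in the thread. No privileges are used:
# the two copies that sudo performs as root are plain cp here. Names are hypothetical.

# First non-empty of SUDO_EDITOR, VISUAL, EDITOR (the order given in the thread).
# Assumption: fall back to "vi"; the real default comes from the sudoers configuration.
pick_editor() {
    for candidate in "${SUDO_EDITOR:-}" "${VISUAL:-}" "${EDITOR:-}"; do
        if [ -n "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf 'vi\n'
}

# edit_via_copy TARGET: edit a temporary copy, write back only if it changed.
# Prints "changed" or "unchanged".
edit_via_copy() {
    target=$1
    editor=$(pick_editor)
    tmp=$(mktemp) || return 1
    cp -- "$target" "$tmp"          # copy out: done as root by sudo
    # The editor runs as the invoking user, with that user's environment and
    # editor config. Unquoted on purpose: the value may carry arguments.
    if ! $editor "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    if cmp -s -- "$target" "$tmp"; then
        result=unchanged
    else
        cp -- "$tmp" "$target"      # copy back: done as root by sudo
        result=changed
    fi
    rm -f -- "$tmp"
    printf '%s\n' "$result"
}

# Constructed demo: a stand-in "editor" script appends one line, so nothing interactive runs.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'original line\n' > "$dir/target"
    printf 'echo "# edited" >> "$1"\n' > "$dir/fake-editor"
    ( SUDO_EDITOR=; VISUAL="sh $dir/fake-editor"; EDITOR=true; edit_via_copy "$dir/target" )
    rm -rf -- "$dir"
}
demo
```

Because the editor process only ever touches the temporary copy, anything loaded from the user's editor configuration acts with the user's privileges and can influence the target only through the content that is copied back.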