Hacker News new | ask | show | jobs
by masklinn 1670 days ago
> Actually, `sudo -e` forces VIM onto innocent users

No, it does not. It runs whatever EDITOR is set to (technically the first set of SUDO_EDITOR, VISUAL, and EDITOR).

> So presumably that means that it will have my environment, e.g. will run my .vimrc?

That is correct.

> Though that could be an attack vector too.

Only on the specific file, which would usually be a lot more noticeable unless the attack specifically manages to recognise and target sudoedited files while closing the buffer.
1 comments
dotancohen 1670 days ago 

  > Only on the specific file, which would usually be a lot more
  > noticeable unless the attack specifically manages to recognise
 > and target sudoedited files while closing the buffer.
I've seen far more sophisticated attacks than that. Though vimscript itself is kind of a barrier to entry ))
link