[eklitzke]

Sudo basically has an ACL-like system where you can specify exactly which users/groups can execute which commands as root. So you can say user foo can execute commands X, Y, and Z as root and user bar can execute commands W, Y, and Z as root, and neither user can use sudo to execute any other command as root. The ACL system isn't for sudoedit specifically, it's a general feature of sudo.

As to why you can't just update access privileges of the file, for most use cases you probably could do that. If you need something more complicated though you'll have to use some terrible ACL implementation like the one in sudo or Posix file ACLs.

[mananaysiempre]

I recently got to reading the POSIX.1e (MAC & DAC) draft, and the DAC = ACL part is... surprisingly non-terrible. Still awkward and hampered by its existence as barely-visible metadata smeared over the whole system, as all ACLs are, but not at all the hopeless mess I expected coming from NT. (Even that might’ve been salvageable had Microsoft been willing to publish full documentation of all NT object permissions and mechanisms. Except SDDL, there is no world in which SDDL is salvageable.) Couldn’t make heads or tails of the MAC part, though.

The /etc/sudoers solution does have a usability advantage precisely in not being smeared all over the system. Even if “/etc/sudoers” and “usability” are words not often seen inside a single sentence.

[Zurrrrr]

> smeared all over the system

I mean, ACL data is normally stored in filesysem metadata, nothing is 'smeared'.

[mananaysiempre]

If you as an administrator want to see where you have granted additional funny permissions, with ACLs your only recourse is to getfacl everything on the filesystem, whereas with sudo everything is listed in /etc/sudoers and classically the group membership in /etc/passwd gives you a pretty good idea. I don’t know if that’s a reasonable thing to want, actually, but it is one that makes me mildly unconfortable with ACL systems in general.