I’ve seen this configuration in /etc/sudoers before, but I wanted to explain a little more about why it is not a good idea to do this. First of all, you are editing your sudoers file with visudo, right? (RIGHT?!) If not, you should be. The reason is that when you use visudo, it does a syntax check on the /etc/sudoers file before committing. If you have it bunked up, it will let you know, and will allow you to fix the problem before you commit (you always want to fix before you commit). If you simply edit the /etc/sudoers file, bunk up the syntax, and commit it anyway, there’s a good chance that NONE of your sudo config will work.

Now, let's get on with putting /usr/bin/vim in the sudoers file. I can see why one would do this: perhaps you have web admins that don’t use a code repository and simply make backups on the dev box and edit the configs on the machine. Probably not the best idea, but it happens every day. You likely have a group in /etc/group called something like “webdevs” populated with the names of your web developer accounts:

webdevs:x:599:jsmith,plawrence,ljames,mpayne

Thus, your sudoers file might have a line in it that is similar to (this assumes you have a host alias for the development web servers set to DEVWEB):

%webdevs DEVWEB = /usr/bin/vim /docroot/index.html

This seems like an innocent thing right? I mean, how much damage can they do? You’ve locked them down to just being able to edit the index.html file in /docroot, right?

WRONG!

The funny thing about vim is that you can press the escape key, then type:

:shell

And it will drop you to a shell. When vim is run under sudo, it’s not just any shell, it’s a root shell. Now everyone in your webdevs group can get a root shell!

So, how do we fix this? Well, we use the program “/usr/bin/sudoedit” in place of /usr/bin/vim. sudoedit copies the target file to a temporary location, runs your editor as your own unprivileged user, and copies the result back into place once you save. Now, if the user tries the same :shell trick, it drops them to a non-elevated shell.
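Finding rules like the one above is easier with a quick audit than by reading the file by hand. The script below is an added example, not part of the original post: it scans sudoers text for rules that hand out vim or vi and prints the sudoedit rule that should replace each one. It assumes one rule per line with no backslash continuations, does not expand User_Alias/Cmnd_Alias definitions, and uses constructed sample sudoers content as its input.

```shell
#!/bin/sh
# Audit helper added to this post (not the author's code): list sudoers rules
# that grant vim/vi under sudo and print the sudoedit rule to replace each one.
# Assumes one rule per line, no "\" continuations; *_Alias lines are skipped.

# Constructed sample sudoers content used as input below (not a real file).
SAMPLE_SUDOERS='# sample sudoers
Defaults env_reset
root ALL=(ALL) ALL
%webdevs DEVWEB = /usr/bin/vim /docroot/index.html
%webdevs DEVWEB = sudoedit /docroot/index.html
jsmith ALL = NOPASSWD: /usr/bin/vi /etc/motd'

# audit_sudoers SUDOERS_TEXT   (pass "$(cat /etc/sudoers)" for a live check)
# Prints one line per offending rule:  <rule> => <suggested rule>
# Tags such as NOPASSWD: are dropped from the suggestion; re-add as needed.
audit_sudoers() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/                { next }   # comment lines
    /^[[:space:]]*$/                { next }   # blank lines
    /^[[:space:]]*Defaults/         { next }   # option lines, not rules
    /^[[:space:]]*[A-Za-z_]+_Alias/ { next }   # alias definitions (not expanded)
    {
      eq = index($0, "=")                      # "User Host = commands"
      if (eq == 0) next
      lhs = substr($0, 1, eq - 1)
      n = split(substr($0, eq + 1), cmds, ",") # several commands per rule
      for (i = 1; i <= n; i++) {
        cmd = cmds[i]
        sub(/^[[:space:]]+/, "", cmd); sub(/[[:space:]]+$/, "", cmd)
        sub(/^\([^)]*\)[[:space:]]*/, "", cmd)           # drop "(runas)" spec
        while (cmd ~ /^[A-Z_]+:[[:space:]]*/)            # drop NOPASSWD: etc.
          sub(/^[A-Z_]+:[[:space:]]*/, "", cmd)
        split(cmd, w, /[[:space:]]+/)
        if (w[1] ~ /(^|\/)vim?$/) {                      # vim or vi, any path
          args = substr(cmd, length(w[1]) + 1)
          sub(/^[[:space:]]+/, "", args)
          printf "%s => %s= sudoedit %s\n", $0, lhs, args
        }
      }
    }'
}

# Number of offending rules, handy for a pass/fail check in a cron job.
count_findings() { audit_sudoers "$1" | grep -c .; }

audit_sudoers "$SAMPLE_SUDOERS"
```

After rewriting a flagged rule, run `visudo -c` so the syntax check from the top of this post still happens before the change goes live.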

tl;dr: