- Users can have specific, limited set of root privileges without having the entire set of root privileges.
- Users use their own password, so the root password doesn't have to be shared. If a user's sudo privileges are revoked, the root password doesn't have to be reset.
- Each use of sudo is audited per user, so that each time sudo privileges are invoked, there is an event in the system logs that identifies the specific user and the command they ran.
So, what if you want to make changes to a system file via a script, and the only access you have to the file is via sudoedit? It isn't useful to have the script call sudoedit and then bring up vi for you to manually make the changes.
Well, the way sudoedit works, is that sudo makes a temporary copy of the file you want to edit, then calls your default editor, giving it the name of the temp file as the first argument. So, say your default editor is "fooedit". You run "sudoedit /etc/systemfile" and sudo makes a copy of /etc/systemfile to /tmp then runs "fooedit /tmp/tempfile". Your changes are saved to the temp file. When your editor exits, sudo copies the temp file over the original, and then removes the temp file.
From your main script, stage the pre-edited version of the system file, then set your default editor to a custom script that will copy that staged file over the temp file. When it exits, sudo will copy the temp file into place as normal.
Your script would go like this:
#!/bin/sh
export EDITOR="/bin/sh ./editor.sh";
PRE_STAGE=/tmp/stage.tmp;
echo "my new config"> $PRE_STAGE;
sudoedit /etc/config;
/bin/rm $PRE_STAGE;
exit;
Your custom script would look like:
#!/bin/sh
CAT=/bin/cat
PRE_STAGE="/tmp/stage.tmp"
$CAT $PRE_STAGE > "$1";
exit;
This script just cats your pre-staged file over whatever sudo passed in as the first argument ($1).
The only interaction you'll have to do is type your password for sudo, if you haven't already done so in the last few minutes (sudo temporarily remembers your authentication).
