On 11/14/21 20:44, tempforever wrote:
> Lars Noodén via Dng wrote:
[snip]
>> On 11/8/21 05:12, tempforever wrote:
> You say that sudoedit will run the editor itself under the unprivileged
> account; however, it appears it does run as root:
[snip]
Yes, I say that, but I got it from the manual page, which is much more
authoritative. It goes through the steps:
    1.  Temporary copies are made of the files to be edited with the
        owner set to the invoking user.
    2.  The editor specified by the policy is run to edit the temporary
        files.  The sudoers policy uses the SUDO_EDITOR, VISUAL and
        EDITOR environment variables (in that order).  If none of
        SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed
        in the editor sudoers(5) option is used.
    3.  If they have been modified, the temporary files are copied back
        to their original location and the temporary versions are
        removed.
sudoedit is running as root there, but it is not itself an editor.
You can verify for yourself that the editor runs under the unprivileged
account. Here is an example of using sudoedit to fire up Geany:
$ EDITOR=geany sudoedit /etc/group &
$ ps -p $(pgrep -d , 'sudoedit|geany') -o user,pid,ppid,args
USER       PID    PPID COMMAND
root    221381  221316 sudoedit /etc/group
lars    221382  221381 geany /var/tmp/group.XXm6gNkW
As you see, sudoedit is a wrapper which supervises the editor and a
temporary file.
/Lars
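The split that listing shows (a root sudoedit supervising an editor that runs as the invoking user) is the property worth verifying on any host, because it is what keeps an editor's shell escape or plugin from running as root. The script below is an added example, not part of Lars's post and not code from sudo: it turns the ps check above into a function that parses a `ps -o user,pid,ppid,args` listing and fails if any child of a sudoedit process is root or is not the invoking user. Both listings are constructed (the good one copies the PIDs from the post), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the post or from sudo: check that the editor
# spawned by sudoedit runs as the invoking user rather than as root.

# Constructed listing in `ps -o user,pid,ppid,args` layout, copied from the
# post; the PIDs are the post's, not live values.
GOOD_PS='USER PID PPID COMMAND
root 221381 221316 sudoedit /etc/group
lars 221382 221381 geany /var/tmp/group.XXm6gNkW'

# Constructed counter-example: what a broken setup would look like, with the
# editor itself running as root directly on the real file.
BAD_PS='USER PID PPID COMMAND
root 1000 999 sudoedit /etc/group
root 1001 1000 vi /etc/group'

# check_sudoedit_split LISTING INVOKER
# Succeeds (exit 0) only if every sudoedit process in LISTING runs as root
# and every child of a sudoedit process runs as INVOKER; fails (exit 1) if
# a child is root or some other user, or if no editor child is found at all.
# Assumes the first field is the user and the fourth is the command name,
# i.e. the column order of the ps invocation in the post.
check_sudoedit_split() {
    printf '%s\n' "$1" | awk -v invoker="$2" '
        NR == 1 { next }                      # header line
        {
            user[$2] = $1; ppid[$2] = $3
            if ($4 ~ /(^|\/)sudoedit$/) is_sudoedit[$2] = 1
        }
        END {
            bad = 0; children = 0
            for (p in is_sudoedit)
                if (user[p] != "root") bad++  # the wrapper itself must be root
            for (p in user) {
                if (p in is_sudoedit) continue
                if (!(ppid[p] in is_sudoedit)) continue
                children++                    # an editor started by sudoedit
                if (user[p] == "root" || user[p] != invoker) bad++
            }
            status = (bad == 0 && children > 0) ? 0 : 1
            exit status
        }'
}

# live_check INVOKER: the same check against the running system, after
# starting the editor as in the post, e.g. `EDITOR=geany sudoedit /etc/group &`.
live_check() {
    pids=$(pgrep -d , 'sudoedit|geany') || return 1
    check_sudoedit_split "$(ps -p "$pids" -o user,pid,ppid,args)" "$1"
}

# Self-check on the constructed listings.
check_sudoedit_split "$GOOD_PS" lars && echo "post's listing: editor runs unprivileged"
check_sudoedit_split "$BAD_PS" lars || echo "counter-example: editor runs as root (rejected)"
```

The pgrep pattern in live_check follows the post and so only matches geany; substitute whatever SUDO_EDITOR, VISUAL or EDITOR you set. The match on the command name also assumes sudoedit was invoked by that name, as in the post; the equivalent `sudo -e` shows up as `sudo` in the args column and would need the pattern widened.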