Do not use "sudo" with vim for security reasons

[thomasmerz]

Use sudoedit for security reasons in

bash-it/aliases/available/general.aliases.bash

Line 74 in 2ef5d48

# sudo editors

because sudo vim gives users a root shell by executing arbitrary shell commands.

PR will follow…

[gaelicWizard]

I would definitely prefer to use the most correct tool for the job, but it doesn't seem like this is a vulnerability anywhere except a specially configured sudoers environment. If the user can already sudo then what happens after that is not a vulnerability.

I left a review on the PR asking for some logic to deal with not having a sudoedit binary on the system.

[thomasmerz]

If a user already can do sudo everything, than I fully agree. But if a user is only allowed to sudo vim (any file) he/she/it can get a root-shell but normally this is not intended by allowing users editing all files. At home I'm fine that my user can sudo everything. But would never allow any non-root-granted person than me sudo vim.

[tbhaxor]

I agree with @gaelicWizard, this is not a vulnerability but a misconfiguration I would say. We can have shell set to /bin/false, but it is mostly required on the servers.

We can also run vim with -Z flag, it will restrict executing shell commands.

[cornfeedhobo]

Instead, I vote we remove any customizations and/or tools that require sudo, most especially, not in the general aliases.