scaffolding for sudoedit (note: this does not compile and is not supposed to)

squell · squell · commit e20a1f1b24fa · 2025-07-01T15:03:46.000+02:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -55,6 +55,10 @@ dev = []
 # compilation using "cargo --all-features", which should not be used on sudo-rs
 do-not-use-all-features = []
 
+# whether to enable 'sudoedit' (this will become a default feature, or
+# perhaps we can just remove the feature flag altogether)
+sudoedit = []
+
 [profile.release]
 strip = "symbols"
 lto = true
diff --git a/src/sudo/cli/mod.rs b/src/sudo/cli/mod.rs
@@ -9,8 +9,7 @@ pub mod help;
 #[cfg(test)]
 mod tests;
 
-// remove dead_code when sudoedit has been implemented
-#[allow(dead_code)]
+#[cfg_attr(not(feature = "sudoedit"), allow(dead_code))]
 pub enum SudoAction {
     Edit(SudoEditOptions),
     Help(SudoHelpOptions),
@@ -218,7 +217,7 @@ impl TryFrom<SudoOptions> for SudoValidateOptions {
 }
 
 // sudo -e [-ABkNnS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
-#[allow(dead_code)]
+#[cfg_attr(not(feature = "sudoedit"), allow(dead_code))]
 pub struct SudoEditOptions {
     // -B
     pub bell: bool,
diff --git a/src/sudo/mod.rs b/src/sudo/mod.rs
@@ -108,6 +108,9 @@ fn sudo_process() -> Result<(), Error> {
                 }
             }
             SudoAction::List(options) => pipeline::run_list(options),
+            #[cfg(feature = "sudoedit")]
+            SudoAction::Edit(options) => pipeline::run_edit(options),
+            #[cfg(not(feature = "sudoedit"))]
             SudoAction::Edit(_) => {
                 eprintln_ignore_io_error!("error: `--edit` flag has not yet been implemented");
                 std::process::exit(1);
diff --git a/src/sudo/pipeline.rs b/src/sudo/pipeline.rs
@@ -19,9 +19,13 @@ use crate::system::timestamp::{RecordScope, SessionRecordFile, TouchResult};
 use crate::system::{escape_os_str_lossy, Process};
 
 mod list;
-
 pub(super) use list::run_list;
 
+#[cfg(feature = "sudoedit")]
+mod edit;
+#[cfg(feature = "sudoedit")]
+pub(super) use edit::run_edit;
+
 fn read_sudoers() -> Result<Sudoers, Error> {
     let sudoers_path = &super::candidate_sudoers_file();
 
diff --git a/src/sudo/pipeline/edit.rs b/src/sudo/pipeline/edit.rs
@@ -0,0 +1,80 @@
+use std::process::exit;
+
+use super::super::cli::SudoRunOptions;
+use crate::common::{Context, Error};
+use crate::exec::ExitReason;
+use crate::sudo::env::environment;
+use crate::sudo::pam::pre_exec;
+use crate::sudoers::Authorization;
+
+pub fn run_edit(mut cmd_opts: SudoRunOptions) -> Result<(), Error> {
+    let mut policy = super::read_sudoers()?;
+
+    let user_requested_env_vars = std::mem::take(&mut cmd_opts.env_var_list);
+
+    let mut context = Context::from_run_opts(cmd_opts, &mut policy)?;
+
+    let policy = super::judge(policy, &context)?;
+
+    let Authorization::Allowed(auth, controls) = policy.authorization() else {
+        return Err(Error::Authorization(context.current_user.name.to_string()));
+    };
+
+    super::apply_policy_to_context(&mut context, &controls)?;
+    let mut pam_context = super::auth_and_update_record_file(&context, auth)?;
+
+    // build environment
+    let additional_env = pre_exec(&mut pam_context, &context.target_user.name)?;
+
+    let current_env = environment::system_environment();
+    let (checked_vars, trusted_vars) = if controls.trust_environment {
+        (vec![], user_requested_env_vars)
+    } else {
+        (user_requested_env_vars, vec![])
+    };
+
+    let mut target_env = environment::get_target_environment(
+        current_env,
+        additional_env,
+        checked_vars,
+        &context,
+        &controls,
+    )?;
+
+    environment::dangerous_extend(&mut target_env, trusted_vars);
+
+    let pid = context.process.pid;
+
+    // prepare switch of apparmor profile
+    #[cfg(feature = "apparmor")]
+    if let Some(profile) = controls.apparmor_profile {
+        crate::apparmor::set_profile_for_next_exec(&profile)
+            .map_err(|err| Error::AppArmor(profile, err))?;
+    }
+
+    // run command and return corresponding exit code
+    let command_exit_reason = if context.command.resolved {
+        super::log_command_execution(&context);
+
+        crate::exec::run_command(
+            context
+                .try_as_run_options()
+                .map_err(|io_error| Error::Io(Some(context.command.command.clone()), io_error))?,
+            target_env,
+        )
+        .map_err(|io_error| Error::Io(Some(context.command.command), io_error))
+    } else {
+        Err(Error::CommandNotFound(context.command.command))
+    };
+
+    pam_context.close_session();
+
+    match command_exit_reason? {
+        ExitReason::Code(code) => exit(code),
+        ExitReason::Signal(signal) => {
+            crate::system::kill(pid, signal)?;
+        }
+    }
+
+    Ok(())
+}

Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,9 @@ fn sudo_process() -> Result<(), Error> {`
`108`	`108`	`}`
`109`	`109`	`}`
`110`	`110`	`SudoAction::List(options) => pipeline::run_list(options),`
	`111`	`+ #[cfg(feature = "sudoedit")]`
	`112`	`+ SudoAction::Edit(options) => pipeline::run_edit(options),`
	`113`	`+ #[cfg(not(feature = "sudoedit"))]`
`111`	`114`	`SudoAction::Edit(_) => {`
`112`	`115`	eprintln_ignore_io_error!("error: `--edit` flag has not yet been implemented");
`113`	`116`	`std::process::exit(1);`