Sudo / Su Permissions per file


#1

Hi All,

Just a quick Feature request.
I use Atom on Debian Sid.

When I edit another file that requires su/sudo permissions it won't save due to the fact the program wasn't started as sudo or the superuser.
This is different if Atom was already closed, and opened with su/sudo permissions (then it has no problems).

The way Sublime Text handles this is just opening the file in another window that has the sudo/su permissions.

It would be great if Atom would be able to handle the permissions of the file per tab, that way the existing behaviour could be kept and yet give permissions to save if need be.
The Sublime Text way is OK, but it would be great to do it per file tab so multiple windows don’t need to be opened.


#2

I’m not an expert on the Unix security model, so forgive me if my understanding is incomplete. Aren’t sudo and su permissions granted by changing the user account the process is running under, for example to root? (Or creating a new process that is running under that other user account.) I would think this would mean that if I:

  1. Opened a blank file
  2. Elevated to sudo to edit /etc/foo
  3. Edited /etc/foo but did not yet save or close it
  4. Created another file /home/lee/foo/bar/baz
  5. Clicked Save All

Then either #1 and #4 would be saved as root or if I needed to edit multiple files as root, I would have to elevate for each and every one of them.

Also, if the entire process is elevated to root … what about all the non-editor-window activity that happens in the process? All the package code. All the writing of window serialization files. I’m not sure that it would be very easy to sandbox off some portions of the process as “this part is sudo” and “this part isn’t”.

Personally, given that my understanding is correct … I think the separate “sudo window” and separate process is a better solution.


#3

… Then no packages would be loaded, because root's home directory (~/) would be /root/ so Atom would be looking for packages in /root/.atom/packages/. This is one of the reasons I think Atom should have a configurable config directory.

A separate root window would be my preferred way to do it in terms of Unix security, and definitely the easiest for the Atom devs, although opinions may vary a lot on the subject.


#4

The way OS X applications handle this is on save. If the current user doesn’t have access to save the file a sudo dialog is shown asking for a password. The save process is sudo’d but the actual application is still running as the current user.

Normal sudo timeouts occur, the file can be saved for several minutes but at some point the password is required again. This is the same as the command line sudo.

I like this approach because the application stays running as the current user with the same configuration.


#5

I would recommend this approach as well.
Couldn’t it be just a core plugin with a pre-save hook if that makes sense?
A typical basic security rule in the Linux world is to never run a graphical program - a program that isn’t just a single terminal command - with root privileges.
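The save-time elevation described in #4 and #5, as an added example (not Atom's code and not written by anyone in this thread): the editor process stays unprivileged, and only a short-lived child that receives the buffer on stdin runs as root. The function names, the `opts` hooks and the choice of `sudo` with `tee` as the helper are assumptions made for illustration.

```javascript
const fs = require('fs');
const path = require('path');
const { spawnSync } = require('child_process');

// argv for the privileged write. The path is its own argv element after
// "--", so no shell parses it and it cannot be mistaken for an option.
// An absolute path makes it unambiguous which file the root child writes.
function elevatedWriteCommand(targetPath, helper = ['sudo', '--']) {
  if (!path.isAbsolute(targetPath)) {
    throw new Error('refusing elevated write to a relative path');
  }
  return [...helper, 'tee', '--', targetPath];
}

// Save as the current user; only when the OS denies the write is the buffer
// handed to a privileged child over stdin.
// opts.write / opts.run / opts.helper are hypothetical hooks for this example.
function saveBuffer(targetPath, text, opts = {}) {
  const write = opts.write || fs.writeFileSync;
  const run = opts.run || spawnSync;
  try {
    write(targetPath, text);
    return { elevated: false };
  } catch (err) {
    // Only permission errors justify elevation; ENOENT, ENOSPC etc. propagate.
    if (err.code !== 'EACCES' && err.code !== 'EPERM') throw err;
  }
  const [cmd, ...args] = elevatedWriteCommand(targetPath, opts.helper);
  // tee echoes its input to stdout, so stdout is discarded; stderr is kept
  // so the helper's own error messages stay visible.
  const res = run(cmd, args, { input: text, stdio: ['pipe', 'ignore', 'inherit'] });
  if (res.error || res.status !== 0) {
    throw new Error(`elevated save failed for ${targetPath}`);
  }
  return { elevated: true, argv: [cmd, ...args] };
}
```

Packages, window serialization and every other buffer keep running and saving as the normal user, which is the concern raised in #2; sudo's credential timeout applies to the helper as it would on the command line.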


#6

Emacs has “tramp” but I agree in that I prefer just plainly doing “sudo atom”. I would like Atom to give feedback as to which user is running it though.


#7

Hi, I know this is an old discussion, but has there been any progress on this?


#8

+1

Having used Tramp in Emacs, I miss being able to briefly edit /etc/hosts without having to leave the editor.