13

I have a local shell script that performs a number of tests on a remote host before delivering the payload. One of these tests is whether the user has sudo privileges, checked simply with `sudo -v`; however, this requires the user to enter their password. Additionally, the remote host seems to have an instant sudo timeout, so the password entry is required on every new connection, and this is something I don't have permission to change (as a policy).

I can of course test whether the user is part of certain groups, but then this would not be agnostic to the remote host configuration, so I was hoping there's a method that can check that doesn't need to assume the user's groups, as well as not needing user input?

Thanks!

UPDATE: To echo my comments, I only want to test whether a user could possibly sudo, without requiring user interaction for that test.

DanH
  • Do you need to check whether the user has the possibility to use sudo, or if he is executing the shell script via sudo? – Niko S P Feb 28 '12 at 04:51
  • Just whether he has the possibility. The local script will require the sudo password to be entered later on, so I just want to check early on that the user on the remote host is even a sudoer. – DanH Feb 28 '12 at 09:32
  • A quick check on my Ubuntu box gave me `sudo -l`; it returns the commands the user may run. If `(ALL) ALL` is part of them, the user is able to use sudo for any command. Maybe that's the right angle? – Niko S P Feb 28 '12 at 11:16
  • 1
    ``sudo -l`` prompts me for my password. – ThatGraemeGuy Feb 28 '12 at 11:55
  • Strange, there may be differences in behaviour based on versions or setups. I just checked again, with a new session, and it did not prompt me for my password. – Niko S P Feb 28 '12 at 13:24
  • 1
    Sudo caches based on tty, so if a new session gives you the same tty you may not be prompted. Try executing `sudo -k` first. – Mark Wagner Mar 06 '12 at 20:39

4 Answers

18

I'm afraid the only thing you can test is if the user has sudo privileges without a password.

Execute

```
sudo -n true
```

If `$?` is 0, the user has sudo access without a password; if `$?` is 1, the user needs a password.

If you need verification for a specific program, replace `true` with your program, in a way that the program doesn't do anything, like `chmod --help`.

erickzetta
  • 1
    Note that this does not help preliminarily detecting if command `X` is `sudo`able _without entering a password_ and _without accidentally running it_ – try-catch-finally Jul 02 '14 at 23:05
3

If you have one user with sudo access, like "root", you can use it to check other logins. As the user with access run:

```
sudo -n -l -U foo 2>&1 | egrep -c -i "not allowed to run sudo|unknown user"
```

If it returns zero, "foo" has access. Otherwise, it doesn't have sudo access.

Todd Moyer
  • 31
  • 1
  • 3
    Simply `sudo -n -l cmd` and you will be told if the current user has sudo access to cmd. If you want to test the result. – Philippe A. Oct 18 '16 at 19:07
2

I know that this is a super old question, but I found luck with the `-n` (non-interactive) flag and `-v` / `-l`. But, you do have to inspect the output:

```
$ sudo -vn && sudo -ln  #User with cached credentials
User adminuser may run the following commands on computername:
    (ALL) ALL
$ sudo -vn && sudo -ln  #User who _can_ sudo but isn't cached
sudo: a password is required
$ sudo -vn && sudo -ln  #User who can't at all
Sorry, user nonadmin may not run sudo on computername.
```

Some output-redirection and grepping will get you there, probably:

```
if (sudo -vn && sudo -ln) 2>&1 | grep -v 'may not' > /dev/null; then
  #they're cool
  exit 0 #Or, whatever
fi
```
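
The three outcomes shown in the answer above can be told apart explicitly instead of with a single `grep -v`. The following is an added example, not part of the original answer: the function names are hypothetical, and the matched message fragments are the ones quoted above, which other sudo versions or configurations may word differently.

```shell
#!/bin/sh
# Added example, not from the original answers. Function names are hypothetical.
# Matched message fragments are the ones quoted in the answer above; other
# sudo versions may word them differently, hence the "unknown" fallback.

# classify_sudo_probe STATUS OUTPUT -> ready | needs-password | denied | unknown
classify_sudo_probe() {
    if [ "$1" -eq 0 ]; then
        echo ready              # passwordless rule, or credentials still cached
        return 0
    fi
    case $2 in
        *"may not run sudo"*)       echo denied ;;
        *"a password is required"*) echo needs-password ;;
        *)                          echo unknown ;;  # e.g. no sudo, ssh failure
    esac
}

# probe_sudo [HOST]: probe the current user locally, or over ssh when HOST is given.
# LC_ALL=C keeps sudo's messages untranslated so the patterns above can match.
# sudo -n never prompts, so the probe cannot hang waiting for a password.
probe_sudo() {
    if [ -n "${1:-}" ]; then
        out=$(ssh "$1" 'LC_ALL=C sudo -n -v' 2>&1) && rc=0 || rc=$?
    else
        out=$(LC_ALL=C sudo -n -v 2>&1) && rc=0 || rc=$?
    fi
    classify_sudo_probe "$rc" "$out"
}

# Constructed sample run using the three outputs quoted in the answer above.
demo_samples() {
    classify_sudo_probe 0 'User adminuser may run the following commands on computername:'
    classify_sudo_probe 1 'sudo: a password is required'
    classify_sudo_probe 1 'Sorry, user nonadmin may not run sudo on computername.'
}
demo_samples
```

A `denied` result is the one to abort on before delivering the payload; `unknown` deserves a manual look, since a `requiretty` sudoers setting or an unexpected message wording lands there.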
1

```
sudo -l
```

That should give you enough to decide if you have the privs you want/need.

dmourati