51

How does a Linux system behave when I am not a sudoer? Here is what happens if I try to use sudo:

server:/tmp>$ sudo cal
[sudo] password for user:
Sorry, try again.

Is it possible that I just don't know my password, or does this mean that I am not a sudoer? (On another machine the system printed out that I'm not a sudoer and that the incident will be reported.)

Rasto
  • 1
    Better answer than any of the below: https://superuser.com/questions/553932/how-to-check-if-i-have-sudo-access – barnhillec Jan 15 '19 at 20:49

4 Answers

58

To find out whether a particular user has sudo access or not, we can use the -l and -U options together.

For example,

If the user has sudo access, it will print the level of sudo access for that particular user.

   $ sudo -l -U pradeep
     User pradeep may run the following commands on this host:
     (ALL : ALL) ALL

If the user doesn't have sudo access, it will print that the user is not allowed to run sudo on localhost.

   $ sudo -l -U pradeep.c
     User pradeep.c is not allowed to run sudo on localhost.
pradeepchhetri
  • 9
    This does not work for me. Instead of giving me information it asks me for the password again: `server:/home/drasto>$ sudo -l -U drasto [sudo] password for drasto:` There is a Red Hat distro on that server, if that helps – Rasto Oct 13 '12 at 19:25
  • 1
    From `man sudo` on Ubuntu 18.04: "The security policy may restrict listing other users' privileges. The sudoers policy only allows root or a user with the ALL privilege on the current host to use this option." – mklement0 Apr 19 '21 at 14:59
13

You can use the -l flag to list your privileges.

-l[l] [command]
   If no command is specified, the -l (list) option will list the allowed (and forbidden)
   commands for the invoking user (or the user specified by the -U option) on the current
   host.  If a command is specified and is permitted by sudoers, the fully-qualified path
   to the command is displayed along with any command line arguments.  If command is
   specified but not allowed, sudo will exit with a status value of 1.  If the -l option
   is specified with an l argument (i.e. -ll), or if -l is specified multiple times, a
   longer list format is used.

If you're not in the file, you should get the "not in the sudoers file" error you saw on the other machine.

Kevin
  • 4
    This also does not work for me. It just asks me for password: `server:/home/drasto>$ sudo -l [sudo] password for drasto:` – Rasto Oct 13 '12 at 19:31
  • 2
    Put in your password – Kevin Oct 13 '12 at 19:31
  • @drasto "Sorry, try again" means you entered the wrong password – Michael Mrozek Oct 13 '12 at 19:35
  • 1
    @Kevin @Michael My password does not work. I only know about one password for that server and that is the one I use to log in to the server. That one simply does not work when I'm asked for my sudo password (I have tried it about 100 times, capslock, numlock, etc). But the whole thing does not make sense! I want to know if I have sudo privileges but to find it out I need sudo privileges?! To run `sudo -l` I need the sudo password? So I have to be root to know if I'm root?! – Rasto Oct 13 '12 at 23:43
  • Your password for `sudo` is your login password. `sudo` will ask for your password to verify it is you checking. Passwords are usually remembered for a few minutes if you are few minutes. – BillThor Oct 13 '12 at 23:59
  • 1
    @drasto As bill said, `sudo` is looking for *your* login password. So if you've tried that and it doesn't work, either sudo is horribly misconfigured or you're in a jail of some sort where it can't see or read the proper files. Either way, you have in effect no sudo permissions. – Kevin Oct 14 '12 at 00:15
  • 1
    @Kevin Then I'm probably in that jail of some kind. Actually I think I should not have those sudo permissions on that machine. So I was surprised when it asked me for my sudo password in the first place. Anyway it is just as I wrote: my login password does not work. – Rasto Oct 14 '12 at 06:55
  • Some modern distributions configure sudo to ask for root's password or the target user's password. Also, there are known measures to provide another password file for sudo. If you are unable to check permissions with -l, likely such a setup is applied there. Ask the administrator. – Netch Oct 14 '12 at 14:01
  • So that's what people mean when they say "Check your privilege!" – MechMK1 Nov 06 '15 at 10:57
4

You can check if you are in the sudo group, by using the command

groups

In a shell-script you may want to use this:

# grep -q suppresses output portably (&> is a bashism that misparses in plain sh)
if groups | grep -q "\<sudo\>"; then
   echo yes
else
   echo no
fi
Schlacki
  • 3
    The group could be `sudo`, `admin`, `wheel`, or something else altogether, and even with membership in a group, an individual user may be denied sudo access via specific rules (or the other way around). – muru Mar 06 '17 at 08:51
  • This has too many false negatives for my purpose (hardening verification). Kevin's answer is more definitive. – StockB Jan 09 '18 at 17:11
0

I needed to check if a user has sudo privileges for a script, but sometimes the user I was testing was not even allowed to run sudo -l.

So I made this function:

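check_if_user_has_sudo() {
  # Exit status 0 if sudo reports that $USER may run commands, 1 otherwise.
  if sudo -l -U "$USER" | grep -q 'may run the following'; then
    return 0   # has sudo privileges
  else
    return 1   # doesn't have sudo privileges
  fi
}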

Basically it checks if sudo -l would work and actually prints that the user is allowed.

The grep -q will simply return 0 if sudo -l prints that the user is allowed to run any commands. Otherwise it doesn't have sudo or is not even allowed to run it.

AdminBee
DAn Baltag
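Added example, not part of any answer above: for hardening checks it helps to separate three outcomes that this thread keeps mixing up, namely "sudo granted", "sudo denied by policy", and "could not authenticate, so nothing was learned". The function names are hypothetical, and the sample lines are constructed from the messages quoted on this page plus sudo's standard "a password is required" and "not in the sudoers file" messages.

```shell
#!/bin/sh
# classify_sudo_listing OUTPUT -> prints allowed | denied | auth-needed | unknown
# "auth-needed" is NOT a denial: sudo refused to answer before authentication,
# which is the situation the asker was in ("Sorry, try again.").
classify_sudo_listing() {
  case $1 in
    *"may run the following commands"*)
      echo allowed ;;
    *"is not allowed to run sudo"*|*"may not run sudo"*|*"is not in the sudoers file"*)
      echo denied ;;
    *"a password is required"*|*"Sorry, try again"*|*"incorrect password attempt"*)
      echo auth-needed ;;
    *)
      echo unknown ;;
  esac
}

# Wrapper for the invoking user (assumed usage; needs sudo installed).
# -n never prompts, so this is safe in scripts; LC_ALL=C keeps sudo's
# messages in the English wording that the patterns above match.
check_my_sudo() {
  out=$(LC_ALL=C sudo -n -l 2>&1)
  classify_sudo_listing "$out"
}

# Constructed sample outputs, one per line, classified offline.
while IFS= read -r line; do
  printf '%-12s <- %s\n' "$(classify_sudo_listing "$line")" "$line"
done <<'EOF'
User pradeep may run the following commands on this host:
User pradeep.c is not allowed to run sudo on localhost.
drasto is not in the sudoers file.  This incident will be reported.
sudo: a password is required
Sorry, try again.
EOF
```

An `auth-needed` or `unknown` result should be treated as "not verified" rather than as proof that the account has no sudo rights.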