[sudo-users] sudo -l minimum grants
Todd C. Miller
Todd.Miller at sudo.ws
Tue Dec 19 14:53:16 MST 2017
On Tue, 19 Dec 2017 21:28:49 +0100, Daniele Palumbo wrote:
> So to translate it I have to grant at least one command (even not
> existent) to be able to run sudo -l, correct?
Correct. The user (or a group the user belongs to) must be granted
at least one command on the current host. Whether the command
exists or not doesn't matter. You could even do something like:

    ALL ALL=/no/such/command

to allow anyone to run a command that doesn't exist. Or for LDAP:

    # stub, SUDOers, courtesan.com
    dn: cn=stub,ou=SUDOers,dc=courtesan,dc=com
    objectClass: top
    objectClass: sudoRole
    cn: stub
    sudoUser: ALL
    sudoHost: ALL
    sudoCommand: none
> Are the defaults valid as well as definition to be able to run sudo -l?
For file-based sudoers, a per-user Defaults setting is not sufficient
to run "sudo -l" if that is what you mean.
- todd
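
Added example, not part of the original message and not sudo's own code: a simplified Python model of the rule described above, useful for auditing which accounts can run "sudo -l" on a given host. It assumes one-line rules with a single user (or %group) and a single host, with no aliases, lists, negation or LDAP; the user names, group and host names are constructed.

```python
import re

# Constructed sample policy; only the stub rule below is taken from the message.
SAMPLE = """\
Defaults env_reset
Defaults:alice !lecture
bob   web01 = /usr/bin/systemctl restart nginx
%ops  ALL = /usr/bin/journalctl
"""
STUB = "ALL ALL=/no/such/command\n"

# user-or-%group, host, '=', command list (simplified one-line rule shape)
SPEC = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(\S.*)$")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def matching_rules(sudoers, user, groups, host):
    """Return the rules that grant `user` at least one command on `host`."""
    hits = []
    for raw in sudoers.splitlines():
        line = raw.strip()
        # Comments, Defaults and alias definitions never count as a grant.
        if not line or line.startswith("#") or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, where, _cmds = m.groups()
        user_ok = who in ("ALL", user) or (who.startswith("%") and who[1:] in groups)
        host_ok = where in ("ALL", host)
        if user_ok and host_ok:
            hits.append(line)
    return hits


def can_list(sudoers, user, groups, host):
    """Model of the precondition for 'sudo -l': one grant on this host."""
    return bool(matching_rules(sudoers, user, groups, host))


if __name__ == "__main__":
    for name, grps, host in [("alice", [], "web01"), ("bob", [], "web01"),
                             ("bob", [], "db01"), ("dave", ["ops"], "db01")]:
        print(name, host, can_list(SAMPLE, name, grps, host),
              can_list(SAMPLE + STUB, name, grps, host))
```

Each printed row shows the result without and then with the stub rule appended: once the stub is present, every account passes the check on every host.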