[sudo-users] sudo -l semantics
Todd C. Miller
Todd.Miller at courtesan.com
Fri Dec 27 06:33:18 MST 2013

It is not possible to test whether the user can run a command without
specifying a password. This is by design as it should not be
possible to list a user's allowed commands without authenticating
first.

However, the way the -l flag works with respect to authentication
is a bit different. If the user is allowed to run any command, they
are able to run "sudo -l". This means that even if a user is not
allowed to run, say, /bin/bash, as long as they are listed in sudoers
they will be able to run "sudo -l /bin/bash".

- todd