[sudo-users] sudo -l semantics

Alec Leamas leamas.alec at gmail.com
Fri Dec 27 08:11:01 MST 2013

On 2013-12-27 14:33, Todd C. Miller wrote:
> It is not possible to test whether the user can run a command without
> specifying a password.  This is by design as it should not be
> possible to list a user's allowed commands without authenticating
> first.
> However, the way the -l flag works with respect to authentication
> is a bit different.  If the user is allowed to run any
"Any" on the sense pf "some" or in the sense of "all" ?! (sorry, this is 
not my native language...)
>   command they
> are able to run "sudo -l".  This means that even if a user is not
> allowed to run, say, /bin/bash, as long as they are listed in sudoers
> they will be able to run "sudo -l /bin/bash".
>   - todd

My usecase is really about what happens when "my" app pulls in sudo as a 
dependency to a user otherwise not using sudo. Obviously, running user 
isn't capable of doing anything in that case.  I would like to warn her 
about this without running into a in this context useless password 
prompt. Any ideas?

My own is so far to use rpm to test if the config file is as 
distributed. It's really not satisfactory, and adds a rpm dependency I'm 
not really fond of...


More information about the sudo-users mailing list