[sudo-users] sudo -l semantics
Alec Leamas
leamas.alec at gmail.com
Fri Dec 27 08:11:01 MST 2013
On 2013-12-27 14:33, Todd C. Miller wrote:
> It is not possible to test whether the user can run a command without
> specifying a password. This is by design as it should not be
> possible to list a user's allowed commands without authenticating
> first.
>
> However, the way the -l flag works with respect to authentication
> is a bit different. If the user is allowed to run any
"Any" in the sense of "some" or in the sense of "all"?! (Sorry, this is
not my native language...)
> command they
> are able to run "sudo -l". This means that even if a user is not
> allowed to run, say, /bin/bash, as long as they are listed in sudoers
> they will be able to run "sudo -l /bin/bash".
>
> - todd
My use case is really about what happens when "my" app pulls in sudo as a
dependency to a user otherwise not using sudo. Obviously, the running user
isn't capable of doing anything in that case. I would like to warn her
about this without running into a password prompt that is useless in this
context. Any ideas?
My own so far is to use rpm to test if the config file is as
distributed. It's really not satisfactory, and adds an rpm dependency I'm
not really fond of...
--alec