[sudo-users] sudo -l semantics

Alec Leamas leamas.alec at gmail.com
Thu Jan 2 11:17:16 MST 2014

On 2013-12-27 14:33, Todd C. Miller wrote:
> It is not possible to test whether the user can run a command without
> specifying a password.  This is by design as it should not be
> possible to list a user's allowed commands without authenticating
> first.
> However, the way the -l flag works with respect to authentication
> is a bit different.  If the user is allowed to run any command they
> are able to run "sudo -l".  This means that even if a user is not
> allowed to run, say, /bin/bash, as long as they are listed in sudoers
> they will be able to run "sudo -l /bin/bash".
>   - todd

Sorry for repeated answers, but things evolve...

My usecase is really simple: a GUI application using sudo for specific
tasks, but not the complete app. When things are not configured I just
wan't to give a sane error message, nothing more. However, this is not
possible as of today - as described above running sudo -l when user is
not mentioned will return a prompt. From a GUI perspective, this is hard
(impossible?) to handle, given that user doesn't know the required password.

I understand the reasons why a user  can't list commands if it's not
mentioned in sudoers. However, I'm still looking for a solution for my

Out of the top of my head comes the idea of a new simple test answering
if user is mentioned in sudoers i. e., if user can run sudo -l without
running into a prompt. Or perhaps some kind of extra option which makes
sudo -l return direct instead of trying to prompt in this case. Would
any of these approaches be acceptable?


More information about the sudo-users mailing list