[sudo-users] sudo -l semantics

Shawn McMahon syberghost at gmail.com
Thu Jan 2 11:37:25 MST 2014


The problem is that your use case is an information leak. It's also a
malicious user's use case, and there's no way to detect whether it was a
good guy doing it or a bad guy, much less an ostensible good guy doing it
for bad reasons.

However, if you're bound and determined to do this, you could give that
user a passwordless sudo rule allowing them to run "sudo -U <username> -l"
as root, and parse that output for what you're searching for. You may also
find "-ll" useful for that. But for any non-trivial case, you'll be
re-writing sudo's parser to do this. Good luck, and note that there is
still no way to determine the intentions of the application that does this.
Once you strip the lock off the gate, everybody can come in.
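The rule and the parsing described above, written out as an added example that is not part of the original message and not code from the sudo project. It assumes an audit account named auditor and a target user alice on a host web01 (all three hypothetical), and a constructed "sudo -U alice -l" listing stands in for real output so the script runs offline. The parser handles only the simple cases (ALL, an exact command, a trailing "*" glob); everything else is exactly the "re-writing sudo's parser" work the post warns about. Note that sudo 1.9.13 and later also offer a "list" pseudo-command in sudoers for granting another user's -l output directly, which avoids nesting sudo inside sudo; the example sticks with the approach given in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from the sudo project.
# Assumed names: an audit account "auditor" and a target user "alice" on host
# "web01"; all three are hypothetical.
#
# Step 1 (sudoers side): let the auditor list another user's privileges
# without a password.  Install with `visudo -f /etc/sudoers.d/auditor`:
#
#     auditor ALL=(root) NOPASSWD: /usr/bin/sudo -U alice -l
#
# Naming each target user explicitly is deliberate: a wildcard such as
# "-U * -l" matches any argument string, not just a user name.
#
# Step 2 (client side): capture the listing and parse the
# "may run the following commands" section.  On a real host that would be
#     LISTING=$(sudo /usr/bin/sudo -U alice -l)
# Here a constructed listing (not captured from a real system) stands in.

SAMPLE_LISTING='Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/apt-get update
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status *'

# list_rules LISTING -> one "(runas) [TAG:] command" line per rule, taken only
# from the commands section (the Defaults block is skipped).
list_rules() {
    printf '%s\n' "$1" | awk '
        /^User .* may run the following commands/ { in_rules = 1; next }
        in_rules && /^[ \t]+\(/ { sub(/^[ \t]+/, ""); print }
    '
}

# rule_matches RULE CMD -> exit 0 if the command part of RULE covers CMD.
# Understands "ALL", an exact command line, and a trailing "*" glob.  Anything
# richer (several comma-separated commands on one line, "!" negation, digests,
# sudoedit, the way "*" does not cross "/" in the path part) is out of scope:
# that is the "re-writing sudo's parser" the post warns about.
rule_matches() {
    cmd=$2
    # Drop the "(runas)" prefix and any leading "TAG:" words such as NOPASSWD:.
    spec=$(printf '%s' "$1" | sed -E 's/^\([^)]*\) *//; s/^([A-Z_]+: *)+//')
    case "$spec" in
        ALL)     return 0 ;;
        "$cmd")  return 0 ;;
        *\*)     prefix=${spec%\*}
                 case "$cmd" in "$prefix"*) return 0 ;; esac ;;
    esac
    return 1
}

# may_run LISTING CMD -> prints the first matching rule and exits 0, or
# prints nothing and exits 1.
may_run() {
    list_rules "$1" | {
        while IFS= read -r rule; do
            if rule_matches "$rule" "$2"; then
                printf '%s\n' "$rule"
                exit 0
            fi
        done
        exit 1
    }
}

# Stand-alone demo against the constructed listing.
may_run "$SAMPLE_LISTING" "/usr/bin/systemctl restart nginx" || echo "not permitted"
may_run "$SAMPLE_LISTING" "/usr/bin/apt-get upgrade" || echo "not permitted"
```

The auditor account ends up able to read every user's sudo policy, which is the leak the post is talking about: the script only answers "may alice run X", but nothing stops the same account from dumping the whole listing.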

