[sudo-users] sudo -l semantics

Alec Leamas leamas.alec at gmail.com
Thu Jan 2 11:57:06 MST 2014


On 2014-01-02 19:37, Shawn McMahon wrote:
> The problem is that your use case is an information leakage. It's also a
> malicious user's use case, and there's no way to detect whether it was a
> good guy doing it or a bad guy, much less an ostensible good guy doing it
> for bad reasons.
I just don't see this (that is not to say it isn't there...): What's the 
difference between prompting for a password or directly returning a "You 
need a password to do this" from an information leak point of view?
> However, if you're bound and determined to do this, you could give that
> user a passwordless sudo rule allowing them to run "sudo -U <username> -l"
> as root, and parse that output for what you're searching for.

Not really. This is a chicken and egg problem, to handle what happens 
when my app is started after a clean install. Of course, opening up 
for all users as part of installation is an option, but that would be 
system-wide and not really the way to go IMHO. The username is basically 
unknown at installation time.

Perhaps if I installed a rule allowing all users to run exactly "sudo -l 
my-cmd" or so.... Dunno, that is perhaps not too bad?!

--alec
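Both ideas in the exchange above (Shawn's passwordless rule for `sudo -U <username> -l` followed by parsing, and Alec's narrower `sudo -l my-cmd`) come down to reading what sudo reports and deciding whether a command is allowed and whether it will prompt. The following is an added example, not code from either poster or from the sudo project: a Python parser for the usual `sudo -l` output layout that answers exactly that question for a given command line. The sample output, the host name `box`, the user `alec` and the command paths are constructed for the example; sudoers wildcard matching and commas inside command arguments are assumptions it does not handle.

```python
"""Parse `sudo -U <user> -l` output and decide, for one command line,
whether it is permitted and whether a password would be required.

Added example, not code from the list post or from sudo itself.
Assumes the common `sudo -l` layout: a header line containing
"may run the following commands", then one "(runas) [TAG:] cmd, ..."
line per sudoers entry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `sudo -U alec -l` output; not captured from a real host.
SAMPLE_OUTPUT = """\
Matching Defaults entries for alec on box:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/bin

User alec may run the following commands on box:
    (root) NOPASSWD: /usr/local/bin/my-cmd
    (root) /usr/bin/systemctl restart my-svc, /usr/bin/systemctl status my-svc
    (ALL : ALL) NOPASSWD: !/usr/local/bin/my-cmd --dangerous
"""

# Tags sudoers may print in front of a command; only NOPASSWD/PASSWD matter here.
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# "(runas_user [: runas_group]) rest-of-entry"
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.*\S)\s*$")


@dataclass
class Spec:
    runas_user: str
    runas_group: Optional[str]
    nopasswd: bool
    negated: bool      # entry printed as "!cmd", i.e. explicitly forbidden
    command: str       # program path plus any arguments, as sudo prints it


def parse_sudo_l(text: str) -> List[Spec]:
    """Turn the command section of `sudo -l` output into Spec records."""
    specs: List[Spec] = []
    in_cmds = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = ENTRY_RE.match(line) if in_cmds else None
        if not m:
            continue
        runas, rest = m.group(1), m.group(2)
        parts = [p.strip() for p in runas.split(":")]
        runas_user = parts[0]
        runas_group = parts[1] if len(parts) > 1 else None
        nopasswd = False  # sudoers default is PASSWD; tags persist across the list
        # Assumption: a comma inside an argument is not handled.
        for piece in rest.split(","):
            tokens = piece.strip().split()
            while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAGS:
                tag = tokens.pop(0)[:-1]
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            if not tokens:
                continue
            cmd = " ".join(tokens)
            specs.append(Spec(runas_user, runas_group, nopasswd,
                              cmd.startswith("!"), cmd.lstrip("!")))
    return specs


def spec_matches(spec: Spec, cmdline: str) -> bool:
    """Basic sudoers command match: ALL matches anything; a bare path
    matches any arguments; a path with arguments must match exactly.
    Assumption: sudoers wildcards and quoting are not implemented."""
    if spec.command == "ALL":
        return True
    want, have = cmdline.split(), spec.command.split()
    if len(have) == 1:
        return want[:1] == have
    return want == have


def check(sudo_l_output: str, cmdline: str, runas: str = "root") -> str:
    """Return 'nopasswd', 'passwd' or 'denied' for cmdline run as runas.
    As in sudoers, the last matching entry wins."""
    verdict = "denied"
    for spec in parse_sudo_l(sudo_l_output):
        if spec.runas_user not in ("ALL", runas):
            continue
        if not spec_matches(spec, cmdline):
            continue
        if spec.negated:
            verdict = "denied"
        else:
            verdict = "nopasswd" if spec.nopasswd else "passwd"
    return verdict


if __name__ == "__main__":
    for c in ("/usr/local/bin/my-cmd", "/usr/local/bin/my-cmd --dangerous",
              "/usr/bin/systemctl restart my-svc", "/usr/bin/systemctl stop my-svc"):
        print(f"{c!r}: {check(SAMPLE_OUTPUT, c)}")
```

Two caveats for whoever installs the rule. A rule that lets everyone run `sudo -U <user> -l` as root hands every user the complete privilege list of every other user, which is precisely the leak Shawn is pointing at; a rule limited to `sudo -l my-cmd` only yields yes/no for that one command (sudo exits 0 when the policy permits the command and 1 when it does not, and with `-n` it fails instead of prompting when a password would be needed). Second, this parser only reads sudo's report; it does not reimplement sudoers matching, so treat its answer as a hint for the installer, not as an access-control decision.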
