[sudo-users] How to display group sudo rights

Todd C. Miller Todd.Miller at sudo.ws
Tue Mar 19 07:06:05 MDT 2019

On Tue, 19 Mar 2019 12:44:59 +0200, AvigdorFin wrote:

> When I define a group in sudoers, using %mygroup I expect to see and check
> the group sudo definition.
> I am not asking about using the group credentials, just to be able to get
> the report of what this group is permitted to perform with sudo.
> Reading the help message and the man page, did not help me.
> I'd like to know if this option is possible at all.

"sudo -l" will display permissions for a single user only.  If that
user is a member of a group that has sudo privileges then those
privileges will be displayed.  The purpose of the -l flag is to let
a user know what they are allowed to run (or to allow root to see
what a specific user may run).

However, you may be able to use the cvtsudoers program present in
recent sudo versions.  For example, to see the sudoers rules the
match group wheel you could do:

    $ cvtsudoers -e -f sudoers -m group=wheel /etc/sudoers
    %wheel ALL = (ALL) ALL

> What is the meaning of the help line:
> usage: sudo -l [-g group]  [-h host] ....
> that I receive when I try
> sudo -l -g mygroup
> Maybe there is some undocumented rule to combine some options with the -l
> -g
> When I do 'sudo -l -U user', I get the response I expect, but not with the
> '-g group' flag

You can only use "-g group" in conjunction with the -l option when
testing whether a specific command is allowed.  This works:

$ sudo -l -g mygroups id /usr/bin/id

But this does not:

$ sudo -l -g mygroups
usage: sudo ...

 - todd

More information about the sudo-users mailing list