Sudo
GitHub Blog Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

The list pseudo-command

Peter Czanik, Open Source Evangelist at One Identity

Version 1.9.13 of sudo adds the list pseudo-command. Previously, only root or a user with the ability to run any command as either root or the target user could list privileges. Using the list pseudo-command it is possible to list the privileges of another user without any additional privileges, thus tightening security even more.

Before you begin

Unless you are using a rolling Linux distribution, there is a good chance that sudo 1.9.13 is not yet available for your system. Luckily the sudo project provides you with easy to use binary packages for many popular Linux distributions and UNIX variants. Check https://www.sudo.ws/getting/packages/ to see if your system is supported. If not, you can still build sudo from source.

Configuration and testing

I created a test user on my host, which is not member of the wheel group and has no sudo privileges. I then verified it:

bla@czplaptop:~> sudo  -l
bla's password: 
Sorry, user bla may not run sudo on czplaptop.
bla@czplaptop:~> sudo -U czanik -l
bla's password: 
Sorry, user bla is not allowed to execute 'list' as czanik on czplaptop.

For the next step I gave the user access to the list pseudo-command. Using visudo I added the following line to the sudoers file:

bla ALL=(ALL) list

Now, the output of the output of the above two commands is completely different:

bla@czplaptop:~> sudo  -l
bla's password: 
Matching Defaults entries for bla on czplaptop:
    always_set_home,
    secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin\:/usr/local/bin\:/usr/local/sbin,
    env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",
    !insults, ignore_iolog_errors, log_output, log_input

User bla may run the following commands on czplaptop:
    (ALL) list
bla@czplaptop:~> sudo -U czanik -l
Matching Defaults entries for czanik on czplaptop:
    always_set_home,
    secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin\:/usr/local/bin\:/usr/local/sbin,
    env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",
    !insults, ignore_iolog_errors, log_output, log_input

User czanik may run the following commands on czplaptop:
    (ALL) ALL

As you can see, the “bla” user now only has access to the list pseudo-command, and it enables the user to list the privileges of my user. All this without being able to run commands as root or as my user.

What is next?

The list pseudo-command is just one of the new features, bug fixes and enhancements introduced in sudo version 1.9.13. Check the release notes at https://www.sudo.ws/releases/stable/#1.9.13 for a complete list.

If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.

Running sudo without updating cached credentials More info with -ll in sudo 1.9.15