46

On a linux box, how do I list all users that possess identical privilege to the superuser (and even better, all users in general along with if they are able to escalate their privilege to that level or not)?

Eric
  • 3
    Can you be more specific as to what you mean by "root privileges"? You mean users with UID=0? – Chris S Dec 02 '10 at 14:36
  • Users having the ability to do anything. Basically - I need to list users along with the groups they are members of if it is possible. – Eric Dec 02 '10 at 14:39
  • 2
    If I knew where your computer was, I could walk up and pull the power cord. That would qualify as "do anything" which means I'm on your list. [Rafiq](http://serverfault.com/questions/208347/208353#208353) has listed the three most common things, but there could be more and we know nothing about your system or how it's set up. – Chris S Dec 02 '10 at 14:46

8 Answers

49

Don't forget to change the root password. If any user has UID 0 besides root, they shouldn't. Bad idea. To check:

grep 'x:0:' /etc/passwd

Again, you shouldn't do this but to check if the user is a member of the root group:

grep root /etc/group

To see if anyone can execute commands as root, check sudoers:

cat /etc/sudoers

To check for SUID bit, which allows programs to be executed with root privileges:

find / -perm -04000

Warner
47

To see who is UID 0:

getent passwd 0

To see who is in groups root, wheel, adm and admin:

getent group root wheel adm admin

To list all users and the groups they are members of:

getent passwd | cut -d : -f 1 | xargs groups
Dennis Williamson
  • 12
    Unlike all other answers which wrongly rely on the /etc/passwd file, this one, using `getent passwd` instead, is actually correct. Just don't forget to check /etc/sudoers. – mivk Jun 09 '12 at 16:02
  • Thanks for this. Much clearer. For me this is the accepted answer. – Fiddy Bux Jan 09 '19 at 23:28
  • Might add `sudo egrep '\(root\)|\(ALL\)' /etc/sudoers; sudo ls /etc/sudoers.d` for sudo – bbodenmiller Apr 09 '21 at 03:37
6

Pure root is user id "0".

All the users in the system are in the /etc/passwd file:

less /etc/passwd

Those who are root have "0" as the user id, which is the 3rd column. Those with "0" as the group (4th column) may also have some root privileges.

Next, you'll want to look at the groups, and see who is an additional member of the "root" or "wheel" or "admin" groups:

less /etc/group

Users listed in those groups could have some root privileges, especially via the "sudo" command.

The final thing you will want to check is the "sudo" config and see who is listed as having authorisation to run this command. This file itself is well documented so I won't reproduce it here:

less /etc/sudoers

That covers the main areas of who could have root access.

Rafiq Maniar
  • See also http://serverfault.com/questions/205598/how-to-tweak-gnome-user-elevation-in-rhel-centos/205610#205610 for a few more places where privilege-escalation rights could be granted. (Namely, `consolehelper` and `PackageKit`.) – mattdm Dec 02 '10 at 15:18
  • 2
    All users are definitely NOT guaranteed to be in /etc/passwd. They may be in LDAP, for example. But `getent passwd` should list all system users (including root), in passwd format, regardless of the database where they are defined. – mivk Jun 09 '12 at 15:57
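The checks walked through in the answers above (UID 0, a primary GID belonging to root/wheel/adm/admin, and supplementary membership of those groups) combined into one report that reads through `getent`, as the comments recommend. This is an added example, not code from any poster; the function names, the reason labels and the sample accounts are assumptions made for illustration, and sudoers rules and SUID binaries are outside what it checks.

```shell
#!/bin/sh
# Added example: flag accounts with root-equivalent attributes.
ADMIN_GROUPS="root wheel adm admin"   # groups named in the answers; adjust per distro

# root_equiv_report [PASSWD_FILE GROUP_FILE]
# With no arguments the data comes from getent, so LDAP/NIS accounts are
# included. Prints "user<TAB>reason[,reason...]" for each flagged account.
root_equiv_report() {
    pw=${1:-} gr=${2:-} live=
    if [ -z "$pw" ]; then
        pw=$(mktemp) gr=$(mktemp) live=1
        getent passwd >"$pw"
        getent group >"$gr"
    fi
    awk -F: -v admin="$ADMIN_GROUPS" '
        function add(user, why) {
            reason[user] = reason[user] sep[user] why; sep[user] = ","
        }
        BEGIN { n = split(admin, a, " "); for (i = 1; i <= n; i++) is_admin[a[i]] = 1 }
        FILENAME == ARGV[1] {                 # first file: group database
            if ($1 in is_admin) {
                admin_gid[$3] = $1
                m = split($4, u, ",")
                for (i = 1; i <= m; i++) if (u[i] != "") add(u[i], "group:" $1)
            }
            next
        }
        $3 ~ /^0+$/     { add($1, "uid0") }   # second file: passwd database
        $4 in admin_gid { add($1, "primary-group:" admin_gid[$4]) }
        END { for (user in reason) printf "%s\t%s\n", user, reason[user] }
    ' "$gr" "$pw" | LC_ALL=C sort
    if [ -n "$live" ]; then rm -f "$pw" "$gr"; fi
}

# Constructed sample data (not from a real host): "toor" is a second UID 0
# account, "alice" is a supplementary member of wheel, "carol" has adm as
# primary group, "bob" is unprivileged and must not be reported.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'toor:x:0:0::/root:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/sh' 'bob:x:1001:1001::/home/bob:/bin/sh' \
        'carol:x:1002:4::/home/carol:/bin/sh' >"$d/passwd"
    printf '%s\n' 'root:x:0:' 'adm:x:4:' 'wheel:x:10:alice' 'alice:x:1000:' \
        'bob:x:1001:' >"$d/group"
    root_equiv_report "$d/passwd" "$d/group"
    rm -rf "$d"
}
demo
```

Calling `root_equiv_report` with no arguments audits the live host; each name it prints is then a candidate for `sudo -l -U <name>`, which also has to be run for unflagged users since sudoers can grant rights without any group membership.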
3

To print all users

perl -n -e '@user = split /:/ ; print "@user[0]\n";' < /etc/passwd

To print only those users with UID 0, being as others have said, the users with implicit root privileges:

perl -n -e '@user = split /:/ ; print "@user[0]\n" if @user[2] == "0";' < /etc/passwd
MadHatter
  • That's a good one liner, but be aware of the limitations (I'm sure MadHatter is aware of this already) - it won't check groups and it won't check sudoers. It will only check, as he says, implicit root. – Rafiq Maniar Dec 02 '10 at 14:54
  • 2
    Don't parse /etc/passwd. Users may be defined elsewhere. Use `getent passwd` instead. For your first "print all users" example, rather try this: `getent passwd | perl -naF: -e 'print "$F[0]\n"'` – mivk Jun 09 '12 at 16:08
2

For a quick list of all users, try hitting tab twice (to auto-complete) after typing the passwd command followed by a space. This works with the su command as well.

Must be done as a root-privileged user.

Emeraldo
0

None of the other answers work for enterprise-grade systems with LDAP-based permissions management. Try the following command that works universally on all setups to check whether a user has sudo access:

sudo -l -U $(whoami)
Raymo111
0

`ps -jf 1 | tail -n 1 | awk '{print $1}'` provides the name of the superuser across any unix-based operating-system without extra dependencies, and operates if invoked via pwsh/pwsh-preview, etcetera.

Although this answer provides this ability well, it does not operate via PowerShell, because `The '<' operator is reserved for future use.`, and it requires installation of perl, which is not necessarily available, and not available by default on macOS, which may be important.

mforsetti
  • FYI Linux's [`procps-ng`'s `ps -j`](https://gitlab.com/procps-ng/procps/-/blob/v4.0.0/ps/output.c#L1561) output is different compared to FreeBSD's [`ps`](https://www.freebsd.org/cgi/man.cgi?ps(1)) output. your `awk '{print $1}'` might not work. – mforsetti May 29 '22 at 07:19
0

It was annoying me that there wasn't a one-liner answer... If you want to list all UID 0 (root) accounts use the following:

cat /etc/passwd | cut -f1,3,4 -d":" | grep ":0:0$" | cut -f1 -d":" | awk '{print $1}'

Best,

Boschko