How to check if I have sudo access?

108

29

I recently got into trouble because of this.

$ sudo vim /etc/motd
[sudo] password for bruce: 
bruce is not in the sudoers file.  This incident will be reported.

Is there a way to check if I have sudo access or not?

Bruce

Posted 2013-02-18T19:36:35.767

Reputation: 2 067

Ask your systems administrator? – mdpc – 2013-02-18T19:40:36.673

1@mdpc: Is there another way besides that? – Bruce – 2013-02-18T19:45:13.400

You have not mentioned if you can attain root access or not. – mdpc – 2013-02-18T19:46:12.403

49

This has to be the first instance of seeing someone following up on "This incident will be reported".

– slhck – 2013-02-18T19:55:48.867

Answers

123

Run sudo -v. It is usually used to extend your sudo password timeout, but can be used for determining whether you have any sudo privileges.

$ sudo -v
Sorry, user [username] may not run sudo on [hostname].

Man page excerpt:

If given the -v (validate) option, sudo will update the user’s time stamp, prompting for the user’s password if necessary. This extends the sudo timeout for another 5 minutes (or whatever the timeout is set to in sudoers) but does not run a command.

If your user is only allowed to run specific commands, this command will work, indicating you are allowed to run something with different privileges. While the message looks different when trying to execute a command you're not allowed to in this case (and no mail is sent to root), it's still possible you'll get into trouble if the admins read /var/log/secure.

$ sudo ls
[sudo] password for [username]: 
Sorry, user [username] is not allowed to execute '/bin/ls' as root on [hostname].

To find out what you're allowed to run with different privileges, you can use sudo -l. Note that this command requires you to enter your password.

Daniel Beck

Posted 2013-02-18T19:36:35.767

Reputation: 98 421
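What the admins see when they read /var/log/secure, as an added example that is not part of the original answer: a filter that pulls sudo denials out of an auth log. It assumes sudo's default syslog line layout; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sudo denials recorded in an auth log.
# Reads log lines on stdin, prints "user<TAB>reason<TAB>command" per denial.
sudo_denials() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) {
        # Text after the "sudo:" tag looks like "user : reason ; KEY=val ; ..."
        msg = substr($0, RSTART + RLENGTH)
        head = msg
        p = index(msg, " ; ")
        if (p) head = substr(msg, 1, p - 1)
        q = index(head, " : ")
        if (!q) next                      # PAM lines and the like
        user = substr(head, 1, q - 1)
        reason = substr(head, q + 3)
        # Successful runs have no reason field; keep only the two denial kinds.
        if (reason != "user NOT in sudoers" && reason != "command not allowed")
            next
        # COMMAND= is the last field, so take everything after it verbatim.
        c = index(msg, "COMMAND=")
        cmd = c ? substr(msg, c + 8) : ""
        printf "%s\t%s\t%s\n", user, reason, cmd
    }'
}

# Constructed sample lines (not taken from a real system).
sample_log() {
    cat <<'EOF'
Feb 18 19:36:35 host1 sudo:    bruce : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bruce ; USER=root ; COMMAND=/usr/bin/vim /etc/motd
Feb 18 19:40:02 host1 sudo:    alice : command not allowed ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Feb 18 19:41:10 host1 sudo[2211]:    dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=validate
Feb 18 19:42:00 host1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
EOF
}

# Usage: sample_log | sudo_denials
```

On a real host, feed it the auth log instead of the sample, for example `sudo_denials < /var/log/secure`. The `COMMAND=validate` entry is how a denied `sudo -v` appears in the log.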

@PatrickM It looks like a problem with the sudoers file. In there you can specify on which host a user is authorized to run a specific command (this is useful when using the same sudoers file on multiple machines). Possibly the hostname specified in that file could not be resolved. Try checking it with the host command for example. – Ale – 2014-12-17T23:10:21.757

Doesn't work for me on RHEL 6, sudo -v gave "xx is not in the sudoers file. This incident will be reported." – 79E09796 – 2016-09-01T17:03:39.840

@79E09796 Do you know more about your environment? What version of RHEL 6? What version of sudo? I can't find anything in the sources that would explain that, but Red Hat's source RPMs are pretty annoying. Notably, it seems sudo was recently patched quite a bit by Red Hat, so this may be very recent. – Daniel Beck – 2016-09-01T17:41:44.297

2Thanks. sudo -v works for me. The man page says I can run sudo -l as well but that asks for a password. Why is that? – Bruce – 2013-02-18T20:00:12.553

2@Bruce I'm guessing here, but otherwise someone (or a program you run) could find out what programs can be executed (possibly without entering password) by your current user and try to use that information maliciously. – Daniel Beck – 2013-02-18T20:05:47.153

What do you suppose it means when I get this back: patrick@<host>:~$ sudo -v sudo: unable to resolve host <host>? I entered my password and didn't get anything about unauthorized. I know I have sudo from successfully running other commands, but that unable to resolve host message has me concerned something else might be funky on the host. – Patrick M – 2014-04-21T03:04:29.393

43

This is very simple. Run sudo -l. This will list any sudo privileges you have.

Brad Dausses

Posted 2013-02-18T19:36:35.767

Reputation: 547

1Maybe downvoted because it repeats what Daniel Beck said nearly two years ago. – G-Man Says 'Reinstate Monica' – 2014-12-18T04:09:11.730

1Or explains what happen, it's a comment, at best – Ramhound – 2014-12-18T20:47:00.170

2@Jonathan: if u would script in Ubuntu right now, sudo -l asks for a password if u can sudo or not. sudo -v asks only if u can, and "$(whoami)" != "root" will never ask anything in any linux. – bksunday – 2015-08-03T03:37:32.110

@bksunday You are correct. I tested now on a clean Debian Jessie and confirmed your results. My previous (deleted now) comment was probably a result of testing on a machine on which I had some sudo privs. – Jonathan Ben-Avraham – 2015-08-03T04:30:41.223

@G-Man but this simple answer helped me more than probably more precise Daniel's answer, where this command is at the very end unfortunately... – Betlista – 2016-01-04T14:48:16.797

12

Here is the script-friendly version:

timeout 2 sudo id && echo Access granted || echo Access denied

since it won't get stuck on the password input if you do not have the sudo access.

You can also set it in a variable like:

timeout 2 sudo id && sudo="true" || sudo="false"
echo "$sudo"

Note: On macOS, you need to install coreutils, e.g. brew install coreutils.

kenorb

Posted 2013-02-18T19:36:35.767

Reputation: 16 795

Any alternatives for where timeout isn't available by default, e.g. on OS X? – Harry – 2018-06-01T16:27:18.530

1You need to install coreutils, e.g. brew install coreutils. – kenorb – 2018-06-13T15:08:24.407

2This does not work for me in a script. For unexplained reason the script hangs until I kill it. – beruic – 2018-10-11T11:04:15.957

9

Gerald Schade's answer here can still be improved!

Use

prompt=$(sudo -nv 2>&1)
if [ $? -eq 0 ]; then
  # exit code of sudo-command is 0
  echo "has_sudo__pass_set"
elif echo "$prompt" | grep -q '^sudo:'; then
  echo "has_sudo__needs_pass"
else
  echo "no_sudo"
fi

Here's a complete example of usage in a script:

#!/usr/bin/env bash

# Succeeds (exit status 0) only when the effective UID is 0.
is_root () {
    [ "$(id -u)" -eq 0 ]
}

# Prints one of: has_sudo__pass_set, has_sudo__needs_pass, no_sudo.
has_sudo() {
    local prompt

    # -n: never prompt; -v: validate only, run no command.
    prompt=$(sudo -nv 2>&1)
    if [ $? -eq 0 ]; then
        # exit code of sudo-command is 0
        echo "has_sudo__pass_set"
    elif echo "$prompt" | grep -q '^sudo:'; then
        echo "has_sudo__needs_pass"
    else
        echo "no_sudo"
    fi
}

# Runs the given command via sudo when available, otherwise via su.
elevate_cmd () {
    local HAS_SUDO
    HAS_SUDO=$(has_sudo)

    case "$HAS_SUDO" in
    has_sudo__pass_set)
        sudo "$@"
        ;;
    has_sudo__needs_pass)
        echo "Please supply sudo password for the following command: sudo $*"
        sudo "$@"
        ;;
    *)
        echo "Please supply root password for the following command: su -c \"$*\""
        su -c "$*"
        ;;
    esac
}

if is_root; then
    echo "Error: need to call this script as a normal user, not as root!"
    exit 1
fi

elevate_cmd which adduser

ajneu

Posted 2013-02-18T19:36:35.767

Reputation: 91

3

For me, 'sudo -v' and 'sudo -l' did not work in a script because they are sometimes interactive (asking me for a password, as mentioned above). 'sudo -n -l' also did not work; it gave the exit code '1' although I have sudo permissions, because of the missing password. But extending the command to:

A=$(sudo -n -v 2>&1); test -z "$A" || echo "$A" | grep -q asswor

was successful for me for the script. This expression gives 0 if the current user can call 'sudo' and 1 if not.

Explanation:
The additional parameter -n to sudo prevents interactivity.
The output $A of the command 'sudo -n -v 2>&1' may be:
- empty (in this case, sudo can be called by the current user), or:
- a note that the current user is not authorized for sudo, or:
- a question text for the password (in this case, the user is authorized).
("asswor" will fit for an English "password" as well as for a German "Passwort").

Gerald Schade

Posted 2013-02-18T19:36:35.767

Reputation: 151
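The three outcomes listed in this answer, plus the two denial wordings quoted elsewhere on this page, as an added example that is not part of either original answer. The classifier is kept separate from the `sudo -n -v` call so it can be checked against captured output; the function names and state names are hypothetical, and setting `LC_ALL=C` to get untranslated messages is an assumption about the host's sudo build.

```shell
#!/bin/sh
# Added example: classify the result of a non-interactive `sudo -n -v` probe.

# classify_sudo_probe STATUS OUTPUT
# Maps sudo's exit status and message text to a single state word.
classify_sudo_probe() {
    if [ "$1" -eq 0 ]; then
        echo "sudo_ready"                 # NOPASSWD rule or cached timestamp
    else
        case "$2" in
            *"a password is required"*)
                echo "sudo_needs_password" ;;   # authorized, must authenticate
            *"may not run sudo"*|*"is not in the sudoers file"*)
                echo "no_sudo" ;;               # both denial wordings on this page
            *)
                echo "unknown" ;;               # translated or unexpected message
        esac
    fi
}

# sudo_state: run the real probe and classify it. Never prompts.
sudo_state() {
    [ "$(id -u)" -eq 0 ] && { echo "root"; return 0; }
    command -v sudo >/dev/null 2>&1 || { echo "sudo_missing"; return 0; }
    # -n: fail instead of prompting; -v: validate only, run no command.
    _sudo_out=$(LC_ALL=C sudo -n -v 2>&1)
    classify_sudo_probe "$?" "$_sudo_out"
}

# Usage in a script prolog:
#   case "$(sudo_state)" in
#       no_sudo|sudo_missing) echo "This script needs sudo." >&2; exit 1 ;;
#   esac
```

Matching on message text instead of an empty-versus-non-empty check means an unrelated warning, such as the "unable to resolve host" message mentioned in the comments above, lands in `unknown` and is not read as either a grant or a denial.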

2

i've got low rank to vote and comment, but i wanted to upvote Gerald Schade's answer, as i've found that the only way previously, and thought that no1 else knows it - til now :D

btw my solution:

[[ "$(whereis sudo)" == *'/'* && "$(sudo -nv 2>&1)" != 'Sorry, user'* ]]

(from the end of 2015 mwhahaaa)

user629901

Posted 2013-02-18T19:36:35.767

Reputation: 21

1

Read over "Why do I need 50 reputation to comment" to ensure you understand how you can start commenting.

– Pimp Juice IT – 2017-10-01T23:24:42.077

1

"Sudo access" comes in flavors. Two primary flavors: First you, or a group you're a member of, needs to be set up for sudo access in the /etc/sudoers file.

Secondly you need to know your password, or you need to have done a sudo command recently. Recently enough that the timeout hasn't expired. (Fun fact: you can make the timeout very long in your sudoers file.)

I often want to test for the second kind of access in the prolog of a script that will need to sudo some steps. When this check fails I can advise the user he needs to enable the 2nd kind of access before running the script.

bash-3.2$ if sudo -S -p '' echo -n < /dev/null 2> /dev/null ; then echo 'Sudo is enabled.' ; else echo 'Sudo is not enabled' ; fi
Sudo is enabled.
bash-3.2$ sudo -K
bash-3.2$ if sudo -S -p '' echo -n < /dev/null 2> /dev/null ; then echo 'Sudo is enabled.' ; else echo 'Sudo is not enabled' ; fi
Sudo is not enabled

The -S tells sudo to read the password from stdin. The -p sets an empty prompt. The -K clears the second type of access.

Since it sends stderr to /dev/null, it will also check if the user has the first type of sudo access.

Ben Hyde

Posted 2013-02-18T19:36:35.767

Reputation: 121

1

This should be enough to tell you if you have root or not:

sudo whoami

If sudo asks for root password, or it does not work, it also means that you don't have root privileges (at least not through sudo).

Vedran

Posted 2013-02-18T19:36:35.767

Reputation: 121

The OP would need to be on the sudoers list for this to work which defeats the point of the question. – Burgi – 2020-02-11T09:59:39.710

@Burgi The unsaid part of the answer is that if sudo asks for root password, or it does not work, it also means that you don't have root privileges (at least not through sudo). I insert it into the answer. – peterh - Reinstate Monica – 2020-02-11T11:04:27.977

-5

Follow these steps to view the sudoers file. If you're in there, you have sudo. If not, you can add yourself.

  1. su
  2. visudo
  3. Bottom of the file, enter your_username_here ALL=(ALL) ALL
  4. Hit ESC and type :wq
  5. Type exit
  6. Re-run your command that needed sudo
  7. Enter your password (not the root's password)

Kruug

Posted 2013-02-18T19:36:35.767

Reputation: 5 078

11The OP "got into trouble" for running sudo, so he probably isn't *the* system administrator, nor even one of the elite system administrators. He's probably just a user who thought he might have been granted some limited powers. What makes you suspect that he can go su? – Scott – 2014-08-20T20:46:26.063