How could I list all super users?
I want a command to list all users who have root privileges i.e. sudo ?
Suppose I'm a sudoer user. How could I know all other sudoer users?
command-line sudo
add a comment |
I want a command to list all users who have root privileges i.e. sudo ?
Suppose I'm a sudoer user. How could I know all other sudoer users?
command-line sudo
Here is the answer: unix.stackexchange.com/a/140974/107084
– A.B.
Apr 20 '15 at 11:00
1
I find this one nice unix.stackexchange.com/questions/50785/…
– JoKeR
Apr 20 '15 at 11:31
@JoKeR nice and tricky
– Maythux
Apr 20 '15 at 11:33
1
Note that only Joker and muru's answers are correct, only parsing user/group conf files does not give you who has thesudo
permission and who has not....if a user is insudo
group but thesudoers
file has nothing mentioned forsudo
group, then?
– heemayl
Apr 20 '15 at 16:32
add a comment |
I want a command to list all users who have root privileges i.e. sudo ?
Suppose I'm a sudoer user. How could I know all other sudoer users?
command-line sudo
I want a command to list all users who have root privileges i.e. sudo ?
Suppose I'm a sudoer user. How could I know all other sudoer users?
command-line sudo
command-line sudo
edited May 14 '15 at 5:24
TechJhola
2,300112962
2,300112962
asked Apr 20 '15 at 10:57
MaythuxMaythux
50.7k32169215
50.7k32169215
Here is the answer: unix.stackexchange.com/a/140974/107084
– A.B.
Apr 20 '15 at 11:00
1
I find this one nice unix.stackexchange.com/questions/50785/…
– JoKeR
Apr 20 '15 at 11:31
@JoKeR nice and tricky
– Maythux
Apr 20 '15 at 11:33
1
Note that only Joker and muru's answers are correct, only parsing user/group conf files does not give you who has thesudo
permission and who has not....if a user is insudo
group but thesudoers
file has nothing mentioned forsudo
group, then?
– heemayl
Apr 20 '15 at 16:32
add a comment |
Here is the answer: unix.stackexchange.com/a/140974/107084
– A.B.
Apr 20 '15 at 11:00
1
I find this one nice unix.stackexchange.com/questions/50785/…
– JoKeR
Apr 20 '15 at 11:31
@JoKeR nice and tricky
– Maythux
Apr 20 '15 at 11:33
1
Note that only Joker and muru's answers are correct, only parsing user/group conf files does not give you who has thesudo
permission and who has not....if a user is insudo
group but thesudoers
file has nothing mentioned forsudo
group, then?
– heemayl
Apr 20 '15 at 16:32
Here is the answer: unix.stackexchange.com/a/140974/107084
– A.B.
Apr 20 '15 at 11:00
Here is the answer: unix.stackexchange.com/a/140974/107084
– A.B.
Apr 20 '15 at 11:00
1
1
I find this one nice unix.stackexchange.com/questions/50785/…
– JoKeR
Apr 20 '15 at 11:31
I find this one nice unix.stackexchange.com/questions/50785/…
– JoKeR
Apr 20 '15 at 11:31
@JoKeR nice and tricky
– Maythux
Apr 20 '15 at 11:33
@JoKeR nice and tricky
– Maythux
Apr 20 '15 at 11:33
1
1
Note that only Joker and muru's answers are correct, only parsing user/group conf files does not give you who has the
sudo
permission and who has not....if a user is in sudo
group but the sudoers
file has nothing mentioned for sudo
group, then?– heemayl
Apr 20 '15 at 16:32
Note that only Joker and muru's answers are correct, only parsing user/group conf files does not give you who has the
sudo
permission and who has not....if a user is in sudo
group but the sudoers
file has nothing mentioned for sudo
group, then?– heemayl
Apr 20 '15 at 16:32
add a comment |
7 Answers
7
active
oldest
votes
If you just need to list the sudoers listed in the sudo
group, I think that the best way to do it would be to run this command (which should be computationally lighter than any of the other commands in this answer):
grep -Po '^sudo.+:K.*$' /etc/group
Also as suggested in the comments by muru, the format of the entries in /etc/group
can be easily handled by cut
:
grep '^sudo:.*$' /etc/group | cut -d: -f4
Also again as suggested in the comments by muru, one can use getent
in place of grep
:
getent group sudo | cut -d: -f4
Any of these commands will print all the users listed in the sudo
group in /etc/group
(if any).
Command #1 breakdown:
grep
: Prints all the lines matching a regex in a file
-P
: makesgrep
match Perl-style regexes
o
: makesgrep
print only the matched string
'^sudo.+:K.*$'
: makesgrep
match the regex between the quotes
Regex #1 breakdown:
- Any character or group of characters not listed matches the character or the group of characters itself
^
: start of line
.+
: one or more characters
K
: discard the previous match
.*
: zero or more characters
$
: end of line
Command #2 breakdown:
grep
: Prints all the lines matching a regex in a file
'^sudo.+:K.*$'
: makesgrep
match the regex between the quotes
cut
: Prints only a specified section of each line in a file
-d:
: makescut
interpret:
as a field delimiter
-f4
: makescut
print only the fourth field
Regex #2 breakdown:
- Any character or group of characters not listed matches the character or the group of characters itself
^
: start of line
.*
: zero or more characters
$
: end of line
3
-1: this won't catch other users or groups who may have been added to sudoers, or external sources like LDAP, and boy is it an ugly way to do this.getent group sudo | cut -d: -f4
, or use awk, but either way remember that group and passwd have fixed formats, with delimiters.
– muru
Apr 20 '15 at 13:06
@muru You're right, I updated my answer
– kos
Apr 20 '15 at 13:47
@kos Also note the you really should usegetent group
- you don't need the grep at all.getent group foo
is likegrep foo /etc/group
, but more capable.
– muru
Apr 20 '15 at 13:51
@muru I didn't knowgetent
at all, any tought on howgrep
andgetent
compare computationally? Would it be lighter to rungetent
?
– kos
Apr 20 '15 at 14:02
1
This answer assumes that all sudoers are members of thesudo
group. Some unixes have other groups such aswheel
. The answer by @muru will include all sudoers no matter what groups they are in.
– Simon Woodside
Mar 14 '17 at 6:17
|
show 4 more comments
As it stated here I consider the simpliest way to discover with -l
& -U
options together, just type users
it will list e.g.: John
then:
If the user has sudo
access, it will print the level of sudo
access for that particular user:
sudo -l -U John
User John may run the following commands on this host:
(ALL : ALL) ALL
If the user don't have sudo access, it will print that a user is not allowed to run sudo
on localhost:
sudo -l -U John
User John is not allowed to run sudo on localhost.
2
You could loop through all the normal users and return the details on them using something like:for u in $(awk -F'[/:]' '{if($3>=1000&&$3!=65534) print $1}' /etc/passwd); do sudo -lU "$u" ; done
. quick hack nothing guaranteed :)
– Wilf
Jun 8 '15 at 20:09
This also works in a active directory setup. For instance you can pick a user from some special group and check on the user. If you added the AD group correctly something like"%domain admins@mycompany.intra" ALL=(ALL) ALL
then it works. You saved me a lot of time, because I was unaware this works for non-local users as well.
– AdamKalisz
May 26 '17 at 10:11
add a comment |
As it has already been stated, the answer can be found on Unix & Linux Stack Exchange:
This shows that user "saml" is a member of the wheel group.
$ getent group wheel
wheel:x:10:saml
The only difference is that the group in Ubuntu is not wheel
, but sudo
(or admin
in older versions of Ubuntu). So the command becomes:
getent group sudo
add a comment |
Expanding on the sudo -l -U
test, one can use getent passwd
to determine the users who can use sudo
. Using getent
allows us to access users who may not be present in the passwd
file, such as LDAP users:
getent passwd | cut -f1 -d: | sudo xargs -L1 sudo -l -U | grep -v 'not allowed'
sudo -U
does not return a non-zero exit value that we could take advantage of, so we are reduced to grepping the output.
This is the best answer because it doesn't assume that there is a group calledsudo
.
– Simon Woodside
Mar 14 '17 at 6:15
add a comment |
This command returns a list of users with sudo rights:
awk -F ":" '{ system("groups " $1 " | grep -P "[[:space:]]sudo([[:space:]]|$)"") }' /etc/passwd
Output is (e.g.):
<username> : <username> adm cdrom sudo dip plugdev lpadmin sambashare docker
If only the user name to be displayed, then this command:
awk -F ":" '{ system("groups " $1 " | grep -P "[[:space:]]sudo([[:space:]]|$)"") }' | awk -F ":" '{ print $1 }' /etc/passwd
1
it shows more users than the sudoers. It needs some modifications
– Maythux
Apr 20 '15 at 11:12
@NewUSer Is that better?
– A.B.
Apr 20 '15 at 11:24
Much better. Gd work
– Maythux
Apr 20 '15 at 11:26
add a comment |
On most Unix-like systems, that have the sudo command, and have a sudo configuration file; running visudo as root:
:~$ sudo bash
or
:~$ su
:~# visudo
will allow an administrator to inspect and amend the privileges of groups that can use the sudo command.
On Debian based Unix-like systems, like Ubuntu, the groups 4 and 27 generally have access rights to the sudo privileges.
Group 4 is the administrator group (adm) and group 27 is the sudo gid.
To see what users are currently assigned to these groups cat the /etc/group file as shown below:
:~$ cat /etc/group
A sample output, on Ubuntu (but not Redhat based, Oracle Solaris/Solaris based, or BSD based systems) would yield this:
adm:x:4:youruser
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:youruser,mybrother
floppy:x:25:
tape:x:26:
sudo:x:27:youruser,mybrother
As we can tell, youruser is the administrator of the system, and member of
group 4 (adm). But youruser and mybrother are both members of group 27, which is the gid (group identification) number of group sudo. So mybrother can also attain root privileges (super user).
Many linux systems like Fedora and Slackware, incorporate the wheel group gid=10. Which allows administrator privileges when the sudo command is applied. On BSD based systems (e.g. FreeBSD), the root user is a member of the wheel group which is gid 0.
Also by using the id command any user can find the group information of another known user to the system.
For Example:
:~$ id mybrother
Sample output
uid=1001(mybrother) gid=1001(mybrother) groups=1001(mybrother),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
add a comment |
Command -
cat group | grep sudo
Output -
sudo:x:27:Tom,Stacy
Tom,Stacy are the users with sudo privilages
1
Tom,Stacy are the users with sudo privilages
– XYZ
Jan 11 at 6:10
Welcome to Ask Ubuntu! Just to let you know, this is a useless use ofcat
.
– David Foerster
Jan 11 at 8:37
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f611584%2fhow-could-i-list-all-super-users%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
7 Answers
7
active
oldest
votes
7 Answers
7
active
oldest
votes
active
oldest
votes
active
oldest
votes
If you just need to list the sudoers listed in the sudo
group, I think that the best way to do it would be to run this command (which should be computationally lighter than any of the other commands in this answer):
grep -Po '^sudo.+:K.*$' /etc/group
Also as suggested in the comments by muru, the format of the entries in /etc/group
can be easily handled by cut
:
grep '^sudo:.*$' /etc/group | cut -d: -f4
Also again as suggested in the comments by muru, one can use getent
in place of grep
:
getent group sudo | cut -d: -f4
Any of these commands will print all the users listed in the sudo
group in /etc/group
(if any).
Command #1 breakdown:
grep
: Prints all the lines matching a regex in a file
-P
: makesgrep
match Perl-style regexes
o
: makesgrep
print only the matched string
'^sudo.+:K.*$'
: makesgrep
match the regex between the quotes
Regex #1 breakdown:
- Any character or group of characters not listed matches the character or the group of characters itself
^
: start of line
.+
: one or more characters
K
: discard the previous match
.*
: zero or more characters
$
: end of line
Command #2 breakdown:
grep
: Prints all the lines matching a regex in a file
'^sudo.+:K.*$'
: makesgrep
match the regex between the quotes
cut
: Prints only a specified section of each line in a file
-d:
: makescut
interpret:
as a field delimiter
-f4
: makescut
print only the fourth field
Regex #2 breakdown:
- Any character or group of characters not listed matches the character or the group of characters itself
^
: start of line
.*
: zero or more characters
$
: end of line
3
-1: this won't catch other users or groups who may have been added to sudoers, or external sources like LDAP, and boy is it an ugly way to do this.getent group sudo | cut -d: -f4
, or use awk, but either way remember that group and passwd have fixed formats, with delimiters.
– muru
Apr 20 '15 at 13:06
@muru You're right, I updated my answer
– kos
Apr 20 '15 at 13:47
@kos Also note the you really should usegetent group
- you don't need the grep at all.getent group foo
is likegrep foo /etc/group
, but more capable.
– muru
Apr 20 '15 at 13:51
@muru I didn't knowgetent
at all, any tought on howgrep
andgetent
compare computationally? Would it be lighter to rungetent
?
– kos
Apr 20 '15 at 14:02
1
This answer assumes that all sudoers are members of thesudo
group. Some unixes have other groups such aswheel
. The answer by @muru will include all sudoers no matter what groups they are in.
– Simon Woodside
Mar 14 '17 at 6:17
|
show 4 more comments
If you just need to list the sudoers listed in the sudo
group, I think that the best way to do it would be to run this command (which should be computationally lighter than any of the other commands in this answer):
grep -Po '^sudo.+:K.*$' /etc/group
Also as suggested in the comments by muru, the format of the entries in /etc/group
can be easily handled by cut
:
grep '^sudo:.*$' /etc/group | cut -d: -f4
Also again as suggested in the comments by muru, one can use getent
in place of grep
:
getent group sudo | cut -d: -f4
Any of these commands will print all the users listed in the sudo
group in /etc/group
(if any).
Command #1 breakdown:
grep
: Prints all the lines matching a regex in a file
-P
: makesgrep
match Perl-style regexes
o
: makesgrep
print only the matched string
'^sudo.+:K.*$'
: makesgrep
match the regex between the quotes
Regex #1 breakdown:
- Any character or group of characters not listed matches the character or the group of characters itself
^
: start of line
.+
: one or more characters
K
: discard the previous match
.*
: zero or more characters
$
: end of line
Command #2 breakdown:
grep
: Prints all the lines matching a regex in a file
'^sudo.+:K.*$'
: makesgrep
match the regex between the quotes
cut
: Prints only a specified section of each line in a file
-d:
: makescut
interpret:
as a field delimiter
-f4
: makescut
print only the fourth field
Regex #2 breakdown:
- Any character or group of characters not listed matches the character or the group of characters itself
^
: start of line
.*
: zero or more characters
$
: end of line
3
-1: this won't catch other users or groups who may have been added to sudoers, or external sources like LDAP, and boy is it an ugly way to do this.getent group sudo | cut -d: -f4
, or use awk, but either way remember that group and passwd have fixed formats, with delimiters.
– muru
Apr 20 '15 at 13:06
@muru You're right, I updated my answer
– kos
Apr 20 '15 at 13:47
@kos Also note the you really should usegetent group
- you don't need the grep at all.getent group foo
is likegrep foo /etc/group
, but more capable.
– muru
Apr 20 '15 at 13:51
@muru I didn't knowgetent
at all, any tought on howgrep
andgetent
compare computationally? Would it be lighter to rungetent
?
– kos
Apr 20 '15 at 14:02
1
This answer assumes that all sudoers are members of thesudo
group. Some unixes have other groups such aswheel
. The answer by @muru will include all sudoers no matter what groups they are in.
– Simon Woodside
Mar 14 '17 at 6:17
|
show 4 more comments
If you just need to list the sudoers listed in the sudo
group, I think that the best way to do it would be to run this command (which should be computationally lighter than any of the other commands in this answer):
grep -Po '^sudo.+:K.*$' /etc/group
Also as suggested in the comments by muru, the format of the entries in /etc/group
can be easily handled by cut
:
grep '^sudo:.*$' /etc/group | cut -d: -f4
Also again as suggested in the comments by muru, one can use getent
in place of grep
:
getent group sudo | cut -d: -f4
Any of these commands will print all the users listed in the sudo
group in /etc/group
(if any).
Command #1 breakdown:
grep
: Prints all the lines matching a regex in a file
-P
: makesgrep
match Perl-style regexes
o
: makesgrep
print only the matched string
'^sudo.+:K.*$'
: makesgrep
match the regex between the quotes
Regex #1 breakdown:
- Any character or group of characters not listed matches the character or the group of characters itself
^
: start of line
.+
: one or more characters
K
: discard the previous match
.*
: zero or more characters
$
: end of line
Command #2 breakdown:
grep
: Prints all the lines matching a regex in a file
'^sudo.+:K.*$'
: makesgrep
match the regex between the quotes
cut
: Prints only a specified section of each line in a file
-d:
: makescut
interpret:
as a field delimiter
-f4
: makescut
print only the fourth field
Regex #2 breakdown:
- Any character or group of characters not listed matches the character or the group of characters itself
^
: start of line
.*
: zero or more characters
$
: end of line
If you just need to list the sudoers listed in the sudo
group, I think that the best way to do it would be to run this command (which should be computationally lighter than any of the other commands in this answer):
grep -Po '^sudo.+:K.*$' /etc/group
Also as suggested in the comments by muru, the format of the entries in /etc/group
can be easily handled by cut
:
grep '^sudo:.*$' /etc/group | cut -d: -f4
Also again as suggested in the comments by muru, one can use getent
in place of grep
:
getent group sudo | cut -d: -f4
Any of these commands will print all the users listed in the sudo
group in /etc/group
(if any).
Command #1 breakdown:
grep
: Prints all the lines matching a regex in a file
-P
: makesgrep
match Perl-style regexes
o
: makesgrep
print only the matched string
'^sudo.+:K.*$'
: makesgrep
match the regex between the quotes
Regex #1 breakdown:
- Any character or group of characters not listed matches the character or the group of characters itself
^
: start of line
.+
: one or more characters
K
: discard the previous match
.*
: zero or more characters
$
: end of line
Command #2 breakdown:
grep
: Prints all the lines matching a regex in a file
'^sudo.+:K.*$'
: makesgrep
match the regex between the quotes
cut
: Prints only a specified section of each line in a file
-d:
: makescut
interpret:
as a field delimiter
-f4
: makescut
print only the fourth field
Regex #2 breakdown:
- Any character or group of characters not listed matches the character or the group of characters itself
^
: start of line
.*
: zero or more characters
$
: end of line
edited Apr 20 '15 at 14:55
answered Apr 20 '15 at 11:57
koskos
25.4k870120
25.4k870120
3
-1: this won't catch other users or groups who may have been added to sudoers, or external sources like LDAP, and boy is it an ugly way to do this.getent group sudo | cut -d: -f4
, or use awk, but either way remember that group and passwd have fixed formats, with delimiters.
– muru
Apr 20 '15 at 13:06
@muru You're right, I updated my answer
– kos
Apr 20 '15 at 13:47
@kos Also note the you really should usegetent group
- you don't need the grep at all.getent group foo
is likegrep foo /etc/group
, but more capable.
– muru
Apr 20 '15 at 13:51
@muru I didn't knowgetent
at all, any tought on howgrep
andgetent
compare computationally? Would it be lighter to rungetent
?
– kos
Apr 20 '15 at 14:02
1
This answer assumes that all sudoers are members of thesudo
group. Some unixes have other groups such aswheel
. The answer by @muru will include all sudoers no matter what groups they are in.
– Simon Woodside
Mar 14 '17 at 6:17
|
show 4 more comments
3
-1: this won't catch other users or groups who may have been added to sudoers, or external sources like LDAP, and boy is it an ugly way to do this.getent group sudo | cut -d: -f4
, or use awk, but either way remember that group and passwd have fixed formats, with delimiters.
– muru
Apr 20 '15 at 13:06
@muru You're right, I updated my answer
– kos
Apr 20 '15 at 13:47
@kos Also note the you really should usegetent group
- you don't need the grep at all.getent group foo
is likegrep foo /etc/group
, but more capable.
– muru
Apr 20 '15 at 13:51
@muru I didn't knowgetent
at all, any tought on howgrep
andgetent
compare computationally? Would it be lighter to rungetent
?
– kos
Apr 20 '15 at 14:02
1
This answer assumes that all sudoers are members of thesudo
group. Some unixes have other groups such aswheel
. The answer by @muru will include all sudoers no matter what groups they are in.
– Simon Woodside
Mar 14 '17 at 6:17
3
3
-1: this won't catch other users or groups who may have been added to sudoers, or external sources like LDAP, and boy is it an ugly way to do this.
getent group sudo | cut -d: -f4
, or use awk, but either way remember that group and passwd have fixed formats, with delimiters.– muru
Apr 20 '15 at 13:06
-1: this won't catch other users or groups who may have been added to sudoers, or external sources like LDAP, and boy is it an ugly way to do this.
getent group sudo | cut -d: -f4
, or use awk, but either way remember that group and passwd have fixed formats, with delimiters.– muru
Apr 20 '15 at 13:06
@muru You're right, I updated my answer
– kos
Apr 20 '15 at 13:47
@muru You're right, I updated my answer
– kos
Apr 20 '15 at 13:47
@kos Also note the you really should use
getent group
- you don't need the grep at all. getent group foo
is like grep foo /etc/group
, but more capable.– muru
Apr 20 '15 at 13:51
@kos Also note the you really should use
getent group
- you don't need the grep at all. getent group foo
is like grep foo /etc/group
, but more capable.– muru
Apr 20 '15 at 13:51
@muru I didn't know
getent
at all, any tought on how grep
and getent
compare computationally? Would it be lighter to run getent
?– kos
Apr 20 '15 at 14:02
@muru I didn't know
getent
at all, any tought on how grep
and getent
compare computationally? Would it be lighter to run getent
?– kos
Apr 20 '15 at 14:02
1
1
This answer assumes that all sudoers are members of the
sudo
group. Some unixes have other groups such as wheel
. The answer by @muru will include all sudoers no matter what groups they are in.– Simon Woodside
Mar 14 '17 at 6:17
This answer assumes that all sudoers are members of the
sudo
group. Some unixes have other groups such as wheel
. The answer by @muru will include all sudoers no matter what groups they are in.– Simon Woodside
Mar 14 '17 at 6:17
|
show 4 more comments
As it stated here I consider the simpliest way to discover with -l
& -U
options together, just type users
it will list e.g.: John
then:
If the user has sudo
access, it will print the level of sudo
access for that particular user:
sudo -l -U John
User John may run the following commands on this host:
(ALL : ALL) ALL
If the user don't have sudo access, it will print that a user is not allowed to run sudo
on localhost:
sudo -l -U John
User John is not allowed to run sudo on localhost.
2
You could loop through all the normal users and return the details on them using something like:for u in $(awk -F'[/:]' '{if($3>=1000&&$3!=65534) print $1}' /etc/passwd); do sudo -lU "$u" ; done
. quick hack nothing guaranteed :)
– Wilf
Jun 8 '15 at 20:09
This also works in a active directory setup. For instance you can pick a user from some special group and check on the user. If you added the AD group correctly something like"%domain admins@mycompany.intra" ALL=(ALL) ALL
then it works. You saved me a lot of time, because I was unaware this works for non-local users as well.
– AdamKalisz
May 26 '17 at 10:11
add a comment |
As it stated here I consider the simpliest way to discover with -l
& -U
options together, just type users
it will list e.g.: John
then:
If the user has sudo
access, it will print the level of sudo
access for that particular user:
sudo -l -U John
User John may run the following commands on this host:
(ALL : ALL) ALL
If the user don't have sudo access, it will print that a user is not allowed to run sudo
on localhost:
sudo -l -U John
User John is not allowed to run sudo on localhost.
2
You could loop through all the normal users and return the details on them using something like:for u in $(awk -F'[/:]' '{if($3>=1000&&$3!=65534) print $1}' /etc/passwd); do sudo -lU "$u" ; done
. quick hack nothing guaranteed :)
– Wilf
Jun 8 '15 at 20:09
This also works in a active directory setup. For instance you can pick a user from some special group and check on the user. If you added the AD group correctly something like"%domain admins@mycompany.intra" ALL=(ALL) ALL
then it works. You saved me a lot of time, because I was unaware this works for non-local users as well.
– AdamKalisz
May 26 '17 at 10:11
add a comment |
As it stated here I consider the simpliest way to discover with -l
& -U
options together, just type users
it will list e.g.: John
then:
If the user has sudo
access, it will print the level of sudo
access for that particular user:
sudo -l -U John
User John may run the following commands on this host:
(ALL : ALL) ALL
If the user don't have sudo access, it will print that a user is not allowed to run sudo
on localhost:
sudo -l -U John
User John is not allowed to run sudo on localhost.
As it stated here I consider the simpliest way to discover with -l
& -U
options together, just type users
it will list e.g.: John
then:
If the user has sudo
access, it will print the level of sudo
access for that particular user:
sudo -l -U John
User John may run the following commands on this host:
(ALL : ALL) ALL
If the user don't have sudo access, it will print that a user is not allowed to run sudo
on localhost:
sudo -l -U John
User John is not allowed to run sudo on localhost.
edited Apr 13 '17 at 12:37
Community♦
1
1
answered Apr 20 '15 at 11:40
JoKeRJoKeR
4,91543353
4,91543353
2
You could loop through all the normal users and return the details on them using something like:for u in $(awk -F'[/:]' '{if($3>=1000&&$3!=65534) print $1}' /etc/passwd); do sudo -lU "$u" ; done
. quick hack nothing guaranteed :)
– Wilf
Jun 8 '15 at 20:09
This also works in a active directory setup. For instance you can pick a user from some special group and check on the user. If you added the AD group correctly something like"%domain admins@mycompany.intra" ALL=(ALL) ALL
then it works. You saved me a lot of time, because I was unaware this works for non-local users as well.
– AdamKalisz
May 26 '17 at 10:11
add a comment |
2
You could loop through all the normal users and return the details on them using something like:for u in $(awk -F'[/:]' '{if($3>=1000&&$3!=65534) print $1}' /etc/passwd); do sudo -lU "$u" ; done
. quick hack nothing guaranteed :)
– Wilf
Jun 8 '15 at 20:09
This also works in a active directory setup. For instance you can pick a user from some special group and check on the user. If you added the AD group correctly something like"%domain admins@mycompany.intra" ALL=(ALL) ALL
then it works. You saved me a lot of time, because I was unaware this works for non-local users as well.
– AdamKalisz
May 26 '17 at 10:11
2
2
You could loop through all the normal users and return the details on them using something like:
for u in $(awk -F'[/:]' '{if($3>=1000&&$3!=65534) print $1}' /etc/passwd); do sudo -lU "$u" ; done
. quick hack nothing guaranteed :)– Wilf
Jun 8 '15 at 20:09
You could loop through all the normal users and return the details on them using something like:
for u in $(awk -F'[/:]' '{if($3>=1000&&$3!=65534) print $1}' /etc/passwd); do sudo -lU "$u" ; done
. quick hack nothing guaranteed :)– Wilf
Jun 8 '15 at 20:09
This also works in a active directory setup. For instance you can pick a user from some special group and check on the user. If you added the AD group correctly something like
"%domain admins@mycompany.intra" ALL=(ALL) ALL
then it works. You saved me a lot of time, because I was unaware this works for non-local users as well.– AdamKalisz
May 26 '17 at 10:11
This also works in a active directory setup. For instance you can pick a user from some special group and check on the user. If you added the AD group correctly something like
"%domain admins@mycompany.intra" ALL=(ALL) ALL
then it works. You saved me a lot of time, because I was unaware this works for non-local users as well.– AdamKalisz
May 26 '17 at 10:11
add a comment |
As it has already been stated, the answer can be found on Unix & Linux Stack Exchange:
This shows that user "saml" is a member of the wheel group.
$ getent group wheel
wheel:x:10:saml
The only difference is that the group in Ubuntu is not wheel
, but sudo
(or admin
in older versions of Ubuntu). So the command becomes:
getent group sudo
add a comment |
As it has already been stated, the answer can be found on Unix & Linux Stack Exchange:
This shows that user "saml" is a member of the wheel group.
$ getent group wheel
wheel:x:10:saml
The only difference is that the group in Ubuntu is not wheel
, but sudo
(or admin
in older versions of Ubuntu). So the command becomes:
getent group sudo
add a comment |
As it has already been stated, the answer can be found on Unix & Linux Stack Exchange:
This shows that user "saml" is a member of the wheel group.
$ getent group wheel
wheel:x:10:saml
The only difference is that the group in Ubuntu is not wheel
, but sudo
(or admin
in older versions of Ubuntu). So the command becomes:
getent group sudo
As it has already been stated, the answer can be found on Unix & Linux Stack Exchange:
This shows that user "saml" is a member of the wheel group.
$ getent group wheel
wheel:x:10:saml
The only difference is that the group in Ubuntu is not wheel
, but sudo
(or admin
in older versions of Ubuntu). So the command becomes:
getent group sudo
edited Apr 13 '17 at 12:37
Community♦
1
1
answered Apr 20 '15 at 11:02
Andrea CorbelliniAndrea Corbellini
12k24465
12k24465
add a comment |
add a comment |
Expanding on the sudo -l -U
test, one can use getent passwd
to determine the users who can use sudo
. Using getent
allows us to access users who may not be present in the passwd
file, such as LDAP users:
getent passwd | cut -f1 -d: | sudo xargs -L1 sudo -l -U | grep -v 'not allowed'
sudo -U
does not return a non-zero exit value that we could take advantage of, so we are reduced to grepping the output.
This is the best answer because it doesn't assume that there is a group calledsudo
.
– Simon Woodside
Mar 14 '17 at 6:15
add a comment |
Expanding on the sudo -l -U
test, one can use getent passwd
to determine the users who can use sudo
. Using getent
allows us to access users who may not be present in the passwd
file, such as LDAP users:
getent passwd | cut -f1 -d: | sudo xargs -L1 sudo -l -U | grep -v 'not allowed'
sudo -U
does not return a non-zero exit value that we could take advantage of, so we are reduced to grepping the output.
This is the best answer because it doesn't assume that there is a group calledsudo
.
– Simon Woodside
Mar 14 '17 at 6:15
add a comment |
Expanding on the sudo -l -U
test, one can use getent passwd
to determine the users who can use sudo
. Using getent
allows us to access users who may not be present in the passwd
file, such as LDAP users:
getent passwd | cut -f1 -d: | sudo xargs -L1 sudo -l -U | grep -v 'not allowed'
sudo -U
does not return a non-zero exit value that we could take advantage of, so we are reduced to grepping the output.
Expanding on the sudo -l -U
test, one can use getent passwd
to determine the users who can use sudo
. Using getent
allows us to access users who may not be present in the passwd
file, such as LDAP users:
getent passwd | cut -f1 -d: | sudo xargs -L1 sudo -l -U | grep -v 'not allowed'
sudo -U
does not return a non-zero exit value that we could take advantage of, so we are reduced to grepping the output.
answered Apr 20 '15 at 13:26
murumuru
1
1
This is the best answer because it doesn't assume that there is a group calledsudo
.
– Simon Woodside
Mar 14 '17 at 6:15
add a comment |
This is the best answer because it doesn't assume that there is a group calledsudo
.
– Simon Woodside
Mar 14 '17 at 6:15
This is the best answer because it doesn't assume that there is a group called
sudo
.– Simon Woodside
Mar 14 '17 at 6:15
This is the best answer because it doesn't assume that there is a group called
sudo
.– Simon Woodside
Mar 14 '17 at 6:15
add a comment |
This command returns a list of users with sudo rights:
awk -F ":" '{ system("groups " $1 " | grep -P "[[:space:]]sudo([[:space:]]|$)"") }' /etc/passwd
Output is (e.g.):
<username> : <username> adm cdrom sudo dip plugdev lpadmin sambashare docker
If only the user name to be displayed, then this command:
awk -F ":" '{ system("groups " $1 " | grep -P "[[:space:]]sudo([[:space:]]|$)"") }' | awk -F ":" '{ print $1 }' /etc/passwd
1
it shows more users than the sudoers. It needs some modifications
– Maythux
Apr 20 '15 at 11:12
@NewUSer Is that better?
– A.B.
Apr 20 '15 at 11:24
Much better. Gd work
– Maythux
Apr 20 '15 at 11:26
add a comment |
This command returns a list of users with sudo rights:
awk -F ":" '{ system("groups " $1 " | grep -P "[[:space:]]sudo([[:space:]]|$)"") }' /etc/passwd
Output is (e.g.):
<username> : <username> adm cdrom sudo dip plugdev lpadmin sambashare docker
If only the user name to be displayed, then this command:
awk -F ":" '{ system("groups " $1 " | grep -P "[[:space:]]sudo([[:space:]]|$)"") }' | awk -F ":" '{ print $1 }' /etc/passwd
1
it shows more users than the sudoers. It needs some modifications
– Maythux
Apr 20 '15 at 11:12
@NewUSer Is that better?
– A.B.
Apr 20 '15 at 11:24
Much better. Gd work
– Maythux
Apr 20 '15 at 11:26
add a comment |
This command returns a list of users with sudo rights:
awk -F ":" '{ system("groups " $1 " | grep -P "[[:space:]]sudo([[:space:]]|$)"") }' /etc/passwd
Output is (e.g.):
<username> : <username> adm cdrom sudo dip plugdev lpadmin sambashare docker
If only the user name to be displayed, then this command:
awk -F ":" '{ system("groups " $1 " | grep -P "[[:space:]]sudo([[:space:]]|$)"") }' | awk -F ":" '{ print $1 }' /etc/passwd
This command returns a list of users with sudo rights:
awk -F ":" '{ system("groups " $1 " | grep -P "[[:space:]]sudo([[:space:]]|$)"") }' /etc/passwd
Output is (e.g.):
<username> : <username> adm cdrom sudo dip plugdev lpadmin sambashare docker
If only the user name to be displayed, then this command:
awk -F ":" '{ system("groups " $1 " | grep -P "[[:space:]]sudo([[:space:]]|$)"") }' | awk -F ":" '{ print $1 }' /etc/passwd
edited Apr 20 '15 at 13:08
muru
1
1
answered Apr 20 '15 at 11:12
A.B.A.B.
68.3k12168256
68.3k12168256
1
it shows more users than the sudoers. It needs some modifications
– Maythux
Apr 20 '15 at 11:12
@NewUSer Is that better?
– A.B.
Apr 20 '15 at 11:24
Much better. Gd work
– Maythux
Apr 20 '15 at 11:26
add a comment |
1
it shows more users than the sudoers. It needs some modifications
– Maythux
Apr 20 '15 at 11:12
@NewUSer Is that better?
– A.B.
Apr 20 '15 at 11:24
Much better. Gd work
– Maythux
Apr 20 '15 at 11:26
1
1
it shows more users than the sudoers. It needs some modifications
– Maythux
Apr 20 '15 at 11:12
it shows more users than the sudoers. It needs some modifications
– Maythux
Apr 20 '15 at 11:12
@NewUSer Is that better?
– A.B.
Apr 20 '15 at 11:24
@NewUSer Is that better?
– A.B.
Apr 20 '15 at 11:24
Much better. Gd work
– Maythux
Apr 20 '15 at 11:26
Much better. Gd work
– Maythux
Apr 20 '15 at 11:26
add a comment |
On most Unix-like systems, that have the sudo command, and have a sudo configuration file; running visudo as root:
:~$ sudo bash
or
:~$ su
:~# visudo
will allow an administrator to inspect and amend the privileges of groups that can use the sudo command.
On Debian based Unix-like systems, like Ubuntu, the groups 4 and 27 generally have access rights to the sudo privileges.
Group 4 is the administrator group (adm) and group 27 is the sudo gid.
To see what users are currently assigned to these groups cat the /etc/group file as shown below:
:~$ cat /etc/group
A sample output, on Ubuntu (but not Redhat based, Oracle Solaris/Solaris based, or BSD based systems) would yield this:
adm:x:4:youruser
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:youruser,mybrother
floppy:x:25:
tape:x:26:
sudo:x:27:youruser,mybrother
As we can tell, youruser is the administrator of the system, and member of
group 4 (adm). But youruser and mybrother are both members of group 27, which is the gid (group identification) number of group sudo. So mybrother can also attain root privileges (super user).
Many linux systems like Fedora and Slackware, incorporate the wheel group gid=10. Which allows administrator privileges when the sudo command is applied. On BSD based systems (e.g. FreeBSD), the root user is a member of the wheel group which is gid 0.
Also by using the id command any user can find the group information of another known user to the system.
For Example:
:~$ id mybrother
Sample output
uid=1001(mybrother) gid=1001(mybrother) groups=1001(mybrother),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
add a comment |
On most Unix-like systems, that have the sudo command, and have a sudo configuration file; running visudo as root:
:~$ sudo bash
or
:~$ su
:~# visudo
will allow an administrator to inspect and amend the privileges of groups that can use the sudo command.
On Debian based Unix-like systems, like Ubuntu, the groups 4 and 27 generally have access rights to the sudo privileges.
Group 4 is the administrator group (adm) and group 27 is the sudo gid.
To see what users are currently assigned to these groups cat the /etc/group file as shown below:
:~$ cat /etc/group
A sample output, on Ubuntu (but not Redhat based, Oracle Solaris/Solaris based, or BSD based systems) would yield this:
adm:x:4:youruser
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:youruser,mybrother
floppy:x:25:
tape:x:26:
sudo:x:27:youruser,mybrother
As we can tell, youruser is the administrator of the system, and member of
group 4 (adm). But youruser and mybrother are both members of group 27, which is the gid (group identification) number of group sudo. So mybrother can also attain root privileges (super user).
Many linux systems like Fedora and Slackware, incorporate the wheel group gid=10. Which allows administrator privileges when the sudo command is applied. On BSD based systems (e.g. FreeBSD), the root user is a member of the wheel group which is gid 0.
Also by using the id command any user can find the group information of another known user to the system.
For Example:
:~$ id mybrother
Sample output
uid=1001(mybrother) gid=1001(mybrother) groups=1001(mybrother),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
add a comment |
On most Unix-like systems, that have the sudo command, and have a sudo configuration file; running visudo as root:
:~$ sudo bash
or
:~$ su
:~# visudo
will allow an administrator to inspect and amend the privileges of groups that can use the sudo command.
On Debian based Unix-like systems, like Ubuntu, the groups 4 and 27 generally have access rights to the sudo privileges.
Group 4 is the administrator group (adm) and group 27 is the sudo gid.
To see what users are currently assigned to these groups cat the /etc/group file as shown below:
:~$ cat /etc/group
A sample output, on Ubuntu (but not Redhat based, Oracle Solaris/Solaris based, or BSD based systems) would yield this:
adm:x:4:youruser
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:youruser,mybrother
floppy:x:25:
tape:x:26:
sudo:x:27:youruser,mybrother
As we can tell, youruser is the administrator of the system, and member of
group 4 (adm). But youruser and mybrother are both members of group 27, which is the gid (group identification) number of group sudo. So mybrother can also attain root privileges (super user).
Many linux systems like Fedora and Slackware, incorporate the wheel group gid=10. Which allows administrator privileges when the sudo command is applied. On BSD based systems (e.g. FreeBSD), the root user is a member of the wheel group which is gid 0.
Also by using the id command any user can find the group information of another known user to the system.
For Example:
:~$ id mybrother
Sample output
uid=1001(mybrother) gid=1001(mybrother) groups=1001(mybrother),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
On most Unix-like systems, that have the sudo command, and have a sudo configuration file; running visudo as root:
:~$ sudo bash
or
:~$ su
:~# visudo
will allow an administrator to inspect and amend the privileges of groups that can use the sudo command.
On Debian based Unix-like systems, like Ubuntu, the groups 4 and 27 generally have access rights to the sudo privileges.
Group 4 is the administrator group (adm) and group 27 is the sudo gid.
To see what users are currently assigned to these groups cat the /etc/group file as shown below:
:~$ cat /etc/group
A sample output, on Ubuntu (but not Redhat based, Oracle Solaris/Solaris based, or BSD based systems) would yield this:
adm:x:4:youruser
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:youruser,mybrother
floppy:x:25:
tape:x:26:
sudo:x:27:youruser,mybrother
As we can tell, youruser is the administrator of the system, and member of
group 4 (adm). But youruser and mybrother are both members of group 27, which is the gid (group identification) number of group sudo. So mybrother can also attain root privileges (super user).
Many linux systems like Fedora and Slackware, incorporate the wheel group gid=10. Which allows administrator privileges when the sudo command is applied. On BSD based systems (e.g. FreeBSD), the root user is a member of the wheel group which is gid 0.
Also by using the id command any user can find the group information of another known user to the system.
For Example:
:~$ id mybrother
Sample output
uid=1001(mybrother) gid=1001(mybrother) groups=1001(mybrother),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
edited Jun 8 '15 at 22:00
answered Jun 8 '15 at 20:13
oOpSgEooOpSgEo
40629
40629
add a comment |
add a comment |
Command -
cat group | grep sudo
Output -
sudo:x:27:Tom,Stacy
Tom,Stacy are the users with sudo privilages
1
Tom,Stacy are the users with sudo privilages
– XYZ
Jan 11 at 6:10
Welcome to Ask Ubuntu! Just to let you know, this is a useless use ofcat
.
– David Foerster
Jan 11 at 8:37
add a comment |
Command -
cat group | grep sudo
Output -
sudo:x:27:Tom,Stacy
Tom,Stacy are the users with sudo privilages
1
Tom,Stacy are the users with sudo privilages
– XYZ
Jan 11 at 6:10
Welcome to Ask Ubuntu! Just to let you know, this is a useless use ofcat
.
– David Foerster
Jan 11 at 8:37
add a comment |
Command -
cat group | grep sudo
Output -
sudo:x:27:Tom,Stacy
Tom,Stacy are the users with sudo privilages
Command -
cat group | grep sudo
Output -
sudo:x:27:Tom,Stacy
Tom,Stacy are the users with sudo privilages
edited Jan 11 at 8:35
tinlyx
78721023
78721023
answered Jan 11 at 6:09
XYZXYZ
1
1
1
Tom,Stacy are the users with sudo privilages
– XYZ
Jan 11 at 6:10
Welcome to Ask Ubuntu! Just to let you know, this is a useless use ofcat
.
– David Foerster
Jan 11 at 8:37
add a comment |
1
Tom,Stacy are the users with sudo privilages
– XYZ
Jan 11 at 6:10
Welcome to Ask Ubuntu! Just to let you know, this is a useless use ofcat
.
– David Foerster
Jan 11 at 8:37
1
1
Tom,Stacy are the users with sudo privilages
– XYZ
Jan 11 at 6:10
Tom,Stacy are the users with sudo privilages
– XYZ
Jan 11 at 6:10
Welcome to Ask Ubuntu! Just to let you know, this is a useless use of
cat
.– David Foerster
Jan 11 at 8:37
Welcome to Ask Ubuntu! Just to let you know, this is a useless use of
cat
.– David Foerster
Jan 11 at 8:37
add a comment |
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f611584%2fhow-could-i-list-all-super-users%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Here is the answer: unix.stackexchange.com/a/140974/107084
– A.B.
Apr 20 '15 at 11:00
1
I find this one nice unix.stackexchange.com/questions/50785/…
– JoKeR
Apr 20 '15 at 11:31
@JoKeR nice and tricky
– Maythux
Apr 20 '15 at 11:33
1
Note that only Joker and muru's answers are correct, only parsing user/group conf files does not give you who has the
sudo
permission and who has not....if a user is insudo
group but thesudoers
file has nothing mentioned forsudo
group, then?– heemayl
Apr 20 '15 at 16:32