How could I list all super users?
I want a command to list all users who have root privileges i.e. sudo ? Suppose I’m a sudoer user. How could I know all other sudoer users?
Note that only Joker and muru’s answers are correct, only parsing user/group conf files does not give you who has the sudo permission and who has not. if a user is in sudo group but the sudoers file has nothing mentioned for sudo group, then?
9 Answers 9
If you just need to list the sudoers listed in the sudo group, I think that the best way to do it would be to run this command (which should be computationally lighter than any of the other commands in this answer):
Also as suggested in the comments by muru, the format of the entries in /etc/group can be easily handled by cut :
grep '^sudo:.*$' /etc/group | cut -d: -f4 Also again as suggested in the comments by muru, one can use getent in place of grep :
getent group sudo | cut -d: -f4 Any of these commands will print all the users listed in the sudo group in /etc/group (if any).
- grep : Prints all the lines matching a regex in a file
- -P : makes grep match Perl-style regexes
- o : makes grep print only the matched string
- ‘^sudo.+:\K.*$’ : makes grep match the regex between the quotes
- Any character or group of characters not listed matches the character or the group of characters itself
- ^ : start of line
- .+ : one or more characters
- \K : discard the previous match
- .* : zero or more characters
- $ : end of line
- grep : Prints all the lines matching a regex in a file
- ‘^sudo.+:\K.*$’ : makes grep match the regex between the quotes
- cut : Prints only a specified section of each line in a file
- -d: : makes cut interpret : as a field delimiter
- -f4 : makes cut print only the fourth field
- Any character or group of characters not listed matches the character or the group of characters itself
- ^ : start of line
- .* : zero or more characters
- $ : end of line
-1: this won’t catch other users or groups who may have been added to sudoers, or external sources like LDAP, and boy is it an ugly way to do this. getent group sudo | cut -d: -f4 , or use awk, but either way remember that group and passwd have fixed formats, with delimiters.
@kos Also note the you really should use getent group — you don’t need the grep at all. getent group foo is like grep foo /etc/group , but more capable.
@muru I didn’t know getent at all, any tought on how grep and getent compare computationally? Would it be lighter to run getent ?
This answer assumes that all sudoers are members of the sudo group. Some unixes have other groups such as wheel . The answer by @muru will include all sudoers no matter what groups they are in.
As it stated here I consider the simpliest way to discover with -l & -U options together, just type users it will list e.g.: John then:
If the user has sudo access, it will print the level of sudo access for that particular user:
sudo -l -U John User John may run the following commands on this host: (ALL : ALL) ALL If the user don’t have sudo access, it will print that a user is not allowed to run sudo on localhost:
sudo -l -U John User John is not allowed to run sudo on localhost. You could loop through all the normal users and return the details on them using something like: for u in $(awk -F'[/:]’ ‘
This also works in a active directory setup. For instance you can pick a user from some special group and check on the user. If you added the AD group correctly something like «%domain admins@mycompany.intra» ALL=(ALL) ALL then it works. You saved me a lot of time, because I was unaware this works for non-local users as well.
Expanding on the sudo -l -U test, one can use getent passwd to determine the users who can use sudo . Using getent allows us to access users who may not be present in the passwd file, such as LDAP users:
getent passwd | cut -f1 -d: | sudo xargs -L1 sudo -l -U | grep -v 'not allowed' sudo -U does not return a non-zero exit value that we could take advantage of, so we are reduced to grepping the output.
As it has already been stated, the answer can be found on Unix & Linux Stack Exchange:
This shows that user «saml» is a member of the wheel group.
$ getent group wheel wheel:x:10:saml The only difference is that the group in Ubuntu is not wheel , but sudo (or admin in older versions of Ubuntu). So the command becomes:
What do these numbers mean? I did geten group and I see a lot of different numbers. My original question is, how to find out if a user is a system user (created with useradd -r )
Tom, Stacy are the users with sudo privileges.
On most Unix-like systems, that have the sudo command, and have a sudo configuration file; running visudo as root:
will allow an administrator to inspect and amend the privileges of groups that can use the sudo command.
On Debian based Unix-like systems, like Ubuntu, the groups 4 and 27 generally have access rights to the sudo privileges.
Group 4 is the administrator group (adm) and group 27 is the sudo gid.
To see what users are currently assigned to these groups cat the /etc/group file as shown below:
A sample output, on Ubuntu (but not Redhat based, Oracle Solaris/Solaris based, or BSD based systems) would yield this:
adm:x:4:youruser tty:x:5: disk:x:6: lp:x:7: mail:x:8: news:x:9: uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20: fax:x:21: voice:x:22: cdrom:x:24:youruser,mybrother floppy:x:25: tape:x:26: sudo:x:27:youruser,mybrother As we can tell, youruser is the administrator of the system, and member of group 4 (adm). But youruser and mybrother are both members of group 27, which is the gid (group identification) number of group sudo. So mybrother can also attain root privileges (super user).
Many linux systems like Fedora and Slackware, incorporate the wheel group gid=10. Which allows administrator privileges when the sudo command is applied. On BSD based systems (e.g. FreeBSD), the root user is a member of the wheel group which is gid 0.
Also by using the id command any user can find the group information of another known user to the system.
uid=1001(mybrother) gid=1001(mybrother) groups=1001(mybrother),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) This command returns a list of users with sudo rights:
: adm cdrom sudo dip plugdev lpadmin sambashare docker If only the user name to be displayed, then this command:
awk -F ":" '< system("groups " $1 " | grep -P \"[[:space:]]sudo([[:space:]]|$)\"") >' | awk -F ":" '< print $1 >' /etc/passwd I was stumped about how the vagrant user can use sudo even without being mentioned in /etc/sudoers nor in /etc/group nor found with getent .
Turns out sudo also reads entries from all files under /etc/sudoers.d/ . So if you haven’t looked through that directory, you may not realize how many users actually have sudo access.
This kind of sudo access can be detected by JoKeR’s answer using sudo -l -U vagrant but is not detected by any of the other answers here which all rely on either getent or /etc/group .
It is worth noting that the reason for this is these lines in the config file (/etc/sudoers): #includedir /etc/sudoers.d
Based on answers from @muru and @kos, but with some optimizations.
The getent group sudo command lists only users who have the sudo group. The rest of the commands test whether the user is actually capable of running as root. There are also other additions to improve the formatting of the output.
if [ -z $(getent group sudo) ]; then printf "\n >>>>>>>>>>> NO ENTRIES >>>>>>>>>> CAN RUN COMMANDS AS ROOT >>>>>>>>>>>\n\nMatching Defaults entries/g' | sed '$a\\'; fi >>>>>>>>>>> CAN RUN COMMANDS AS ROOT >>>>>>>>>>> Matching Defaults entries for may_user_i on localhost: !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User may_user_i may run the following commands on localhost: (ALL) ALL (ALL) ALL >>>>>>>>>>> CAN RUN COMMANDS AS ROOT >>>>>>>>>>> Matching Defaults entries for may_user_ii on localhost: !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User may_user_ii may run the following commands on localhost: (ALL) ALL How to Know if a User has Sudo Rights
This tutorial shows how to find out if a user is sudoer or not. You’ll also learn to list all sudo users on your Linux system.
Wondering if you have sudo rights on your system? It’s easy to verify. Just run any command with sudo. If you don’t have sudo rights, you should see it in the output:
[email protected]:~$ sudo -v Sorry, user standard may not run sudo on linuxhandbook.That’s cool! But what about checking if any other user has got sudo rights? You can totally do that. Let me show you how.
How to test whether a user has sudo privileges or not
There are a few ways to check if a Linux user can use sudo or not. Here are a couple of them.
Method 1: Check if user is sudoer with the sudo command
The sudo command itself gives you an option to check if a user can run commands with sudo or not. In fact, it tells you what commands a certain user can run with sudo.
To check the sudo access for a user, run the following command:
If the user can run a few or all commands with sudo, you should see an output like this:
Matching Defaults entries for abhi on test-server: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User abhi may run the following commands on test-server: (ALL : ALL) NOPASSWD: ALLAs you can see, the user abhi can run all commands with sudo access. If the user doesn’t have sudo rights, you should see an output like this:
User abhi is not allowed to run sudo on test-server.If you want to check whether or not you have sudoer rights and which commands you can run with sudo, you can use the same command, just don’t provide the user name.
This command also shows what commands are forbidden for you to run with sudo. Yes, that’s right. You can configure what commands can be run with sudo and what cannot. This is useful in an environment where the dev team needs to run only a certain applications with sudo. Limiting their use of sudo to these applications only will help the system from unwarranted misuse of the sudo rights by the hands of the developers.
Method 2: Check if user is part of the sudo group
Another way to find out if a user has sudo access is by checking if the said user is member of the sudo group.
There are several ways to check the groups of a user in Linux. The easiest and my favorite way is to use the groups command like this:
If you see the group ‘sudo’ in the output, the user is a member of the sudo group and it should have sudo access.
[email protected]:~$ groups abhi abhi : abhi sudoBonus Tip: How to find all sudo users in your system
Okay, so you learned to check if a user has sudo access or not. How about listing all the sudoers in your Linux systems?
This is simple if you have followed the article so far. All you need to do is to list the members of the sudo group.
In Linux, there are multiple ways to achieve the same result. Unsurprisingly, you have multiple ways to list the members of a group in Linux.
To list all sudo users of your system, list the members of the sudo group in the following manner:
And this would list all the sudoers:
[email protected]:~$ getent group sudo sudo:x:27:abhi,seeniThat’s it. I hope now you know how to find if you have sudo rights or if other users has sudoer rights.
If you have some other cool tip on this topic, please leave a comment below.