How could I list all super users?
I want a command to list all users who have root privileges i.e. sudo ? Suppose I’m a sudoer user. How could I know all other sudoer users?
Note that only Joker and muru’s answers are correct, only parsing user/group conf files does not give you who has the sudo permission and who has not. if a user is in sudo group but the sudoers file has nothing mentioned for sudo group, then?
9 Answers 9
If you just need to list the sudoers listed in the sudo group, I think that the best way to do it would be to run this command (which should be computationally lighter than any of the other commands in this answer):
Also as suggested in the comments by muru, the format of the entries in /etc/group can be easily handled by cut :
grep '^sudo:.*$' /etc/group | cut -d: -f4 Also again as suggested in the comments by muru, one can use getent in place of grep :
getent group sudo | cut -d: -f4 Any of these commands will print all the users listed in the sudo group in /etc/group (if any).
- grep : Prints all the lines matching a regex in a file
- -P : makes grep match Perl-style regexes
- o : makes grep print only the matched string
- ‘^sudo.+:\K.*$’ : makes grep match the regex between the quotes
- Any character or group of characters not listed matches the character or the group of characters itself
- ^ : start of line
- .+ : one or more characters
- \K : discard the previous match
- .* : zero or more characters
- $ : end of line
- grep : Prints all the lines matching a regex in a file
- ‘^sudo.+:\K.*$’ : makes grep match the regex between the quotes
- cut : Prints only a specified section of each line in a file
- -d: : makes cut interpret : as a field delimiter
- -f4 : makes cut print only the fourth field
- Any character or group of characters not listed matches the character or the group of characters itself
- ^ : start of line
- .* : zero or more characters
- $ : end of line
-1: this won’t catch other users or groups who may have been added to sudoers, or external sources like LDAP, and boy is it an ugly way to do this. getent group sudo | cut -d: -f4 , or use awk, but either way remember that group and passwd have fixed formats, with delimiters.
@kos Also note the you really should use getent group — you don’t need the grep at all. getent group foo is like grep foo /etc/group , but more capable.
@muru I didn’t know getent at all, any tought on how grep and getent compare computationally? Would it be lighter to run getent ?
This answer assumes that all sudoers are members of the sudo group. Some unixes have other groups such as wheel . The answer by @muru will include all sudoers no matter what groups they are in.
As it stated here I consider the simpliest way to discover with -l & -U options together, just type users it will list e.g.: John then:
If the user has sudo access, it will print the level of sudo access for that particular user:
sudo -l -U John User John may run the following commands on this host: (ALL : ALL) ALL If the user don’t have sudo access, it will print that a user is not allowed to run sudo on localhost:
sudo -l -U John User John is not allowed to run sudo on localhost. You could loop through all the normal users and return the details on them using something like: for u in $(awk -F'[/:]’ ‘
This also works in a active directory setup. For instance you can pick a user from some special group and check on the user. If you added the AD group correctly something like «%domain admins@mycompany.intra» ALL=(ALL) ALL then it works. You saved me a lot of time, because I was unaware this works for non-local users as well.
Expanding on the sudo -l -U test, one can use getent passwd to determine the users who can use sudo . Using getent allows us to access users who may not be present in the passwd file, such as LDAP users:
getent passwd | cut -f1 -d: | sudo xargs -L1 sudo -l -U | grep -v 'not allowed' sudo -U does not return a non-zero exit value that we could take advantage of, so we are reduced to grepping the output.
As it has already been stated, the answer can be found on Unix & Linux Stack Exchange:
This shows that user «saml» is a member of the wheel group.
$ getent group wheel wheel:x:10:saml The only difference is that the group in Ubuntu is not wheel , but sudo (or admin in older versions of Ubuntu). So the command becomes:
What do these numbers mean? I did geten group and I see a lot of different numbers. My original question is, how to find out if a user is a system user (created with useradd -r )
Tom, Stacy are the users with sudo privileges.
On most Unix-like systems, that have the sudo command, and have a sudo configuration file; running visudo as root:
will allow an administrator to inspect and amend the privileges of groups that can use the sudo command.
On Debian based Unix-like systems, like Ubuntu, the groups 4 and 27 generally have access rights to the sudo privileges.
Group 4 is the administrator group (adm) and group 27 is the sudo gid.
To see what users are currently assigned to these groups cat the /etc/group file as shown below:
A sample output, on Ubuntu (but not Redhat based, Oracle Solaris/Solaris based, or BSD based systems) would yield this:
adm:x:4:youruser tty:x:5: disk:x:6: lp:x:7: mail:x:8: news:x:9: uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20: fax:x:21: voice:x:22: cdrom:x:24:youruser,mybrother floppy:x:25: tape:x:26: sudo:x:27:youruser,mybrother As we can tell, youruser is the administrator of the system, and member of group 4 (adm). But youruser and mybrother are both members of group 27, which is the gid (group identification) number of group sudo. So mybrother can also attain root privileges (super user).
Many linux systems like Fedora and Slackware, incorporate the wheel group gid=10. Which allows administrator privileges when the sudo command is applied. On BSD based systems (e.g. FreeBSD), the root user is a member of the wheel group which is gid 0.
Also by using the id command any user can find the group information of another known user to the system.
uid=1001(mybrother) gid=1001(mybrother) groups=1001(mybrother),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) This command returns a list of users with sudo rights:
: adm cdrom sudo dip plugdev lpadmin sambashare docker If only the user name to be displayed, then this command:
awk -F ":" '< system("groups " $1 " | grep -P \"[[:space:]]sudo([[:space:]]|$)\"") >' | awk -F ":" '< print $1 >' /etc/passwd I was stumped about how the vagrant user can use sudo even without being mentioned in /etc/sudoers nor in /etc/group nor found with getent .
Turns out sudo also reads entries from all files under /etc/sudoers.d/ . So if you haven’t looked through that directory, you may not realize how many users actually have sudo access.
This kind of sudo access can be detected by JoKeR’s answer using sudo -l -U vagrant but is not detected by any of the other answers here which all rely on either getent or /etc/group .
It is worth noting that the reason for this is these lines in the config file (/etc/sudoers): #includedir /etc/sudoers.d
Based on answers from @muru and @kos, but with some optimizations.
The getent group sudo command lists only users who have the sudo group. The rest of the commands test whether the user is actually capable of running as root. There are also other additions to improve the formatting of the output.
if [ -z $(getent group sudo) ]; then printf "\n >>>>>>>>>>> NO ENTRIES >>>>>>>>>> CAN RUN COMMANDS AS ROOT >>>>>>>>>>>\n\nMatching Defaults entries/g' | sed '$a\\'; fi >>>>>>>>>>> CAN RUN COMMANDS AS ROOT >>>>>>>>>>> Matching Defaults entries for may_user_i on localhost: !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User may_user_i may run the following commands on localhost: (ALL) ALL (ALL) ALL >>>>>>>>>>> CAN RUN COMMANDS AS ROOT >>>>>>>>>>> Matching Defaults entries for may_user_ii on localhost: !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User may_user_ii may run the following commands on localhost: (ALL) ALL