Sudoers list?
Erik Christiansen
erik at dd.nec.com.au
Thu Apr 6 05:43:29 UTC 2006
On Wed, Apr 05, 2006 at 12:01:15PM +0200, Dennis Kaarsemaker wrote:
> On wo, 2006-04-05 at 17:24 +1000, Matt Palmer wrote:
> > That's far from a complete solution -- I might grant a specific
> > privileges in /etc/sudoers because I want to use some of the many
> > features that sudo provides to manage the granting of privileges (and
> > ain't there a *lot* of them!)
>
> True, but short of writing your own parser for /etc/sudoers and having
> root access to read it, there's no way to reliably do something even
> remotely like checking whether a user can use sudo to run a specific
> command.

If sudo has timed out, the password is required before the privileged
install action can be effected. By asking for it in time to use it for
the "am I a sudoer" query (sudo -v), it is still only entered once, and
the script can choose the install path based on this information, as
Daniel seems to need. e.g.:

#!/bin/bash
echo "Please authenticate this install. (If sudo has timed out):"
sudo -v
if [ $? -eq 0 ] ; then
    echo Can use privileged directories.
    sudo touch /home/elephant    # <- Install action (2nd sudo)
else
    echo Cannot use privileged directories.
fi

For a sudoer, this rips straight into the privileged install if
sudo has not timed out, but after a password prompt if it has.
If the password attempts fail, or when used by a non-privileged user,
the non-privileged path is taken.

Testing for privileged user:
----------------------------
$ /tmp/fred
Please authenticate this install. (If sudo has timed out):
Password: <fumble & ^C out>
Cannot use privileged directories.

$ /tmp/fred
Please authenticate this install. (If sudo has timed out):
Password: <correct password>
Can use privileged directories.

and unprivileged:
-----------------
$ sudo su nobody
sh-3.00$ /tmp/fred
Please authenticate this install. (If sudo has timed out):
Password:
Sorry, user nobody may not run sudo on dvalin.
Cannot use privileged directories.

This seems to be fairly close to checking whether a user can use sudo to
do what Daniel requires, IIUC.

Erik
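
Added example, not part of the original post: the thread asks whether a script can tell if a user may run a *specific* command through sudo, and `sudo -v` only answers "may this user use sudo at all". The sketch below follows the `sudo -v` step with `sudo -l COMMAND`, which asks the sudoers policy about one command line. It assumes a sudo version that supports `-n` and `-l COMMAND`; `SUDO_BIN`, `can_sudo_run`, `pick_prefix` and the paths are hypothetical names chosen for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. SUDO_BIN, can_sudo_run and
# pick_prefix are hypothetical names; SUDO_BIN lets the logic be exercised
# against a stub instead of the real sudo.
SUDO_BIN=${SUDO_BIN:-sudo}

# Succeed only if the sudoers policy lets the invoking user run "$@".
can_sudo_run() {
    # Step 1: validate credentials once. This may prompt for a password and
    # fails for a wrong password or a user who is not in sudoers at all.
    "$SUDO_BIN" -v || return 1
    # Step 2: ask the policy about this exact command line. "sudo -l CMD"
    # exits non-zero when CMD is not permitted; -n forbids a second prompt.
    "$SUDO_BIN" -n -l "$@" >/dev/null 2>&1
}

# Usage: pick_prefix SYSTEM_PREFIX USER_PREFIX COMMAND [ARG...]
# Prints SYSTEM_PREFIX when sudo would allow COMMAND, else USER_PREFIX.
pick_prefix() {
    system_prefix=$1
    user_prefix=$2
    shift 2
    if can_sudo_run "$@"; then
        printf '%s\n' "$system_prefix"
    else
        printf '%s\n' "$user_prefix"
    fi
}

# Typical call in an installer (paths are constructed for illustration):
#   prefix=$(pick_prefix /usr/local "$HOME/.local" \
#            /usr/bin/install -d /usr/local/lib/myapp)
```

Because the check goes through sudo itself, the script never needs to read or parse /etc/sudoers, and the password is still entered at most once.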