I'm writing a small utility program. I'd like it to attempt to sudo
-run something if required.
That is: if file permissions don't allow the current user to operate on a particular file (and sudo
rules would allow it) I'd like my utility to sudo
-run something as the owner of the file.
I'm hoping to check this ability beforehand, because I'd prefer that system logs don't fill up with noise from failed sudo
attempts. As sudo
itself reports upon failure: "This incident will be reported".
So, I'm hoping to programatically check: can user <x>
run command <y>
via sudo
?.
Here's the problem: while /etc/sudoers
contains that mapping, it's root-owned and not readable by regular users.
I was considering spawning a subprocess to run sudo -l
(which outputs commands that the current user can sudo-run). I would then parse the output of this.
However, this seems a little fragile. The output contains the information I want, but it seems like it was designed for humans to read (not for programmatic consumption). I don't know if there's any guarantee that the output will follow the same format in future, or across different platforms.
Is programmatic parsing of sudo -l
output considered safe? If not, are there any better options, to determine ahead of time whether a sudo command would succeed?
(background on the X/Y: This utility is for use by a limited-access role account. I expect some other users to effectively opt in to allow the limited-access account to operate on their files via sudo rules. However, I won't know ahead of time which of those other users have the relevant sudo rule in place)
Best Answer
According to the sudo man page:
so this will boil down to
As pointed out by Muru, use either
-U $USER
or-U $USERTOTEST
or nothing, depending on your need.