Possible to check ability to sudo before sudo’ing

sudo

I'm writing a small utility program. I'd like it to attempt to sudo-run something if required.

That is: if file permissions don't allow the current user to operate on a particular file (and sudo rules would allow it) I'd like my utility to sudo-run something as the owner of the file.

I'm hoping to check this ability beforehand, because I'd prefer that system logs don't fill up with noise from failed sudo attempts. As sudo itself reports upon failure: "This incident will be reported".

So, I'm hoping to programatically check: can user <x> run command <y> via sudo?.

Here's the problem: while /etc/sudoers contains that mapping, it's root-owned and not readable by regular users.

I was considering spawning a subprocess to run sudo -l (which outputs commands that the current user can sudo-run). I would then parse the output of this.
However, this seems a little fragile. The output contains the information I want, but it seems like it was designed for humans to read (not for programmatic consumption). I don't know if there's any guarantee that the output will follow the same format in future, or across different platforms.

Is programmatic parsing of sudo -l output considered safe? If not, are there any better options, to determine ahead of time whether a sudo command would succeed?

(background on the X/Y: This utility is for use by a limited-access role account. I expect some other users to effectively opt in to allow the limited-access account to operate on their files via sudo rules. However, I won't know ahead of time which of those other users have the relevant sudo rule in place)

Best Answer

According to the sudo man page:

 -l, --list  If no command is specified, list the allowed (and forbidden)
             commands for the invoking user (or the user specified by the
             -U option) on the current host.  A longer list format is used
             if this option is specified multiple times and the security
             policy supports a verbose output format.

             If a command is specified and is permitted by the security
             policy, the fully-qualified path to the command is displayed
             along with any command line arguments.  If command is
             specified but not allowed, sudo will exit with a status value
             of 1.

so this will boil down to

if sudo -l -U $USER shutdown > /dev/null
then
   ## $USER can
else
   ## $USER cannot
fi

As pointed out by Muru, use either -U $USER or -U $USERTOTEST or nothing, depending on your need.

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

This looks like an intentional configuration in Arch Linux. See this for discussion with links to solutions.

The best tip there seems to be adding "DISPLAY XAUTHORITY" to to the "env_keep" defaults in /etc/sudoers.

Fedora has in /etc/sudoers the following and this allows sudo somexapp to succeed.

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Security – Is Passwordless Sudo for `apt-get update` and `apt-get upgrade` Safe?

Allowing a less trusted user to run apt-get update is ok. They worst they can do is consume a lot of bandwidth and fill up some disk space, and they have plenty of other means to do this unless you've taken stringent measures to prevent this.

Allowing a user to run apt-get upgrade is likely to give them root access. Some packages query the user and might allow a shell escape; for example the user who has access to the terminal that apt-get upgrade (or any dpkg -i call) is running on might get prompted for what to do if a configuration file has been updated, and one of the options there is to run a shell to examine the situation.

You need to restrict the command some more:

#!/bin/sh
set -ex
exec </dev/null >"/var/log/automatic-apt-upgrade-$(date +%Y%m%d-%H%M%S)-$SUDO_USER.log" 2>&1
apt-get --assume-no upgrade

This shouldn't give the user a way to become root, since they can't interact with the package manager. As upgrades can sometimes break a system, and a user with only these permissions wouldn't be able to repair anything, this should only be done with a stable release, with only security updates pending. If it's a kernel update, let a user with full root access decide when to trigger a reboot.

By the way, the user wouldn't be able to inject package content — to do that, they'd need to be in control of the server distributing the package, and in addition to the server signing the package if the package is signed (which is the case for all official sources). It's irrelevant for this attack vector who's in command of the machine at the time of the upgrade.

All this being said… use unattended-upgrades, if that's what you want.

Best Answer

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

Security – Is Passwordless Sudo for `apt-get update` and `apt-get upgrade` Safe?

Related Question