I recently got into trouble because of this.
$sudo vim /etc/motd
[sudo] password for bruce:
bruce is not in the sudoers file. This incident will be reported.Is there a way to check if I have sudo access or not?
312 Answers
Run sudo -v. It is usually used to extend your sudo password timeout, but can be used for determining whether you have any sudo privileges.
$ sudo -v
Sorry, user [username] may not run sudo on [hostname].Man page excerpt:
If given the -v (validate) option, sudo will update the user’s time stamp, prompting for the user’s password if necessary. This extends the sudo timeout for another 5 minutes (or whatever the timeout is set to in sudoers) but does not run a command.
If your user is only allowed to run specific commands, this command will work, indicating you are allowed to run something with different privileges. While the message looks different when trying to execute a command you're not allowed to in this case (and no mail is sent to root), it's still possible you'll get into trouble if the admins read /var/log/secure.
$ sudo ls
[sudo] password for [username]:
Sorry, user [username] is not allowed to execute '/bin/ls' as root on [hostname].To find out what you're allowed to run with different privileges, you can use sudo -l. Note that this command requires you to enter your password.
This is very simple. Run sudo -l. This will list any sudo privileges you have.
Gerald Schade's answer here, can still be improved!
Use
prompt=$(sudo -nv 2>&1)
if [ $? -eq 0 ]; then # exit code of sudo-command is 0 echo "has_sudo__pass_set"
elif echo $prompt | grep -q '^sudo:'; then echo "has_sudo__needs_pass"
else echo "no_sudo"
fiHere's a complete example of usage in a script:
#!/usr/bin/env bash
is_root () { return $(id -u)
}
has_sudo() { local prompt prompt=$(sudo -nv 2>&1) if [ $? -eq 0 ]; then echo "has_sudo__pass_set" elif echo $prompt | grep -q '^sudo:'; then echo "has_sudo__needs_pass" else echo "no_sudo" fi
}
elevate_cmd () { local cmd=$@ HAS_SUDO=$(has_sudo) case "$HAS_SUDO" in has_sudo__pass_set) sudo $cmd ;; has_sudo__needs_pass) echo "Please supply sudo password for the following command: sudo $cmd" sudo $cmd ;; *) echo "Please supply root password for the following command: su -c \"$cmd\"" su -c "$cmd" ;; esac
}
if is_root; then echo "Error: need to call this script as a normal user, not as root!" exit 1
fi
elevate_cmd which adduserHere is the script-friendly version:
timeout 2 sudo id && echo Access granted || echo Access deniedsince it won't stuck on the password input if you do not have the sudo access.
You can also set it in a variable like:
timeout 2 sudo id && sudo="true" || sudo="false"
echo "$sudo"Note: On macOS, you need to install coreutils, e.g. brew install coreutils.
For me, 'sudo -v' and 'sudo -l' did not work in a script because sometimes interactive (asking me for a password, like mentioned above).
'sudo -n -l' did also not work, it gave the exit code '1' although I have sudo permissions, because of the missing password.
But extending the command to:
A=$(sudo -n -v 2>&1);test -z "$A" || echo $A|grep -q assworwas successful for me for the script.
This expression gives 0 if the current user can call 'sudo' and 1 if not.
Explanation:
The additional parameter -n to sudo prevents interactivity.
The output $A of the command 'sudo -n -v 2>&1' may be:
- empty (in this case, sudo can be called by the current user), or:
- a note that the current user is not authorized for sudo, or:
- a question text for the password (in this case, the user is authorized).
("asswor" will fit for an english "password" as well as for a German "Passwort").
i've got low rank to vote and comment, but i wanted to upvote Gerald Schade's answer, as i've found that the only way previously, and thought that no1 else knows it - til now :D
btw my solution:
[[ "$(whereis sudo)" == *'/'* && "$(sudo -nv 2>&1)" != 'Sorry, user'* ]](from the end of 2015 mwhahaaa)
1This should be enough to tell you if you have root or not:
sudo whoamiIf sudo asks for root password, or it does not work, it also means that you don't have root privileges (at least not through sudo).
"Sudo access" comes in flavors. Two primary flavors: First you, or a group your a member of, needs to be setup for sudo access in the /etc/sudoers file.
Secondly you need to know your password, or you need to have done a sudo command recently. Recently enough that the timeout hasn't expired. (Fun fact: you can make the time out very long in your sudoer's file.)
I often want to test for the second kind of access in the prolog of a script that will need to sudo some steps. When this check fails I can advise the user he needs to enable the 2nd kind of access before running the script.
bash-3.2$ if sudo -S -p '' echo -n < /dev/null 2> /dev/null ; then echo 'Sudo is enabled.' ; else echo 'Sudo is not enabled' ; fi
Sudo is enabled.
bash-3.2$ sudo -K
bash-3.2$ if sudo -S -p '' echo -n < /dev/null 2> /dev/null ; then echo 'Sudo is enabled.' ; else echo 'Sudo is not enabled' ; fi
Sudo is not enabledThe -S tells sudo to read the password from stdin. The -p sets an empty prompt. The -K clears the second time of access.
Since it sends stderr to /dev/null, it will also check if the user has the first type of sudo access.
# Verify if current user is root. local current_username=$(whoami) [[ "$current_username" == 'root' ]] && echo true && return 0 # Verify if sudo is installed. if [[ $(validate_apt 'sudo') == 'false' ]]; then echo false && return 0 fi # Verify if the current user belongs to groups 'sudo' or 'root'. local current_user_groups=$(groups $current_username) if [[ $current_user_groups == *'root'* ]] || [[ $current_user_groups == *'sudo'* ]]; then echo true && return 0 fi # Verify if file /etc/sudoers.d/username exists. if [[ -f /etc/sudoers.d/$current_username ]]; then echo true && return 0 fiI want to check sudo mode for nice script interactivity/error-checking.
I like Kenorb's answer which uses timeout, it didn't work for me though because of the default kill signal. So I edited this bit and sprinkled some additions as explained below.
timeout -s SIGKILL 5s sudo -v && (echo SUDO Access Granted ; exit 0) || (echo SUDO Access Denied ; exit 1)Explanation:
-s SIGKILLspecifiesSIGKILLas a kill signal. I prefer this overSIGSTOPsince it has less clutter in STDOUT. Full list of kill signals can be found here. Also SIGSTOP v.s. SIGKILL
The signals SIGKILL and SIGSTOP cannot be caught, blocked, or ignored.
5sdenotes 5 seconds, seconds is the default but you can also usemminutes orhhours. For a reference: DURATION parameter description inman timeoutsudo -vfor reasons specified in the selected answerexit 0andexit 1to represent success and failure exit status codes respectively. Full list of exit status codes can be found here 1, here 2 and here 3;was used to chain shell commands inline.&&and||are just some boolean expressions that usessudo -vexit code. If you're confused, it's just Boolean/Logical Short Circuit Evaluation
The code below returns a sentence that is better understandable for average user:
[ $(fgrep "${USER}" /etc/group | egrep -c ^"(sudo|wheel)\:") -eq 1 ] && echo -e "${USER} has sudo rights" || echo -e "${USER} has not sudo rights"(or there are Linux Distros with other group names for sudo than sudo and wheel ?)
1Follow these steps to view the sudoers file. If you're in there, you have sudo. If not, you can add yourself.
suvisudo- Bottom of the file, enter
your_username_here ALL=(ALL) ALL - Hit ESC and type
:wq - Type
exit - Re-run your command that needed
sudo - Enter your password (not the root's password)
