How to check if I have sudo access?

Question

I recently got into trouble because of this.

$sudo vim /etc/motd 
[sudo] password for bruce: 
bruce is not in the sudoers file.  This incident will be reported.

Is there a way to check if I have sudo access or not?

Answer 1

Run sudo -v. It is usually used to extend your sudo password timeout, but can be used for determining whether you have any sudo privileges.

$ sudo -v
Sorry, user [username] may not run sudo on [hostname].

Man page excerpt:

If given the -v (validate) option, sudo will update the user’s time stamp, prompting for the user’s password if necessary. This extends the sudo timeout for another 5 minutes (or whatever the timeout is set to in sudoers) but does not run a command.

If your user is only allowed to run specific commands, this command will work, indicating you are allowed to run something with different privileges. While the message looks different when trying to execute a command you're not allowed to in this case (and no mail is sent to root), it's still possible you'll get into trouble if the admins read /var/log/secure.

$ sudo ls
[sudo] password for [username]: 
Sorry, user [username] is not allowed to execute '/bin/ls' as root on [hostname].

To find out what you're allowed to run with different privileges, you can use sudo -l. Note that this command requires you to enter your password.

Answer 2

This is very simple. Run sudo -l. This will list any sudo privileges you have.

Answer 3

Gerald Schade's answer here, can still be improved!

Use

prompt=$(sudo -nv 2>&1)
if [ $? -eq 0 ]; then
  # exit code of sudo-command is 0
  echo "has_sudo__pass_set"
elif echo $prompt | grep -q '^sudo:'; then
  echo "has_sudo__needs_pass"
else
  echo "no_sudo"
fi

Here's a complete example of usage in a script:

#!/usr/bin/env bash

is_root () {
    return $(id -u)
}

has_sudo() {
    local prompt

    prompt=$(sudo -nv 2>&1)
    if [ $? -eq 0 ]; then
    echo "has_sudo__pass_set"
    elif echo $prompt | grep -q '^sudo:'; then
    echo "has_sudo__needs_pass"
    else
    echo "no_sudo"
    fi
}

elevate_cmd () {
    local cmd=$@

    HAS_SUDO=$(has_sudo)

    case "$HAS_SUDO" in
    has_sudo__pass_set)
        sudo $cmd
        ;;
    has_sudo__needs_pass)
        echo "Please supply sudo password for the following command: sudo $cmd"
        sudo $cmd
        ;;
    *)
        echo "Please supply root password for the following command: su -c \"$cmd\""
        su -c "$cmd"
        ;;
    esac
}

if is_root; then
    echo "Error: need to call this script as a normal user, not as root!"
    exit 1
fi


elevate_cmd which adduser

Answer 4

Here is the script-friendly version:

timeout 2 sudo id && echo Access granted || echo Access denied

since it won't stuck on the password input if you do not have the sudo access.

You can also set it in a variable like:

timeout 2 sudo id && sudo="true" || sudo="false"
echo "$sudo"

^{Note: On macOS, you need to install coreutils, e.g. brew install coreutils.}

Answer 5

For me, 'sudo -v' and 'sudo -l' did not work in a script because sometimes interactive (asking me for a password, like mentioned above). 'sudo -n -l' did also not work, it gave the exit code '1' although I have sudo permissions, because of the missing password. But extending the command to:

A=$(sudo -n -v 2>&1);test -z "$A" || echo $A|grep -q asswor

was successful for me for the script. This expression gives 0 if the current user can call 'sudo' and 1 if not.

Explanation:
The additional parameter -n to sudo prevents interactivity.
The output $A of the command 'sudo -n -v 2>&1' may be:
- empty (in this case, sudo can be called by the current user), or:
- a note that the current user is not authorized for sudo, or:
- a question text for the password (in this case, the user is authorized).
("asswor" will fit for an english "password" as well as for a German "Passwort").

Answer 6

"Sudo access" comes in flavors. Two primary flavors: First you, or a group your a member of, needs to be setup for sudo access in the /etc/sudoers file.

Secondly you need to know your password, or you need to have done a sudo command recently. Recently enough that the timeout hasn't expired. (Fun fact: you can make the time out very long in your sudoer's file.)

I often want to test for the second kind of access in the prolog of a script that will need to sudo some steps. When this check fails I can advise the user he needs to enable the 2nd kind of access before running the script.

bash-3.2$ if sudo -S -p '' echo -n < /dev/null 2> /dev/null ; then echo 'Sudo is enabled.' ; else echo 'Sudo is not enabled' ; fi
Sudo is enabled.
bash-3.2$ sudo -K
bash-3.2$ if sudo -S -p '' echo -n < /dev/null 2> /dev/null ; then echo 'Sudo is enabled.' ; else echo 'Sudo is not enabled' ; fi
Sudo is not enabled

The -S tells sudo to read the password from stdin. The -p sets an empty prompt. The -K clears the second time of access.

Since it sends stderr to /dev/null, it will also check if the user has the first type of sudo access.

Answer 7

This should be enough to tell you if you have root or not:

sudo whoami

If sudo asks for root password, or it does not work, it also means that you don't have root privileges (at least not through sudo).

Answer 8

sudo -nv 2>/dev/null||sudo -v||exit 64

Answer 9

            # Verify if current user is root.
            local current_username=$(whoami)
            [[ "$current_username" == 'root' ]] && echo true && return 0

            # Verify if sudo is installed.
            if [[ $(validate_apt 'sudo') == 'false' ]]; then
                echo false && return 0
            fi

            # Verify if the current user belongs to groups 'sudo' or 'root'.
            local current_user_groups=$(groups $current_username)
            if [[ $current_user_groups == *'root'* ]] ||
                   [[ $current_user_groups == *'sudo'* ]]; then
                echo true && return 0
            fi

            # Verify if file /etc/sudoers.d/username exists.
            if [[ -f /etc/sudoers.d/$current_username ]]; then
                echo true && return 0
            fi

Answer 10

I want to check sudo mode for nice script interactivity/error-checking.

I like Kenorb's answer which uses timeout, it didn't work for me though because of the default kill signal. So I edited this bit and sprinkled some additions as explained below.

timeout -s SIGKILL 5s sudo -v && (echo SUDO Access Granted ; exit 0) || (echo SUDO Access Denied ; exit 1)

Explanation:

• -s SIGKILL specifies SIGKILL as a kill signal. I prefer this over SIGSTOP since it has less clutter in STDOUT. Full list of kill signals can be found here. Also SIGSTOP v.s. SIGKILL

The signals SIGKILL and SIGSTOP cannot be caught, blocked, or ignored.

• 5s denotes 5 seconds, seconds is the default but you can also use m minutes or h hours. For a reference: DURATION parameter description in man timeout
• sudo -v for reasons specified in the selected answer
• exit 0 and exit 1 to represent success and failure exit status codes respectively. Full list of exit status codes can be found here 1, here 2 and here 3
• ; was used to chain shell commands inline.
• && and || are just some boolean expressions that uses sudo -v exit code. If you're confused, it's just Boolean/Logical Short Circuit Evaluation

Answer 11

The code below returns a sentence that is better understandable for average user:

[ $(fgrep "${USER}" /etc/group | egrep -c ^"(sudo|wheel)\:") -eq 1 ] && echo -e "${USER} has sudo rights" || echo -e "${USER} has not sudo rights"

(or there are Linux Distros with other group names for sudo than sudo and wheel ?)

Answer 12

Follow these steps to view the sudoers file. If you're in there, you have sudo. If not, you can add yourself.

1. su
2. visudo
3. Bottom of the file, enter your_username_here ALL=(ALL) ALL
4. Hit ESC and type :wq
5. Type exit
6. Re-run your command that needed sudo
7. Enter your password (not the root's password)