Ssh – Test whether a user has sudo privileges without requiring user input

sshsudo

I have a local shell script that performs a number of tests on a remote host, before delivering the payload; one of these tests being whether the user has sudo privileges, checked simply with sudo -v however this requires the user to enter their password. Additionally the remote host seems to have instant sudo timeout so the password entry is required on every new connection, and this is something I don't have permission to change (as a policy).

I can of course test whether the user is part of certain groups, but then this would not be agnostic to the remote host configuration, so I was hoping there's a method that can check that doesn't need to assume the user's groups, as well as not needing user input?

Thanks!

UPDATE: To echo my comments, I only want to test whether a user could possibly sudo, without requiring user interaction for that test.

Best Answer

I'm afraid the only thing you can test is if the user has sudo privileges without a password.

Execute

sudo -n true

If $? is 0, the user has sudo access without a password, if $? is 1, the user needs a password.

If you need verification for a specific program, change true with your program, in a way the program doesn't do anything, like chmod --help

Related Solutions

Ubuntu execute python script at logon as root after user logon

rc.local is run at system boot, so well before a user logs on.

You have two options for running the script. One is to use visudo(8) to set up the command to allow to be run, with a NOPASSWD: tag in the command entry, and then just use sudo to start the command, perhaps from /etc/profile and whatever other files are needed for whichever shells people might use. It might be as simple as dropping something in /etc/profile.d/ if that exists. Eg, if everyone who logs in will be in group video then when you run visudo you'd want a rule like:

%video  ALL=NOPASSWD: /path/to/Linux_Asus_AI_remote.py

and then you'd invoke with:

sudo /path/to/Linux_Asus_AI_remote.py

The other option is to use pam_exec to run a command after login while still root; it's cleaner but more dangerous because if you make mistakes you can hose your system and be unable to login. If you want to examine this, read up on the PAM modules and how authentication and authorisation work and look in /etc/pam.d/; also, think carefully about how you'll restrict this to only happen for appropriate users.

Whichever method you choose, you'll probably want to make sure that this does not happen if logging in as root, to reduce the gunk that's involved in letting the admin user get into the system.

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Best Answer

Related Solutions

Ubuntu execute python script at logon as root after user logon

Ssh-agent forwarding and sudo to another user

Related Topic