LinuxQuestions.org

Linux - General: Listing sudo commands assigned to a group (https://www.linuxquestions.org/questions/linux-general-1/listing-sudo-commands-assigned-to-a-group-4175475286/)

devUnix 08-30-2013 03:33 AM

Listing sudo commands assigned to a group
 
I want to list the sudo permissions of / commands allowed to be executed by all the members of a given group, but this one is not working:


Code:

# sudo -l -g Production-Support.GG
usage: sudo -h | -K | -k | -L | -V
usage: sudo -v [-AknS] [-p prompt]
usage: sudo -l[l] [-AknS] [-g groupname|#gid] [-p prompt] [-U username] [-u username|#uid] [-g groupname|#gid]
            [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C fd] [-g groupname|#gid] [-p prompt] [-u username|#uid] [-g
            groupname|#gid] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C fd] [-g groupname|#gid] [-p prompt] [-u username|#uid] file ...

I used the GID in place of the group name, but I still get the same usage message as shown above.

I can however list the sudo commands assigned to a user:


Code:

# sudo -l -U Jack
Matching Defaults entries for Jack on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User Jack may run the following commands on this host:
    (root) NOPASSWD: /bin/ls
    (root) NOPASSWD: /bin/view

How do I do the same thing for a group?

druuna 08-30-2013 03:49 AM

There is no option available for what you want/need.

-U (in combination with -l) does this for users.

The -u and -g options are there to run commands as a different user than root (have a look at the sudo manual page).

There is no -G option.

Firerat 08-30-2013 04:16 AM

Code:

sudo grep "%Production-Support.GG" /etc/sudoers* -r
but Jack can't run that... Yet..

Code:

sudo view
# assuming it is vi/vim
:!bash # or some other shell
# you now have full root
grep "%Production-Support.GG" /etc/sudoers* -r

Fix the 'exploit' in sudoers:
Code:

Jack ALL=(root) NOPASSWD: NOEXEC: /usr/bin/view
but still, since Jack can edit any file as root, they can remove NOEXEC: and get full root again.
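The two points above, druuna's "there is no -G option" and Firerat's shell-escape warning, worked through in an added bash script that is not part of the thread and not from any of the posters. It does a static scan of the sudoers tree (following #includedir, joining continuation lines, skipping comments) for rules that name %GROUP, defines the per-member `sudo -l -U` loop as the dynamic alternative, and then audits the matched rules for commands with shell escapes, distinguishing rules that carry NOEXEC:. Assumptions: bash, GNU grep/sed and getent; the function names and the sudoers files it scans are mine, written as a constructed fixture into a temp dir.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Workarounds for the missing "sudo -l -G":
#   1. a static scan of sudoers (following #includedir) for rules naming %GROUP, and
#   2. a dynamic check that asks sudo itself, per group member, via "sudo -l -U".
# It also flags commands with shell escapes, the problem Firerat points out.
# Assumptions: bash, GNU grep/sed, getent; the sudoers fixture below is constructed.

# Print every sudoers line from FILE, descending into #include / #includedir
# (@include / @includedir in sudo 1.9) and joining backslash-continued lines.
collect_sudoers() {
    local f="$1" line acc="" d inc
    [ -r "$f" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#include '*|'@include '*) collect_sudoers "${line#* }" ;;
            '#includedir '*|'@includedir '*)
                d="${line#* }"
                for inc in "$d"/*; do
                    case "${inc##*/}" in *.*|*~) continue ;; esac  # sudo ignores these names
                    if [ -f "$inc" ]; then collect_sudoers "$inc"; fi
                done ;;
            *\\) acc="$acc${line%?}" ;;                           # continuation line
            *)   printf '%s\n' "$acc$line"; acc="" ;;
        esac
    done < "$f"
    [ -n "$acc" ] && printf '%s\n' "$acc"                        # unterminated continuation
    return 0
}

# Static view: non-comment rules whose user list names %GROUP. Caveat: a group
# reached through a User_Alias/Group_Alias or written as %#GID is not resolved here.
rules_for_group() {
    local group="$1" file="${2:-/etc/sudoers}" g
    g=$(printf '%s' "$group" | sed 's/[][\.*^$+?(){}|]/\\&/g')   # escape regex metachars
    collect_sudoers "$file" \
        | grep -v '^[[:space:]]*#' \
        | grep -E "(^|[[:space:],])%$g([[:space:],]|$)"
}

# Dynamic view: what sudo itself reports for each member of GROUP. sudoers restricts
# -U to root (or users allowed to run ALL), and getent only lists supplementary
# members, so users whose primary group is GROUP must be checked separately.
members_sudo_l() {
    local group="$1" m
    getent group "$group" | cut -d: -f4 | tr ',' '\n' | while read -r m; do
        [ -n "$m" ] || continue
        printf '== %s ==\n' "$m"
        sudo -l -U "$m"
    done
}

# Audit: commands with a shell escape (":!" in vi/vim/view/ex, "!" in less/more/man,
# -exec in find, system() in awk/perl/python). NOEXEC: blocks those escapes, but an
# editor still writes files as root, which is what Firerat's last line is about.
SHELL_ESCAPE_CMDS='vi|vim|view|vimdiff|ex|less|more|man|find|awk|perl|python[0-9.]*'
flag_shell_escapes() {
    local rule
    grep -E "(^|[[:space:]/])($SHELL_ESCAPE_CMDS)([[:space:],]|$)" | while IFS= read -r rule; do
        case "$rule" in
            *NOEXEC:*) printf 'WARN (NOEXEC, but can still edit files as root): %s\n' "$rule" ;;
            *)         printf 'CRIT (shell escape): %s\n' "$rule" ;;
        esac
    done
}

# Constructed sudoers tree in a temp dir (not a real host's config); prints the main file path.
make_fixture() {
    local dir
    dir=$(mktemp -d)
    mkdir "$dir/sudoers.d"
    cat > "$dir/sudoers" <<EOF
Defaults env_reset
# %Production-Support.GG mentioned in a comment must be ignored
Jack ALL=(root) NOPASSWD: /bin/ls, /bin/view
%Production-Support.GG ALL=(root) NOPASSWD: /usr/bin/view, \\
/bin/ls
%wheel ALL=(ALL) ALL
#includedir $dir/sudoers.d
EOF
    printf '%%Production-Support.GG ALL=(root) NOEXEC: /usr/bin/view\n' > "$dir/sudoers.d/ops"
    printf '%%Production-Support.GG ALL=(ALL) ALL\n' > "$dir/sudoers.d/ops.bak"   # skipped by sudo
    printf '%s\n' "$dir/sudoers"
}

# Demo on the fixture (on a real host: rules_for_group GROUP; members_sudo_l GROUP).
fixture=$(make_fixture)
printf '== rules for %s ==\n' '%Production-Support.GG'
rules_for_group Production-Support.GG "$fixture"
printf '== shell-escape audit ==\n'
rules_for_group Production-Support.GG "$fixture" | flag_shell_escapes
rm -rf "$(dirname "$fixture")"
```

The static scan is only as good as its text match: aliases and %#GID entries are not expanded, so treat `members_sudo_l` (sudo's own answer for each member) as the authoritative view and the scan as the quick audit. Any rule the audit marks CRIT is root in one keystroke; a WARN rule with NOEXEC: still lets the user rewrite sudoers itself, as the post above says.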

