How to check if a user has sudo access in Linux

Introduction

In this lab, you will learn how to check if a user has sudo access in Linux. You will explore three common methods: testing sudo privileges directly using sudo -l, examining the /etc/sudoers configuration file, and verifying if the user belongs to the sudo group.

By completing these steps, you will gain practical skills in understanding and verifying user permissions related to administrative tasks in a Linux environment.


Test sudo privileges with sudo -l

In this step, you will learn how to check your sudo privileges using the sudo -l command. sudo (SuperUser DO) allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.

The sudo -l command lists the commands that the user is allowed to run on the current host, or the commands allowed on a specified host.

Let's check the sudo privileges for the current user (labex). Open your terminal if it's not already open.

Type the following command and press Enter:

sudo -l

You should see output similar to this:

Matching Defaults entries for labex on ...:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User labex may run the following commands on ...:
    (ALL : ALL) NOPASSWD: ALL

This output tells you that the user labex can run ALL commands as ALL users (ALL : ALL) without needing a password (NOPASSWD: ALL). This confirms that your labex user has full sudo privileges without requiring a password.

Understanding sudo is crucial for managing permissions and executing administrative tasks in Linux.

Check sudoers file with cat /etc/sudoers

In this step, you will examine the /etc/sudoers file, which is the main configuration file for sudo. This file determines which users or groups can run which commands as which users.

Important: Editing the /etc/sudoers file directly can be dangerous and can lock you out of your system if done incorrectly. It's generally recommended to use the visudo command to edit this file, as it provides syntax checking. However, for this step, we will simply view the file's contents using the cat command to understand its structure.

Since /etc/sudoers is a system file, you need sudo privileges to read it.

Type the following command in your terminal and press Enter:

sudo cat /etc/sudoers

You will see the content of the /etc/sudoers file. Look for lines that define user or group permissions. You might see lines similar to these (lines starting with # are comments, except #includedir near the end, which is a directive that sudo acts on):

#
## This file MUST be edited with the 'visudo' command as root.
#
## Please consider adding local content in /etc/sudoers.d/ instead of
## directly modifying this file.
#
## See the man page for details on how to write a sudoers file.
#

Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

## Host alias specification

## User alias specification

## Cmnd alias specification

## User privilege specification
root	ALL=(ALL:ALL) ALL

## Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

## See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

The line %sudo ALL=(ALL:ALL) ALL is particularly important. Reading it left to right: %sudo means any member of the sudo group, the first ALL is the host (any host), (ALL:ALL) means commands may be run as any user and any group, and the final ALL means any command. This is a common way to grant administrative privileges to users in Debian-based systems like Ubuntu.

By viewing this file, you gain insight into how sudo permissions are configured on the system.

Verify sudo group with groups command

In the previous step, you saw in the /etc/sudoers file that members of the sudo group have full sudo privileges. In this step, you will verify that the labex user is indeed a member of the sudo group using the groups command.

The groups command displays the names of the primary and supplementary groups for each given username, or for the current process if no username is given.

Type the following command in your terminal and press Enter:

groups

You should see output similar to this, listing the groups that the labex user belongs to:

labex sudo ssl-cert public

This output shows that labex is a member of the labex, sudo, ssl-cert, and public groups. The presence of sudo in the list confirms that the labex user is part of the group that is granted sudo privileges according to the /etc/sudoers file.

Alternatively, you can specify the username with the groups command:

groups labex

The output lists the same groups, prefixed with the username:

labex : labex sudo ssl-cert public

This step reinforces the connection between group membership and sudo privileges as configured in the system.
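
The three checks above can be combined. This is an added example, not part of the original lab: it filters sudoers text for the rules that apply to a user, using that user's groups output, and then flags passwordless ALL grants such as the one sudo -l reported. The function names are illustrative, and the sample text is constructed from the lab's excerpt plus one hypothetical per-user NOPASSWD line (the excerpt itself contains no NOPASSWD rule, so the assumption is that such a grant lives in a file under /etc/sudoers.d).

```shell
#!/bin/sh
# Added example: which sudoers rules apply to a user, given `groups` output?

# Constructed sample: rules from the lab excerpt plus one HYPOTHETICAL
# per-user line of the kind a drop-in under /etc/sudoers.d could hold.
SAMPLE_SUDOERS='## User privilege specification
Defaults env_reset
root  ALL=(ALL:ALL) ALL
## Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
labex ALL=(ALL : ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d'

# Constructed sample: `groups labex` output as shown in the lab.
SAMPLE_GROUPS='labex : labex sudo ssl-cert public'

# sudo_rules_for USER GROUPS_OUTPUT   (sudoers text on stdin)
# Prints rules whose subject is USER, ALL, or %GROUP for a group USER is in.
# Limits: does not follow #includedir and does not expand User_Alias names.
sudo_rules_for() {
    awk -v user="$1" -v grouplist="$2" '
    BEGIN {
        sub(/^[^:]*:[ \t]*/, "", grouplist)   # strip the "user : " prefix
        n = split(grouplist, g, " ")
        for (i = 1; i <= n; i++) member["%" g[i]] = 1
    }
    /^[ \t]*$/ || /^[ \t]*#/ { next }         # blanks, comments, #include lines
    /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }  # not grants
    $1 == user || $1 == "ALL" || ($1 in member) { print }
    '
}

# has_nopasswd_all: succeeds if stdin (sudoers rules or `sudo -l` output)
# contains a rule that ends in "NOPASSWD: ALL".
has_nopasswd_all() {
    grep -Eq 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$'
}

rules=$(printf '%s\n' "$SAMPLE_SUDOERS" | sudo_rules_for labex "$SAMPLE_GROUPS")
printf 'Rules applying to labex:\n%s\n' "$rules"
if printf '%s\n' "$rules" | has_nopasswd_all; then
    echo 'labex can run ALL commands without a password'
fi
```

On a live system, pipe the output of sudo cat /etc/sudoers into sudo_rules_for together with the output of groups for the user in question. sudo -l -U with a username, run with sufficient privileges, remains the authoritative answer because sudo itself resolves includes and aliases.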

Summary

In this lab, you learned how to check if a user has sudo access in Linux. You started by using the sudo -l command to list the commands the current user is allowed to run with sudo privileges, which confirmed that the labex user has full sudo access without a password.

You then explored the /etc/sudoers file using the cat command to understand its role in configuring sudo permissions, although it was emphasized that visudo is the recommended tool for editing this file. Finally, you verified that the user is part of the sudo group using the groups command, as group membership is a common way to grant sudo access.