There is a server with a large number of system users who have access to it via SSH.

As part of an access inventory task, you need to get a list of all users who are allowed to become root on this server through sudo.

It is clear that for a single user you can check the output of id username for membership in the wheel group (which out of the box lets you become root through sudo in CentOS), but how would you get a list of all such users? It is clear that you could write a loop that iterates over the output of id for every user of the system, but is it possible to do something more elegant?


    A universal way to get the list of users of a given group is the getent program, called for the group database (there are many databases, see the documentation: $ man getent ):

     $ getent group название-группы 

    example output:

     название-группы:x:1000:пользователь1,пользователь2,пользователь3 

    most often it is just a line from the /etc/group file, which could also be obtained by the command

     $ grep '^название-группы:' /etc/group 

    but not always - because there are different authentication mechanisms that store data in a completely different way.


    Addition

    And about the broader question - getting a list of users who are allowed to run sudo - there is no short, universal and simple solution, as far as I know. You must either parse the /etc/sudoers* files, or, after obtaining the full list of users from all authentication subsystems (using $ getent passwd ), analyze the output of the following command for each user (this will not work on older versions of the program):

     $ sudo -l -U пользователь 

    example output:

     User пользователь is not allowed to run sudo on ... 

      On CentOS, you can see a list of all users belonging to a specific group using the lid command. For example, the list of all members of the wheel group (who, out of the box, are allowed to execute commands with root rights using sudo ) can be obtained as follows:

       $ sudo lid -g wheel
        i.ivanov(uid=1000)
        p.petrov(uid=1001)
        v.pupkin(uid=1008)

      It should, however, be understood that sudoers can grant the ability to "become root" to other groups (or to individual users), so it is also necessary to examine the contents of sudoers (the visudo command).

      • And will there be a continuation about Debian? ) - Nick Volynkin
      • In Ubuntu 16.04 (the first Debian-like system I found), there is no lid out of the box at all. I will definitely write up how to deal with that =) - AntonioK
      • In fact, there is the standard POSIX command getent . - 0andriy
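Both answers above list members of a sudo-enabled group from the group database ( getent group or lid ). One gap that neither mentions: a user whose primary group (the fourth field of the passwd entry) is wheel does not appear in the member list of the group entry, so getent group wheel silently misses that account. The script below is an added example, not code from either answer; it combines the group and passwd databases to produce the full member list. The GROUP_DB and PASSWD_DB contents are constructed sample data standing in for the output of getent group and getent passwd, so the script runs offline; the user names and group names in it are assumptions. On a real host the two assignments would be replaced with GROUP_DB=$(getent group) and PASSWD_DB=$(getent passwd), and the resulting user list fed to sudo -l -U as described in the first answer.

```shell
#!/bin/sh
# Added example: inventory of members of root-capable sudo groups, built
# from getent-style group and passwd data. Sample data below is constructed;
# on a real host use:  GROUP_DB=$(getent group); PASSWD_DB=$(getent passwd)

GROUP_DB='wheel:x:10:i.ivanov,p.petrov
sudo:x:27:v.pupkin
users:x:100:'

# s.sidorov (hypothetical) has wheel (gid 10) as primary group and is NOT
# listed in the wheel entry above: getent group alone would miss this account.
PASSWD_DB='root:x:0:0:root:/root:/bin/bash
i.ivanov:x:1000:1000::/home/i.ivanov:/bin/bash
p.petrov:x:1001:1001::/home/p.petrov:/bin/bash
v.pupkin:x:1008:1008::/home/v.pupkin:/bin/bash
s.sidorov:x:1009:10::/home/s.sidorov:/bin/bash'

# Print every member of group $1, one per line and de-duplicated:
# the explicit member list (fourth field of the group entry) plus every
# passwd entry whose primary GID equals the group's GID.
# Returns 1 if the group does not exist in the group database.
members_of_group() {
    gid=$(printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" '$1 == g { print $3 }')
    [ -n "$gid" ] || return 1
    {
        # explicit supplementary members
        printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        # accounts whose primary group is this group
        printf '%s\n' "$PASSWD_DB" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u
}

# Union of members across the groups that distributions commonly bind to a
# root-capable sudoers rule (wheel on CentOS/RHEL, sudo on Debian/Ubuntu).
# Groups absent from the database are skipped rather than treated as errors.
sudo_group_members() {
    for g in wheel sudo; do
        members_of_group "$g" || true
    done | sort -u
}

# Stand-alone usage: print the inventory. Each name could then be checked
# with "sudo -l -U name" as in the first answer, which also catches per-user rules.
sudo_group_members
```

The group-based list is only a lower bound: a sudoers rule may name individual users or other groups, so the sudoers files (or sudo -l -U per user) still need to be reviewed, as the second answer notes.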