Home / server / Questions / 568627
Accepted
TomOnTime
Asked: 2014-01-21 14:12:21 +0800 CST

Can a program tell it is being run under sudo?

  • 772

I have a program that should behave differently if it is being run under "sudo". Is there a way it can find out if it was run under sudo?

Update: Someone asked why would I want to do this. In this case, on a Mac using MacPorts there is output that tells you to cut-and-paste a particular command. If the MacPorts command was run with "sudo", it should include sudo in the sample command:

$ sudo port selfupdate 
--->  Updating MacPorts base sources using rsync
MacPorts base version 2.2.1 installed,
MacPorts base version 2.2.1 downloaded.
--->  Updating the ports tree
--->  MacPorts base is already the latest version

The ports tree has been updated. To upgrade your installed ports, you should run
  port upgrade outdated

^^^^^^^^^ it would be really sweet if it output "sudo port upgrade outdated" instead.  It would be even better if it just did it for you :-)
linux

7 Answers

  1. Best Answer

    Yes, there are 4 environment variables set when a program is running under sudo:

    $ sudo env |grep SUDO
SUDO_COMMAND=/usr/bin/env
SUDO_USER=tal
SUDO_UID=501
SUDO_GID=20

    Note that these can be faked by simply setting them. Don't trust them for anything critical.

    For example: In this program we need to tell the user to run some other program. If the current one was run with sudo, the other one will be too.

    #!/bin/bash

echo 'Thank you for running me.'

if [[ $(id -u) == 0 ]]; then
  if [[ -z "$SUDO_COMMAND" ]]; then
    echo 'Please now run: next_command'
  else
    echo 'Please now run: sudo next_command'
  fi
else  echo 'Error: Sadly you need to run me as root.'
  exit 1
fi

    Note that it only tests for a SUDO_* variable if it can first prove that it is running as root. Even then it only uses it to change some helpful text.

    • 52

  2. This does not answer the question directly but I do not think the right question is being asked here. It appears to me the asker wants a program which will act different presumably if it has certain permissions or not, however I would argue checking for sudo is not the way to do that. Firstly many systems may not implement a "sudo", it is by no means required on Linux or many Unixes.

    For example a user may be logged in as root already, making the sudo nonsensical or perhaps the system has non root users who still have capabilities to perform the administrative task that the program may wish to do. Finally perhaps the system has no root or sudo at all and instead uses a mandatory access control system with different capabilities and no catch all superuser to sudo into. Or the user could be sudoed, but into an account that has -less- permissions than their own account for security reasons (I often run untrusted code with a temporary unprivileged user who can only write to ramdisks in order to drop, not raise my permissions). It is overall a bad idea to assume a specific permissions model like sudo or the existence of root or to assume a sudoed user has any particular privileges.

    If you want to find out if you have permissions to perform an operation the best way is usually to simply try and do it then check errno for permissions issues if it fails or if it is a multi stage operation that must either all fail or all succeed you can check if an operation will work with functions like the POSIX access function (beware of possible race conditions here if permissions are actively being changed)

    If in addition you need to know the real user behind the sudo you can use getlogin function which should work for any interactive session with an underlying terminal and would allow you for example to find who is 'really' running the command for auditing or find the home directory of the real user to save logs.

    Finally if what you really want is to find out if a user has root access (Still a bad idea but less implementation specific) you can use getuid to check for a uid of 0 and thus root.

    • 11

  3. There are two mechanisms that can be used.

    • Checking the environment variables can be faked either way, but is the easiest to do. growisofs doesn't like to run under SUDO, so I unset the SUDO variables in scripts where I use it. It can be faked the other way. (The SUDO variable are also carried into the environment for scripts run under the at and batch commands.)
    • Another way to see if you are running under sudo is to walk the process list from your parent process up looking for sudo. It would be difficult to hide that you were running under sudo this way, but is more complex. It is still possible to fake that you are running under sudo.

    It is more common to check if you are running as the appropriate user. The id command can be used to do this. TomOnTime's script uses the id command to determine if sudo might be required to run the next command.

    • 7

  4. You can compare effective vs. real user id.

    This does not strictly mean it is running undo sudo (could be setuid'd also), but indicates that the program has more rights than the user may expect. (for example in a program which is normally executed without such rights, but needs to be run with them during installation or to install updates. Then, you can use this to give some warning feedback about that).

    • 2

  5. You can check the effective UID (EUID) variable, as follows:

    if [[ $EUID -eq 0 ]]; then
    echo "running as root"
else
    echo "not running as root"
fi
    • 2

  6. You can touch a file in /root and then if -e it. And if -e is true, rm (checking the error code) it so your test works next time.

    Checking the error code (or return code) after the rm prevents someone from handily using sudo powers to create the file to play a prank on you.

    • -1

  7. I found that this works well for this

    [ $(cat /proc/$PPID/loginuid) -ne 0 ] && [ "$USER" == "root" ]
    • -2