From the sudo manpage:
-U user, --other-user=user
Used in conjunction with the -l option to list the privileges for user instead of
for the invoking user. The security policy may restrict listing other users'
privileges. When using the sudoers policy, the -U option is restricted to the root
user and users with either the “list” privilege for the specified user or the ability
to run any command as root or user on the current host.
And:
-l, --list
If no command is specified, list the privileges for the invoking user (or the user
specified by the -U option) on the current host. A longer list format is used if
this option is specified multiple times and the security policy supports a verbose
output format.
If a command is specified and is permitted by the security policy for the invoking
user (or the user specified by the -U option) on the current host, the
fully-qualified path to the command is displayed along with any args. If -l is specified
more than once (and the security policy supports it), the matching rule is displayed
in a verbose format along with the command. If a command is specified but not
allowed by the policy, sudo will exit with a status value of 1.
So -U is exclusively for use with -l. sudo -l checks what your user can do using sudo, and sudo -lU <some-user> checks what <some-user> can do using sudo. Using -U with anything else will result in an error.
On the other hand, -u <some-user> is used to run commands as <some-user>.
Example:
% sudo -l
Matching Defaults entries for muru on pi:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/bin, env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=PATH
Runas and Command-specific defaults for muru:
Defaults!/usr/bin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"
User muru may run the following commands on pi:
(ALL : ALL) NOPASSWD: ALL
% sudo -lU nobody
User nobody is not allowed to run sudo on pi.
% sudo -l id
/usr/sbin/id
% sudo -lU nobody id
% echo $?
1
% sudo -u nobody id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
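For reviewing what several accounts may do, listings like the ones above can be parsed rather than read by eye. The following is an added example, not part of the original answer: the function names, the `backup` user and its rule are constructed for illustration, and the sample text only imitates the shape of `sudo -lU` output.

```shell
#!/bin/sh
# Added example: summarise `sudo -l` / `sudo -lU <user>` listings for review.
# Real use (needs root or the "list" privilege):  sudo -lU "$u" | flag_passwordless_all

# Read listings on stdin; print one line per rule as
# "user|runas|nopasswd|command". A denied user is printed as "user|-|-|-".
parse_sudo_listing() {
    awk '
        /^User .* is not allowed to run sudo on / {
            print $2 "|-|-|-"; user = ""; next
        }
        /^User .* may run the following commands on / { user = $2; next }
        user != "" && /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]*\(/, "", line)            # drop indent and "("
            close_at = index(line, ")")
            runas = substr(line, 1, close_at - 1) # e.g. "ALL : ALL"
            rest = substr(line, close_at + 1)
            sub(/^[ \t]+/, "", rest)
            nopasswd = (rest ~ /NOPASSWD:/) ? "yes" : "no"
            # Strip leading tags such as "NOPASSWD:" or "SETENV:".
            while (match(rest, /^[A-Z_]+:[ \t]*/))
                rest = substr(rest, RLENGTH + 1)
            print user "|" runas "|" nopasswd "|" rest
        }
    '
}

# Report only rules that allow every command without a password.
flag_passwordless_all() {
    parse_sudo_listing | awk -F"|" '
        $3 == "yes" && $4 == "ALL" {
            print $1 " may run ALL as (" $2 ") without a password"
        }'
}

# Constructed sample input; "backup" and its rule are hypothetical.
sample_listing() {
    cat <<'EOF'
User muru may run the following commands on pi:
    (ALL : ALL) NOPASSWD: ALL
User nobody is not allowed to run sudo on pi.
User backup may run the following commands on pi:
    (root) /usr/bin/rsync
EOF
}
```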