Reputation: 4551
How can I check if the current user has all privileges to use useradd and groupadd for creation of users and groups?
I don't want to request root privileges (e.g. requiring to be root or calling sudo) for my bash script unnecessarily. Instead I just want to ensure that the privileges are there to just use those commands.
The commands:
$ ls -l $(which useradd) $(which groupadd)
-rwxr-xr-x 1 root root 93136 Mai 28 2020 /usr/sbin/groupadd
-rwxr-xr-x 1 root root 147160 Mai 28 2020 /usr/sbin/useradd
Upvotes: 0
Views: 1394
Reputation: 2491
On Linux debian-linux 5.10.0-6-amd64 #1 SMP Debian 5.10.28-1 (2021-04-09) x86_64 GNU/Linux,
you can try this way in your script.
groupadd 2>/dev/null ; if test $? -eq 2 ; then echo ok ; else echo bad ; fi
If you can access groupadd or useradd, the return value is 2 because there are missing arguments.
If you can't access groupadd or useradd, the return value is 127.
Upvotes: 0
Reputation: 1206
As the useradd and groupadd commands need some extra privileges to run, you can set up access to sudo for specific commands like useradd and groupadd, as shown below:
Please go through it once, it will make most of the things clear to you
Controlling Access To sudo
The /etc/sudoers file configures the programs that users can access using sudo, along with whether or not a password will be needed.
The system administrator adds users to this file using the /usr/sbin/visudo command. Each non-comment line in the file has two parts:
A username ("<USER_NAME>"), or a group name ("%<GROUP_NAME>").
A list of machine names where a program may be run, or the keyword ALL. Following an equal sign (=), a list of user identities the command may be run as, enclosed in round brackets (parentheses); the wildcard ALL may also appear. Finally, a list of applications that may be run as the named users; the keyword ALL is a wildcard.
The following examples should help make this clear:
<USER_NAME> ALL=(ALL) ALL
# User <USER_NAME> can execute any command as any user, but must know the password to the <USER_NAME> account.
<USER_NAME> ALL=(root) shutdown
# User <USER_NAME> can execute only command shutdown, but must know the password to the <USER_NAME> account.
<USER_NAME> ALL=(root) NOPASSWD: /usr/bin/id
# User <USER_NAME> can execute only the application /usr/bin/id; no password will be needed.
<USER_NAME> ALL=() NOPASSWD: /usr/bin/id
# User <USER_NAME> can execute only the application /usr/bin/id; no password will be needed.
Once the system administrator has entered the necessary setup into the /etc/sudoers file, users can safely access privileged system resources and activities like this:
$ sudo useradd username
No awkward quoting on the command line, just prefix the command you want with the word sudo. If you want to run the command as a user other than root, just add the -u username switch:
$ sudo -u <USER_NAME> useradd username
There will be a log entry written to the /var/log/secure file to show who did the deed.
Of course, the sysadmin can configure sudo not to request a password. In this case, the command is immediately executed although the audit trail entry will still be written.
Reference: Sudo Tutorial
Please reach out in the comments section for any help.
Will be glad to help!
Upvotes: 1
Reputation:
Assuming that you need root or sudo to add new users (same for group), you can check if the user has sudo rights, by checking if he is in the corresponding groups.
getent group sudo  # shows all users in group sudo
Don't know what system/distro you are on, but on Arch, for example, sudoers are in group wheel...
Upvotes: 0
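Added example, not part of any answer above: a bash check that asks sudo itself whether the per-command sudoers rules described in the sudo answer cover useradd and groupadd, so the script only escalates when it has to. The function names resolve_tool, priv_mode and run_priv and the group name in the usage comment are hypothetical; the only sudo options used are -n and -l.

```bash
#!/usr/bin/env bash
# Added example, not code from the original posts.

# Print the absolute path of a tool; sbin directories are often missing
# from an unprivileged user's PATH, so search them as well.
resolve_tool() {
    (PATH="$PATH:/usr/sbin:/sbin"; command -v "$1")
}

# Print how the current user may run the tool given as $1:
#   direct - already root (UID 0), call it as is
#   sudo   - the sudoers policy allows this command without prompting
#   none   - tool missing or no usable privilege (return status 1)
priv_mode() {
    local path
    path=$(resolve_tool "$1") || { echo none; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        echo direct
    elif command -v sudo >/dev/null 2>&1 &&
         sudo -n -l "$path" >/dev/null 2>&1; then
        # -n never prompts; -l <command> exits 0 only if the policy permits it
        echo sudo
    else
        echo none; return 1
    fi
}

# Run "tool args..." with the least escalation that works, or fail early.
run_priv() {
    local path
    path=$(resolve_tool "$1") || path=$1
    case $(priv_mode "$1") in
        direct) shift; "$path" "$@" ;;
        sudo)   shift; sudo -n "$path" "$@" ;;
        *)      echo "cannot run $1: need root or a sudoers rule for it" >&2
                return 126 ;;
    esac
}

# Typical use at the top of a provisioning script (group name is a placeholder):
#   for t in useradd groupadd; do priv_mode "$t" >/dev/null || exit 1; done
#   run_priv groupadd example-group
```

Because of -n, a sudoers rule that requires a password reports none unless sudo credentials are already cached.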