How to forbid sudo command for main user?

-The complete howto-

"root password"

Open Mate-Terminal:

sudo passwd root
sudo su -
chmod 4755 /bin/su
ls -l /bin/su

Output: -rwsr-xr-x

sudo deluser youruser sudo

su - (Enter root password)

pluma /etc/group

Remove youruser from sudo:
sudo:x:27:youruser
to
sudo:x:27:

"save file"

visudo -f /etc/sudoers.d/youruser

add:
youruser ALL=(ALL) ALL, !/bin/su, !/usr/bin/su, !/usr/bin/sudo

"save"

Ctrl+O

"exit"

Ctrl+X

/bin/chmod -x /usr/bin/gksu
/bin/chmod -x /usr/bin/gksudo
/bin/chmod -x /usr/bin/passwd
/bin/chmod -x /usr/bin/sudo
/bin/chmod -x /usr/bin/sudoedit
/bin/chmod -x /usr/bin/sudoreplay

exit

If you need it, put these commands in /etc/rc.local:

#!/bin/sh
# Disable sudo commands

/bin/chmod -x /usr/bin/gksu
/bin/chmod -x /usr/bin/gksudo
/bin/chmod -x /usr/bin/passwd
/bin/chmod -x /usr/bin/sudo
/bin/chmod -x /usr/bin/sudoedit
/bin/chmod -x /usr/bin/sudoreplay

exit 0

to forbid sudo completely after boot, or even when an update of sudo revokes the x-permissions.

Use it at your own risk. Make a backup first.

See below:

Read it carefully though. If you remove a user on the system from the sudo group and you are that user and that was the only account on the system, you will not be able to re-enable it for sudo access because you will no longer have sudo privileges to do so. Nor will you be able to create a new user with sudo access for the same reasons.

In other words, you must always have the safety net of one user on the system who has root access and who never loses that privilege.

1 Like

hmm...

The 'main-user' is the only one in /home/...

I did:
sudo deluser main-user sudo

After that, I can still run sudo commands with the 'main-user'.

sudo apt-get update and so on.

Why?

I want this:

After boot, login with the 'main-user' account.

Example... when I must update my system, I want to run "mate-terminal"
and run "su -" to log in to the root account.

Logging into the root account via the main-user over mate-terminal works.

But sudo commands with the main-user are still working.

Must I edit the sudoers file?

# User privilege specification

root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges

%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command

%sudo ALL=(ALL:ALL) ALL

# Disable 'sudo su' with user-account

main-user ALL = ALL, !/bin/su

In /etc/group

Line before:
sudo:x:27:main-user

After:
sudo:x:27:

Do I need to add?
sudo:x:27:root ???

ISTM like you're doing all this backwards.

There sort-of isn't really any "root" user left these days in the desktop space: security theater and the very genuine problems of Windows have basically killed off the concept, so now everyone has more power than they should have half the time, but not enough the other half.

You're fighting the system. Give it up. It's a BAD system, but you still can't win. Work with it instead.

Create your "main user" as "admin" / etc. Create a different user to BE the user. Done. That meets all your goals, instantly, without any of this random hackery that's only going to break later.

2 Likes

thanks for the info @ arQon...

by the way, I figured it out...

su -
visudo -f /etc/sudoers.d/main-user
main-user ALL=(ALL) ALL, !/bin/su, !/usr/bin/su, !/usr/bin/sudo

Run Mate-Terminal:
Commands:

sudo su
sudo caja
sudo passwd

Mate-Terminal Output:
Sorry, user main-user is not allowed to execute '/bin/su' as root on blabla.
Sorry, user main-user is not allowed to execute '/usr/bin/caja' as root on blabla.
Sorry, user main-user is not allowed to execute '/usr/bin/passwd' as root on blabla.

I have a question:

If your "main-user" is the only user and if, while your "main-user" still had sudo privileges, you used it to remove its own sudo privileges, how do you get to re-add sudo privileges to that single "main-user", if ever the need arose to download software/perform updates/repairs on the system? Because, in order to add someone to the sudo group, the user doing so needs to have sudo privileges themselves.

@ stevecook172001

...I removed sudo also from the 'main-user' in /etc/group.

Example...

I log in to my desktop with the user 'main-user'.

When I want to update my system, I open
Mate Terminal and log in as root. (# su -)

Enter the root password and run the command apt-get update without sudo.

When I'm done, I exit mate-terminal.

...and so on.

I re-add main-user in: /etc/group.

sudo:x:27:main-user

To forbid sudo completely with my main-user (Workaround)

I did:
Open Mate-Terminal...

Login with root. (su -)

run:

chmod -x /usr/bin/sudo
exit

After that:
run command with main-user:
sudo -i
sudo -l
sudo -v
sudo su
sudo su -

Output:
bash: /usr/bin/sudo: Permission denied

When you test it out, make a backup of your hard disk or test it in a VM.

For admin things on my system, I only log in as root via mate-terminal.

...Rebooted my system, tested all programs and so on, no errors, all works great.
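A small audit script, added here as an example and not part of the thread, that checks the three controls the posts above juggle: sudo-group membership in a group file, the per-user rule in a sudoers.d directory, and the execute/setuid bits on a binary. It runs against constructed sample files mirroring the thread's entries; the function names, the sample paths and the use of file-path parameters are assumptions.

```shell
#!/bin/sh
# Audit one account's routes to root: sudo-group membership in a group file,
# per-user rules in a sudoers.d directory, and the mode bits on su/sudo.
# File locations are parameters so it can run against /etc or, as here,
# against constructed sample files.

# 0 if user $1 is listed as a member of group $2 in group file $3, else 1.
# Note: /etc/group describes the next login; the current session keeps the
# group vector it got at login, so a just-removed user may still have sudo
# until they log out and back in.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 }
        END { exit f ? 0 : 1 }' "$3"
}

# Print the non-comment sudoers lines in directory $2 that start with user $1.
user_rules() {
    grep -h "^[[:space:]]*$1[[:space:]]" "$2"/* 2>/dev/null | grep -v '^[[:space:]]*#'
}

# Number of "!" (negated command) entries among $1's rules in $2.
# sudoers(5) itself warns that command negation is not a reliable boundary;
# removing the user from the sudo/admin groups is the dependable control.
deny_count() {
    user_rules "$1" "$2" | tr ',' '\n' | grep -c '^[[:space:]]*!' || true
}

# Print "exec"/"noexec" and "suid"/"nosuid" for binary $1 (e.g. /usr/bin/sudo).
bin_state() {
    if [ -x "$1" ]; then e=exec; else e=noexec; fi
    if [ -u "$1" ]; then s=suid; else s=nosuid; fi
    echo "$e $s"
}

# Constructed sample data mirroring the thread; sets SAMPLE_GROUP and SAMPLE_SUDOERS_D.
make_samples() {
    SAMPLE_GROUP=$(mktemp) && SAMPLE_SUDOERS_D=$(mktemp -d)
    printf 'root:x:0:\nadmin:x:4:\nsudo:x:27:main-user\n' > "$SAMPLE_GROUP"
    printf 'main-user ALL=(ALL) ALL, !/bin/su, !/usr/bin/su, !/usr/bin/sudo\n' \
        > "$SAMPLE_SUDOERS_D/main-user"
}

make_samples
for u in main-user other-user; do
    if in_group "$u" sudo "$SAMPLE_GROUP"; then m=member; else m=not-member; fi
    echo "$u: sudo group: $m; deny entries: $(deny_count "$u" "$SAMPLE_SUDOERS_D")"
done
echo "/usr/bin/sudo: $(bin_state /usr/bin/sudo)"
```

Point the three file arguments at /etc/group, /etc/sudoers.d and the real binaries to audit a live system instead of the samples.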