How to forbid sudo command for main user?

-The complete howto-

"root password"

Open Mate-Terminal:

sudo passwd root
sudo su -
chmod 4755 /bin/su
ls -l /bin/su

Output: rwsr-xr-x

sudo deluser youruser sudo

su - (Enter root password)

pluma /etc/group

Remove youruser from sudo:

"save file"

visudo -f /etc/sudoers.d/youruser

youruser ALL=(ALL) ALL, !/bin/su, !/usr/bin/su, !/usr/bin/sudo





/bin/chmod -x /usr/bin/gksu
/bin/chmod -x /usr/bin/gksudo
/bin/chmod -x /usr/bin/passwd
/bin/chmod -x /usr/bin/sudo
/bin/chmod -x /usr/bin/sudoedit
/bin/chmod -x /usr/bin/sudoreplay


If you need it, put these commands in /etc/rc.local:

Disable sudo commands

/bin/chmod -x /usr/bin/gksu
/bin/chmod -x /usr/bin/gksudo
/bin/chmod -x /usr/bin/passwd
/bin/chmod -x /usr/bin/sudo
/bin/chmod -x /usr/bin/sudoedit
/bin/chmod -x /usr/bin/sudoreplay

exit 0

to forbid completly sudo after boot or even when an update of sudo revoke the x-permissions.

Take it at your own risk. Make Backup before.

See below:

Read it carefully though. If you remove a user on the system from the sudo group and you are that user and that was the only account on the system, you will not be able to re-enable it for sudo access because you will no longer have sudo privileges to do so. Nor will you be able to create a new user with sudo access for the same reasons.

In other words, you must always have the safety net of one user on the system who has root access and who never loses that privilege.

1 Like


The 'main-user' is the only one in /home/...

I did:
sudo deluser main-user sudo

After that. I can run still sudo commands with the 'main-user'.

sudo apt-get update and so on.


I want this:

After boot, login with the 'main-user' account.

Example... when I must update my system then i want run "mate-terminal"
run "su -" to login in the root account.

Login into root account via the main-user over mate-terminal works.

But sudo commands with the main-user are still working.

Must I edit the sudoers file?

User privilege specification


Members of the admin group may gain root privileges

%admin ALL=(ALL) ALL

Allow members of group sudo to execute any command


Disable 'sudo su' with user-account

main-user ALL = ALL, !/bin/su

In /etc/group

Line before:


Do I need add?
sudo:x:27:root ???

ISTM like you're doing all this backwards.

There sort-of isn't really any "root" user left these days in the desktop space: security theater and the very genuine problems of Windows have basically killed off the concept, so now everyone has more power than they should have half the time, but not enough the other half.

You're fighting the system. Give it up. It's a BAD system, but you still can't win. Work with it instead.

Create your "main user" as "admin" / etc. Create a different user to BE the user. Done. That meets all your goals, instantly, without any of this random hackery that's only going to break later.


thanks for the info @ arQon...

by the way, I figured it out...

su -
visudo -f /etc/sudoers.d/main-user
main-user ALL=(ALL) ALL, !/bin/su, !/usr/bin/su, !/usr/bin/sudo

Run Mate-Terminal:

sudo su
sudo caja
sudo passwd

Mate-Terminal Output:
Sorry, user main-user is not allowed to execute '/bin/su' as root on blabla.
Sorry, user main-user is not allowed to execute '/usr/bin/caja' as root on blabla.
Sorry, user main-user is not allowed to execute '/usr/bin/passwd' as root on blabla.

I have a question:

If your "main-user" is the only user and if, while your "main-user" still had sudo privileges, you used it to remove its own sudo privileges, how do you get to re-add sudo privileges to that single "main-user", if ever the need arose to download software/perform updates/repairs on the system? Because, in order to add someone to the sudo group, the user doing so needs to have sudo privileges themselves.

@ stevecook172001

...I removed sudo also from the 'main-user' in /etc/group.


I login into my desktop with the user 'main-user'.

When I want update my system then I open
Mate Terminal and login with root. (# su -)

Enter the root password and run command apt-get update without sudo command.

When I'm done then exit mate-terminal.

...and so on.

I re-add main-user in: /etc/group.


To forbid sudo completly with my main-user (Workaround)

I did:
Open Mate-Terminal...

Login with root. (su -)


chmod -x /usr/bin/sudo

After that:
run command with main-user:
sudo -i
sudo -l
sudo -v
sudo su
sudo su -

bash: /usr/bin/sudo: Permission denied

When you test it out, make Backup of your harddisk or test it in a VM.

For admin things for my system, I only login with root via mate-terminal.

...Rebooted my system, test all programms and so on, no errors, all works great.