As an administrator, how can remove a users rights to use SUDO. Is there a simple command to do this?
Asked
Active
Viewed 6,120 times
3
-
1hey PerlDuck, please what is the exact command to do that? – fantamoja Feb 24 '18 at 16:24
2 Answers
11
Only users in the sudo group may use the sudo command. To remove the user jdoe from the group sudo type (as root):
deluser jdoe sudo
If you are not root, type
sudo deluser jdoe sudo
Reference: How to remove a user from a group?
Update
As pointed out by @Aleks G in a comment the above is only half the truth:
By default only members of the sudo group may run commands with sudo <command>. This is accomplished by the line
# who where as-whom what
%sudo ALL = (ALL:ALL) ALL
in the /etc/sudoers file. It means:
- members of the group
sudo(who) may run - on any computer (where)
- as any user and any group (as-whom)
- any command (what)
This is the default setup on Ubuntu and hence adding or removing a user to/from the group sudo gives or revokes the privilege to run commands with sudo <command>.
But it is also possible to add other groups and/or users to the /etc/sudoers file (or below /etc/sudoers.d/) like so:
alice myhost = (bob) /bin/ls
This means: user alice may run /bin/ls as user bob but only on host myhost.
alice could now do sudo -u bob ls /home/bob. This is independant of a membership in the sudo group. If you have such a setup, then it is not sufficient to remove alice from the sudo group. Instead you need to remove the alice line from the /etc/sudoers file.
The where part is only relevant if you share the sudoers file across different computers and want to keep it the same on every computer.
PerlDuck
- 13,335
-
2This answer is factually wrong. Any user can be granted sudo rights by their username directly - for example with the following line in the sudoers file:
username ALL=(ALL) ALLor via any other group using%somegroup ALL=(ALL) ALL– Aleks G Feb 24 '18 at 23:16 -
@AleksG Yes. Of course you are right. I don't know what made me forget that yesterday. I updated my answer to include this behaviour. – PerlDuck Feb 25 '18 at 13:37
4
The answer regarding the sudo group is correct for most situations. There is another way to give a user sudo rights, and that is to add their username directly to the sudoers file. If the username has been added, then it must be removed from that file -- Usually the entire line containing the username. This is not a common scenario, but is possible. To edit the sudoers file, use visudo.
