1

Can we restrict a user and not let him go into root mode? For example, when he enters sudo su, the system tells him that he cannot access root?

Tim
Mohammad Reza Rezwani
  • Sorry, I am now confused because I have a user on a VirtualBox who is not in the sudo group, but can do sudo. – TuKsn Jun 10 '14 at 18:58
  • OK, I solved it: there was an entry in the sudoers file, username ALL=(ALL:ALL) ALL. In this case the user can do sudo without being a member of the sudo group. But normally the link from Jacob Vlijm should reach. To be sure, you can look into the sudoers file with sudo visudo to see if there is any entry for the user. If not, he should not be able to do sudo if he is not in the sudo group. – TuKsn Jun 10 '14 at 19:32

2 Answers

6

By default, on Ubuntu, any Linux user who is a member of the group sudo or admin is allowed to use sudo to run any command as root on the system.

But this can be more complex than that.

In fact, the authorizations to use sudo are defined in the /etc/sudoers file. You must edit this file using the visudo command as root. The default behaviour I've expressed at the beginning of this answer is represented by the lines:

%admin ALL=(ALL) ALL

%sudo ALL=(ALL:ALL) ALL

Short overview of this syntax:

  1. First ALL: indicates that members of this group can run sudo from any host
  2. Second ALL: the command will be run as the specified user (by default it is root) with sudo -u <username>
  3. The third ALL (on the line with %sudo) specifies that the group can also be set when running sudo (sudo -g <group name>)
  4. The last ALL indicates that any command present on the system can be run by the concerned users.

Therefore, the syntax (see man visudo for more examples) allows you to specify restrictions such that:

  • A given user is given sudo privilege
  • A user or group may be restricted to use only some commands
  • A user or group may be restricted to change to a specific user only

Restrictive example:

operator ALL=(root) /sbin/reboot

which allows the user operator to run only the command /sbin/reboot as root.

Benoit
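An audit check for the situation in the comment and the answer above (a user with sudo rights who is not in the sudo group), added here as an example and not part of the original posts. The helper name `sudo_rules_for`, the username alice and the sample sudoers text are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample, not a real /etc/sudoers: the default group lines and
# the operator rule from the answer, plus a direct per-user entry like the
# one in the comment. "alice" is a hypothetical username.
SAMPLE_SUDOERS='Defaults env_reset
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
operator ALL=(root) /sbin/reboot
alice ALL=(ALL:ALL) ALL
'

# sudo_rules_for USER "GROUP1 GROUP2 ..."   (hypothetical helper name)
# Reads sudoers text on stdin and prints "FULL <rule>" or "LIMITED <rule>"
# for each rule whose first field is USER, ALL, or %GROUP for one of the
# listed groups. Simplification: aliases are not expanded and include
# directives are not followed.
sudo_rules_for() {
    awk -v user="$1" -v grouplist="$2" '
        BEGIN {
            n = split(grouplist, g, " ")
            for (i = 1; i <= n; i++) member["%" g[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }  # not user specifications
        $1 == user || $1 == "ALL" || ($1 in member) {
            cmds = $0
            sub(/^[^=]*=[ \t]*/, "", cmds)           # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", cmds)        # drop "(runas)"
            sub(/^([A-Z_]+:[ \t]*)+/, "", cmds)      # drop tags, e.g. NOPASSWD:
            sub(/[ \t]+$/, "", cmds)
            kind = (cmds == "ALL") ? "FULL" : "LIMITED"
            print kind, $0
        }
    '
}

# Demo on the constructed sample: alice is in no sudo-capable group.
printf '%s' "$SAMPLE_SUDOERS" | sudo_rules_for alice "alice"
```

On a live system, run it as root against the real file, for example `sudo_rules_for "$u" "$(id -nG "$u")" < /etc/sudoers`. `sudo -l -U "$u"` gives sudo's own evaluation of the same question.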
1

Open System Settings from an admin account.

Click User Accounts, then Unlock at the top corner. Enter your password.

Click the account you wish to change, then click the word Administrator, next to Account Type.

Change it to Standard, and they won't be able to use sudo or run any system-changing programs. In Software Centre, for example, they won't be able to install anything, just browse.

Tim