As an administrator, how can remove a users rights to use SUDO. Is there a simple command to do this?
Asked
Active
Viewed 6,816 times
2 Answers
11
Only users in the sudo group may use the sudo command. To remove the user jdoe from the group sudo type (as root):
deluser jdoe sudo
If you are not root, type
sudo deluser jdoe sudo
Reference: How to remove a user from a group?
Update
As pointed out by @Aleks G in a comment the above is only half the truth:
By default only members of the sudo group may run commands with sudo <command>. This is accomplished by the line
# who where as-whom what
%sudo ALL = (ALL:ALL) ALL
in the /etc/sudoers file. It means:
- members of the group
sudo(who) may run - on any computer (where)
- as any user and any group (as-whom)
- any command (what)
This is the default setup on Ubuntu and hence adding or removing a user to/from the group sudo gives or revokes the privilege to run commands with sudo <command>.
But it is also possible to add other groups and/or users to the /etc/sudoers file (or below /etc/sudoers.d/) like so:
alice myhost = (bob) /bin/ls
This means: user alice may run /bin/ls as user bob but only on host myhost.
alice could now do sudo -u bob ls /home/bob. This is independant of a membership in the sudo group. If you have such a setup, then it is not sufficient to remove alice from the sudo group. Instead you need to remove the alice line from the /etc/sudoers file.
The where part is only relevant if you share the sudoers file across different computers and want to keep it the same on every computer.
PerlDuck
- 13,885
4
The answer regarding the sudo group is correct for most situations. There is another way to give a user sudo rights, and that is to add their username directly to the sudoers file. If the username has been added, then it must be removed from that file -- Usually the entire line containing the username. This is not a common scenario, but is possible. To edit the sudoers file, use visudo.
Jonathan Bennett
- 41
- 2