Thread: Restrict specific user from sudo

  1. #1
    Join Date
    Jul 2010
    Beans
    13

    Restrict specific user from sudo

    Sorry, I know the general topic is covered in many forums and websites, but I cannot find any examples of exactly what I would like to do and I really don't want to mess up my sudoers file.

    I would like to restrict one specific user from having sudo on my computer. The sudoers file right now reads (in part):
    root ALL=(ALL) ALL
    ...
    ...
    ...
    %Domain\ Users ALL=(ALL) ALL

    The user is included in the Domain (as I am). Also, would restricting him in this way keep him from having sudo when connecting via ssh?

    Thanks

  2. #2
    Join Date
    Jun 2007
    Location
    Poughkeepsie, NY
    Beans
    5,814
    Distro
    Ubuntu

    Re: Restrict specific user from sudo

    Create an account for the user and don't add the user to the sudo group, simple as that... Ubuntu even has a simple GUI for adding users, these should help

    https://help.ubuntu.com/community/AddUsersHowto
    https://help.ubuntu.com/community/RootSudo
    Last night I lay in bed looking up at the stars in the sky and I thought to myself, where the heck is the ceiling.

  3. #3
    Join Date
    Jan 2007
    Beans
    6,542
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Restrict specific user from sudo

    Quote Originally Posted by phour10n3
    I would like to restrict one specific user from having sudo
    No problem. Just go to System > Admin > Users & Groups and make sure that user is not in the admin group.

  4. #4
    Join Date
    Jul 2010
    Beans
    13

    Re: Restrict specific user from sudo

    Read through those pages... the user is already part of the "Domain" group. I suppose it would help if I described that this is a work machine, and my desktop specifically, but all of the users who log on get a home directory assuming that they are on a list on one of our servers as a valid user. Essentially anyone can log on with their username and password on any of our Linux computers.

    I do not have access to the Users and Groups on GNOME (at least I don't know how to), but like everyone else I have sudo. I was hoping that there was a specific line that would specifically restrict this user from having sudo capabilities on my machine alone. Or possibly I could add his username on sudo but he needs to use the root pass?

  5. #5
    Join Date
    Feb 2010
    Location
    Silicon Valley
    Beans
    1,898
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: Restrict specific user from sudo

    You can deny a single user, even if he is in the %Domain group.

    Assuming this evildoer's name is issac, add the following line (with visudo), after the %Domain line. This works since "last match wins" in the sudoers file.
    Code:
    issac ALL=(ALL) !ALL
    Note the bang (!) before the last ALL.
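
The "last match wins" ordering described in this post can be checked with a small model. This is an added example, not part of the original thread and not sudo's own parser: it assumes every rule has the `who ALL=(ALL) commands` shape quoted above, and the names `parse` and `may_run` are hypothetical.

```python
import re

# Simplified model of sudoers user specifications: "who ALL=(ALL) cmd[, cmd...]".
# Assumption: host and runas are always ALL, as in the thread; aliases, tags
# such as NOPASSWD: and include directives are not modelled.
SPEC = re.compile(r'^(?P<who>(?:\\.|[^\s\\])+)\s+ALL\s*=\s*\(ALL\)\s*(?P<cmds>.+)$')

def parse(text):
    """Return [(who, [(allowed, command), ...]), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SPEC.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        who = re.sub(r'\\(.)', r'\1', m['who'])   # "%Domain\ Users" -> "%Domain Users"
        cmds = []
        for c in m['cmds'].split(','):
            c = c.strip()
            cmds.append((not c.startswith('!'), c.lstrip('!').strip()))
        rules.append((who, cmds))
    return rules

def may_run(rules, user, groups, command):
    """Walk every rule in order; the last entry that matches decides."""
    verdict = False                               # no match at all: denied
    for who, cmds in rules:
        if who != user and not (who.startswith('%') and who[1:] in groups):
            continue
        for allowed, cmd in cmds:
            if cmd == 'ALL' or cmd == command:
                verdict = allowed
    return verdict

# Constructed sample files built from the lines quoted in the thread.
DENY_AFTER_GROUP = "root ALL=(ALL) ALL\n%Domain\\ Users ALL=(ALL) ALL\nissac ALL=(ALL) !ALL\n"
DENY_BEFORE_GROUP = "root ALL=(ALL) ALL\nissac ALL=(ALL) !ALL\n%Domain\\ Users ALL=(ALL) ALL\n"

if __name__ == '__main__':
    for name, text in (('deny after group', DENY_AFTER_GROUP),
                       ('deny before group', DENY_BEFORE_GROUP)):
        print(name, may_run(parse(text), 'issac', {'Domain Users'}, '/bin/ls'))
```

On the real machine, `visudo -c` checks the file's syntax and `sudo -l -U issac`, run as root, lists what sudo will actually permit for that user.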

  6. #6
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Restrict specific user from sudo

    Quote Originally Posted by gmargo
    You can deny a single user, even if he is in the %Domain group.

    Assuming this evildoer's name is issac, add the following line (with visudo), after the %Domain line. This works since "last match wins" in the sudoers file.
    Code:
    issac ALL=(ALL) !ALL
    Note the bang (!) before the last ALL.
    Either remove the evil user from the Domain group or, if that is not possible, use a different group for admin access and add the other users in.

    If you are going to try the !ALL method, take care, as listing users more than once in sudoers has unpredictable effects.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

  7. #7
    Join Date
    Jul 2010
    Beans
    13

    Re: Restrict specific user from sudo

    Thanks all. I will look into changing the group, but I think it is through the network and out of my control. The bang method seems to work fine right now and hopefully it will not negatively affect anything.
