Restricting sudo / su to only 1 account
I have 3 accounts:
1) The 1st account is the only one in the sudo group
2) The 2nd account is a limited desktop user
3) The 3rd account is like #2
When accounts 2 or 3 are in use, one can click on something requiring root level privilege and get a prompt asking for the password of the 1st account, who is my only sudo member. Is it possible to stop that? For example, pretend someone is in the 2nd account and clicks on Synaptic. That person would then have a prompt asking for the password of the 1st account, which is the sudo (Administrator) account. I don't want the 2nd and 3rd accounts on this system to even have the ability to input the sudo password, even if it is known. Is it possible to create this restriction? If yes, then how? Basically, I only want the 1st account to be able to gain elevated privilege. I don't want the 2nd and 3rd accounts able to gain elevated privilege, even if those users know the proper password. Thank you.
Other users should not have access to your password. That is a basic security practice. There should be no "even if it is known." It should not be known.
The first thing to do is to change the password for account number 1, the one with legitimate sudo privileges, and not reveal it to accounts 2 and 3. If the sudoers file is configured properly, that should take care of this issue.
You can use this config in /etc/pam.d/su:
Code:
auth required pam_wheel.so group=sudo
Thank you for the replies.
Let me clarify. Currently I am the only person using this system even though it has 3 accounts (administrator plus 2 regular users). In the future, I would not expect any regular user to know my Administration (sudo) password. However, I noticed that the system asked for the Administration (sudo) password while I was testing the 2 regular user accounts. Those 2 regular user accounts are not in the sudo group. Only my 1st account (Administrator) is in the sudo group. Are you folks saying that even if a regular user account gets an "Enter password for XYZ" message (where XYZ is my only sudo group member) that the system would not accept the password, even if it is correct, because that regular user is not a sudo group member?
Well, there is a simple way of testing it, right?
HaHa - Yes, good point.
Also on some distros you may have pkexec muddying the water instead of normal sudo.
Anyway, it's just a heads up that if your DE is ignoring your sudoers file, then you might have uncovered a pkexec backdoor. I haven't looked into how to disable it. The configuration documentation shows a convoluted disorganized tangle.
Not good. This must be a bug. I very clearly established only 1 sudo. Would it be a Linux Mint bug or a Mate bug? I am using Mint 18.1.
Not sure, I do not use Mint Mate. But feel free to report it here: https://bugs.launchpad.net/linuxmint. Also, did you try to set /etc/pam.d/su as suggested?
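The thread leaves two things to check from the admin account: whether the pam_wheel line actually made it into /etc/pam.d/su, and which identities polkit (the mechanism behind pkexec and the desktop's "enter the administrator password" prompts) treats as administrators. The script below is an added example, not code posted in the thread or shipped by any distribution. It runs offline against two constructed config samples embedded inline; the pam_wheel syntax is as quoted in the thread, and the AdminIdentities key and the /etc/polkit-1/localauthority.conf.d/ path are assumed to match the polkit 0.105 localauthority backend used on Ubuntu-derived releases such as Mint 18.1. To audit a real system, replace the two sample variables with the contents of the real files.

```shell
#!/bin/sh
# Added example (not from the thread): audit constructed copies of
# /etc/pam.d/su and a polkit localauthority .conf file offline.

# Constructed sample of /etc/pam.d/su containing the pam_wheel line from
# the thread (Debian/Ubuntu @include style).
SAMPLE_SU='# constructed sample of /etc/pam.d/su
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so group=sudo
@include common-auth
@include common-account
@include common-session'

# Constructed sample of a polkit localauthority config file; assumed path
# /etc/polkit-1/localauthority.conf.d/52-site-admin.conf (polkit 0.105).
SAMPLE_POLKIT='[Configuration]
AdminIdentities=unix-user:admin1'

# Exit 0 when an uncommented "auth required pam_wheel.so ... group=<group>"
# line is present, i.e. su is refused to users outside <group>.
su_restricted_to_group() {
    content=$1
    group=$2
    printf '%s\n' "$content" \
      | grep -v '^[[:space:]]*#' \
      | grep -Eq "^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*[[:space:]]group=${group}([[:space:]]|$)"
}

# Print the identities polkit treats as administrators, one per line.
# AdminIdentities holds a ';'-separated list of unix-user:/unix-group: items.
polkit_admin_identities() {
    printf '%s\n' "$1" \
      | sed -n 's/^AdminIdentities=//p' \
      | tr ';' '\n'
}

# Exit 0 when exactly one user (and no group) is an admin identity, which is
# the "only account 1 can elevate" goal of the thread.
polkit_admin_is_only() {
    user=$1
    ids=$(polkit_admin_identities "$2")
    [ "$ids" = "unix-user:${user}" ]
}

# Stand-alone run against the constructed samples.
if su_restricted_to_group "$SAMPLE_SU" sudo; then
    echo "su: restricted to group sudo via pam_wheel"
else
    echo "su: NOT restricted; any user who knows a password can try su"
fi
echo "polkit admin identities:"
polkit_admin_identities "$SAMPLE_POLKIT"
if polkit_admin_is_only admin1 "$SAMPLE_POLKIT"; then
    echo "polkit: only admin1 can authenticate as administrator"
else
    echo "polkit: more than one identity can authenticate as administrator"
fi
```

The polkit half explains the behaviour reported in the thread: on Ubuntu-derived systems the shipped default (51-ubuntu-admin.conf) lists unix-group:sudo and unix-group:admin as AdminIdentities, so a desktop user outside those groups is not refused but is instead prompted to authenticate as a member of them, which is exactly the "enter the password for XYZ" dialog the original poster saw. The pam_wheel check only covers su; sudo is governed separately by /etc/sudoers.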