LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux Mint (https://www.linuxquestions.org/questions/linux-mint-84/)
    -   Restricting sudo / su to only 1 account (https://www.linuxquestions.org/questions/linux-mint-84/restricting-sudo-su-to-only-1-account-4175607929/)

MBA Whore 06-14-2017 07:21 PM

Restricting sudo / su to only 1 account
 
I have 3 accounts:

1) The 1st account is the only one in the sudo group
2) The 2nd account is a limited desktop user
3) The 3rd account is like #2

When accounts 2 or 3 are in use, one can click on something requiring root level privilege and get a prompt asking for the password of the 1st account, who is my only sudo member. Is it possible to stop that?

For example, pretend someone is in the 2nd account and clicks on Synaptic. That person would then have a prompt asking for the password of the 1st account, which is the sudo (Administrator) account. I don't want the 2nd and 3rd accounts on this system to even have the ability to input the sudo password, even if it is known.

Is it possible to create this restriction? If yes, then how?

Basically, I only want the 1st account to be able to gain elevated privilege. I don't want the 2nd and 3rd accounts able to gain elevated privilege, even if those users know the proper password.

Thank you.

frankbell 06-14-2017 09:09 PM

Other users should not have access to your password. That is a basic security practice. There should be no "even if it is known." It should not be known.

The first thing to do is to change the password for account number 1, the one with legitimate sudo privileges, and not reveal it to accounts 2 and 3. If the sudoers file is configured properly, that should take care of this issue.

dejank 06-15-2017 03:01 AM

You can use config in /etc/pam.d/su:

Code:

auth required pam_wheel.so group=sudo

With that set, even if they know your password, they cannot log in as another user if they are not members of the sudo group. So, they will probably not be able to do anything even if they guess your password.

Quote:

Other users should not have access to your password. That is a basic security practice. There should be no "even if it is known." It should not be known.
Exactly. PAM serves just as another layer, to prevent others from "guessing" your password.
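
The pam_wheel line above governs su only: sudo is still decided by the sudoers file, and graphical prompts raised through polkit/pkexec are decided by polkit's own configuration. The following script is an added example, not code from the thread, that checks a pam.d/su file for an active pam_wheel.so line naming a group and then works out, from a group file, which users could still reach su's password prompt. File paths are parameters so the checks can be run against copies; the sample files it writes are constructed for the demo and are not taken from any real system.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that a pam.d/su file carries
# the pam_wheel.so restriction and work out who could still use su.
# Paths are parameters so the checks can be run against copies or test files.

# pam_su_restricted FILE GROUP
# 0 if FILE has an active (uncommented) pam_wheel.so auth line naming GROUP.
pam_su_restricted() {
    _file=$1
    _group=$2
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$_file" \
        | grep -Eq "(^|[[:space:]])group=${_group}([[:space:]]|$)"
}

# user_in_group USER GROUP [GROUPFILE]
# 0 if USER is listed as a supplementary member of GROUP in GROUPFILE
# (default /etc/group). Primary-group membership from /etc/passwd is not checked.
user_in_group() {
    _user=$1
    _group=$2
    _gfile=${3:-/etc/group}
    awk -F: -v u="$_user" -v g="$_group" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { if (found) exit 0; exit 1 }' "$_gfile"
}

# su_allowed USER GROUP PAMFILE GROUPFILE
# 0 if USER could still reach su's password prompt under PAMFILE; with the
# pam_wheel line in place that means USER must be a member of GROUP.
su_allowed() {
    if pam_su_restricted "$3" "$2"; then
        user_in_group "$1" "$2" "$4"
    else
        return 0   # no pam_wheel restriction: anyone who knows the password gets through
    fi
}

# write_samples DIR: constructed sample files (not from any real system) for the demo.
write_samples() {
    printf 'auth sufficient pam_rootok.so\n# auth required pam_wheel.so\n@include common-auth\n' > "$1/su.default"
    printf 'auth sufficient pam_rootok.so\nauth required pam_wheel.so group=sudo\n@include common-auth\n' > "$1/su.restricted"
    printf 'root:x:0:\nsudo:x:27:admin\nusers:x:100:admin,bob,carol\n' > "$1/group"
}

# Demo: compare the default and restricted su stacks for three constructed users.
# On a live system the equivalent check is: pam_su_restricted /etc/pam.d/su sudo
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for pamfile in su.default su.restricted; do
    for user in admin bob carol; do
        if su_allowed "$user" sudo "$demo_dir/$pamfile" "$demo_dir/group"; then
            printf '%-14s %-6s may reach the su password prompt\n' "$pamfile" "$user"
        else
            printf '%-14s %-6s blocked by pam_wheel (not in sudo group)\n' "$pamfile" "$user"
        fi
    done
done
rm -rf "$demo_dir"
```

With the default file every user reaches the prompt; with the restricted file only `admin`, the sole sudo-group member, does, which is the behaviour the post describes.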

MBA Whore 06-15-2017 12:45 PM

Thank you for the replies.

Let me clarify. Currently I am the only person using this system even though it has 3 accounts (administrator plus 2 regular users).

In the future, I would not expect any regular user to know my Administration (sudo) password. However, I noticed that the system asked for the Administration (sudo) password while I was testing the 2 regular user accounts. Those 2 regular user accounts are not in the sudo group. Only my 1st account (Administrator) is in the sudo group.

Are you folks saying that even if a regular user account gets an "Enter password for XYZ" message (Where XYZ is my only sudo group member) that the system would not accept the password, even if it is correct, because that regular user is not a sudo group member?

dejank 06-16-2017 02:03 AM

Well, there is a simple way of testing it, right?

MBA Whore 06-16-2017 10:02 AM

HaHa - Yes, good point.

Turbocapitalist 06-16-2017 10:07 AM

Also on some distros you may have pkexec muddying the water instead of normal sudo.

MBA Whore 06-16-2017 11:21 PM

Quote:

Originally Posted by Turbocapitalist (Post 5723394)
Also on some distros you may have pkexec muddying the water instead of normal sudo.

I never heard of pkexec. What is it?

Turbocapitalist 06-16-2017 11:46 PM

Quote:

Originally Posted by MBA Whore (Post 5723648)
I never heard of pkexec. What is it?

It's a shoddy mess that on the surface aims to provide a similar functionality as sudo, minus the flexibility and granularity. pkexec has no redeeming features as far as I can tell. It's rather lacking in all areas. I have no qualms about people trying new things or even revisiting old things in new ways, but I am adamant that they ought to be a clear improvement before inclusion in a mainstream distro, but then the decision process these days seems bizarre to say the least.

Anyway, it's just a heads up that if your DE is ignoring your sudoers file, then you might have uncovered a pkexec backdoor. I haven't looked into how to disable it. The configuration documentation shows a convoluted disorganized tangle.

MBA Whore 06-18-2017 11:45 AM

Quote:

Originally Posted by dejank (Post 5723285)
Well, there is a simple way of testing it, right?

Oh wow. I tested the sudo password on a non-sudo account to access Synaptic and it let me right in!

Not good.

This must be a bug. I very clearly established only 1 sudo.

Would it be a Linux Mint bug or a Mate bug?

I am using Mint 18.1.

dejank 06-18-2017 11:55 AM

Not sure, I do not use Mint Mate. But feel free to report it here: https://bugs.launchpad.net/linuxmint. Also, did you try to set /etc/pam.d/su as suggested?

Turbocapitalist 06-18-2017 12:24 PM

Quote:

Originally Posted by MBA Whore (Post 5724045)
Oh wow. I tested the sudo password on

sudo is just a tool. The password is tied to an account. Which distro is this on? It might be afflicted with pkexec.

MBA Whore 06-18-2017 01:03 PM

Quote:

Originally Posted by Turbocapitalist (Post 5724054)
sudo is just a tool. The password is tied to an account. Which distro is this on? It might be afflicted with pkexec.

I am running Linux Mint 18.1 with Mate, but I don't know which version of Mate.

MBA Whore 06-18-2017 01:04 PM

Quote:

Originally Posted by dejank (Post 5724050)
Not sure, I do not use Mint Mate. But feel free to report it here: https://bugs.launchpad.net/linuxmint. Also, did you try to set /etc/pam.d/su as suggested?

No, I haven't gotten that far yet. I want to search for other options before trying that.

MBA Whore 06-18-2017 01:11 PM

Quote:

Originally Posted by Turbocapitalist (Post 5724054)
sudo is just a tool. The password is tied to an account. Which distro is this on? It might be afflicted with pkexec.

How do I know if I have pkexec and if it is causing that problem?
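
The thread does not answer this, so here is an added example, not code from any poster. A graphical program that elevates through pkexec asks polkit for authorisation; on Ubuntu-based systems such as Mint, polkit's local authority takes the list of "administrator" identities from `AdminIdentities=` in `/etc/polkit-1/localauthority.conf.d/*.conf` (Ubuntu ships `unix-group:sudo` there), and the prompt accepts the password of any listed identity regardless of which desktop account is logged in. That is polkit behaving as configured rather than sudoers being bypassed, and it is why the pam.d/su change has no effect on it. The script below reports whether pkexec is on PATH, parses a conf directory for the effective AdminIdentities value (assumption: later files override earlier ones in lexicographic order, as documented for polkit's local authority; verify against pklocalauthority(8) on your system), and checks whether a given identity is listed. The sample conf files it writes are constructed to mirror the Ubuntu layout and are not copied from any system.

```shell
#!/bin/sh
# Added example, not code from the thread: is pkexec present, and which
# identities does polkit's local authority treat as administrators?
# The conf directory is a parameter so the parser can run against copies.

# pkexec_present: 0 if a pkexec binary is on PATH.
pkexec_present() { command -v pkexec >/dev/null 2>&1; }

# polkit_admin_identities CONFDIR
# Prints the effective AdminIdentities value. Files are read in lexicographic
# order and a later file overrides an earlier one (assumption: this is the
# pklocalauthority(8) rule; confirm it on your system).
polkit_admin_identities() {
    _val=""
    for _f in "$1"/*.conf; do
        [ -f "$_f" ] || continue
        _line=$(grep -E '^[[:space:]]*AdminIdentities[[:space:]]*=' "$_f" | tail -n 1)
        [ -n "$_line" ] && _val=$(printf '%s' "${_line#*=}" | tr -d ' \t')
    done
    printf '%s\n' "$_val"
}

# polkit_lists_identity IDS IDENTITY
# 0 if IDENTITY (e.g. unix-group:sudo) is one of the ';'-separated IDS.
polkit_lists_identity() {
    printf '%s\n' "$1" | tr ';' '\n' | grep -qxF "$2"
}

# write_polkit_samples DIR: constructed conf files mirroring the Ubuntu layout.
write_polkit_samples() {
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' > "$1/50-localauthority.conf"
    printf '[Configuration]\nAdminIdentities=unix-group:sudo;unix-group:admin\n' > "$1/51-ubuntu-admin.conf"
}

# Demo on the constructed files, then on the live directory if it exists.
demo_dir=$(mktemp -d)
write_polkit_samples "$demo_dir"
ids=$(polkit_admin_identities "$demo_dir")
printf 'sample AdminIdentities: %s\n' "$ids"
if polkit_lists_identity "$ids" unix-group:sudo; then
    echo "any sudo-group member's password satisfies the graphical admin prompt"
fi
rm -rf "$demo_dir"

if pkexec_present; then
    echo "pkexec found at $(command -v pkexec)"
else
    echo "pkexec not on PATH"
fi
if [ -d /etc/polkit-1/localauthority.conf.d ]; then
    printf 'live AdminIdentities: %s\n' "$(polkit_admin_identities /etc/polkit-1/localauthority.conf.d)"
fi
```

If the live output lists `unix-group:sudo`, every member of that group is an acceptable identity for the prompt, which matches what was observed with Synaptic; narrowing that list is a polkit configuration change, separate from sudoers and from pam.d/su.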

