Skip to main content
Marc JESTIN’s Blog

How to disable sudo in Debian

·409 words·2 mins
Digital Tech and Computer Science Tutorials #Debian #Sudo #Su #Root #Security #Hardening
Table of Contents

Hello,

Security Best Practices
#

A secure machine is one where just anyone cannot do just anything.

A secure machine requires logging into an account with elevated privileges to perform administrative tasks.

This can be the root account itself or other specific accounts, but it should not be just any user account, even if it belongs to the owner of the machine.

This is the default behavior in Debian, and—spoiler alert—it’s no accident: in Debian, if you make this mistake, it is by your own choice…

Important Precaution
#

Before disabling or uninstalling sudo, we must ensure that we can access the root account:

  • using the command:
1

su -

or directly via a local or remote connection to the machine. 1

Disabling sudo
#

The command to use with root privileges (preferably logged in as root) to modify sudo settings is:

1

visudo

This allows us to modify the configuration file and comment out the following lines to:

  • Revoke privileges from the sudo group.
  • Stop loading additional sudoers files.
1
2
3
4
5
6
7


```conf
# Allow members of group sudo to execute any command
# %sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:
# @includedir /etc/sudoers.d

While we are at it, we should ensure this file does not contain any other lines granting sudo privileges to accounts or groups we don’t want.

We can also clear the contents of the /etc/sudoers.d directory (but do not delete the /etc/sudoers file itself).

Uninstalling sudo
#

As a further precaution, we can go even further in hardening our machine by removing sudo entirely.

Simply uninstall the package associated with sudo:

1

apt purge sudo

About “Substitution” Commands
#

As a reminder:

  • su = Substitute user (execute as another user) and
  • sudo = Substitute user do (execute as another user)

These are very similar. The main difference lies in which password is requested:

  • su: the password of the target account.
  • sudo: the password of the requesting account.

The fact that the root account is associated with these commands by default when no user is specified should not make us forget their broader uses.

For this reason, it is generally preferable to keep both sudo and su on a machine.

However, we may choose to remove them, after an audit, as part of strict hardening requirements.

Best regards,

Marc JESTIN
https://marcjestin.fr

  1. Note: I do not recommend enabling direct root access via SSH or other equivalent protocols. ↩︎