Skip to main content
Marc JESTIN’s Blog

How to remove sudo privileges from a user in Debian

·449 words·3 mins
Digital Tech and Computer Science Tutorials #Debian #Sudo #Root #Security #Hardening #Loginctl #Pkill #Deluser
Table of Contents

Hello,

Security Best Practices
#

A secure machine is one where just anyone cannot do just anything.

A secure machine requires logging into an account with elevated privileges to perform administrative tasks.

This can be the root account itself or other specific accounts, but it should not be just any user account, even if it belongs to the owner of the machine.

This is the default behavior in Debian, and—spoiler alert—it’s no accident: in Debian, if you make this mistake, it is by your own choice…

Communication and Preliminary Checks
#

Before making these changes, we discuss them with the user concerned.

We perform an audit to ensure that no important data or tasks are currently being managed via their user account.

We transfer administrative tasks or data to an account dedicated to administration.

How to Remove Sudo Privileges from a User
#

To remove sudo privileges from a user, simply remove them from the sudo group.

1

deluser user sudo

We also check the sudo configuration file (using visudo) to ensure there is no line such as:

1

user  ALL=(ALL:ALL) ALL

We should only see:

1

root    ALL=(ALL:ALL) ALL

Or, possibly, accounts (or groups) specifically dedicated to administration and used only for that purpose.

How to Verify That a User No Longer Has Sudo Privileges
#

To check that everything went as planned:

  • On the user side, we attempt to run a command with sudo:
1
2
3

user@debian:~$ sudo ls
[sudo] password for user: 
user is not in the sudoers file.
  • On the administrator side, we verify that the sudo group is no longer in the user’s list with the command:
1

groups user

Closing the Open User Session
#

For changes to take effect, the user session must be closed.

In principle, we should not have to do this as an administrator, as we communicate clearly and visibly with the user.

System Reminder / Warning Message
#

We can send a message via:

1

echo "Closing your session in [time to be completed]" | write user

But be careful: we cannot be certain that this message will actually be seen.

I will say it clearly again: we communicate with the user and ensure they have understood.

Ideally, if we do our job well, the user logs out and back in on their own when instructed.

Commands to Close User Session / Processes
#

However, here are the commands that may be useful if needed.

The command to terminate a session:

1

loginctl terminate-user user

To check if a user still has active processes:

1

pgrep -u user

If the user has stuck processes, we can perform a:

1

pkill -u user

Best regards,

Marc JESTIN
https://marcjestin.fr