A user on my AWS EC2 instance has unrestricted sudo access, and no password prompt. This is an Ubuntu 20.04.4 LTS VM.
Here's an example of the problem:
~$ whoami
ubuntu
~$ groups
ubuntu
~$ sudo deluser ubuntu sudo
/usr/sbin/deluser: The user `ubuntu' is not a member of group `sudo'.
~$ sudo whoami
root
As you can see, I've already removed this user from all groups but their own (ubuntu).
Here is my /etc/sudoers file:
~$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
#%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
I commented out the %admin group entry and also the secure_path entry in the Defaults just to test.
I've rebooted the machine and logged back in as ubuntu. I still have sudo access and can switch to the root user unrestricted.
$ sudo su
root@ip-x-x-x-x:/home/ubuntu#
The root user does have a password on the account.
I have added a new user, and confirmed that this new user had to be added to the group sudo
before being able to use sudo.
So, why does my user ubuntu have free root access?
Best Answer
Do you see this line near/at the end of your /etc/sudoers file?
#includedir /etc/sudoers.d
This loads files that are present in the /etc/sudoers.d directory, treating them as part of the /etc/sudoers file. As the comment line above that line indicates, the man page for the sudoers file explains the full details of how the #includedir directive works.
Have a look at the files in the /etc/sudoers.d directory and you'll find the entry that gives the ubuntu user permission to invoke commands as root.
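As an added example (not part of the question or the answer above), the POSIX shell script below audits where a user's sudo rights come from: it searches the main sudoers file and every drop-in under the include directory for rules that name the user directly or a group the user belongs to. It builds a constructed copy of a sudoers tree in a temporary directory so it runs without root; the user name ubuntu, the drop-in file name 90-example-user and the rule it contains are assumptions for the demonstration, not the page's actual file. It also applies a caveat from sudoers(5) that matters when hunting for a stray grant: sudo ignores files in the include directory whose names contain a '.' or end in '~', so an editor backup there is not a live rule.

```shell
#!/bin/sh
# Audit sudo grants for a user across a sudoers file and its include directory.
# Usage: find_sudo_grants USER SUDOERS_FILE SUDOERS_DIR GROUPS_CSV
# Prints FILE:LINE:RULE for each non-comment rule that starts with USER or
# with %GROUP for any group in GROUPS_CSV (comma-separated, may be empty).

find_sudo_grants() {
    user="$1"; main="$2"; dir="$3"; groups_csv="$4"
    # Match a rule that begins with the user name or one of the user's groups
    pattern="^[[:space:]]*$user[[:space:]]"
    for g in $(printf '%s' "$groups_csv" | tr ',' ' '); do
        pattern="$pattern|^[[:space:]]*%$g[[:space:]]"
    done
    {
        [ -f "$main" ] && grep -nE "$pattern" "$main" | sed "s|^|$main:|"
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            # sudoers(5): files whose names contain '.' or end in '~' are skipped
            # by #includedir, so they are not live rules and must not be reported
            case "$(basename "$f")" in *~|*.*) continue ;; esac
            grep -nE "$pattern" "$f" | sed "s|^|$f:|"
        done
    } | grep -v ':[0-9]*:[[:space:]]*#' || true   # drop commented-out rules
}

# Build a constructed sudoers tree in a temp dir (stand-in for /etc) and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/sudoers.d"
    # Main file: the user-privilege lines of a stock Ubuntu sudoers, as in the question
    cat > "$root/sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
#%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
EOF
    # Constructed drop-in granting the user passwordless root: the kind of file
    # the answer says to look for (file name and rule are assumptions)
    printf 'ubuntu ALL=(ALL) NOPASSWD:ALL\n' > "$root/sudoers.d/90-example-user"
    # Constructed files that sudo ignores or that contain only comments
    printf 'ubuntu ALL=(ALL) ALL\n' > "$root/sudoers.d/old.bak"
    printf '# placeholder\n' > "$root/sudoers.d/README"
    printf '%s\n' "$root"
}

# Stand-alone run: audit the constructed tree for the user "ubuntu" with no groups
if [ "${RUN_DEMO:-1}" = "1" ]; then
    demo_root=$(make_sample_tree)
    echo "Rules granting sudo rights to ubuntu (direct, no group membership):"
    find_sudo_grants ubuntu "$demo_root/sudoers" "$demo_root/sudoers.d" ""
    rm -rf "$demo_root"
fi
```

On a live system the authoritative check is sudo's own view, `sudo -l -U ubuntu`, run as an administrator; the script above is useful when you are reviewing a copy of /etc pulled from an instance or an image and want to see which file carries the grant. Note that the `%sudo` line is reported only when the user's groups include sudo, which is why the questioner's user, a member of no group but its own, must be getting its rights from a direct rule in a drop-in rather than from the main file.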