How do I remove a sudo user? – [Answer] 2022

Answer

To make things easier for multiple users, you should create a separate user account for each one. When a particular person no longer needs to use your server, deleting their user is a simple process: run the command deluser --remove-home username.


Hmmm. I’d need to add /bin/bash for him to have bash. But he already had /bin/sh, so how about replacing this with a symlink? Time to do some reading:

Next I decided that if I was going to go through all that trouble of adding shell access, perhaps there might be some merit in bringing him up to date on AppArmor by changing his default profile. This would provide much better protection than what’s currently available via SELinux, and may even help cure some of my headaches! Very happy with this decision and eagerly set about updating his profile:

So I’d created his needed directories, sudoers configuration and updated his AppArmor profile. All that was left to do was create a shell with bash in it for the user & SELinux would be happy… right? Well apparently not. Even after fixing all of these things, sestatus reported the same thing! So next step is to check what commands he had available to see if perhaps this was just a listing issue on my server:

As you can see above, despite everything being ticked to allow him access via apparmor (the file is even owned by root!), it doesn’t work! Instead what happens is that when moving into the directory which contains the AllowedApps_full path, he’s still denied access! Time to sort this out then…

Ah, there we go. So the command is installed… but it hasn’t been given execute permissions and SELinux isn’t happy about that because it doesn’t have a valid policy for the application at boot time. I can attempt to give him full access on an on-going basis using the sesearch command:


Unfortunately, if this permission were to be removed again in the future or if a program without its own AO (like, let’s say, wget) was used instead of fetch, then this would stop working. I could try and fix this with some post-transaction script magic:

Not sure why, but it seems as though fetch has been installed incorrectly so it can’t find any user-applied policies at boot time. The first thing would be to check the hash:

So we know that the application exists on disk and hasn’t been deleted or moved – just missing access via SELinux. So I decide to try and see if I can fix this using the audit2allow command:

So the application matched a rule, but it’s not going to be applied due to our current policy (which is very restrictive). Time for plan B…

I’ve updated my policy file with all of the correct entries so that fetch now has access via SELinux. It should show up in sestatus when we run it, but does it? Let’s find out:

Great! So we have successfully managed to give him permission through apparmor and SELinux and even turn on some logging for wget / fetch! But there doesn’t seem to be anything happening within his session… why not? Well let’s see what happens when we try something
