How to Prevent Sudo Privilege Escalation in Ubuntu

Securing your Ubuntu system involves controlling who can execute administrative commands. This article provides a direct method to revoke sudo access from specific users. You will learn how to remove users from the sudo group and edit the sudoers file to block privilege escalation effectively.

Remove the User from the Sudo Group

By default, users granted sudo access in Ubuntu are added to the sudo group. The quickest way to revoke this access is to remove the user from this group. Open your terminal and run the following command, replacing username with the actual account name:

sudo deluser username sudo

This command immediately strips the user of the group permissions associated with sudo execution.

Edit the Sudoers File

Some users may have explicit permissions defined outside of the group structure. To ensure all privileges are revoked, you should check the sudoers configuration. Always use the visudo command to edit this file, as it prevents syntax errors that could lock you out of the system:

sudo visudo

Search for any lines referencing the specific user. These lines often look like username ALL=(ALL:ALL) ALL. Delete any lines granting the user full access or specific command permissions. Save and exit the editor to apply the changes.

Verify the Changes

To confirm that the user can no longer escalate privileges, switch to the user account or ask them to attempt a sudo command. When they run a command prefixed with sudo, such as sudo ls, the system should return a permission denied error:

user is not in the sudoers file. This incident will be reported.

This confirms that the privilege escalation path has been successfully blocked.