This was quite a head-scratcher. I wanted to remove a user
sammy from the
sudo group and did that by running this as root
root> deluser sammy sudo
However, when I logged in as
sammy I was still able to run –
sammy> sudo su
Checking which groups the user belonged to was of no help either.
sammy> groups sammy
visudo again. The only line was the one below and even commenting it out didn’t help!
# Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL
Finally, the answer at Superuser gave me a hint what was going on.
There’s a line at the bottom of the
This line makes it include files from
/ect/sudoers.d/ directory. The
# at the beginning of the line made it seem that it was commented out. But actually, the directive itself is
#includedir with the leading
Looking into the
/etc/sudoers.d/ directory, there was indeed a file with the following entry!
# User rules for sammy sammy ALL=(ALL) NOPASSWD:ALL
This file, then, was overriding whatever I was doing using
visudo. Deleting this file solved the problem!
Besides that offending file, there was also this very helpfule
README file there.
# # As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on # installation of the package now includes the directive: # # #includedir /etc/sudoers.d # # This will cause sudo to read and parse any files in the /etc/sudoers.d # directory that do not end in '~' or contain a '.' character. # # Note that there must be at least one file in the sudoers.d directory (this # one will do), and all files in this directory should be mode 0440. # # Note also, that because sudoers contents can vary widely, no attempt is # made to add this directive to existing sudoers files on upgrade. Feel free # to add the above directive to the end of your /etc/sudoers file to enable # this functionality for existing installations if you wish! # # Finally, please note that using the visudo command is the recommended way # to update sudoers content, since it protects against many failure modes. # See the man page for visudo for more information. #
Live and learn, as they say.