How to create a sudo user that cannot delete me?

Question

I'm sudoer on a remote linux machine and would like to create another user with the maximum privileges, except the privilege of managing my account. I'm assuming a sudoer can delete or change the password of another sudoer.

score 9 · Accepted Answer · answered Dec 24 '11 at 15:58

9

The simple answer is that you can't. A user with root privileges can fatally harm your account in all kinds of way. Removing your account from the account database or changing your password is just one. Root can execute any process as your account, can snoop on everything done by any process on the system, can access and modify or remove your files, can access disks directly (bypassing all filesystem permissions), and so on.

If you want to give someone root privileges to perform a specific task, you can allow them to run only a specific command with sudo.

If you want to give someone broad privileges, give them on a virtual machine or virtual environment that you do not care about, and keep your account outside that virtual machine (in another VM or on the host system).

answered Dec 24 '11 at 15:58

Gilles 'SO- stop being evil'

829,060

As for which virtualization technology: heavyweight virtualization such as KVM or VirtualBox will do. So will User mode Linux. I don't know about lightweight Linux-on-Linux solutions. – Gilles 'SO- stop being evil' Dec 24 '11 at 16:24
that's a shame. I expected the OS to have such capability. – simpatico Dec 24 '11 at 17:37
If the OP had asked for more restricted privileges, such as just being allowed to run apt commands for example, the sudoers file could do it: https://unix.stackexchange.com/questions/215412/allow-certain-guests-to-execute-certain-commands#215419 – PlasmaBinturong Oct 22 '23 at 16:42
@Gilles'SO-stopbeingevil' and I just saw that you commented below that post about how this is still unsafe... – PlasmaBinturong Oct 22 '23 at 16:51

How to create a sudo user that cannot delete me?

1 Answers1