Delayed Admin – Temporarily Drop Admin Privileges To Administrators
Today, I stumbled upon an interesting utility named “Delayed Admin”. As the name says it all, this utility will temporarily drop admin privileges to administrators. Delayed Admin will not remove the admin privileges of an administrative user account completely, but delays them for a particular time. In other words, the users will still have administrator access, but can’t use it at their whims. They must have to wait for some time to execute any command that requires “sudo” or “su” privileges. Please note that they still can run any commands which can be run as a normal user.
Why on the earth anyone would want this? Self-control! Allow me to explain. Have you ever used some self-control apps and/or addons that restrict you from visiting certain websites for a particular time? I do! Those apps will block some websites for a certain period of time to increase our productivity. So we can concentrate on our work without any distractions or the urge to visit the addictive sites. However, if you’re an administrator, you can uninstall or disable those apps at any time and visit the sites whenever you want, right? Indeed! In such cases, we need something powerful that won’t allow us to perform any administrative tasks even if we are the administrators. This is the principle Delayed Admin is based upon. So if ever wanted to delay the admin privileges to administrator account for some reason, Delayed Admin will definitely help.
Temporarily Drop Admin Privileges To Administrators Using Delayed Admin
Installing Delayed Admin
Install GIT if it is not installed already. Git is available in the default repositories, so we can install using the default package manager. For instance, to install git on any Debian-based systems, run:
sudo apt-get install git
Clone the “Delayed Admin” repository locally:
git clone https://github.com/miheerdew/delayed-admin.git
This will create a directory named “delayed-admin” in the current directory and download all contents. Cd to the directory:
Then, install it using command:
sudo ./setup.sh install
Sample output would be:
[✔] Created group delayed-admin [✔] Copied /usr/local/bin/delayed and /etc/delayed-admin.conf %delayed-admin ALL = /usr/local/bin/delayed [✔] Copied above to sudoers file /etc/sudoers.d/delayed-admin [✔] Install successful
Once installed, add the current user to the delayed-admin group:
sudo usermod -a -G delayed-admin "$USER"
Finally, remove the current user from the sudo group:
sudo gpasswd -d "$USER" sudo
Please note that from now on you can’t use “sudo”. Instead, you will have to use “sudo delayed” when you perform an administrative task.
Let us run a command with “sudo” privileges and see what happens.
sudo apt-get update
Sample output from my Ubuntu 16.04 desktop:
Sorry, user ostechnix is not allowed to execute '/usr/bin/apt-get update' as root on ostechnix.
See? Even if I entered the correct admin password, I can’t be able to perform any admin tasks.
Now let me run the same command “sudo delayed” prefix:
sudo delayed apt-get update
Sleeping for 30 seconds staring from 01/15/18 15:13:45 [...]
Did you notice? Delayed admin utility has put the given command under sleep for 30 seconds. That means your admin user privileges are dropped for 30 seconds by default. Therefore the given command will only execute after 30 seconds.
You can, of course, change the default time interval in /etc/delayed-admin.conf file. To do so, edit this file:
sudo delayed nano /etc/delayed-admin.conf
Then change the delayed time interval as per your wish. Remember you must run all administrative tasks with prefix “sudo delayed”.
If you find this annoying or unnecessary, simply uninstall it.
First, add your user back to the “sudo” group. I repeat – you must add the user to “sudo” group before uninstalling this utility. Otherwise, you will lose the sudo access permanently. Another good option is to have two administrator accounts.
To add the current user back to the “sudo” group, run:
sudo delayed usermod -a -G sudo "$USER"
sudo delayed gpasswd -d "$USER" delayed-admin
Finally, remove delayed-admin utility:
sudo ./setup.sh uninstall
Reboot your system if you still can’t use “sudo”.
And, that’s all for today. Hope this helps. We will be posting more good stuffs in the days to come. Keep visiting OSTechNix!