Delayed Admin – Temporarily Drop Admin Privileges To Administrators
Today, I stumbled upon an interesting utility named “Delayed Admin”. As the name says it all, this utility will temporarily drop admin privileges to administrators. Delayed Admin will not remove the admin privileges of an administrative user account completely, but delays them for a particular time. In other words, the users will still have administrator access, but can’t use it at their whims. They must have to wait for some time to execute any command that requires “sudo” or “su” privileges. Please note that they still can run any commands which can be run as a normal user.
Why on the earth anyone would want this? Self-control! Allow me to explain. Have you ever used some self-control apps and/or addons that restrict you from visiting certain websites for a particular time? I do! Those apps will block some websites for a certain period of time to increase our productivity. So we can concentrate on our work without any distractions or the urge to visit the addictive sites. However, if you’re an administrator, you can uninstall or disable those apps at any time and visit the sites whenever you want, right? Indeed! In such cases, we need something powerful that won’t allow us to perform any administrative tasks even if we are the administrators. This is the principle Delayed Admin is based upon. So if ever wanted to delay the admin privileges to administrator account for some reason, Delayed Admin will definitely help.
WARNING – It is not for NOOBS!
Before trying Delayed Admin utility on your Linux system, please remember the following important points.
- After setting up Delayed Admin, you can not perform any administrative tasks using “sudo” or “su” privileges. So, it is recommended to setup two administrative accounts. Just in case you’re locked out of your system, you still can use another administrative account to gain the administrative access.
- Delayed Admin will make you wait for 30 seconds by default before running any administrative tasks with sudo privilege. Some of you might find this annoying. If you’re an impatient user, don’t install it.
Installing Delayed Admin
Install Git if it is not installed already. Git is available in the default repositories, so we can install using the default package manager. For instance, to install git on any Debian-based systems, run:
$ sudo apt-get install git
Clone the “Delayed Admin” repository locally:
$ git clone https://github.com/miheerdew/delayed-admin.git
This will create a directory named “delayed-admin” in the current directory and download all contents. Cd to the directory:
$ cd delayed-admin/
Then, install Delayed Admin using command:
$ sudo ./setup.sh install
Sample output would be:
[✔] Created group delayed-admin [✔] Copied /usr/local/bin/delayed and /etc/delayed-admin.conf %delayed-admin ALL = /usr/local/bin/delayed [✔] Copied above to sudoers file /etc/sudoers.d/delayed-admin [✔] Install successful
Once installed, add the current user to the delayed-admin group:
$ sudo usermod -a -G delayed-admin "$USER"
Finally, remove the current user from the sudo group:
$ sudo gpasswd -d "$USER" sudo
Log out and log in back or reboot the system to take effect the changes.
How to temporarily drop Admin privileges to Administrators using Delayed Admin
Please note that from now on you can’t use “sudo”. Instead, you will have to use “sudo delayed” when you perform an administrative task.
Let us run a command with “sudo” privileges and see what happens.
$ sudo apt-get update
Sample output from my Ubuntu 16.04 desktop:
Sorry, user ostechnix is not allowed to execute '/usr/bin/apt-get update' as root on ostechnix.
See? Even if I entered the correct admin password, I can’t be able to perform any admin tasks.
Now let me run the same command “sudo delayed” prefix:
$ sudo delayed apt-get update
Sleeping for 30 seconds staring from 01/15/18 15:13:45 [...]
Did you notice? Delayed admin utility has put the given command under sleep for 30 seconds. That means your admin user privileges are dropped for 30 seconds, by default. Therefore the given command will only execute after 30 seconds.
From now on, you have to wait for 30 seconds to execute any commands with sudo privileges. You can, of course, change the default time interval in /etc/delayed-admin.conf file. To do so, edit this file:
$ sudo delayed nano /etc/delayed-admin.conf
Then change the delayed time interval as per your wish. Remember you must run all administrative tasks with prefix “sudo delayed”.
Uninstall Delayed Admin
Waiting for 30 seconds to run an administrative tasks might be annoying or unnecessary. If so, simply uninstall it as described below.
First, add your user back to the “sudo” group. I repeat – you must add the user to “sudo” group before uninstalling this utility. Otherwise, you will lose the sudo access permanently. Another good option is to have two administrator accounts.
To add the current user back to the “sudo” group, run:
$ sudo delayed usermod -a -G sudo "$USER"
$ sudo delayed gpasswd -d "$USER" delayed-admin
Log out and log back in or reboot the system to run commands with sudo privileges.
Go to the directory where you cloned the Delayed Admin contents and remove delayed-admin utility using command:
$ cd delayed-admin/
$ sudo ./setup.sh uninstall
[✔] Deleted /usr/local/bin/delayed /etc/delayed-admin.conf [✔] Deleted sudoers file: /etc/sudoers.d/delayed-admin [✔] Deleted group delayed-admin [✔] Uninstall successful
Finally, delete “delayed admin” directory:
$ cd .. $ rm -r delayed-admin/
- How To Grant And Remove Sudo Privileges To Users On Ubuntu
- How To Restore Sudo Privileges To A User
- How To Find All Sudo Users In Linux
- How To Limit User’s Access To The Linux System
- Timekpr – Control The Computer Usage Of User Accounts
- How To Monitor User Activity In Linux
- How To Set Password Policies In Linux
- How To Auto Logout Inactive Users After A Period Of Time In Linux
Hope this helps.