How to Revoke Sudo Access Remotely via Bash Script?
Maintaining a robust security posture across an enterprise fleet requires strict adherence to the Principle of Least Privilege (PoLP). On Linux systems, administrative accounts possess the authority to bypass security controls, modify system kernels, and access sensitive data. By downgrading unnecessary administrator accounts to Standard User status, IT teams can significantly reduce the “blast radius” of potential security breaches or accidental system damage.
When an account is demoted, the user retains their personal files, applications, and settings but loses the ability to perform high-risk actions—such as installing unauthorized software or disabling security agents—without explicit, authorized credentials. To streamline this transition across a distributed fleet, IT administrators can leverage the Execute Custom Script remote action in Hexnode UEM to revoke privileges silently and at scale.
Technical Implementation: Linux Privilege Revocation
In Linux, administrative access is governed by membership in specific system groups: sudo (predominantly Debian/Ubuntu) or wheel (RHEL/CentOS/Fedora). The following script automates the removal of a target user from these privileged groups.
The Privilege De-escalation Script
Configuration: Before deployment, replace ‘username’ in the script below with the actual username you intend to downgrade.
```bash
#!/bin/bash
# ==============================================================
# SCRIPT: Privileged Account De-escalation
# FUNCTION: Revokes sudo/wheel access to enforce Standard User status.
# ==============================================================

TARGET_USER="username"

# Ensure script runs with root authority
if [[ $EUID -ne 0 ]]; then
    echo "Error: Root privileges required to modify system groups." >&2
    exit 1
fi

# Abort early if the account does not exist on this host
if ! getent passwd "$TARGET_USER" > /dev/null; then
    echo "Error: User '$TARGET_USER' not found." >&2
    exit 1
fi

echo "Initiating privilege revocation for: $TARGET_USER"

# id -nG lists the user's group names; grep -x matches a whole name,
# so a user named "alice" is never mistaken for "alice.smith"
user_in_group() {
    id -nG "$TARGET_USER" | tr ' ' '\n' | grep -qx "$1"
}

# Target Debian/Ubuntu-based groups
if user_in_group sudo; then
    gpasswd -d "$TARGET_USER" sudo
    echo "Success: Removed from 'sudo' group."
fi

# Target RHEL/CentOS/Fedora-based groups
if user_in_group wheel; then
    gpasswd -d "$TARGET_USER" wheel
    echo "Success: Removed from 'wheel' group."
fi

# Audit Verification
echo "Current Account Status for $TARGET_USER:"
id "$TARGET_USER"
```
Visual Verification: Device State Transition
- Before Execution: Administrative Access Active
  - Status: The user belongs to the sudo or wheel group.
  - Capabilities: The user can unlock system settings and execute elevated commands using their own password.
  - UI Indicator: In Settings > System > Users, the “Administrator” toggle is switched ON.
- After Execution: Standard User Status Enforced
  - Status: The user is successfully removed from privileged groups.
  - Capabilities: The user can no longer run restricted commands. Any attempt to modify system-wide settings will prompt for a separate administrator’s credentials.
  - UI Indicator: The “Administrator” toggle automatically switches OFF and is greyed out, confirming the account is now a Standard User.
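The following shell functions are an added example, not part of the original page or the Hexnode script, for confirming the "after" state above from the command line rather than the Settings UI. `is_listed_member` parses a getent(1) group record (`name:x:gid:member1,member2`) and matches the member list exactly, so a demoted `alice` is not reported as still privileged because `alice.smith` is a member; `audit_privileged_groups` runs that check for the `sudo` and `wheel` groups on the host; `sudoers_rules_for` covers per-user rules in `/etc/sudoers` and `/etc/sudoers.d`, which group removal alone does not touch. The function names are my own, and the `SAMPLE_RECORD` group line is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the page's script): post-revocation audit helpers.

# Return 0 if USER appears in the member list (field 4) of the group record
# LINE, matching each comma-separated name exactly.
# Usage: is_listed_member "<getent group record>" "<user>"
is_listed_member() {
    user="$2"
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    old_ifs=$IFS
    IFS=','
    for m in $members; do
        if [ "$m" = "$user" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Check the privileged groups the page's script targets. Prints a warning for
# each group the account still belongs to; returns 0 only when the account is
# in neither group. Groups that do not exist on this distribution are skipped.
# Usage: audit_privileged_groups "<user>"
audit_privileged_groups() {
    user="$1"
    found=0
    for group in sudo wheel; do
        record=$(getent group "$group") || continue
        if is_listed_member "$record" "$user"; then
            echo "WARNING: $user is still a member of '$group'"
            found=1
        fi
    done
    return $found
}

# Group membership is not the only path to root: a per-user rule in
# /etc/sudoers or /etc/sudoers.d survives removal from sudo/wheel. Run as
# root, sudo -l -U lists what the account may still execute, or reports that
# the user is not allowed to run sudo on this host.
# Usage (as root): sudoers_rules_for "<user>"
sudoers_rules_for() {
    sudo -l -U "$1"
}

# Constructed sample record used for a stand-alone demonstration.
SAMPLE_RECORD="sudo:x:27:alice,alice.smith,bob"

# When invoked with a username, audit that account on the local host.
if [ -n "${1:-}" ]; then
    audit_privileged_groups "$1" && echo "OK: $1 holds no sudo/wheel membership"
fi
```

Run it as `sh audit.sh alice` after the de-escalation script; a clean result is an exit status of 0 with no warnings, and `sudoers_rules_for alice` (as root) should then confirm no per-user rule remains.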
Strategic Governance: Scalable Privilege Management
Automated Offboarding & Role Transitions
In dynamic organizations, employees frequently shift from technical to management roles. Hexnode UEM allows IT to push the downgrade script to specific Device Groups instantly. This ensures that role-based access control (RBAC) is reflected across all hardware without requiring physical access to the machines.
Just-In-Time (JIT) Privilege Cleanup
Enterprises often grant temporary root access for specific troubleshooting tasks. Hexnode’s remote action capability allows IT to run the downgrade script as a “cleanup” task once a support ticket is resolved. This prevents “privilege creep,” where users retain high-level access indefinitely after the initial need has passed.