{"id":25274585,"url":"https://github.com/boredsquirrel/unsudo","last_synced_at":"2025-04-06T09:16:25.715Z","repository":{"id":276150773,"uuid":"901337309","full_name":"boredsquirrel/unsudo","owner":"boredsquirrel","description":"Remove \"sudo\" access from your user to improve security","archived":false,"fork":false,"pushed_at":"2025-02-06T15:42:22.000Z","size":9,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-06T15:42:26.729Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/boredsquirrel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-10T13:27:36.000Z","updated_at":"2025-02-06T15:42:25.000Z","dependencies_parsed_at":"2025-02-06T15:42:28.985Z","dependency_job_id":"057b2431-f8e6-457a-8119-6fd97e7b60b0","html_url":"https://github.com/boredsquirrel/unsudo","commit_stats":null,"previous_names":["boredsquirrel/unsudo"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boredsquirrel%2Funsudo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boredsquirrel%2Funsudo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boredsquirrel%2Funsudo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boredsquirrel%2Funsudo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/boredsquirrel","download_url":"https://codeload.github.com/boredsquirrel/unsudo/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247457796,"owners_count":20941907,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-12T14:31:11.632Z","updated_at":"2025-04-06T09:16:25.684Z","avatar_url":"https://github.com/boredsquirrel.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# unsudo\n\n![](https://raw.githubusercontent.com/boredsquirrel/unsudo/refs/heads/main/polkit-dialog.png)\n\nRemove \"sudo\" access from your user to improve security. Instead, a dedicated Admin account is created.\n\nThis script works on Distributions using the `sudo` group (like Debian, Ubuntu, Linux Mint) or the `wheel` group (like Fedora, OpenSUSE, Arch).\n\nWhen using systemd version 256 or higher, it automatically uses `run0` for privilege escalation. \n\nIf the creation of an admin user fails, the current user stays untouched.\n\n## What works\nAfter setting up such a dedicated admin user and removing this access from your main user, `sudo` will not work anymore.\n\n### Executing Commands\nInstead, you can use `run0` or `pkexec` for privilege escalation. Example:\n\n```\nrun0 cat /etc/shadow\n\npkexec nano /etc/fstab\n```\n\n\u003e [!NOTE]\n\u003e `pkexec` and `su` have [setuid](https://en.wikipedia.org/wiki/Setuid) set, to be able to escalate their privileges to root (the owner of the files). This is generally seen as dangerous.\n\u003e \n\u003e `run0` is part of `systemd`, a big and monolithic project that many people don't like for it's total lack of interoperability with other tools or operating systems.\n\u003e \n\u003e You have to decide what you want to use.\n\n#### Multiple commands\n\nFor executing multiple commands with a single authentication prompt, spawn an elevated shell:\n\n```\nrun0 sh -c '\n  command1\n  command2\n  command3\n'\n```\n\n\u003e [!NOTE]\n\u003e `run0` does not pass on variables from the user session like `sudo` does.\n\u003e \n\u003e This means you need to set variables from within the elevated shell, otherwise bad things can happen\n\n### Switching users\n\nAlternatively, you can switch to the admin user using `ru` or `run0`:\n\n```\nrun0 -u admin\n\nsu admin\n```\n\nIn here, you can escalate privileges using sudo, run0 or pkexec.\n\nIf some actions are not polkit-aware (they don't show a prompt to authenticate with a different user) but allow passwordless execution from a `wheel`/`sudo` user, you can switch to that user and execute them, without escalating to root.\n\n### Graphical Apps\nThese use polkit since basically forever, so they will work. A password prompt is shown and automatically asks you for the password of a user in the `wheel`/`sudo` group.\n\nExamples:\n- KDE Plasma\n  - Partitionmager\n  - Dolphin File Manager\n    - `kio-admin` (entering `admin:/` in the location bar)\n    - mounting, decrypting external drives\n  - Kate Editor\n- GNOME\n  - Nautilus File Manager\n    - privilege escalation (entering `admin:/` in the location bar)\n    - mounting, decrypting external drives\n  - Text editor\n- Other apps\n  - Fedora media writer\n  - Impression\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboredsquirrel%2Funsudo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fboredsquirrel%2Funsudo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboredsquirrel%2Funsudo/lists"}