100

Every time I execute a command with sudo, a file called .sudo_as_admin_successful is created in my home directory. As far as I can tell, this exists for the sole purpose of disabling this message that bash prints on startup:

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

It's possible to stop that message by commenting out the relevant section in /etc/bash.bashrc, but sudo still creates an annoying file in my home directory.

This webpage suggests that you can stop the file being created by removing yourself from the admin group, but I'm not in any such group, and admin isn't in /etc/group.

Is there a way to stop this file being created?


I believe this is not a duplicate of this question, as that was asking if it was possible to make the notice printed by bash go away, rather than if it's possible to stop the file being created by sudo.

ash
  • 2,207

4 Answers

66

Based on the following section of the plugins/sudoers/sudoers.c source code file, it doesn't look like it's possible without recompiling sudo, undefining the USE_ADMIN_FLAG pre-processor macro.

Also, note that it's checking for group membership of both admin and sudo. I haven't checked the changelog, but I suspect the latter check was added when sudo became the default group for privileged users - perhaps the filename still refers to admin for compatibility.

#ifdef USE_ADMIN_FLAG
static int
create_admin_success_flag(void)
{
    struct stat statbuf;
    char flagfile[PATH_MAX];
    int len, fd = -1;
    debug_decl(create_admin_success_flag, SUDOERS_DEBUG_PLUGIN)

    /* Check whether the user is in the admin group. */
    if (!user_in_group(sudo_user.pw, "admin") &&
        !user_in_group(sudo_user.pw, "sudo"))
        debug_return_int(true);

    /* Build path to flag file. */
    len = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful",
        user_dir);
    if (len <= 0 || (size_t)len >= sizeof(flagfile))
        debug_return_int(false);

    /* Create admin flag file if it doesn't already exist. */
    if (set_perms(PERM_USER)) {
        if (stat(flagfile, &statbuf) != 0) {
            fd = open(flagfile, O_CREAT|O_WRONLY|O_EXCL, 0644);
            if (fd != -1)
                close(fd);
        }
        if (!restore_perms())
            debug_return_int(-1);
    }
    debug_return_int(fd != -1);
}
#else /* !USE_ADMIN_FLAG */
static int
create_admin_success_flag(void)
{
    /* STUB */
    return true;
}
#endif /* USE_ADMIN_FLAG */
Pablo Bianchi
  • 17,371
steeldriver
  • 142,475
17

It looks like this issue is being dealt with right now: https://github.com/sudo-project/sudo/issues/56

From a sudo-project collaborator:

In sudo 1.9.6 the path can be changed or the feature disabled by using the admin_flag setting in the sudoers file.

That message comes from the /etc/bash.bashrc file which looks for $HOME/.sudo_as_admin_successful and displays a message if it doesn't exist. If you tell sudo not to create the admin flag file (and it doesn't already exist) then you will always receive that message from bash unless you modify /etc/bash.bashrc.

Pablo Bianchi
  • 17,371
YorSubs
  • 343
3

One could create a different group for accounts other than admin or sudo. For example, one could use the classic administrative group name of wheel. Does the group already exist?

getent group wheel

If not, create the group as a system group. (A system group is a group that has a GID within a range specified in /etc/login.defs.)

sudo groupadd -r wheel

When the group exists, group your account with the wheel group.

sudo usermod -aG wheel your_username

Then modify the file /etc/sudoers with the program, visudo.

sudo visudo

Add a line for the members of the wheel group.

%wheel ALL=(ALL:ALL) ALL

Save the file. Log out. Log back in so that your account is now in the wheel group. Make sure that your account is in the wheel group.

id

If your account is indeed in the wheel group, remove your account from the sudo or admin group - whichever applies to your system.

sudo gpasswd --delete your_username sudo

Or...

sudo gpasswd --delete your_username admin

Log out. Log back in so that your account is no longer a member of the sudo or admin group. Remove the file, .sudo_as_admin_successful.

rm ~/.sudo_as_admin_successful

Try another command with sudo and note that the file no longer appears.

2

In currently supported Ubuntu versions (22.04 LTS[1, 2, 3] and newer), you can add a configuration file to stop the file from being created:

echo 'Defaults !admin_flag' | sudo tee /etc/sudoers.d/disable_admin_file_in_home
Melebius
  • 11,750
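
A guarded way to install the drop-in from the answer above, as an added example that is not part of any answer on this page: it checks the sudo version against the 1.9.6 release named in the quoted collaborator comment and has visudo parse the file before it lands in /etc/sudoers.d. The function names and the `--install` switch are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the answers): guarded install of the admin_flag drop-in.
DROPIN=/etc/sudoers.d/disable_admin_file_in_home   # path used in the answer above

# Succeeds if version string $1 (e.g. "1.9.9", "1.9.5p2") is at least 1.9.6,
# the release the quoted collaborator names for the admin_flag setting.
sudo_supports_admin_flag() {
    v=${1%%[!0-9.]*}                 # strip a patch suffix such as "p2"
    old_ifs=$IFS; IFS=.
    set -- $v                        # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] || return 1
    [ "$minor" -gt 9 ] && return 0
    [ "$minor" -eq 9 ] || return 1
    [ "$patch" -ge 6 ]
}

# The single sudoers line from the answer above.
dropin_content() {
    printf '%s\n' 'Defaults !admin_flag'
}

# Write the line to a temp file, let visudo parse it, and only then install it.
install_dropin() {
    version=$(sudo -V | sed -n '1s/^Sudo version //p')
    if ! sudo_supports_admin_flag "$version"; then
        echo "sudo $version predates 1.9.6; admin_flag is not available" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    dropin_content > "$tmp"
    if sudo visudo -cf "$tmp"; then
        sudo install -m 0440 -o root -g root "$tmp" "$DROPIN"
        status=$?
    else
        echo "visudo rejected the drop-in; nothing installed" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}

# Only act when asked to, so sourcing the file just defines the functions.
if [ "${1:-}" = "--install" ]; then
    install_dropin
fi
```

Validating with `visudo -cf` before copying matters because a syntax error in any file under /etc/sudoers.d can stop sudo from working at all.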