diff --git a/debian/postinst b/debian/postinst
index 639713c43..8f2c869cf 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -5,6 +5,12 @@ set -e
 daemonuser=plinth
 daemongroup=plinth
 
+# Due to a change in sudo, now it runs PAM modules even on password-less
+# invocations. This leads to plinth not being able to run root privileges. This
+# is because of our own restrictions in /etc/security/access.conf. Since Plinth
+# is locked out after upgrade, we need to do this in postinst.
+sed -ie 's+-:ALL EXCEPT root fbx (admin) (sudo):ALL+-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL+' /etc/security/access.conf
+
 case "$1" in
 configure)
 	addgroup --system --quiet plinth
diff --git a/plinth/modules/security/__init__.py b/plinth/modules/security/__init__.py
index 693b9ee4c..d6e08a832 100644
--- a/plinth/modules/security/__init__.py
+++ b/plinth/modules/security/__init__.py
@@ -23,7 +23,7 @@ from django.utils.translation import ugettext_lazy as _
 from plinth import actions
 from plinth.menu import main_menu
 
-version = 3
+version = 4
 
 is_essential = True
 
@@ -50,7 +50,11 @@ def init():
 def setup(helper, old_version=None):
     """Install the required packages"""
     helper.install(managed_packages)
-    setup_fail2ban()
+    if not old_version:
+        setup_fail2ban()
+
+    if get_restricted_access_enabled():
+        set_restricted_access(True)
 
 
 def setup_fail2ban():