
User management is a foundational task in Linux system administration. As a system administrator, you must decide which users should be allowed to perform administrative actions and how to control their access. One of the most secure and flexible ways to grant administrative privileges is by adding users to the sudo group. The sudo (short for "superuser do") command enables specific users to execute commands with elevated privileges, typically those of the root user, without needing to log in as root.
This article explains how to grant users elevated privileges by adding them to the sudo
group or by configuring sudo
policies using the Linux Sudoers file.
Prerequisites
Before you begin, you need to:
- Have access to a Linux instance as a non-root sudo user.
Add Users to the Sudo Group
On most Linux systems, the sudo group grants users administrative privileges. While this provides full control over the system, it is safer than logging in directly as root, which increases the risk of critical mistakes. On RHEL-based systems (like CentOS, Rocky Linux), this group is typically called wheel
. Creating regular user accounts with sudo access is considered a best practice in production environments. Follow these steps to create users and add them to the sudo group.
Confirm that you are logged in as a normal user.
console$ whoami
Your output should be similar to the one below:
linuxuser
Check if the logged in user has
sudo
privileges.console$ sudo -l
Your output should be similar to the one below:
Matching Defaults entries for linuxuser on LinuxWorkstation: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty User linuxuser may run the following commands on LinuxWorkstation: (ALL) NOPASSWD: ALL
In the above output, you can see that the user linuxuser is allowed to run any command as any user on the system without being prompted for a password. The line
(ALL) NOPASSWD: ALL
confirms this user has full administrative privileges.This command is useful for auditing and verifying the level of access granted to a specific user.
Add a new user to your system.
console$ sudo adduser john
You'll be prompted to set a password and enter additional information. Repeat the process for any additional users, such as jane.
info: Adding user `john' ... info: Selecting UID/GID from range 1000 to 59999 ... info: Adding new group `john' (1006) ... info: Adding new user `john' (1006) with group `john (1006)' ... info: Creating home directory `/home/john' ... info: Copying files from `/etc/skel' ... New password: Retype new password: passwd: password updated successfully Changing the user information for john Enter the new value, or press ENTER for the default Full Name []: john wick Room Number []: 1234 Work Phone []: 9876543210 Home Phone []: 1234567890 Other []: Is the information correct? [Y/n] Y info: Adding new user `john' to supplemental / extra groups `users' ... info: Adding user `john' to group `users' ...
NoteRun the following command to check whether a user is allowed to perform
sudo
operations. Replacejohn
with the username for which you wanted to checksudo
privileges.console$ sudo -U john -l
Your output should be similar to the one below:
User john is not allowed to run sudo on LinuxWorkstation.
This output shows that john does not currently have
sudo
access.Grant
sudo
privileges to the user by adding them to the sudo group.console$ sudo usermod -aG sudo john
This above command adds
john
user to the sudo group without modifying their existing group memberships.Switch to the user john and verify that the user now has
sudo
access.console$ sudo su - john
To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details.
The above message confirms that the user john is now recognized as a
sudo
user and can usesudo
to execute administrative commands.Confirm that john can run commands with
sudo
.console$ sudo whoami
Enter john's password when prompted as
sudo
requires authentication. Input the password forjohn
to proceed.Your output should be similar to the one below:
root
This confirms that john has full
sudo
privileges and can perform administrative tasks securely.
View Members of the Sudo Group
To confirm that users have been added to the sudo group, use the getent
or groups
commands. These tools allow you to query system group information directly from the administrative databases. Follow the steps below to verify group membership.
Check which users belong to the sudo group using
getent
.console$ getent group sudo
This command format breaks down as:
getent
: Retrieves entries from administrative databases in Linux.group
: Specifies that you want to query the system's group database.sudo
: The name of the group whose members you want to list.
Your output should be similar to the one below:
sudo:x:27:john,jane
sudo
: The name of the group.x
: A placeholder for the group password.27
: The group ID (GID).john,jane
: Members of the sudo group.
Check the group memberships of the user jane.
console$ groups jane
Your output should be similar to the one below:
jane : jane sudo users
Check the group memberships of the user john.
console$ groups john
Your output should be similar to the one below:
john : john sudo users
The
groups
command displays all the groups a user belongs to. In this example, both john and jane belong to their respective primary groups (john and jane), the sudo group (for administrative privileges), and the users group (typically assigned by default for standard permissions).
Limit Privileges with the Sudoers File
The sudoers file, which is located at /etc/sudoers
should only be edited with the visudo
command-line tool, which performs a syntax check before saving changes. This prevents any errors that could lock you out of the system. While users in the sudo group have elevated privileges to execute and perform administrative tasks, you can fine-tune these privileges using the sudoers file. This is useful in production environments where you want to limit the commands that specific users can run with sudo
.
Customize User Commands with the Sudoers File
You can control which commands a user can run with sudo
and whether they require a password by customizing their configuration in the sudoers file. This is useful when you want to grant limited administrative privileges without giving full root access.
Follow the steps below to create a sudoers configuration that allows a specific user to run selected commands with sudo
, without being prompted for a password.
Create a new sudoers file under /etc/sudoers.d/ for the user john using visudo. Replace john with the actual username.
console$ sudo visudo -f /etc/sudoers.d/john
Files under /etc/sudoers.d/ are automatically included by the main sudoers file using the
#includedir
directive.Define a command alias for one or more allowed commands.
iniCmnd_Alias UPDATE_AND_UPGRADE = /usr/bin/apt update, /usr/bin/apt upgrade
In the above configuration:
Cmnd_Alias
: Defines a shortcut name for a group of commands.UPDATE_AND_UPGRADE
: Set the name of the command alias you want to define./usr/bin/apt update, /usr/bin/apt upgrade
: Define absolute paths for each command.
Grant the user permission to run the specified command(s) without a password.
inijohn ALL=(ALL) NOPASSWD: UPDATE_AND_UPGRADE
In the above configuration:
john
: The user this rule applies to.ALL
: Refers to any host.(ALL)
: Run commands as any user, including root.NOPASSWD
: Skip password prompt for the specified command(s).UPDATE_AND_UPGRADE
: A command alias that is already defined.
Grant the user permission to run a single command without an alias.
inijohn ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
Save and exit visudo.
In the above configuration, the john user is allowed to restart the nginx web server service without being prompted for a password.
Switch to
john
user.console$ sudo su - john
Update the server, this should run without prompting for a password.
console$ sudo apt update
Upgrade the server, this should run without prompting for a password.
console$ sudo apt upgrade
Any other commands not explicitly allowed will still require a password (or be denied), depending on the user's sudo privileges.
Add Sudo User Restrictions with the Sudoers File
To enhance security, you can enforce restrictions on how users in the sudo group interact with the sudo
command. For example, you can limit the number of incorrect password attempts and control how long sudo remembers a user's authentication. Follow the steps below to apply the restrictions using the passwd_tries and timestamp_timeout directives in the sudoers configuration.
Create a new sudoers configuration file to apply settings for all members of the
sudo
group.console$ sudo visudo -f /etc/sudoers.d/sudogroup
Limit the password retries by setting
passwd_tries
directive to1
for all members in the sudo group.iniDefaults:%sudo passwd_tries=1
In the above configuration:
Defaults:%sudo
: Refers to all users in the sudo group.passwd_tries=1
: Allows only one incorrect password attempt.To target a specific user instead of a group, use:
iniDefaults:john passwd_tries=1
Set
timestamp_timeout
to0
to force a password prompt every timesudo
is used.iniDefaults:%sudo timestamp_timeout=0
The above configuration:
- A value of
0
means there is no grace period; the user must re-enter the password for everysudo
command. - The default value is
15
, which grants a 15-minute window per terminal session.
- A value of
Test the restriction by attempting to install a package with an invalid password and verifying that access is denied after one attempt.
console$ sudo apt install nginx
Your output should be similar to the one below:
sudo: 1 incorrect password attempt
Retry the command and enter the correct password.
console$ sudo apt install nginx
You will be prompted to enter a password again because
timestamp_timeout
is set to0
. After entering the correct password, thenginx
package will be installed.Notetimestamp_timeout
value is set to15
minutes. This means users in thesudo
group are not prompted to re-enter their password for anysudo
command executed within that time window in the same terminal session.
Remove Users From the Sudo Group
You can remove users who no longer need administrative privileges by removing them from the sudo group. Follow the steps below to revoke sudo privileges for unwanted users, using john as an example user.
If you're logged in as the user you plan to remove from the sudo group, switch to a different user with administrative privileges. Replace
linuxuser
with a sudo privileged user or root user.console$ sudo su - linuxuser
Remove any custom sudoers configuration specific to any user.
console$ sudo rm /etc/sudoers.d/john
Replace
john
with your any of the custom configuration sudoers file having in your server.WarningRemove
john
from thesudo
group.console$ sudo deluser john sudo
Your output should be similar to the one below:
info: Removing user `john' from group `sudo' ...
Verify that john is no longer a member of the sudo group.
console$ groups john
Your output should be similar to the one below:
john : john users
Switch to
john
user.console$ sudo su - john
Try to run a command with
sudo
to confirm thatjohn
has no longer access tosudo
commands.console$ sudo apt update
Enter the password for
john
when prompted.Your output should be similar to the one below:
Sorry, user john is not allowed to execute '/usr/bin/apt update' as root on LinuxWorkstation.
Note
Grant Users Sudo Access with the Sudoers File
You can grant sudo
privileges without technically adding them to the sudo
group. This is because, sudo
doesn't check group membership directly but instead, checks for permissions defined in the sudoers file. When you add a users in the sudo group have administrative access because the main sudoers file includes the following line:
%sudo ALL=(ALL:ALL) ALL
This line grants full sudo privileges to all users in the sudo group. However, you can define custom permissions for individual users or groups by editing the sudoers configuration.
Log in as a user with sudo privileges or root user.
Create a new user named joe.
console$ sudo adduser joe
Create a custom sudoers file for joe.
console$ sudo visudo -f /etc/sudoers.d/joe
Grant full sudo access to joe by adding the following line inside the file.
inijoe ALL=(ALL) ALL
Save and exit the visudo.
Verify that joe is not in the sudo group.
console$ groups joe
Your output should be similar to the one below:
joe: joe users
Switch to the joe user.
console$ sudo su - joe
Test
sudo
for joe.console$ sudo whoami
When prompted, enter the password for joe.
Your output should be similar to the one below:
root
This confirms that joe has full
sudo
privileges despite not being a member of the sudo group.
Conclusion
You have learned how to manage sudo privileges for users by adding them to the sudo group and by configuring the sudoers file directly. While using the sudo group is quick and convenient, managing permissions through the sudoers file provides more granular control over which commands users can execute and under what conditions.
No comments yet.