How to Add Users to the Sudoers Group in Linux

Updated on 06 May, 2025
How to Add Users to the Sudoers Group in Linux header image

User management is a foundational task in Linux system administration. As a system administrator, you must decide which users should be allowed to perform administrative actions and how to control their access. One of the most secure and flexible ways to grant administrative privileges is by adding users to the sudo group. The sudo (short for "superuser do") command enables specific users to execute commands with elevated privileges, typically those of the root user, without needing to log in as root.

This article explains how to grant users elevated privileges by adding them to the sudo group or by configuring sudo policies using the Linux Sudoers file.

Prerequisites

Before you begin, you need to:

Add Users to the Sudo Group

On most Linux systems, the sudo group grants users administrative privileges. While this provides full control over the system, it is safer than logging in directly as root, which increases the risk of critical mistakes. On RHEL-based systems (like CentOS, Rocky Linux), this group is typically called wheel. Creating regular user accounts with sudo access is considered a best practice in production environments. Follow these steps to create users and add them to the sudo group.

  1. Confirm that you are logged in as a normal user.

    console
    $ whoami
    

    Your output should be similar to the one below:

    linuxuser
  2. Check if the logged in user has sudo privileges.

    console
    $ sudo -l
    

    Your output should be similar to the one below:

    Matching Defaults entries for linuxuser on LinuxWorkstation:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
    
    User linuxuser may run the following commands on LinuxWorkstation:
        (ALL) NOPASSWD: ALL

    In the above output, you can see that the user linuxuser is allowed to run any command as any user on the system without being prompted for a password. The line (ALL) NOPASSWD: ALL confirms this user has full administrative privileges.

    This command is useful for auditing and verifying the level of access granted to a specific user.

  3. Add a new user to your system.

    console
    $ sudo adduser john
    

    You'll be prompted to set a password and enter additional information. Repeat the process for any additional users, such as jane.

    info: Adding user `john' ...
    info: Selecting UID/GID from range 1000 to 59999 ...
    info: Adding new group `john' (1006) ...
    info: Adding new user `john' (1006) with group `john (1006)' ...
    info: Creating home directory `/home/john' ...
    info: Copying files from `/etc/skel' ...
    New password: 
    Retype new password: 
    passwd: password updated successfully
    Changing the user information for john
    Enter the new value, or press ENTER for the default
            Full Name []: john wick
            Room Number []: 1234
            Work Phone []: 9876543210
            Home Phone []: 1234567890
            Other []: 
    Is the information correct? [Y/n] Y
    info: Adding new user `john' to supplemental / extra groups `users' ...
    info: Adding user `john' to group `users' ...
    Note
    By default, Linux assigns new users to a primary group with the same name and often a secondary users group. On systems like Ubuntu 24.04 and Debian 12, this group assignment helps organize user permissions without granting administrative access by default.
  4. Run the following command to check whether a user is allowed to perform sudo operations. Replace john with the username for which you wanted to check sudo privileges.

    console
    $ sudo -U john -l
    

    Your output should be similar to the one below:

    User john is not allowed to run sudo on LinuxWorkstation.

    This output shows that john does not currently have sudo access.

  5. Grant sudo privileges to the user by adding them to the sudo group.

    console
    $ sudo usermod -aG sudo john
    

    This above command adds john user to the sudo group without modifying their existing group memberships.

  6. Switch to the user john and verify that the user now has sudo access.

    console
    $ sudo su - john
    
    To run a command as administrator (user "root"), use "sudo <command>".
    See "man sudo_root" for details.

    The above message confirms that the user john is now recognized as a sudo user and can use sudo to execute administrative commands.

  7. Confirm that john can run commands with sudo.

    console
    $ sudo whoami
    

    Enter john's password when prompted as sudo requires authentication. Input the password for john to proceed.

    Your output should be similar to the one below:

    root

    This confirms that john has full sudo privileges and can perform administrative tasks securely.

View Members of the Sudo Group

To confirm that users have been added to the sudo group, use the getent or groups commands. These tools allow you to query system group information directly from the administrative databases. Follow the steps below to verify group membership.

  1. Check which users belong to the sudo group using getent.

    console
    $ getent group sudo
    

    This command format breaks down as:

    • getent: Retrieves entries from administrative databases in Linux.
    • group: Specifies that you want to query the system's group database.
    • sudo: The name of the group whose members you want to list.

    Your output should be similar to the one below:

    sudo:x:27:john,jane
    • sudo: The name of the group.
    • x: A placeholder for the group password.
    • 27: The group ID (GID).
    • john,jane: Members of the sudo group.
  2. Check the group memberships of the user jane.

    console
    $ groups jane
    

    Your output should be similar to the one below:

    jane : jane sudo users
  3. Check the group memberships of the user john.

    console
    $ groups john
    

    Your output should be similar to the one below:

    john : john sudo users

    The groups command displays all the groups a user belongs to. In this example, both john and jane belong to their respective primary groups (john and jane), the sudo group (for administrative privileges), and the users group (typically assigned by default for standard permissions).

Limit Privileges with the Sudoers File

The sudoers file, which is located at /etc/sudoers should only be edited with the visudo command-line tool, which performs a syntax check before saving changes. This prevents any errors that could lock you out of the system. While users in the sudo group have elevated privileges to execute and perform administrative tasks, you can fine-tune these privileges using the sudoers file. This is useful in production environments where you want to limit the commands that specific users can run with sudo.

Customize User Commands with the Sudoers File

You can control which commands a user can run with sudo and whether they require a password by customizing their configuration in the sudoers file. This is useful when you want to grant limited administrative privileges without giving full root access.

Follow the steps below to create a sudoers configuration that allows a specific user to run selected commands with sudo, without being prompted for a password.

  1. Create a new sudoers file under /etc/sudoers.d/ for the user john using visudo. Replace john with the actual username.

    console
    $ sudo visudo -f /etc/sudoers.d/john
    

    Files under /etc/sudoers.d/ are automatically included by the main sudoers file using the #includedir directive.

  2. Define a command alias for one or more allowed commands.

    ini
    Cmnd_Alias UPDATE_AND_UPGRADE = /usr/bin/apt update, /usr/bin/apt upgrade
    

    In the above configuration:

    • Cmnd_Alias: Defines a shortcut name for a group of commands.
    • UPDATE_AND_UPGRADE: Set the name of the command alias you want to define.
    • /usr/bin/apt update, /usr/bin/apt upgrade: Define absolute paths for each command.
  3. Grant the user permission to run the specified command(s) without a password.

    ini
    john ALL=(ALL) NOPASSWD: UPDATE_AND_UPGRADE
    

    In the above configuration:

    • john: The user this rule applies to.
    • ALL: Refers to any host.
    • (ALL): Run commands as any user, including root.
    • NOPASSWD: Skip password prompt for the specified command(s).
    • UPDATE_AND_UPGRADE: A command alias that is already defined.
  4. Grant the user permission to run a single command without an alias.

    ini
    john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
    

    Save and exit visudo.

    In the above configuration, the john user is allowed to restart the nginx web server service without being prompted for a password.

  5. Switch to john user.

    console
    $ sudo su - john
    
  6. Update the server, this should run without prompting for a password.

    console
    $ sudo apt update
    
  7. Upgrade the server, this should run without prompting for a password.

    console
    $ sudo apt upgrade
    

    Any other commands not explicitly allowed will still require a password (or be denied), depending on the user's sudo privileges.

Add Sudo User Restrictions with the Sudoers File

To enhance security, you can enforce restrictions on how users in the sudo group interact with the sudo command. For example, you can limit the number of incorrect password attempts and control how long sudo remembers a user's authentication. Follow the steps below to apply the restrictions using the passwd_tries and timestamp_timeout directives in the sudoers configuration.

  1. Create a new sudoers configuration file to apply settings for all members of the sudo group.

    console
    $ sudo visudo -f /etc/sudoers.d/sudogroup
    
  2. Limit the password retries by setting passwd_tries directive to 1 for all members in the sudo group.

    ini
    Defaults:%sudo passwd_tries=1
    

    In the above configuration:

    • Defaults:%sudo: Refers to all users in the sudo group.

    • passwd_tries=1: Allows only one incorrect password attempt.

      • To target a specific user instead of a group, use:

        ini
        Defaults:john passwd_tries=1
        
  3. Set timestamp_timeout to 0 to force a password prompt every time sudo is used.

    ini
    Defaults:%sudo timestamp_timeout=0
    

    The above configuration:

    • A value of 0 means there is no grace period; the user must re-enter the password for every sudo command.
    • The default value is 15, which grants a 15-minute window per terminal session.
  4. Test the restriction by attempting to install a package with an invalid password and verifying that access is denied after one attempt.

    console
    $ sudo apt install nginx
    

    Your output should be similar to the one below:

    sudo: 1 incorrect password attempt
  5. Retry the command and enter the correct password.

    console
    $ sudo apt install nginx
    

    You will be prompted to enter a password again because timestamp_timeout is set to 0. After entering the correct password, the nginx package will be installed.

    Note
    By default, the timestamp_timeout value is set to 15 minutes. This means users in the sudo group are not prompted to re-enter their password for any sudo command executed within that time window in the same terminal session.

Remove Users From the Sudo Group

You can remove users who no longer need administrative privileges by removing them from the sudo group. Follow the steps below to revoke sudo privileges for unwanted users, using john as an example user.

  1. If you're logged in as the user you plan to remove from the sudo group, switch to a different user with administrative privileges. Replace linuxuser with a sudo privileged user or root user.

    console
    $ sudo su - linuxuser
    
  2. Remove any custom sudoers configuration specific to any user.

    console
    $ sudo rm /etc/sudoers.d/john
    

    Replace john with your any of the custom configuration sudoers file having in your server.

    Warning
    It's important to ensure you have access to another user with sudo privileges. Removing sudo access from the only administrative user could lock you out of elevated privileges.
  3. Remove john from the sudo group.

    console
    $ sudo deluser john sudo
    

    Your output should be similar to the one below:

    info: Removing user `john' from group `sudo' ...
  4. Verify that john is no longer a member of the sudo group.

    console
    $ groups john
    

    Your output should be similar to the one below:

    john : john users
  5. Switch to john user.

    console
    $ sudo su - john
    
  6. Try to run a command with sudo to confirm that john has no longer access to sudo commands.

    console
    $ sudo apt update
    

    Enter the password for john when prompted.

    Your output should be similar to the one below:

    Sorry, user john is not allowed to execute '/usr/bin/apt update' as root on LinuxWorkstation.
    Note
    Group membership changes take effect in new terminal sessions. Existing sessions may still have the old group permissions until restarted.

Grant Users Sudo Access with the Sudoers File

You can grant sudo privileges without technically adding them to the sudo group. This is because, sudo doesn't check group membership directly but instead, checks for permissions defined in the sudoers file. When you add a users in the sudo group have administrative access because the main sudoers file includes the following line:

ini
%sudo   ALL=(ALL:ALL) ALL

This line grants full sudo privileges to all users in the sudo group. However, you can define custom permissions for individual users or groups by editing the sudoers configuration.

  1. Log in as a user with sudo privileges or root user.

  2. Create a new user named joe.

    console
    $ sudo adduser joe
    
  3. Create a custom sudoers file for joe.

    console
    $ sudo visudo -f /etc/sudoers.d/joe
    
  4. Grant full sudo access to joe by adding the following line inside the file.

    ini
    joe ALL=(ALL) ALL
    

    Save and exit the visudo.

  5. Verify that joe is not in the sudo group.

    console
    $ groups joe
    

    Your output should be similar to the one below:

    joe: joe users
  6. Switch to the joe user.

    console
    $ sudo su - joe
    
  7. Test sudo for joe.

    console
    $ sudo whoami
    

    When prompted, enter the password for joe.

    Your output should be similar to the one below:

    root

    This confirms that joe has full sudo privileges despite not being a member of the sudo group.

Conclusion

You have learned how to manage sudo privileges for users by adding them to the sudo group and by configuring the sudoers file directly. While using the sudo group is quick and convenient, managing permissions through the sudoers file provides more granular control over which commands users can execute and under what conditions.

Comments

No comments yet.