User management is a foundational task in Linux system administration. As a system administrator, you must decide which users should be allowed to perform administrative actions and how to control their access. One of the most secure and flexible ways to grant administrative privileges is by adding users to the sudo group. The sudo (short for "superuser do") command enables specific users to execute commands with elevated privileges, typically those of the root user, without needing to log in as root.
This article explains how to grant users elevated privileges by adding them to the sudo group or by configuring sudo policies using the Linux Sudoers file.
Prerequisites
Before you begin, you need to:
- Have access to a Linux instance as a non-root sudo user.
Add Users to the Sudo Group
On most Linux systems, the sudo group grants users administrative privileges. While this provides full control over the system, it is safer than logging in directly as root, which increases the risk of critical mistakes. On RHEL-based systems (like CentOS, Rocky Linux), this group is typically called wheel. Creating regular user accounts with sudo access is considered a best practice in production environments.
Admin can add users to a group in Linux by appending them to the sudo group using the usermod command with appropriate flags.
Follow these steps to create users and add them to the sudo group.
Confirm that you are logged in as a normal user.
console$ whoamiYour output should be similar to the one below:
linuxuserCheck if the logged in user has
sudoprivileges.console$ sudo -l
Your output should be similar to the one below:
Matching Defaults entries for linuxuser on LinuxWorkstation: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty User linuxuser may run the following commands on LinuxWorkstation: (ALL) NOPASSWD: ALLIn the above output, you can see that the user linuxuser is allowed to run any command as any user on the system without being prompted for a password. The line
(ALL) NOPASSWD: ALLconfirms this user has full administrative privileges.This command is useful for auditing and verifying the level of access granted to a specific user.
Add a new user to your system.
console$ sudo adduser john
You'll be prompted to set a password and enter additional information. Repeat the process for any additional users, such as jane.
info: Adding user `john' ... info: Selecting UID/GID from range 1000 to 59999 ... info: Adding new group `john' (1006) ... info: Adding new user `john' (1006) with group `john (1006)' ... info: Creating home directory `/home/john' ... info: Copying files from `/etc/skel' ... New password: Retype new password: passwd: password updated successfully Changing the user information for john Enter the new value, or press ENTER for the default Full Name []: john wick Room Number []: 1234 Work Phone []: 9876543210 Home Phone []: 1234567890 Other []: Is the information correct? [Y/n] Y info: Adding new user `john' to supplemental / extra groups `users' ... info: Adding user `john' to group `users' ...By default, Linux assigns new users to a primary group with the same name and often a secondary users group. On systems like Ubuntu 24.04 and Debian 12, this group assignment helps organize user permissions without granting administrative access by default.NoteRun the following command to check whether a user is allowed to perform
sudooperations. Replacejohnwith the username for which you wanted to checksudoprivileges.console$ sudo -U john -l
Your output should be similar to the one below:
User john is not allowed to run sudo on LinuxWorkstation.This output shows that john does not currently have
sudoaccess.Grant
sudoprivileges to the user by adding them to the sudo group.console$ sudo usermod -aG sudo john
This above command adds
johnuser to the sudo group without modifying their existing group memberships.Switch to the user john and verify that the user now has
sudoaccess.console$ sudo su - john
To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details.The above message confirms that the user john is now recognized as a
sudouser and can usesudoto execute administrative commands.Confirm that john can run commands with
sudo.console$ sudo whoami
Enter john's password when prompted as
sudorequires authentication. Input the password forjohnto proceed.Your output should be similar to the one below:
rootThis confirms that john has full
sudoprivileges and can perform administrative tasks securely.
View Members of the Sudo Group
To confirm that users have been added to the sudo group, use the getent or groups commands. These tools allow you to query system group information directly from the administrative databases. Follow the steps below to verify group membership.
Check which users belong to the sudo group using
getent.console$ getent group sudo
This command format breaks down as:
getent: Retrieves entries from administrative databases in Linux.group: Specifies that you want to query the system's group database.sudo: The name of the group whose members you want to list.
Your output should be similar to the one below:
sudo:x:27:john,janesudo: The name of the group.x: A placeholder for the group password.27: The group ID (GID).john,jane: Members of the sudo group.
Check the group memberships of the user jane.
console$ groups jane
Your output should be similar to the one below:
jane : jane sudo usersCheck the group memberships of the user john.
console$ groups john
Your output should be similar to the one below:
john : john sudo usersThe
groupscommand displays all the groups a user belongs to. In this example, both john and jane belong to their respective primary groups (john and jane), the sudo group (for administrative privileges), and the users group (typically assigned by default for standard permissions).
Limit Privileges with the Sudoers File
The sudoers file, which is located at /etc/sudoers should only be edited with the visudo command-line tool, which performs a syntax check before saving changes. This prevents any errors that could lock you out of the system. While users in the sudo group have elevated privileges to execute and perform administrative tasks, you can fine-tune these privileges using the sudoers file. This is useful in production environments where you want to limit the commands that specific users can run with sudo.
Customize User Commands with the Sudoers File
You can control which commands a user can run with sudo and whether they require a password by customizing their configuration in the sudoers file. This is useful when you want to grant limited administrative privileges without giving full root access.
Follow the steps below to create a sudoers configuration that allows a specific user to run selected commands with sudo, without being prompted for a password.
Create a new sudoers file under /etc/sudoers.d/ for the user john using visudo. Replace john with the actual username.
console$ sudo visudo -f /etc/sudoers.d/john
Files under /etc/sudoers.d/ are automatically included by the main sudoers file using the
#includedirdirective.Define a command alias for one or more allowed commands.
iniCmnd_Alias UPDATE_AND_UPGRADE = /usr/bin/apt update, /usr/bin/apt upgrade
In the above configuration:
Cmnd_Alias: Defines a shortcut name for a group of commands.UPDATE_AND_UPGRADE: Set the name of the command alias you want to define./usr/bin/apt update, /usr/bin/apt upgrade: Define absolute paths for each command.
Grant the user permission to run the specified command(s) without a password.
inijohn ALL=(ALL) NOPASSWD: UPDATE_AND_UPGRADE
In the above configuration:
john: The user this rule applies to.ALL: Refers to any host.(ALL): Run commands as any user, including root.NOPASSWD: Skip password prompt for the specified command(s).UPDATE_AND_UPGRADE: A command alias that is already defined.
Grant the user permission to run a single command without an alias.
inijohn ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
Save and exit visudo.
In the above configuration, the john user is allowed to restart the nginx web server service without being prompted for a password.
Switch to
johnuser.console$ sudo su - john
Update the server, this should run without prompting for a password.
console$ sudo apt update
Upgrade the server, this should run without prompting for a password.
console$ sudo apt upgrade
Any other commands not explicitly allowed will still require a password (or be denied), depending on the user's sudo privileges.
Add Sudo User Restrictions with the Sudoers File
To enhance security, you can enforce restrictions on how users in the sudo group interact with the sudo command. For example, you can limit the number of incorrect password attempts and control how long sudo remembers a user's authentication. Follow the steps below to apply the restrictions using the passwd_tries and timestamp_timeout directives in the sudoers configuration.
Create a new sudoers configuration file to apply settings for all members of the
sudogroup.console$ sudo visudo -f /etc/sudoers.d/sudogroup
Limit the password retries by setting
passwd_triesdirective to1for all members in the sudo group.iniDefaults:%sudo passwd_tries=1
In the above configuration:
Defaults:%sudo: Refers to all users in the sudo group.passwd_tries=1: Allows only one incorrect password attempt.To target a specific user instead of a group, use:
iniDefaults:john passwd_tries=1
Set
timestamp_timeoutto0to force a password prompt every timesudois used.iniDefaults:%sudo timestamp_timeout=0
The above configuration:
- A value of
0means there is no grace period; the user must re-enter the password for everysudocommand. - The default value is
15, which grants a 15-minute window per terminal session.
- A value of
Test the restriction by attempting to install a package with an invalid password and verifying that access is denied after one attempt.
console$ sudo apt install nginx
Your output should be similar to the one below:
sudo: 1 incorrect password attemptRetry the command and enter the correct password.
console$ sudo apt install nginx
You will be prompted to enter a password again because
timestamp_timeoutis set to0. After entering the correct password, thenginxpackage will be installed.By default, theNotetimestamp_timeoutvalue is set to15minutes. This means users in thesudogroup are not prompted to re-enter their password for anysudocommand executed within that time window in the same terminal session.
Remove Users From the Sudo Group
You can remove users who no longer need administrative privileges by removing them from the sudo group. Follow the steps below to revoke sudo privileges for unwanted users, using john as an example user.
If you're logged in as the user you plan to remove from the sudo group, switch to a different user with administrative privileges. Replace
linuxuserwith a sudo privileged user or root user.console$ sudo su - linuxuser
Remove any custom sudoers configuration specific to any user.
console$ sudo rm /etc/sudoers.d/john
Replace
johnwith your any of the custom configuration sudoers file having in your server.It's important to ensure you have access to another user with sudo privileges. Removing sudo access from the only administrative user could lock you out of elevated privileges.WarningRemove
johnfrom thesudogroup.console$ sudo deluser john sudo
Your output should be similar to the one below:
info: Removing user `john' from group `sudo' ...Verify that john is no longer a member of the sudo group.
console$ groups john
Your output should be similar to the one below:
john : john usersSwitch to
johnuser.console$ sudo su - john
Try to run a command with
sudoto confirm thatjohnhas no longer access tosudocommands.console$ sudo apt update
Enter the password for
johnwhen prompted.Your output should be similar to the one below:
Sorry, user john is not allowed to execute '/usr/bin/apt update' as root on LinuxWorkstation.Group membership changes take effect in new terminal sessions. Existing sessions may still have the old group permissions until restarted.Note
Grant Users Sudo Access with the Sudoers File
You can grant sudo privileges without technically adding them to the sudo group. This is because, sudo doesn't check group membership directly but instead, checks for permissions defined in the sudoers file. When you add a users in the sudo group have administrative access because the main sudoers file includes the following line:
%sudo ALL=(ALL:ALL) ALL
This line grants full sudo privileges to all users in the sudo group. However, you can define custom permissions for individual users or groups by editing the sudoers configuration.
Log in as a user with sudo privileges or root user.
Create a new user named joe.
console$ sudo adduser joe
Create a custom sudoers file for joe.
console$ sudo visudo -f /etc/sudoers.d/joe
Grant full sudo access to joe by adding the following line inside the file.
inijoe ALL=(ALL) ALL
Save and exit the visudo.
Verify that joe is not in the sudo group.
console$ groups joe
Your output should be similar to the one below:
joe: joe usersSwitch to the joe user.
console$ sudo su - joe
Test
sudofor joe.console$ sudo whoami
When prompted, enter the password for joe.
Your output should be similar to the one below:
rootThis confirms that joe has full
sudoprivileges despite not being a member of the sudo group.
Conclusion
You have learned how to manage sudo privileges for users by adding them to the sudo group and by configuring the sudoers file directly. While using the sudo group is quick and convenient, managing permissions through the sudoers file provides more granular control over which commands users can execute and under what conditions.
No comments yet.