How to Create a Sudo User in Linux

Updated on 02 July, 2025
Learn how to create a sudo user on Linux, manage permissions, and customize sudo behavior securely.
How to Create a Sudo User in Linux header image

Creating a sudo user allows a non-root user to perform administrative tasks with elevated privileges. Instead of logging in as root, the user authenticates with their password, and the system securely logs each command they run. This approach improves system security by limiting root access and providing better accountability. Most Linux distributions follow a similar process for adding sudo users, with slight group names or package requirements variations.

This article explains how to create a sudo user on major Linux distributions, verify their privileges, and apply optional security settings to control sudo behavior.

Prerequisites

Before you begin, you need to:

Create a Sudo User

In this section, you will create a new user and grant them sudo privileges. While the exact steps may vary slightly between distributions, most follow a similar process. Start by choosing the section that matches your Linux distribution.

Create a Sudo User on Red Hat-Based Distributions (AlmaLinux, Rocky Linux, CentOS)

On Red Hat-based systems, users gain sudo access by being added to the wheel group, which is predefined in the instance sudoers configuration. This group based approach helps centralize administrative permissions and improve security by controlling who can execute privileged commands.

  1. Create a new user.

    console
    $ sudo useradd -m example_user
    

    In the above command, the -m option ensures a home directory is created at /home/example_user. Replace example_user with your desired username.

  2. Set a password for the user.

    console
    $ sudo passwd example_user
    

    You'll be prompted to enter and confirm a secure password. The system stores this encrypted password in /etc/shadow, which is readable only by privileged users.

  3. Add the user to the wheel group.

    console
    $ sudo usermod -aG wheel example_user
    

    The above command grants sudo access by adding the user to the wheel group.

    • The -a option appends the user to the group without removing them from any existing groups.
    • The -G flag specifies the group name.
  4. Open the /etc/sudoers file with visudo to verify that the wheel group has sudo privileges.

    console
    $ sudo visudo
    

    Unlike a regular text editor, visudo performs syntax validation before saving changes. This helps prevent configuration errors that could lock you out of the system.

  5. Locate the following line and make sure it is uncommented.

    ini
    ...
    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)       ALL
    ...
    

    The above directive allows users in the wheel group to run any command with sudo. Its components mean:

    • %wheel: Applies to the wheel group (% indicates a group).
    • First ALL: Applies to all hosts.
    • (ALL): Allows running commands as any user.
    • Last ALL: Allows running any command.
    Note
    Always use visudo to edit the sudoers file. Editing it directly with a standard text editor can result in syntax errors that break sudo functionality.
  6. Switch to the newly created user account.

    console
    $ sudo su - example_user
    

    The hyphen (-) ensures that the user’s full environment is loaded, including updated PATH variables.

  7. Run the whoami command with sudo to verify administrative access.

    console
    $ sudo whoami
    

    Output:

    root

    The output root confirms that the configuration is correct and the user has sudo privileges.

Test Sudo User Privileges in Linux

After setting up a sudo user, verify that the account has administrative privileges. This section walks you through several tests to confirm proper sudo functionality.

Run Basic Commands with Sudo

Run these commands to ensure the user can perform administrative tasks.

  1. View the root user's home directory.

    console
    $ sudo ls -la /root
    

    This command displays hidden and regular files in /root, which only root or users with sudo privileges can access.

  2. Update the server package lists.

    • On Debian-based systems (Ubuntu, Debian):

      console
      $ sudo apt update
      
    • On Red Hat-based systems (RHEL, CentOS, Fedora):

      console
      $ sudo dnf makecache
      
    • On Arch Linux:

      console
      $ sudo pacman -Sy
      

    Package management commands require root privileges because they modify system files and packages. If these commands work without errors, your sudo setup is functioning.

Verify Access to Protected Files

Confirm that your sudo user can access sensitive files restricted to root.

console
$ sudo cat /etc/shadow

The /etc/shadow file contains encrypted user passwords and is critical for system security. It's only readable by root or users with sudo privileges, so viewing it confirms your sudo privileges are working.

Check Sudo Logs

sudo maintains detailed logs of all activity, which is crucial for security auditing and accountability.

  • On Debian-based systems, run:

    console
    $ sudo grep sudo /var/log/auth.log
    
  • On Red Hat systems, run:

    console
    $ sudo grep sudo /var/log/secure
    

These logs record when users run sudo, who ran it, and which commands they executed. This audit trail is a key security advantage of using sudo instead of directly operating as the root user.

Manage Password Prompts for a Sudo User

In this section, you will configure how and when sudo prompts for a password, allowing you to fine-tune the balance between security and convenience.

Configure Password Timeout

By default, sudo caches your credentials for 15 minutes. Follow the steps below to customize this timeout to suit your workflow.

  1. Open the sudoers file using the visudo utility.

    console
    $ sudo visudo
    
  2. Add or modify the following line.

    ini
    Defaults        timestamp_timeout=30
    

    This example sets the timeout to 30 minutes. This value determines how long sudo remembers your authentication after a successful password entry.

    Special values for timestamp_timeout:

    • 0: Require the password for every sudo command.
    • -1: Never prompt again during the session.
    • Positive integers (for example, 5, 15, 30): Define the authentication timeout in minutes.

    Behind the scenes, sudo creates timestamp files in /var/run/sudo/ or /var/lib/sudo/ to track when users last authenticated.

Set Up Passwordless Sudo

For automation tasks or controlled environments, you can allow specific users or groups to execute sudo commands without being prompted for a password.

  1. Open the sudoers file.

    console
    $ sudo visudo
    
  2. Add a rule for the user.

    ini
    example_user ALL=(ALL) NOPASSWD: ALL
    

    Or configure it for an entire group:

    ini
    %wheel  ALL=(ALL) NOPASSWD: ALL
    
    Warning
    Enabling password-less sudo reduces security by eliminating authentication prompts. Use it only in secure environments with fully trusted users.

Limit Command Execution

Following the principle of least privilege, restrict which commands users can execute with sudo.

  1. Edit the sudoers file.

    console
    $ sudo visudo
    
  2. Define explicit command permissions.

    ini
    example_user ALL=(ALL) /usr/bin/apt update, /usr/bin/apt upgrade
    

    This configuration allows the user to run only the specified commands with sudo. Use absolute paths, as sudo does not resolve commands through $PATH.

    To locate a command's full path, run:

    console
    $ which <command>
    

    For example:

    console
    $ which mkdir
    

    Output:

    /usr/bin/mkdir

Create Command Aliases

In multi-user environments, command aliases can simplify the privilege definitions.

  1. Open the sudoers file.

    console
    $ sudo visudo
    
  2. Define command groups and assign them.

    ini
    # Command Aliases
    Cmnd_Alias UPDATES = /usr/bin/apt update, /usr/bin/apt upgrade
    Cmnd_Alias SERVICES = /usr/bin/systemctl restart apache2
    
    # User Privileges
    example_user ALL=(ALL) UPDATES, SERVICES
    

Command aliases let you group related commands under a single name, making the sudoers file more organized and maintainable as it grows.

Conclusion

You have successfully created and configured a sudo user across major Linux distributions. You granted administrative privileges by assigning the user to the appropriate group (wheel or sudo) and verified access through protected commands. You also reviewed ways to enforce secure privilege escalation by customizing the sudoers file, such as restricting commands, enabling password-less access, and setting timeout and retry limits. With these configurations, your system now has properly managed sudo access, enhancing usability and security.

Comments

No comments yet.

How to Create a Sudo User in Linux | Vultr Docs