
Creating a sudo
user allows a non-root user to perform administrative tasks with elevated privileges. Instead of logging in as root, the user authenticates with their password, and the system securely logs each command they run. This approach improves system security by limiting root access and providing better accountability. Most Linux distributions follow a similar process for adding sudo
users, with slight group names or package requirements variations.
This article explains how to create a sudo
user on major Linux distributions, verify their privileges, and apply optional security settings to control sudo
behavior.
Prerequisites
Before you begin, you need to:
- Have access to a Linux instance as a non-root sudo user.
Create a Sudo User
In this section, you will create a new user and grant them sudo
privileges. While the exact steps may vary slightly between distributions, most follow a similar process. Start by choosing the section that matches your Linux distribution.
On Red Hat-based systems, users gain sudo
access by being added to the wheel
group, which is predefined in the instance sudoers configuration. This group based approach helps centralize administrative permissions and improve security by controlling who can execute privileged commands.
Create a new user.
console$ sudo useradd -m example_user
In the above command, the
-m
option ensures a home directory is created at/home/example_user
. Replaceexample_user
with your desired username.Set a password for the user.
console$ sudo passwd example_user
You'll be prompted to enter and confirm a secure password. The system stores this encrypted password in
/etc/shadow
, which is readable only by privileged users.Add the user to the
wheel
group.console$ sudo usermod -aG wheel example_user
The above command grants
sudo
access by adding the user to thewheel
group.- The
-a
option appends the user to the group without removing them from any existing groups. - The
-G
flag specifies the group name.
- The
Open the
/etc/sudoers
file withvisudo
to verify that thewheel
group hassudo
privileges.console$ sudo visudo
Unlike a regular text editor,
visudo
performs syntax validation before saving changes. This helps prevent configuration errors that could lock you out of the system.Locate the following line and make sure it is uncommented.
ini... ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL ...
The above directive allows users in the
wheel
group to run any command withsudo
. Its components mean:%wheel
: Applies to the wheel group (% indicates a group).First ALL
: Applies to all hosts.(ALL)
: Allows running commands as any user.Last ALL
: Allows running any command.
Notevisudo
to edit the sudoers file. Editing it directly with a standard text editor can result in syntax errors that breaksudo
functionality.Switch to the newly created user account.
console$ sudo su - example_user
The hyphen (
-
) ensures that the user’s full environment is loaded, including updated PATH variables.Run the
whoami
command withsudo
to verify administrative access.console$ sudo whoami
Output:
root
The output
root
confirms that the configuration is correct and the user hassudo
privileges.
Debian-based systems, such as Ubuntu and its derivatives, manage administrative privileges using the sudo
group rather than wheel
. In this section, you will create a new user, assign sudo
access, and verify that the configuration works as expected.
Create a new user.
console$ sudo adduser example_user
The
adduser
utility is interactive and user-friendly. It creates the home directory, prompts for a password, and optionally collects user metadata like full name and contact information.Add the user to the
sudo
group.console$ sudo usermod -aG sudo example_user
By default, members of the
sudo
group have administrative privileges on Debian and Ubuntu systems. This configuration is defined in the/etc/sudoers
file and included by default.Switch to the newly created user account.
console$ sudo su - example_user
The
-
flag ensures the new user environment is fully loaded, including the updated group membership.Run the
whoami
utility usingsudo
to print the effective user name.console$ sudo whoami
Output:
root
If the output returns
root
, the user has successfully been grantedsudo
privileges.
Arch Linux's environment requires manual configuration of administrative access. In this section, you'll create a new user, assign them to the wheel
group, and configure the sudoers
file to enable sudo
privileges.
Create a new user.
console$ sudo useradd --create-home example_user
In the above command, the
--create-home
flag ensures the system creates a home directory for the user. Replaceexample_user
.Set a password for the user.
console$ sudo passwd example_user
When prompted, enter and confirm a strong password. The system securely stores the password in encrypted form in the
/etc/shadow
file, which is readable only by theroot
user.Add the user to the
wheel
group.console$ sudo usermod --append --groups wheel example_user
Arch Linux uses the
wheel
group to controlsudo
access, similar to Red Hat-based systems.Install the
vi
editor, which thevisudo
utility requires.console$ sudo pacman --sync vi
Update the
sudoers
file.console$ sudo visudo
Find the following line and ensure it is uncommented.
ini... %wheel ALL=(ALL) ALL ...
This enables all users in the
wheel
group to use thesudo
utility.Switch to the newly created user.
console$ sudo su - example_user
Then verify
sudo
access:console$ sudo whoami
Output:
root
This confirms that
sudo
is configured for the new user.
Test Sudo User Privileges in Linux
After setting up a sudo
user, verify that the account has administrative privileges. This section walks you through several tests to confirm proper sudo
functionality.
Run Basic Commands with Sudo
Run these commands to ensure the user can perform administrative tasks.
View the
root
user's home directory.console$ sudo ls -la /root
This command displays hidden and regular files in
/root
, which onlyroot
or users withsudo
privileges can access.Update the server package lists.
On Debian-based systems (Ubuntu, Debian):
console$ sudo apt update
On Red Hat-based systems (RHEL, CentOS, Fedora):
console$ sudo dnf makecache
On Arch Linux:
console$ sudo pacman -Sy
Package management commands require
root
privileges because they modify system files and packages. If these commands work without errors, yoursudo
setup is functioning.
Verify Access to Protected Files
Confirm that your sudo
user can access sensitive files restricted to root
.
$ sudo cat /etc/shadow
The /etc/shadow
file contains encrypted user passwords and is critical for system security. It's only readable by root
or users with sudo
privileges, so viewing it confirms your sudo
privileges are working.
Check Sudo Logs
sudo
maintains detailed logs of all activity, which is crucial for security auditing and accountability.
On Debian-based systems, run:
console$ sudo grep sudo /var/log/auth.log
On Red Hat systems, run:
console$ sudo grep sudo /var/log/secure
These logs record when users run sudo
, who ran it, and which commands they executed. This audit trail is a key security advantage of using sudo
instead of directly operating as the root
user.
Manage Password Prompts for a Sudo User
In this section, you will configure how and when sudo
prompts for a password, allowing you to fine-tune the balance between security and convenience.
Configure Password Timeout
By default, sudo
caches your credentials for 15 minutes. Follow the steps below to customize this timeout to suit your workflow.
Open the
sudoers
file using thevisudo
utility.console$ sudo visudo
Add or modify the following line.
iniDefaults timestamp_timeout=30
This example sets the timeout to 30 minutes. This value determines how long sudo remembers your authentication after a successful password entry.
Special values for
timestamp_timeout
:0
: Require the password for everysudo
command.-1
: Never prompt again during the session.- Positive integers (for example,
5
,15
,30
): Define the authentication timeout in minutes.
Behind the scenes,
sudo
creates timestamp files in/var/run/sudo/
or/var/lib/sudo/
to track when users last authenticated.
Set Up Passwordless Sudo
For automation tasks or controlled environments, you can allow specific users or groups to execute sudo
commands without being prompted for a password.
Open the
sudoers
file.console$ sudo visudo
Add a rule for the user.
iniexample_user ALL=(ALL) NOPASSWD: ALL
Or configure it for an entire group:
ini%wheel ALL=(ALL) NOPASSWD: ALL
Warningsudo
reduces security by eliminating authentication prompts. Use it only in secure environments with fully trusted users.
Limit Command Execution
Following the principle of least privilege, restrict which commands users can execute with sudo
.
Edit the
sudoers
file.console$ sudo visudo
Define explicit command permissions.
iniexample_user ALL=(ALL) /usr/bin/apt update, /usr/bin/apt upgrade
This configuration allows the user to run only the specified commands with
sudo
. Use absolute paths, assudo
does not resolve commands through$PATH
.To locate a command's full path, run:
console$ which <command>
For example:
console$ which mkdir
Output:
/usr/bin/mkdir
Create Command Aliases
In multi-user environments, command aliases can simplify the privilege definitions.
Open the
sudoers
file.console$ sudo visudo
Define command groups and assign them.
ini# Command Aliases Cmnd_Alias UPDATES = /usr/bin/apt update, /usr/bin/apt upgrade Cmnd_Alias SERVICES = /usr/bin/systemctl restart apache2 # User Privileges example_user ALL=(ALL) UPDATES, SERVICES
Command aliases let you group related commands under a single name, making the sudoers
file more organized and maintainable as it grows.
Conclusion
You have successfully created and configured a sudo
user across major Linux distributions. You granted administrative privileges by assigning the user to the appropriate group (wheel
or sudo
) and verified access through protected commands. You also reviewed ways to enforce secure privilege escalation by customizing the sudoers file, such as restricting commands, enabling password-less access, and setting timeout and retry limits. With these configurations, your system now has properly managed sudo
access, enhancing usability and security.
No comments yet.