How to use Sudo on a Vultr Cloud Server
Introduction
In this guide, you will learn about root access, the sudo command, how to run commands using sudo, and the differences between sudo access and root. You'll also find instructions below that explain how to add user to sudoers in Arch Linux and create a sudo user for popular operating systems.
What is Root?
root
refers to the superuser account in Unix-like systems such as Linux. It is a privileged account with the highest access rights on the system used for system administration. This root/superuser account has a user identifier (UID) of zero, regardless of the name of the account.
The root user has full permissions (root privileges) to the entire system. It can do things like modifying core parts of the system, upgrading the system, changing system configuration, and starting, stopping, and restarting all running system services.
When logged in as root, the terminal command prompt symbol changes from $
to #
. For example:
$ echo 'This is a normal user shell'
# echo 'This is a root shell'
What is Sudo?
The sudo
(superuser do) command is a command-line utility that allows a user to execute commands as the root or a different user. It provides an efficient way to grant certain users the appropriate permissions to use specific system commands or run scripts as the root user.
Although a bit similar to the su
command, sudo
requires the logged-in user's password for authentication, rather than the target user's password that su
requires. Sudo also doesn't spawn a root shell like su
; rather it runs the program or command with elevated privileges.
With sudo, a system administrator can carry out the following actions:
- Grant users or groups of users the ability to run certain commands with elevated or root privileges.
- View a log of the user ID of each user that uses sudo.
- Control what command a user can use on a host system.
Sudo keeps a log of all commands and arguments executed in the /var/log/auth.log
file, which can be analyzed in the event something breaks.
Run Commands as Sudo
To run commands as sudo, prepend the command with sudo
:
$ sudo command
It will prompt you for a password, enter your account password, and click ENTER:
$ sudo command
[sudo] password for user:
Now, command
is going to run with elevated privileges.
Sudo Vs. Root
The principle of least privilege is an information and computer security concept that holds the idea of granting programs and users the least or bare minimum privileges required to perform a task.
When logged in as root, every command entered into the terminal runs with the highest privileges on the system, which violates the principle of least privilege. A simple command like rm could be used to delete core root directories or files without prompting the user when unintended. For instance, if you tried to delete a root directory like /etc using:
$ rm -rf /etc
You will be denied permission as you are logged in as a normal user. When logged in as root, no prompts will be shown, and the entire folder will be deleted - which may most likely break your system as special configuration files needed for running the system are stored in the /etc directory. You could also end up formatting a disk wrongly, and the system won't prompt you.
This flaw also extends to running code or applications as root; a small bug in the application could erase some system files because the application is running under the highest privileges.
Sudo provides fine-grained access control. It grants elevated permissions to only a particular program that requires it. You know which program is running with elevated privileges, rather than working with a root shell (running every command with root privileges). Sudo can also be configured to run commands as another user, specify which users and groups are allowed to run commands using sudo, or set timeouts for running programs with root privileges by editing your sudoers file.
Consequently, running commands with the root shell is not advised as the chances of you breaking your system are much higher. If you require higher or root privileges to run a command, use sudo to be sure only that command is running with root privileges. For more information, check out the sudo man page.
Create a Sudo User on AlmaLinux, CentOS, Fedora, Rocky Linux, and VzLinux
This section applies to:
- AlmaLinux
- CentOS 7 and later
- Fedora 31 and later
- Rocky Linux
- VzLinux
Procedure:
Create a new user account with the
adduser
command.# adduser example_user
Set a strong password for the new user with
passwd
.# passwd example_user Changing password for user example_user. New password: Retype new password: passwd: all authentication tokens updated successfully.
Add the new user to the wheel group with
usermod
.# usermod -aG wheel example_user
Check the sudoers file with
visudo
.# visudo
Look for the wheel group. Remove the comment if the line is disabled. It should look like this when you are ready to save the file.
## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL
Save and exit vi. Type Esc, then ColonWQ, then Enter.
Note: Never edit
/etc/sudoers
directly, always usevisudo
. The visudo utility performs syntax checking before committing your edits to the file, because a malformed sudoers file can break your system. If you make an error, you'll see this when exiting visudo.visudo: >>> /etc/sudoers: syntax error near line 64 <<< What now? Options are: (e)dit sudoers file again e(x)it without saving changes to sudoers file (Q)uit and save changes to sudoers file (DANGER!)
Switch to the new user.
# su - example_user
Verify you are the new user with
whoami
, then test sudo access withsudo whoami
, which should return root.$ whoami example_user $ sudo whoami [sudo] password for example_user: root
Create and Add a Sudo User on Arch Linux
To grant administrative privileges to a user in Arch Linux, you must add the user to the sudoers group securely. This section shows how to add a user to sudoers in Arch, ensuring proper configuration with Visudo to avoid system errors.
Procedure:
Install
sudo
, because it's not included as part of the base installation. If you haven't done an update for a while, remember to update your local repository databases first.# pacman --sync sudo
Create a new user account with
useradd
.# useradd --create-home example_user
Set a strong password for the new user with
passwd
.# passwd example_user
Add the new user to the wheel group with
usermod
.# usermod --append --groups wheel example_user
Edit the sudoers file with
visudo
.# visudo
Look for the wheel group in the 'User privilege specification' section at the bottom of the file. Remove the comment from the beginning of the line, so this it looks like this:
## Uncomment to allow members of group wheel to execute any command %wheel ALL=(ALL) ALL
Save and exit visudo. Type Esc, then ColonWQ (lowercase), then Enter.
Note: Never edit
/etc/sudoers
directly, always usevisudo
. The visudo utility performs syntax checking before committing your edits to the file, because a malformed sudoers file can break your system. If you make an error, you'll see this when exiting visudo.visudo: >>> /etc/sudoers: syntax error near line 64 <<< What now? Options are: (e)dit sudoers file again e(x)it without saving changes to sudoers file (Q)uit and save changes to sudoers file (DANGER!)
Switch to the new user.
# su - example_user
Verify you are the new user with
whoami
, then test access withsudo whoami
, which should return root.$ whoami example_user $ sudo whoami We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for example_user: root
Create a Sudo User on Debian & Ubuntu
This section applies to:
- Debian 9 "Stretch" and later
- Ubuntu 16.04 and later
Procedure:
Install sudo. Some installations do not come with sudo installed. If your does not, install sudo with apt.
# apt install sudo
Create a new user account with the
adduser
command. Use a strong password for the new user. You can enter values for the user information, or press Enter to leave those fields blank.# adduser example_user Adding user `example_user' ... Adding new group `example_user' (1001) ... Adding new user `example_user' (1001) with group `example_user' ... Creating home directory `/home/example_user' ... Copying files from `/etc/skel' ... New password: Retype new password: passwd: password updated successfully Changing the user information for example_user Enter the new value, or press ENTER for the default Full Name []: Example User Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [Y/n] y
Add the new user to the sudo group.
# adduser example_user sudo
Test by switching to the new user.
# su - example_user
Verify you are the new user with
whoami
, then test sudo access withsudo whoami
, which should return root.$ whoami example_user $ sudo whoami [sudo] password for example_user: root
Create a Sudo User on FreeBSD
This section applies to FreeBSD 11 and later.
Procedure:
Install
sudo
from the ports collection if it's installed on your system. To install sudo from ports:# cd /usr/ports/security/sudo/ # make install clean
You can also install the binary
sudo
package using pkg:# pkg install sudo
Create a new user account for use with sudo:
# adduser
Answer the questions in the dialog to create the user. We'll use example_user in this guide.
Add the user to the wheel group, which limits who can use
su
to become root.# pw group mod wheel -m example_user
Edit the sudoers file with
visudo
.# visudo
Look for the wheel group. Remove the comment if the line is disabled. It should look like this when you are ready to save the file.
## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL
Save and exit vi. Type Esc, then ColonWQ, then Enter.
Note: Never edit
/etc/sudoers
directly, always usevisudo
. The visudo utility performs syntax checking before committing your edits to the file, because a malformed sudoers file can break your system. If you make an error, you'll see this when exiting visudo.visudo: >>> /etc/sudoers: syntax error near line 64 <<< What now? Options are: (e)dit sudoers file again e(x)it without saving changes to sudoers file (Q)uit and save changes to sudoers file (DANGER!)
Switch to the new user.
# su - example_user
Verify you are the new user with
whoami
, then test sudo access withsudo whoami
, which should return root.$ whoami example_user $ sudo whoami [sudo] password for example_user: root
Create a Sudo User on OpenBSD
This section applies to OpenBSD 6.6 and later.
Please see Introduction to doas on OpenBSD if you prefer to use
doas
instead ofsudo
.
Install the binary
sudo
package. Choose option 1 unless you know why you need another package.# pkg_add sudo quirks-3.187 signed on 2020-05-19T14:41:48Z Ambiguous: choose package for sudo a 0: <None> 1: sudo-1.8.31 2: sudo-1.8.31-gettext 3: sudo-1.8.31-gettext-ldap Your choice: 1 sudo-1.8.31: ok
Create a new user account for use with sudo, and set the password.
# useradd -m example_user # passwd example_user Changing password for example_user. New password: Retype new password:
Add the user to the wheel group, which limits who can use
su
to become root.# user mod -G wheel example_user
Check the sudoers file with
visudo
.# visudo
Look for the wheel group. Remove the comment if the line is disabled. It should look like this when you are ready to save the file.
# Uncomment to allow people in group wheel to run all commands # and set environment variables. %wheel ALL=(ALL) SETENV: ALL
Save and exit vi. Type Esc, then ColonWQ, then Enter.
Note: Never edit
/etc/sudoers
directly, always usevisudo
. The visudo utility performs syntax checking before committing your edits to the file, because a malformed sudoers file can break your system. If you make an error, you'll see this when exiting visudo.visudo: >>> /etc/sudoers: syntax error near line 64 <<< What now? Options are: (e)dit sudoers file again e(x)it without saving changes to sudoers file (Q)uit and save changes to sudoers file (DANGER!)
Switch to the new user.
# su - example_user
Verify you are the new user with
whoami
, then test sudo access withsudo whoami
, which should return root.$ whoami example_user
$ sudo whoami [sudo] password for example_user: root
More about the sudoers
File
Sudo uses the default sudoers
security policy and keeps a special configuration file /etc/sudoers
. This file can be used to control access rights and password prompt timeouts.
Note: You must have elevated privileges to view the sudoers file
Open the /etc/sudoers
file; it should look like this:
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/
sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
The line:
root ALL=(ALL:ALL)ALL
means that the root user has unlimited privileges and is capable of running any command on the system.
%sudo ALL=(ALL:ALL)ALL
Allows all members of group sudo to execute any command.
Note: '%' in the sudoers file represents a group
As you can see from the first line in the /etc/sudoers
file:
# This file MUST be edited with the 'visudo' command as root
Do not attempt to edit the sudoers file directly. Use the visudo
command with root privileges.