Most Linux distributions don’t allow logging in as the ‘root’ user, also known as the superuser, by default. This is a security measure to prevent accidental or intentional changes that could harm the system; in an enterprise setup especially, such changes could mean disaster.
Instead, they use a feature called sudo, which allows authorized users to perform administrative tasks without logging in as root. This way, users can still perform system-level tasks without the risks associated with being logged in as the root user. In this article we will explore how to grant sudo privileges to a user or a group of users.
What is a Sudoers file?
The sudoers file is a configuration file in Unix-based operating systems, including Ubuntu, that determines which users or groups have the permission to use the sudo command to perform privileged tasks. The sudoers file defines a list of rules that specify what commands a user can run and as what user, and also controls the level of access they have to the system. The sudoers file is typically located at ‘
Adding users to the sudoers file in Linux is done either by manually editing the sudoers file or by using the usermod command. Either method is fine, the latter being more “clean”. In this tutorial, we’ll go over both methods of granting sudo access to a user or users, step by step.
Note: To add a user to the sudoers file or sudo group, you need a user with elevated privileges.
Steps for Adding Users to Sudoers
Let’s go over the first method which is manually adding the user to the sudoers file. For this, you’ll need a text editor and a user with sudo or root privileges.
If a user you’re working with isn’t added to the sudoers file, you’ll see this message. I’ve created a user for demonstrating within the entire tutorial.
Adding Users to Sudoers File Manually
Adding the user to the sudoers file is very easy. All you do is open the /etc/sudoers file and add the username to the list. If you haven’t already read through our tutorial explaining the sudo command and the sudoers file in detail.
Let’s first open the file:
We use the visudo command since it performs sanity checks before the file is saved so as to avoid breaking the sudoers file. Traditionally, the visudo command uses the vi editor. But on Ubuntu, the default editor is changed to nano.
You should still be good if you use any other editor of your choice, as long as you don’t go overboard and change a lot of things that you do not know the formatting for. You’ll see contents within the file similar to the screenshot below.
The place where you see root ALL=(ALL:ALL) ALL is where we’ll be adding our user name. In my case, I want to add the user “lfd” to the sudoers. I’ll add the following line just below the root line.
lfd ALL=(ALL:ALL) ALL
As you can see in the below image, our lfd user is now sudo-capable! Awesome!
Adding a Group to Sudoers File Manually
Now that we have figured out how to add users to the sudoers file manually, let’s go ahead and add an entire group to the sudoers file. Adding each individual user one by one would be quite time-consuming and inefficient at best. Hence, we add groups directly in place of the individual users.
We use ‘visudo’ as detailed above to open the sudoers file located in /etc/sudoers using the sudo command.
Scroll down to the line that starts with %sudo. This line grants sudo privileges to the sudo group. Alternatively, you can create a new line to add a new group. For example, if you want to grant sudo privileges to the lfdusrs group, add the following line:
%lfdusrs ALL=(ALL) ALL
This line grants all members of the lfdusrs group the ability to execute any command with administrative privileges. Finally, save and close the file.
visudo, you can save and close the file by pressing
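The manual edits above can also be scripted with the same syntax check that visudo performs. The following is an added example, not part of the original article: it validates a rule file with visudo -cf and only then installs it as a drop-in. The helper name, the SUDOERS_D override and the assumption that the main sudoers file includes /etc/sudoers.d are illustrative.

```bash
#!/usr/bin/env bash
# Added example. install_sudoers_dropin is a hypothetical helper, not a sudo tool.
# Assumption: the main sudoers file includes /etc/sudoers.d. SUDOERS_D overrides
# the target directory, e.g. for a dry run in a scratch directory.

install_sudoers_dropin() {
    local name=$1 src=$2 dest_dir=${SUDOERS_D:-/etc/sudoers.d}

    # sudo skips drop-in files whose name contains '.' or ends in '~', so a file
    # called "lfd.conf" would install without error and grant nothing.
    case $name in
        ''|*.*|*~|*/*)
            echo "refusing drop-in name: '$name'" >&2
            return 1
            ;;
    esac

    # -c = check only, -f = file to check. Fails closed: if visudo is missing
    # or reports a syntax error, nothing is written.
    if ! visudo -cf "$src" >/dev/null 2>&1; then
        echo "syntax check failed, nothing installed: $src" >&2
        return 1
    fi

    # Install read-only (0440); run as root so the file ends up owned by root.
    install -m 0440 "$src" "$dest_dir/$name"
}

# Usage (as root), with the group rule from this article:
#   printf '%%lfdusrs ALL=(ALL) ALL\n' > lfdusrs.rule
#   install_sudoers_dropin lfdusrs lfdusrs.rule
```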
Now let’s move on to the cleaner method of using usermod.
Adding Users to Sudoers using usermod Command
Editing the sudoers file is not the “cleanest” way of doing things when we have a utility created for helping us perform those actions. The usermod command allows us to add/edit groups that a user is in.
Before we start
For adding users to sudoers with the usermod command, we simply need to add the user to the sudo group. Let’s see how we can perform the same.
sudo usermod -a -G sudo <username>
- -a Append the user to the group given with -G, keeping their existing group memberships
- -G The name of the group the user should be added to
- <username> The username of the user that needs to be modified
For this demonstration, I deleted the line from the sudoers file so our user is back to non-sudo. In the below image, I’ve added the user to the sudo group.
Adding User to Sudoers in Ubuntu or Debian
Here are the steps to add a user to sudoers using the usermod command in Ubuntu or Debian:
- Log in as an Ubuntu or Debian user with sudo privileges.
- Open a terminal window.
- Use the following command to add the user to the sudo group:
sudo usermod -aG sudo username
- Replace username with the actual username of the user you want to add to the sudo group.
For example, if you want to add a user named ‘Roger’ to the sudoers:
sudo usermod -aG sudo Roger
Adding user to sudoers in CentOS or Fedora
The steps involved in adding a user to the sudoers file in CentOS or Fedora are just the same, with the exception of the ‘wheel’ group. In CentOS and Fedora, the wheel group grants sudo privileges, instead of the sudo group used in Ubuntu and Debian.
Here are the steps to add a user to sudoers using usermod command in CentOS or Fedora:
- Log in as a user with sudo privileges
- Open a terminal window
- Use the following command to add the user to the wheel group:
sudo usermod -aG wheel username
- Replace username with the actual username of the user you want to add to the wheel group.
Adding Linux users to sudoers via GUI
To add Linux users to sudoers via GUI in Ubuntu, you can follow these steps:
- Click on the “Applications” icon in the Ubuntu taskbar and select “Settings” from the menu.
- In the “Settings” window, click on “Users” on the left-hand side menu.
- Click on the user that you want to add to the sudoers group.
- Click on the “Account Type” dropdown menu and select “Administrator”.
- Close the “Settings” window.
Checking whether adding users to sudoers was successful
Using ‘whoami’ command to check if the user has been added to the sudoers
- Log in as the user you added to the sudoers group.
- Open a terminal window.
- Run the following command:
whoami command requires administrative privileges to run. If the user is successfully added to the sudoers group, the output should be root, which is the username of the superuser account. If the output is the username of the regular user account, then the user is not added to the sudoers group or the group membership has not taken effect yet.
Checking the user’s group membership using ‘groups’ command
Replace username with the actual username of the user you want to check. This command lists all the groups that the user is a member of, including the wheel group if the user has been added to the sudoers group.
Note – If the user is not able to execute administrative commands using sudo or their group membership doesn’t show the wheel group, you may need to log out and log back in or restart the system for the changes to take effect.
Now when the user logs in for the first time after this new group is added, they’ll get a message like the one below notifying them of the change in privileges. You now know both the ways of adding users to sudoers! Great job.
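To confirm the result for every account at once rather than one login at a time, the following added example (not part of the original article) reads a sudoers file and a group database and lists every account that holds a sudoers rule, directly or through a group. The function names and sample data are constructed for illustration; aliases, included files and primary-group membership are not resolved.

```bash
#!/usr/bin/env bash
# Added example; function names and sample data are constructed for illustration.
# Not resolved: User_Alias expansion, included files, #uid subjects, and users
# whose *primary* group is the sudo group (they are absent from /etc/group lists).

# accounts_with_sudo_rules SUDOERS_FILE GROUP_FILE
accounts_with_sudo_rules() {
    awk -F: '
        FILENAME == ARGV[1] {                 # sudoers: collect rule subjects
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^[#@]/) next            # comments, includes
            if (line ~ /^(Defaults|[A-Za-z]+_Alias)/) next    # settings, aliases
            split(line, f, /[ \t]+/)
            n = split(f[1], s, ",")           # "lfd,%lfdusrs ALL=..." is legal
            for (i = 1; i <= n; i++) {
                if (s[i] ~ /^%/) groups[substr(s[i], 2)] = 1
                else users[s[i]] = 1
            }
            next
        }
        ($1 in groups) {                      # group file: name:x:gid:m1,m2
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") users[m[i]] = 1
        }
        END { for (u in users) print u }
    ' "$1" "$2" | LC_ALL=C sort
}

demo_audit() {
    local dir; dir=$(mktemp -d)
    # Constructed sudoers content using the rules shown in this article.
    printf '%s\n' '# constructed sample' 'Defaults env_reset' \
        'root ALL=(ALL:ALL) ALL' 'lfd ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' '%lfdusrs ALL=(ALL) ALL' > "$dir/sudoers"
    # Constructed group database: Roger was added with usermod -aG sudo.
    printf '%s\n' 'sudo:x:27:Roger' 'wheel:x:10:dave' \
        'lfdusrs:x:1001:alice,bob' 'users:x:100:carol' > "$dir/group"
    accounts_with_sudo_rules "$dir/sudoers" "$dir/group"
    rm -rf "$dir"
}

demo_audit
```

On a live system, run it as root against /etc/sudoers and /etc/group and compare the list with the accounts you intended to grant access to.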
Why Do We Need sudo?
This is a common question among new users who’ve been using Windows and have recently switched to Linux. In Windows, we’re used to logging into the administrator account and using things directly as an administrator.
User Access Control (UAC) was introduced in Windows because staying logged in as an Administrator posed a very obvious security risk: any software running under the user has full privileges to perform any action on the system. With UAC, most applications run with limited access, and only when a system file needs to be modified does Windows prompt the user for permission.
This is exactly why we need sudo and root users to be different. If you use root as your user regularly, you’ll be exposing yourself to the risk of giving a malicious application full access to your system. As a root user, you can perform rm -rf / and delete the entire system without any obstacles. And that’s more than enough to give you an idea of how devastating root access in the wrong hands can be.
So unless you really need to, there’s no point in using the root account. UAC is like sudo, where you only escalate privileges when you need to, and at other times, you stay put with limited access.
We hope that this tutorial has helped you understand the process of adding users to sudoers in Linux and if you’ve followed through, you probably have added your user to the sudo group too.
Do check out this article on how to configure the sudoers file by the Linux Foundation!