Create a New sudo-enabled User in Ubuntu 18.04/20.04/22.04 LTS & CentOS 7
Introduction
The sudo command is a cornerstone of Linux system administration, providing a controlled mechanism for users to execute commands with elevated privileges. It’s a safer alternative to directly logging in as the root user, minimizing the risk of accidental system-wide changes. This article details how to create a new user account and grant it sudo access on Ubuntu, CentOS, and Red Hat Enterprise Linux (RHEL) systems, without directly modifying the /etc/sudoers file. This method leverages group membership for privilege escalation. If you have an existing user and just want to grant sudo access, skip ahead to Step 3. We’ll also explore alternative methods for achieving the same result, offering flexibility in your approach to user management.
Step 1 : Access Your Server
Before you can create a new user with sudo privileges, you need to access your server. This is typically done through SSH (Secure Shell) as the root user or another user with sufficient privileges.
$ ssh root@your_server_ip_addressReplace your_server_ip_address with the actual IP address of your server.
Step 2 : Adding a new user
Once logged in, use the adduser command to create a new user account.
$ adduser bobReplace bob with your desired username. The system will prompt you for a password and other optional information.
Adding user `bob' ...
Adding new group `bob' (1001) ...
Adding new user `bob' (1001) with group `bob' ...
Creating home directory `/home/bob' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for bob
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] yYou can accept the defaults for the optional information by pressing Enter. Make sure to set a strong password.
Step 3 : Add user to sudo group
This is the crucial step that grants the new user sudo access. On Ubuntu, CentOS, and RHEL systems, members of the sudo group are typically granted full sudo privileges. Use the usermod command to add the new user to the sudo group.
$ usermod -aG sudo bobAgain, replace bob with the actual username. The -aG option ensures that the user is added to the specified group without being removed from any other groups they might already belong to.
Step 4 : Testing the access
To verify that the new user has sudo access, switch to the new user account using the su command.
$ su - bobThe - option ensures that you log in as the user, loading their environment variables and working directory. Now, try running a command that requires sudo privileges.
$ sudo commandFor example, you can try listing the contents of the /root directory, which is usually only accessible to the root user.
$ sudo ls -la /rootThe system will prompt you for the user’s password. If the command executes successfully, the user has sudo access.
[sudo] password for bob:
total 28
drwx------ 3 root root 4096 Aug 12 18:31 .
drwxr-xr-x 19 root root 4096 Aug 22 16:42 ..
-rw------- 1 root root 1068 Aug 22 15:29 .bash_history
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4096 Aug 12 17:23 .local
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 0 Aug 12 18:23 .scmversion
-rw------- 1 root root 738 Aug 12 18:20 .viminfoConclusion
This article demonstrated the process of creating a new user and granting them sudo access by adding them to the sudo group. This method is generally preferred as it avoids directly modifying the /etc/sudoers file, which can be risky. However, there are alternative approaches to achieving the same goal. The importance of sudo cannot be overstated in Linux system administration, and understanding how to properly manage user privileges is essential for maintaining a secure and stable system.
Alternative Solutions for Creating a sudo-enabled User
While the method described above is common and recommended, there are alternative approaches to granting sudo access. These alternatives may be useful in specific situations or offer more granular control over user privileges.
1. Directly Editing the /etc/sudoers File (Using visudo)
The /etc/sudoers file controls sudo permissions. While directly editing this file is generally discouraged due to the risk of syntax errors that can lock you out of sudo access, the visudo command provides a safe way to modify it. visudo locks the file against simultaneous edits and performs syntax checking before saving changes.
Explanation:
Instead of adding the user to the sudo group, you can explicitly grant them sudo access by adding a line to the /etc/sudoers file. This allows for very specific control over which commands the user can execute with sudo.
Code Example:
First, run visudo:
$ visudoThis will open the /etc/sudoers file in a text editor (usually vi or nano, depending on your system’s configuration). Add a line similar to the following:
bob ALL=(ALL:ALL) ALLbob: The username.ALL: The hostname the rule applies to (in this case, all hosts).(ALL:ALL): The user and group the command will be run as (in this case, root user and root group).ALL: The commands the user can run withsudo(in this case, all commands).
To restrict the user to running only specific commands with sudo, you would replace the final ALL with the full paths to those commands. For example:
bob ALL=(ALL:ALL) /usr/bin/apt-get update, /usr/bin/apt-get upgradeThis would allow bob to only run apt-get update and apt-get upgrade with sudo.
Important Considerations:
- Syntax: Be extremely careful with the syntax. Incorrect syntax can render
sudounusable. - Security: Be mindful of the privileges you are granting. Avoid granting unnecessary privileges.
- Documentation: Refer to the
sudoersman page (man sudoers) for detailed information on the syntax and options.
2. Creating a Custom Group with sudo Privileges
Instead of using the default sudo group, you can create a custom group and grant that group sudo privileges in the /etc/sudoers file.
Explanation:
This approach offers a way to manage sudo access for a group of users independently of the default sudo group. It allows for more fine-grained control over permissions and can improve organization when managing multiple users with different sudo requirements.
Code Example:
First, create a new group:
$ groupadd adminsThen, add the desired users to the new group:
$ usermod -aG admins bob
$ usermod -aG admins aliceNext, use visudo to grant the admins group sudo privileges:
$ visudoAdd the following line to the /etc/sudoers file:
%admins ALL=(ALL:ALL) ALLThe % symbol indicates that this rule applies to a group rather than a user. Like the previous example, you can restrict the commands the group can run by replacing the final ALL with a comma-separated list of commands.
Benefits:
- Organization: Easier to manage
sudoprivileges for a group of users. - Flexibility: Allows for creating groups with specific
sudopermissions tailored to different roles. - Clarity: Makes it clear which users have specific
sudoprivileges based on their group membership.
In summary, while adding a user to the default sudo group is the most common and straightforward approach, understanding alternative methods like directly editing the /etc/sudoers file (using visudo) or creating custom groups with sudo privileges provides you with greater flexibility and control over user management on your Linux systems. Remember to always exercise caution and thoroughly understand the implications of any changes you make to the /etc/sudoers file.