- Add sudo user oracle linux
- About Administrative Access on Oracle Linux
- Using the sudo Command
- Using the visudo Command
- Adding User Authorizations in the sudoers.d Directory
- Adding User Authorizations in the sudoers File
- Using Groups to Manage User Authorizations
- Adding Users to an Instance
- Creating Additional Users on a Linux Instance
- Creating Additional Users on a Windows Instance
Add sudo user oracle linux
In Oracle Linux, only administrators can perform privileged tasks on the system.
To grant users additional privileges, an administrator can use the visudo command to either create a new configuration file in the /etc/sudoers.d directory or modify the /etc/sudoers file.
Privileges that an administrator assigns by using configuration files in the /etc/sudoers.d directory are preserved between system upgrades and skipped automatically by the sudo command if they are invalid. Administrators can also change file ownership and permissions for each configuration file. For more information, see Adding User Authorizations in the sudoers.d Directory.
Alternatively, an administrator can assign privileges directly in the /etc/sudoers file by using the visudo command. For more information, see Adding User Authorizations in the sudoers File.
About Administrative Access on Oracle Linux
By default, any user can elevate to a root shell by running the su command and provide the root user password:
Any user can also perform single administrative tasks in the same shell, but those commands cannot be executed until that user provides the root user password:
Elevating to a root shell by using the su command can work well for single user environments and workstations because only one person needs to administer the system and know the root user password. However, that does not scale well for shared systems with multiple users and administrators that require varying levels of access.
Oracle strongly recommends against sharing your root user password with anyone else or allowing remote users to sign in as the root user, both of which constitute poor and highly risky security practice.
The sudo command is better suited for shared systems because any user can supply their own credentials when they elevate to a root shell:
Users can subsequently terminate their root shell in the same way they would have if they had elevated directly with the su command and provided the root user password:
In addition, users can run the sudo command to perform single administrative tasks with elevated permissions:
For more information, see the su(1) , sudo(8) and sudoers(5) manual pages.
You can optionally disable the root user during the Oracle Linux 8 installation process and grant sudo administrator privileges to the first user. For more information, see Oracle Linux 8: Installing Oracle Linux.
Using the sudo Command
If your user has been granted sudo access then you can run administrative commands with elevated privileges:
Depending on your sudoer configuration, you may also be prompted for a password.
In some situations, you may have set environment variables that you want to reuse or preserve while running elevated commands, and you can do so by using the -E option.
For example, you may have connected your Oracle Linux system to an enterprise intranet or virtual private network (VPN) for which you also need proxy settings for outbound Internet access.
The environment variables on which terminal commands rely for proxy access are http_proxy , https_proxy and no_proxy , and you can set them in your ~/.bashrc configuration file:
export http_proxy=http://example.com export https_proxy=https://example.com export no_proxy=localhost,127.0.0.1
Run the source command to refresh your environment variables without signing out:
You can now safely pass those proxy settings to elevated commands. For example, to run the curl command with administrative privileges:
sudo -E curl https://docs.oracle.com
An administrator can optionally set system-wide proxy environment variables by configuring them in a shell script and then saving that file in the /etc/profile.d/ directory.
You can also use sudo access to start an elevated root shell. The -s option elevates your user to a root shell as the root user and the -i option to elevates your user to a root shell while preserving your user profile and shell configuration:
When you have finished running administrative commands, terminate the root shell and return to your usual privilege level by using the exit command.
For more information about configuring network settings, see Oracle Linux 8: Setting Up Networking.
Using the visudo Command
To edit the /etc/sudoers file in the vi text editor without risking any change conflicts from other users on the system, use the visudo command:
To learn more about how to configure the the /etc/sudoers file, see Adding User Authorizations in the sudoers File and the visudo(8) manual page.
Administrators can also use the visudo command to manage permission files for individual users in the /etc/sudoers.d/ directory. For more information, see Adding User Authorizations in the sudoers.d Directory.
Adding User Authorizations in the sudoers.d Directory
To set privileges for a specific user, add a file for them in the /etc/sudoers.d directory. For example, to set sudo permissions for the user alice :
sudo visudo -f /etc/sudoers.d/alice
You can append permissions to /etc/sudoers.d/alice in the following format:
username is the name of the user, hostname is the name of any hosts for which you are defining permissions, and command is the permitted command with full executable path and options. If you do not specify options, then the user can run the command with full options.
For example, to grant the user alice permission to install packages with the sudo dnf command on all hosts:
You can also add several comma separated commands on the same line. To allow the user alice to run both the sudo dnf and sudo yum commands on all hosts:
alice ALL = /usr/bin/dnf, /usr/bin/yum
The alice user still needs to use sudo when they run privileged commands:
Adding User Authorizations in the sudoers File
To set user privileges directly in the /etc/sudoers file, run the visudo command without specifying a file location:
You can append permissions to the /etc/sudoers file in exactly the same format that you would if you were adding those permissions to user files in the /etc/sudoers.d/ directory.
In both cases, you can use aliases to permit broader permission categories instead of specifying each command individually. The ALL alias functions as a wildcard for all permissions, so to set the user bob to have sudo permission for all commands on all hosts:
Additional aliased categories are listed in the /etc/sudoers file and the sudoers(5) manual page. You can create your own aliases in the following format:
Cmnd_Alias ALIAS = command
In addition, you can also add several comma separated aliases on the same line. For example, to grant the user alice permission to manage system services and software packages:
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable alice ALL= SERVICES, SOFTWARE
Both users still need to use sudo when they run privileged commands:
sudo systemctl restart service
Using Groups to Manage User Authorizations
Instead of specifying different levels of sudo access for each individual user you can optionally manage sudo access at group level by adding the % symbol to the group name.
For example, to define permissions for an existing group called example in the /etc/sudoers.d/ directory and then add the user alice to that group:
- Create the /etc/sudoers.d/example file by using the visudo command:
sudo visudo /etc/sudoers.d/example
%example ALL= SERVICES, SOFTWARE
sudo usermod -aG example alice
Alternatively, you can set group permissions directly in the /etc/sudoers file. For example, to grant the user bob full sudo access on all hosts, enable the existing group wheel , and then add the user bob to it:
- Open the /etc/sudoers file by using the visudo command:
sudo usermod -aG wheel bob
Adding Users to an Instance
If you created your instance using a Linux or CentOS platform image, you can use SSH to access your instance from a remote host as the opc user. If you created your instance using an Ubuntu platform image, you can use SSH to access your instance from a remote host as the ubuntu user. After signing in, you can add users to the instance.
If you created your instance using a Windows platform image, you can create new users after you sign in to the instance through a Remote Desktop client.
Creating Additional Users on a Linux Instance
If you do not want to share your SSH key, you can create additional SSH-enabled users for a Linux instance. At a high level, you do the following things:
- Generate SSH key pairs for the users offline.
- Add the new users.
- Append a public key to the ~/.ssh/authorized_keys file for each new user.
The new users then can SSH to the instance using the appropriate private keys.
If you re-create an instance from a platform image, users and SSH public keys that you added or edited manually (that is, users that weren’t defined in the machine image) must be added again.
If you need to edit the ~/.ssh/authorized_keys file of a user on your instance, start a second SSH session before you make any changes to the file and ensure that it remains connected while you edit the file. If the ~/.ssh/authorized_keys file becomes corrupted or you inadvertently make changes that lock you out of the instance, you can use the backup SSH session to fix or revert the changes. Before closing the backup SSH session, test all changes you made by logging in with the new or updated SSH key.
To create an additional SSH-enabled user:
- Generate an SSH key pair for the new user.
- Copy the public key value to a text file for use later in this procedure.
- Sign in to the instance.
- Become the root user:
should be the SSH public key itself, not the name of the file containing the key.
echo >> /home/ /.ssh/authorized_keys
The new user can now sign in to the instance.
Creating Additional Users on a Windows Instance
For the most current steps, see Manage User Accounts in the Microsoft documentation.
- Sign in to the instance using a Remote Desktop client.
- On the Start menu, click Control Panel.
- Click User Accounts, and then click User Accounts again.
- Click Manage another account.
- Click Add a user account.
- Enter a User name and Password.
- Confirm the password, and then create a Password hint.
- Click Next.
- Verify the account, and then click Finish. The new user can now sign in to the instance.