Creating sudo user linux

How to Create a New Sudo User & Manage Sudo Access on Ubuntu 20.04

You probably have heard of the concept “In Linux, everything is a file”. This sounds somewhat puzzling since the Linux system comprises various entities and not just files. We have directories, symbolic links, processes, pipes, and sockets just to mention a few. The oversimplification simply gives a high-level overview of the Linux architecture. It implies that in a Linux system, every single entity is considered a file. These entities are represented by a file descriptor which is a unique identifier for a file or other resources such as directories, network sockets, or processes – hence the concept “everything is a file”.

This oversimplification then leads us to the concept of file permissions and directories. By default, each file in Linux has its own permissions and directories. These permissions determine access rights or privileges that users have on the file. If you own a file or a directory, you can pretty much do anything you want with it – you can access it, edit it, rename and even delete it.

But not all users are the same. One unique user in the Linux system is the root user. The root user is an administrative user with the highest privileges and is not bound by any permission restrictions. The user can do pretty much anything. This includes installing and uninstalling programs, accessing and modifying system files, and customizing the system. The root user can also break the system, whether intentionally or accidentally – which is why it’s not recommended to log in and run the system as the root user. It only takes one wrong command to crash the system. For this reason, it’s always recommended to run commands as a sudo user.

Step 2: Create a new user

Once logged in, create a new regular user using the adduser command. Here, jumpcloud is our new user.

The command does a couple of things. First, It creates a new user and primary group called jumpcloud , and then adds the user to the group. Next, a home directory for the user is created and configuration files are copied into it. Thereafter, you will be prompted to type in the new user’s password. Be sure to provide a strong password and confirm it.

Once the user’s password is set, some additional information will be required of you. Fill in where necessary or leave it blank by hitting ENTER if the information is not applicable.

To confirm that the newly added user was created, view the /etc/passwd file using the cat command. This provides information such as the UID (User ID), GID (Group ID), and the path to the home directory.

# cat /etc/passwd | grep jumpcloud

Similarly, you can retrieve the user details using the id command.

Step 3: Add the new user to the sudo group

A sudo group is a group of superusers that have privileged access to root commands. With that in mind, proceed and add the new user to the sudo group using the usermod command as follows.

# usermod -aG sudo jumpcloud

To verify that the user has been added to the sudo group, use the id command.

From the output, we can see that the user now belongs to two groups: jumpcloud and sudo . Alternatively, you can also run the groups command to only display the groups that the user belongs to.

Perfect! The new user is now a sudo user and has unrestricted access to root privileges.

Step 4: Test sudo

With the sudo user already in place, we are going to proceed and test the user. So, switch to the sudo user using the su command.

The command places you in the user’s home directory path.The syntax for using sudo is indicated below

As an example, we are going to update the package lists of our system. So, invoke sudo followed by the command to be executed.

When prompted, type in the password of the user and hit ENTER. The command will execute successfully – a confirmation that the user has successfully been added to the sudo group and can now perform elevated system tasks.

Understanding the sudoers file

The sudo user that we have created assumes all the rights and privileges of the root user and can run virtually any command. However, good practice recommends that you employ the least privilege principle. This is a security concept whereby a user is only assigned minimum access rights or permissions to perform their role. Therefore, as a systems administrator, you should only grant the necessary permissions to the sudo user to allow them to perform their roles.

The sudoers file /etc/sudoers is a file that spells out which users can run what commands on the system. It comprises a set of rules that govern which users or groups can run elevated tasks. To grant or restrict root privileges to users, you need to edit this file.

You should never edit the sudoers file using a normal text editor like nano or vim as this could lead to a corrupted file which can potentially lock everyone out including the admin. As such, the sudoers file should be accessed by executing the command visudo as follows.

This opens the /etc/sudoers file using the nano editor as shown. All lines starting with a hash sign – # – are comments and do not have any effect or impact on the file.

By default, the file has 6 uncommented lines. Let’s skip to the user privilege line which is the fourth line.

• The first parameter points to the username – in this case root user.
• The first “ALL” indicates that the rule is applicable to all hosts.
• The second “ALL” indicates that the root user can execute all commands as all users.
• The third “ALL” shows that the root user can execute all commands as all the user groups.
• Finally, the last “ALL” indicates that the rules are applicable to all commands.

The next two lines define the sudo rules for groups. The “%” defines a group. Here, we have two groups that have been defined: admin and sudo groups.

The second line indicates that the admin group can run all commands as any user.

The third line indicates that the sudo user can run any command as any user and as any group.

Editing the sudoers file directly is not recommended. Instead, it is preferred to place the associated sudo rules in the /etc/sudoers.d directory. This makes it easy for sysadmins to keep track of which rules apply to which user accounts. Files placed in this directory will follow the same rules as the sudoers file.

How to restrict sudo users from executing certain commands

As we pointed out earlier, you might need to limit sudo users from running certain system commands. To accomplish this, you need to create a sudo rule in the /etc/sudoers.d directory.

For demonstration, we will create a rule called jumpcloud which restricts the sudo user from upgrading the packages to their latest versions.

Next, copy and paste the line shown and save the changes.

jumpcloud ALL=(ALL) !/usr/bin/apt upgrade

The rule indicates that the jumpcloud user can execute all commands as the root user with the exception of the apt upgrade command. Note that you need to provide the full path of the command prefixed by an exclamation mark.

To find the full path of a command, use the which command syntax as shown.

When the user tries to upgrade the packages, an error is splashed on the screen indicating that the user is not allowed to do so.

Where multiple commands are involved, list them in a single line separated by a comma. In the example below, the sudo user has been limited from shutting down and rebooting the system. Notably, there are multiple ways of shutting down or rebooting a Linux system, and the associated commands have been listed in a single line below.

jumpcloud ALL=(ALL) !/usr/sbin/shutdown,!/usr/sbin/poweroff, !/usr/sbin/reboot,!/usr/sbin/init,!/usr/sbin/halt

Any attempt to power off or reboot the system by the user will be thwarted by the system.

How to run specific sudo commands without a password

Sometimes, you might need to run some commands without being prompted for a password. This is particularly helpful if you are running a script containing a sudo command.

To achieve this, use the directive NOPASSWD followed by the full path to the command. In the example below, the user can update the package lists without a password prompt.

jumpcloud ALL=(ALL) NOPASSWD: /usr/bin/apt update

Conclusion

Managing user privileges is usually one of the top-of-mind tasks that every system administrator has to undertake. Sudo privileges should only be granted to trusted users such as support or operation teams.

It’s always recommended to restrict sudo users to a subset of system commands. By doing so, you provide them with the basic privileges that they need to perform their roles. Unrestricted sudo access can be detrimental as this can lead to the sudo user performing some unauthorized operations which can wreak havoc on the system. Or worse, unrestricted sudo access privileges can make it that much easier for a malicious actor to take over the system.

That being said, managing the process to assign specific permissions to specific users can be overly time consuming and quickly overwhelm your priorities, especially if you are facing a growing environment and a growing team. JumpCloud’s Linux device management capabilities make it easier to manage sudo access across entire fleets through its user security settings and permissions. To see how this works, along with a number of other device security and management features, sign up for a free demo today.

Источник

The Ultimate Guide to Linux — Creating a Sudo User

sudo stands for either «superuser do» or «switch user do», and sudo users can execute commands with root/administrative permissions, even malicious ones. Be careful who you grant sudo permissions to – you are quite literally handing them the key your house.

Before creating a new sudo user, you must first create a new user.

How to Create a New User

Use adduser or useradd to add a new user

Be sure to replace username with the user that you want to create. Also, note that to create a new user, you must also be a sudo user yourself.

Use passwd to update the new user’s password

A strong password is highly recommended!

Give the New User Sudo Permissions

After creating a new user, add them to the appropriate group using the usermod command.

On Debian systems (Ubuntu / Linux Mint / ElementryOS), add users to the sudo group

sudo usermod -aG sudo username

On RHEL based systems (Fedora / CentOS), add users to the wheel group

sudo usermod -aG wheel username

How to Delete a User

To delete a user, use the following commands.

Debian based systems (Ubuntu / Linux Mint / ElementryOS)

RHEL based systems (Fedora / CentOS)

That’s all you need to know about creating a new sudo user in Linux. And remember, «With great power comes great responsibility.»

If this article was helpful, tweet it .

Learn to code for free. freeCodeCamp’s open source curriculum has helped more than 40,000 people get jobs as developers. Get started

freeCodeCamp is a donor-supported tax-exempt 501(c)(3) charity organization (United States Federal Tax Identification Number: 82-0779546)

Our mission: to help people learn to code for free. We accomplish this by creating thousands of videos, articles, and interactive coding lessons — all freely available to the public. We also have thousands of freeCodeCamp study groups around the world.

Donations to freeCodeCamp go toward our education initiatives, and help pay for servers, services, and staff.

Источник