Enable sudo on linux


Sudo (sometimes considered as short for Super-user do) is a program designed to let system administrators allow some users to execute some commands as root (or another user). The basic philosophy is to give as few privileges as possible but still allow people to get their work done. Sudo is also an effective way to log who ran which command and when.

Notes for new Debian users

Some new Debian users, usually coming from Ubuntu, are shocked by problems like «sudo not working in Debian». However, this situation only happens if you have set a root password during your Debian installation.

If you like sudo and want to install it (even if you skipped it during your Debian installation), you can, but you have to do it without sudo: become root with the su command, install the package, add yourself to the sudo group, and then do a full logout and login.

    $ su -
    Password: (enter here the password of the root user that you specified during your Debian installation, and press Enter)
    # apt install sudo
    # adduser jhon-smith sudo

(Obviously just replace «jhon-smith» with your personal username)

Then please do a full logout and login again.

Why not sudo?

Note that, historically, all Unix-like systems worked perfectly even before «sudo» was invented. Moreover, a system without sudo could still have security benefits, since the sudo package could be affected by security bugs, like any additional part of the system.

Many Debian users do not install sudo. Instead, they open a terminal as root (for example with su - from a normal user), so they do not have to put «sudo» in front of any command.

Why sudo?

  • Nobody needs to know the root password (sudo prompts for the current user’s password). Extra privileges can be granted to individual users temporarily, and then taken away without the need for a password change.
  • It’s easy to run only the commands that require special privileges via sudo; the rest of the time, you work as an unprivileged user, which reduces the damage that mistakes can cause.
  • Auditing/logging: when a sudo command is executed, the original username and the command are logged.

For the reasons above, switching to root using sudo -i (or sudo su) is usually discouraged, because it cancels most of the above features.
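
The audit trail described above can be read back from the log. The following script is an added example, not part of the original page: it lists sudo denials and flags root shells opened through sudo -i or sudo su. The log lines are constructed samples in the syslog format sudo writes (on Debian typically /var/log/auth.log), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines in sudo's syslog format (not real log data).
SAMPLE_LOG='Jan 10 09:14:02 localhost sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan 10 09:20:41 localhost sudo:     jdoe : command not allowed ; TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/test
Jan 10 09:31:17 localhost sudo:      foo : TTY=pts/1 ; PWD=/home/foo ; USER=root ; COMMAND=/bin/bash
Jan 10 09:40:55 localhost sudo:      foo : TTY=pts/1 ; PWD=/home/foo ; USER=root ; COMMAND=/usr/bin/su
Jan 10 09:41:03 localhost sshd[811]: Accepted publickey for foo from 192.0.2.10 port 50122 ssh2'

# sudo_events: read syslog lines on stdin and print one tab-separated
# record per sudo entry: user, status, command. The status is "ok", or
# the reason sudo logged when it refused the command.
sudo_events() {
    awk '
    / sudo(\[[0-9]+\])?: / && /COMMAND=/ {
        line = $0
        sub(/^.* sudo(\[[0-9]+\])?: */, "", line)   # drop timestamp, host, tag
        user = line; sub(/ : .*$/, "", user)
        rest = line; sub(/^[^:]* : /, "", rest)
        cmd = rest;  sub(/^.*COMMAND=/, "", cmd)
        status = "ok"
        if (rest !~ /^TTY=/) { status = rest; sub(/ ; .*$/, "", status) }
        printf "%s\t%s\t%s\n", user, status, cmd
    }'
}

# root_shells: successful runs whose command is a shell or su, which is
# what "sudo -i" and "sudo su" leave in the log. By default, commands
# typed inside that shell get no sudo log entries of their own.
root_shells() {
    sudo_events | awk -F'\t' '
    $2 == "ok" && $3 ~ /^(\/usr)?\/bin\/((ba|da|z)?sh|su)( |$)/ { print $1 ": " $3 }'
}

# denied: attempts that sudo refused, with the reason it recorded.
denied() {
    sudo_events | awk -F'\t' '$2 != "ok" { print $1 ": " $3 " (" $2 ")" }'
}

printf '%s\n' "$SAMPLE_LOG" | root_shells
printf '%s\n' "$SAMPLE_LOG" | denied
```

On a live system the same functions read the real log on standard input, for example root_shells < /var/log/auth.log, run as a user who may read that file.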

Users and sudo

Debian’s default configuration allows users in the sudo group to run any command via sudo.

Verifying sudo membership

uid=1001(foo) gid=1001(foo) groups=1001(foo),27(sudo)

Add existing user from commandline

    # adduser foo
    # adduser foo sudo

After being added to a new group, the user must log out and log back in for the new group to take effect, because groups are only assigned to users at login time. A very common source of confusion is that people add themselves to a new group, do not log out and back in, and then have problems because the group is not assigned; be sure to verify group membership.


Creating users with sudo

You can also create new users with sudo membership:

Creating new user while installing OS

As of Debian Squeeze, if you give root an empty password during installation, sudo will be installed and the first user will be able to use it to gain root access (currently, the user will be added to the sudo group). The system will also configure gksu and aptitude to use sudo. You should still verify group membership after logging in as the installed user.

Creating new user from commandline

(or first get root as in the previous section). You should then log in as the new user and verify group membership.

Configuration overview

Now, if you want to allow certain users to execute certain programs, here’s a quick example (for more information, read the fine manual), which you can put in a file in /etc/sudoers.d, probably using visudo -f /etc/sudoers.d/myfile.

    User_Alias MYADMINS = jdoe
    Cmnd_Alias SHUTDOWN = /sbin/reboot, /sbin/poweroff
    Cmnd_Alias PKGMGMT = /usr/bin/dpkg, /usr/bin/apt-get, /usr/bin/aptitude

    # Users listed above (MYADMINS) can run package managers and reboot the system.
    MYADMINS ALL = PKGMGMT, SHUTDOWN

Problems and tips

Sorry, user jdoe is not allowed to execute .

    $ sudo test
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    [sudo] password for jdoe:
    Sorry, user jdoe is not allowed to execute '/usr/bin/test' as root on localhost.

This message means what it says: the user you’re running as isn’t allowed to execute the given command on the given machine. One confusing possible reason for this is that the administrator has just added user jdoe to a privileged group — but you’re still using the old login, which doesn’t have that new group information, and therefore has no new sudo-ing rights. People in this situation are usually advised to log out completely and back in again, though you can sometimes get away with just performing a «re-login on the spot» with su - $USER or changing group with newgrp sudo.
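
The stale-login situation described above, and in the earlier note on group changes, can be detected by comparing the groups of the running session with the group database. This is an added example, not from the original page; the function names are hypothetical and group names are assumed to contain no spaces.

```shell
#!/bin/sh
# missing_in_session SESSION_GROUPS DB_GROUPS
# Print each group the database assigns to the user that the current
# login session does not carry yet. Both lists are space-separated.
missing_in_session() {
    for g in $2; do
        case " $1 " in
            *" $g "*) ;;                    # session already has it
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# sudo_group_state SESSION_GROUPS DB_GROUPS
# active  : this session is in the sudo group
# relogin : the database has the user in sudo, this session does not
# absent  : the user is not in the sudo group at all
sudo_group_state() {
    case " $1 " in *" sudo "*) echo active; return 0 ;; esac
    case " $2 " in *" sudo "*) echo relogin; return 0 ;; esac
    echo absent
}

# check_me: the same test on the live system. "id -Gn" without a user
# reports the groups of this process, which were fixed at login;
# "id -Gn USER" looks the user up in the group database afresh.
check_me() {
    me=$(id -un) || return 1
    sudo_group_state "$(id -Gn)" "$(id -Gn "$me")"
}

# Constructed case: foo was added to sudo after logging in.
sudo_group_state "foo cdrom" "foo cdrom sudo"
missing_in_session "foo cdrom" "foo cdrom sudo"
```

A result of relogin from check_me means the sudo error comes from the old login, not from the sudoers configuration.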

The include directive

This makes it possible for other packages to provide snippets in /etc/sudoers.d/ which modify the configuration of sudo. It may look as if it needs to be edited to take out the leading number sign (a.k.a. "hash" or "pound"), but no, the '#' is part of the directive!

It is recommended that you make local changes in a snippet as well.

sudoers is read-only

Yes, the file /etc/sudoers is intentionally set read-only, even for root!

The explanation is that it was set up this way to motivate admins to only ever edit it via the command visudo, which provides additional checking before leaving the new file in place. You might think that the fix for a mangled /etc/sudoers is as simple as su -c visudo, but sudo is often used in places where su'ing to root is not possible, because you simply don't know the root password.

Beware, most text editors will let you edit the file without complaining about the read-only bit, so you might not automatically get this additional protection.
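
A way to follow the advice in the last three sections (local changes in a snippet, syntax checking by visudo) when installing a file into /etc/sudoers.d, as an added example that is not part of the original page. The function names are hypothetical; the file-name rule comes from sudoers(5), which says the include directory skips names that end in ~ or contain a dot.

```shell
#!/bin/sh
# dropin_name_ok NAME
# Per sudoers(5), files in the include directory whose names end in "~" or
# contain a "." are skipped without any error, so the rules never apply.
# A slash is rejected too, since NAME must be a plain file name.
dropin_name_ok() {
    case "$1" in
        ""|*.*|*"~"|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# install_dropin CANDIDATE NAME [DIR]
# Check CANDIDATE with visudo before it goes live, then install it with
# mode 0440. DIR defaults to /etc/sudoers.d, which needs root to write.
install_dropin() {
    candidate=$1
    name=$2
    dir=${3:-/etc/sudoers.d}
    dropin_name_ok "$name" || { echo "sudo would ignore '$name'" >&2; return 2; }
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 3; }
    # -c: check only, -f: the file to check instead of /etc/sudoers
    visudo -cf "$candidate" >/dev/null || { echo "syntax error, not installed" >&2; return 4; }
    install -m 0440 "$candidate" "$dir/$name"
}

# Constructed file names: which ones would sudo actually read?
for n in myfile 10-admins admins.conf myfile~; do
    if dropin_name_ok "$n"; then echo "$n: read"; else echo "$n: skipped"; fi
done
```

Because the candidate is checked before it is copied, a typo is rejected while the working configuration is still in place.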

Require root password

If you want to require the root password for use of sudo, rather than the user password, add the line:

No password prompt for sudo user

If you want sudo group members to execute commands without password, add the line:

Customize credentials cache timeout

By default, after asking for a password, sudo caches your credentials for 15 minutes. You can change this behavior by running visudo and customizing the timeout for a specific user:

Defaults:foobar timestamp_timeout=30

See also

  • Manpages: sudoers(5), sudo(8), visudo(8), sudoedit(8), sudoreplay(8)
  • Doas - A lighter and more minimalistic tool for the same purpose, with simpler configuration.


How to enable sudo on Debian 11 / 10?

Debian 11 has come out of the oven. It is great news for all users of this great Linux distribution. However, it is also great for all of us who use Linux. If, like me, you have just installed it, you will notice that your regular user cannot use sudo. And if you come from using Ubuntu or Linux Mint, then surely you miss it. So this post will show you how to enable sudo on Debian 11 / 10.

Introduction – What is sudo?

On a PC that runs a Linux distribution there are different users, each with defined roles and permissions. For example, installing a package in Debian requires root user privileges, so not all users can do all things.

The sudo program is part of the GNU suite. It is a small application that allows the execution of commands with the security privileges of another user. Normally, this “other” user is root.

By Debian security policy, this program is not enabled for your regular user. The truth is that if you use Debian on your personal computer, you can enable it and it would not be a problem. However, if you install Debian to be used on a server, you should not do it.

In any case, sudo allows you to execute commands that your user can not. In addition, the commands that are applied with sudo are not registered in the system log.

Enable sudo on Debian 11 / 10

Depending on how you installed Debian 11 / 10, sudo may not have been installed by default. This is normal, actually. So first you have to install it and for that, you need to have access to the root user of the system. This is vital.


So, open a terminal or connect to your server using SSH.

Then, you will have to enter the root user's password. If you did the installation, there should be no problem.

After that, you can install sudo from the Debian repositories.

Sudo is quite light so the installation is quite fast.

Now you have to modify the file /etc/sudoers which is where all the sudo configuration is located. You can use the nano editor for this.

The file does not have too many lines. In the user privilege specification section, you will find a line like this.

Under it, add your user and leave the rest the same. Something like this.

1.- Enable sudo on Debian 11 / 10

Next, press CTRL + O to save the changes and CTRL + X to close it.

After that, you can use sudo.


5 COMMENTS

Thank you … this was the only working tutorial I found on the web … a big shame on the Debian forums because they are bashing each other … but no useful information.
It seems Debian is on the wrong path … they like to be like Ubuntu or some other “user-friendly” distribution.
Now in Debian Buster they use clear the wrong way … they force the user to change their habits.
Before I found your tutorial I was close to removing Debian 10 from the hard drive and installing FreeBSD, because it's much simpler than the modern garbage in Debian 10.
In a car I like to crank the window by hand … it's simple and useful … no electronics can fail, and in an operating system I also like the simple and stupid methods to administrate everything. But what should I do when they remove the good old simple things? … Throw the computer out of the window?
Sorry for my emotional comment, but I worked the whole evening on this silly … sudo problem … wasting time.
And sorry for my bad English.
Thank you again and goodbye.

Well, first of all you don’t need to install and configure sudo if you actually *read* what the Debian Installer tells you. When asking to set root password it explicitly says that you can leave it blank, and then the root account will be locked, and the user you add later on will be configured to use sudo by default. Then, manually editing /etc/sudoers is not needed – just add your user to the ‘sudo’ group with:
    # adduser <username> sudo
Finally, *DO NOT* edit /etc/sudoers straight with an editor! One mistake – and you may be locked out of using sudo, and if the root account is already locked, you’re screwed. Use ‘visudo’ – it checks if your edits are correct before applying them.

The problem with is it’s best practice not to do anything as root directly – so if we did elect to have a different root password, it still makes sense to configure the user in the sudoers automatically. Similar to the best practice of NOT editing important configuration files in a normal editor. You know the joke, don’t drink and root: rm -rf /
