How to Add a User to the sudoers File in Linux

Configurare noua (How To)

Situatie

The people who can use the Linux sudo command are members of a small and select club, sometimes called the “sudoers” list. Each member has the same powers as root. So how do you join that club? We’ll walk through adding a person to sudoers as well as editing the sudoers file to limit permissions.

Solutie

sudo: Your Superpowered Alter-Ego

In Linux installations, the root user is the most highly-privileged user. They can perform any administrative task, access any file regardless of actually owns it, and they can create, manipulate, and even remove other users.

This level of power is dangerous. If root makes a mistake, the results can be catastrophic. They have the ability to mount and unmount file systems, and to over-write them entirely. A much safer way to work is to never log in as root.

Nominated users can use sudo to temporarily gain administrative powers, perform the action that is required, and then return to their normal, unprivileged state. This is safer because you consciously invoke your higher powers when you need them, and while you’re focused on doing whatever it is that requires them.

The sudo command is the Linux equivalent of shouting “Shazam.” When the scary stuff is over, you abandon your superpowered alter-ego and go back to your normal humdrum self.

Logging in as root is turned off by default on most modern distributions, but it can be reinstated. Using the root account for day-to-day work is inadvisable. Mistakes that would ordinarily impact a single user or that would be blocked altogether because of insufficient privileges, can run unhindered if root issues them.

Modern Linux distributions grant sudo privileges to the user account that’s created during the installation or post-installation configuration steps. If anyone else tries to use sudo , they’ll see a warning message like this:

mary is not in the sudoers file. This incident will be reported.

That seems plain enough. Our user mary can’t use sudo because she isn’t “in the sudoers file.” So let’s see how we can add her.

The sudoers File and visudo

Before someone can use the sudo command we need to work with the sudoers file. This lists the user groups of the users who can use sudo. If we need to make amendments to the file, we must edit it.

The sudoers file must be opened using the visudo command. This locks the sudoers file and prevents two people trying to make changes at the same time. It also performs some sanity checks before saving your edits, ensuring they parse correctly and are syntactically sound.

Note that visudo isn’t an editor, it launches one of your available editors. On Ubuntu 22.04, Fedora 37, and Manjaro 21, visudo launched nano. That might not be the case on your computer.

If we want to give someone access to full sudo privileges, we only need to reference some information from the sudoers file. If we want to be more granular and give our user some of the capabilities of root, we need to edit the file and save the changes.

Either way, we need to use visudo.

Add a New sudo User in Ubuntu and Other Linux Distros

We’ve got two users who need access to root privileges in order to carry out their job roles. They are Tom and Mary. Mary needs to have access to everything root can do. Tom only needs to install applications.

Let’s add Mary to the sudoers’ group first. We need to start visudo.

sudo visudo

Launching visudo on Ubuntu Linux

Scroll down in the editor until you see the “User Privilege Specification” section. Look for a comment that says something similar to “Allow members of this group to execute any command.”

The sudoers file open in the nano editor

We’re told that members of the sudo group can execute any command. All we need to know in Mary’s case is the name of that group. It isn’t always sudo ; it might be wheel or something else. Now that we know the name of the group, we can close the editor and add Mary to that group.

We’re using the usermod command with the -a (append) and -G (group name) options. The -G option allows us to name the group we’d like to add the user to, and the -a option tells usermod to add the new group to the list of existing groups this user is already in.

If you don’t use the -a option, the only group your user will be in is the newly added group. Double-check, and make sure you’ve included the -a option.

sudo usermod -aG sudo mary

Using usermod to add the user mary to the sudo group

The next time Mary logs in, she’ll have access to sudo. We’ve logged her in and we’re trying to edit the file system table file, “/etc/fstab.” This is a file that is out of bounds to everyone but root.

sudo nano /etc/fstab

Using usermod to add the user mary to the sudo group

The nano editor opens up with the “/etc/fstab” file loaded.

user mary editing the /etc/fstab file by using sudo

Without sudo privileges, you’d only be able to open this as a read-only file. Mary no longer has those restrictions. She can save any changes she makes. Close the editor and don’t save any changes you may have made.

Limit sudo Privileges by Editing the sudoers File

Our other user, Tom, is going to be granted permission to install software, but he isn’t going to receive all of the privileges that were awarded to Mary.

We need to edit the sudoers file.

sudo visudo

Launching visudo on Ubuntu Linux

Scroll down in the editor until you see the “User Privilege Specification” section. Look for a comment that says something similar to “Allow the members of this group to execute any command.” It’s the same point in the file where we found the name of the group we needed to add Mary to.

Add these lines below that section.

# user tom can install software
tom     ALL=(root) /usr/bin/apt

Adding new entries to the sudoers file

The first line is a simple comment. Note that there is a Tab between the user name “tom” and the word “All.”

This is what the items on the line mean.

  • tom: The name of the user’s default group. Usually this is the same as the name of their user account.
  • ALL=: This rule applies to all hosts on this network.
  • (root): Members of the “tom” group—that is, user Tom—can assume root privileges, for the listed commands.
  • /usr/bin/apt: This is the only command user Tom can run as root.

We’ve specified the apt package manager here because this computer uses Ubuntu Linux. You’d need to replace this with the appropriate command if you’re using a different distribution.

Let’s log Tom in and see if we get the expected behavior. We’ll try to edit the “/etc/fstab” file.

sudo nano /etc/fstab

Trying to edit the /etc/fstab file without sudo privileges

That command is rejected, and we’re told that “user tom isn’t allowed to execute ‘/usr/bin/nano /etc/fstab’ as root …”

That’s what we wanted. User Tom is only supposed to be able to use the apt package manager. Let’s make sure they can do that.

sudo apt install neofetch

User Tom using the apt command with sudo

The command is successfully executed for Tom.

Whosoever Holds This Command

If all your users can use sudo, you’ll have chaos on your hands. But it is worth promoting other users so they can share your administrative burden. Just make sure they’re worthy, and keep an eye on them.

Even if you’re the only user on your computer, It’s worth considering creating another user account and giving it full access to sudo. That way, if you ever find yourself locked out of your main account, you have another account you can log in with to try to remedy the situation.

Tip solutie

Permanent

Voteaza

(6 din 12 persoane apreciaza acest articol)

Despre Autor

Leave A Comment?