This tutorial explains how to add, delete and grant Sudo privileges to users in Linux operating systems. The steps provided below are tested in Ubuntu 20.04 LTS edition. However, the steps are same on other distributions such as Arch Linux, Debian, Fedora, CentOS, RHEL, openSUSE etc. Before getting into the topic, let us see what is sudo and its benefits.
What is sudo user?
In Linux and Unix operating systems, there is a special user named root. The root user can do anything and everything in a Unix-like system. Using root user for the day to day activities can be dangerous and not recommended. One wrong command can destroy the whole system! This is where the “sudo” comes in help. It allows the authorized users to perform tasks with root-level privileges, even if they don’t know the root user password. This is why it is important to create a regular user and add him to sudo user group to perform administrative tasks whenever necessary. Hence, this user can act as both regular user and administrative user when running commands prefixed with sudo.
Benefits of being sudo
- The root password need not to be shared with other users.
- The users’ need not to know the root user password to perform administrative tasks.
- When doing an administrative task, the users will be prompted for the sudo password before any changes can happen in the system. It should make the users to think about the consequences of what they are doing.
- The admin rights can be easily granted to the users and revoked at any time if they no longer required.
- Some Linux distributions, for example Ubuntu, disables the root user by default. So there is no way to launch brute-force attacks on the root user. Even if someone try, it would be pointless. Because there is no root password to crack.
- More importantly, the sudo session will be timed-out after a short period. Just in case if you left the terminal open after running commands as root user with sudo permission, the authentication automatically expires. Hence, the other users can’t do any further administrative tasks. By default, the password is stored for 15 minutes in the current session. After that, you need to enter the password again.
- Monitor the sudo users’ command line activity. sudo adds a log entry of the commands run by the users in /var/log/auth.log file. If there is any problem, you can look into those commands and try to figure out what went wrong.
These are a few advantages of being a sudo user. Now, let us go ahead and see how to add, delete and grant Sudo privileges to users in Linux
Add, Delete and Grant Sudo Privileges To Users In Linux
First, we will create a regular user.
1. Add New User In Linux
First, create a regular user, for example “ubuntuserver”. To do so, run:
$ sudo adduser ubuntuserver
Adding user `ubuntuserver' ... Adding new group `ubuntuserver' (1001) ... Adding new user `ubuntuserver' (1001) with group `ubuntuserver' ... Creating home directory `/home/ubuntuserver' ... Copying files from `/etc/skel' ... New password: Retype new password: passwd: password updated successfully Changing the user information for ubuntuserver Enter the new value, or press ENTER for the default Full Name : ubuntu 20.04 server Room Number : Work Phone : Home Phone : Other : Is the information correct? [Y/n] y
A new user named “ubuntuserver” has been created.
2. Grant Sudo Privileges To Users In Linux
In some Linux systems, for example Arch Linux, you need to install “sudo” package before creating a new sudo user.
# pacman -S sudo
# apt install sudo
On Ubuntu server and desktops, “sudo” is installed by default.
Now add the newly created user to sudo group using the following command:
$ sudo adduser ubuntuserver sudo
Adding user `ubuntuserver' to group `sudo' ... Adding user ubuntuserver to group sudo Done.
The user called “ubuntuserver” has been granted sudo permissions.
You can also the following command to add a user to sudo group.
$ sudo usermod -aG sudo ubuntuserver
To verify if the user is in the sudo group, run:
$ sudo -l -U ubuntuserver
Matching Defaults entries for ubuntuserver on ostechnix: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User ubuntuserver may run the following commands on ostechnix: (ALL : ALL) ALL
Here, the “(ALL : ALL) ALL” line means that the user has unlimited privileges and can run any command on the system. In this case, the “ubuntuserver” user is in the sudo user group and he can now perform all sort of administrative tasks.
If you open the contents of the sudoers file;
$ sudo cat /etc/sudoers
You would see some lines like below.
[...] # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d
As you can see in the above output, all members of the sudo group can execute any command.
- The first ALL is the users allowed.
- The second ALL is the hosts. If you distribute the same “sudoers” file to many host computers, the user can do administrative commands on all hosts.
- The third one is the user as you are running the command.
- The last one is the commands allowed.
2.1. Verify Sudo Users
To verify, if the user can be able to perform administrative tasks, log out and log back in as the new user.
Alternatively, you can immediately log in as other user with sudo privilege, without having to log out from the current session, like below.
$ sudo -i -u <username>
$ sudo -i -u ubuntuserver
Now, run any commands with prefix “sudo” like below.
$ sudo apt update
3. Delete Sudo Users
You can remove sudo permissions from a user without having to delete him/her completely. You must be careful when doing this in Ubuntu systems. Do not remove the real administrator from the “sudo” group. There should be at least one sudo user in the system.
To revoke sudo permissions from a user, the command would be:
$ sudo deluser ubuntuserver sudo
The above command will remove the user named “ubuntuserver” from “sudo” group.
Removing user `ubuntuserver' from group `sudo' ... Done.
Please note that this command will only remove the user ‘ubuntuserver’ from the sudo group, but it will not delete the user permanently from the system.
Alternatively, run the following command to revoke the sudo permission from the user:
$ sudo gpasswd -d ubuntuserver sudo
Now, the user becomes a regular user and can’t do any administrative tasks with sudo permission.
To verify if the user has really been removed from “sudo” group, run:
$ sudo -l -U ubuntuserver
User ubuntuserver is not allowed to run sudo on ostechnix.
The sudo permission has been removed from the user.
4. Delete Users Permanently
In the above step, we have only removed the users from the “sudo” group. But the user still exists in the system. To remove a user completely from a Linux system, log in as root or sudo user and run:
$ sudo deluser <username>
$ sudo deluser ubuntuserver
If you want to remove a user along with their home directory and mail spool, run:
$ sudo deluser --remove-home ubuntuserver
Looking for files to backup/remove ... Removing files ... Removing user `ubuntuserver' ... Warning: group `ubuntuserver' has no more members. Done.
For more details, check man pages.
$ man adduser
$ man deluser
$ man sudo