Sudo is a command-line tool for Linux that lets users run programs as other users. You have seen that when running commands on Linux (Ubuntu, CentOS, etc.) we sometimes add sudo in front of the command, and without it we get a permission denied error. Basically, sudo stands for superuser do: adding sudo in front of a command grants ordinary users superuser rights, if they are allowed. This article shows how to allow a user to run sudo commands.
There are two ways to add a user to the sudoers list:
- adding the user to the sudo/wheel group
- adding the user directly to the /etc/sudoers file
In this article we will create a new user, grant him sudo access, and also allow this user to run sudo commands without a password.
Adding user to sudo/wheel group
This is the best and cleanest way to add a user to the sudoers list. We use the usermod command to perform this action, but keep in mind that different distributions use different groups; here we cover Ubuntu/Debian and CentOS/Fedora/RHEL. Use the following command.
For Ubuntu/Debian distributions:
```
usermod -aG sudo username
```
Here the -a flag stands for append, and -G specifies the group (sudo).
The code section below shows the state before adding the user to the sudoers list, i.e. before running the above command:
```
ubuntu@ubuntu-exp:~$ sudo su foofunc
$ groups
foofunc
$ sudo service sshd status
[sudo] password for foofunc:
foofunc is not in the sudoers file.  This incident will be reported.
$
```
The code section below shows the state after running the usermod command:
```
ubuntu@ubuntu-exp:~$ sudo usermod -aG sudo foofunc
ubuntu@ubuntu-exp:~$
ubuntu@ubuntu-exp:~$ sudo su foofunc
$
$ groups
foofunc sudo
$
$ sudo service sshd status
[sudo] password for foofunc:
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-10-05 07:20:47 UTC; 1 weeks 6 days ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 834 (sshd)
      Tasks: 1 (limit: 19173)
     Memory: 19.5M
     CGroup: /system.slice/ssh.service
             └─834 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
```
Similarly, for CentOS/Fedora/RHEL we also use the usermod command; the only difference is that instead of the sudo group, CentOS uses the wheel group. Use the following command:
```
usermod -aG wheel username
```
The code section below shows the user's groups before and after running the above command:
```
[centos@test ~]$ groups foofunc
foofunc : foofunc
[foofunc@test centos]$ sudo su foofunc
[centos@test ~]$ sudo usermod -aG wheel foofunc
[centos@test ~]$
[centos@test ~]$ groups foofunc
foofunc : foofunc wheel
```
Adding user directly to /etc/sudoers file
The main configuration file for sudo users and groups is /etc/sudoers. In this file you can customize users' or groups' sudo rights and assign them. In a later section we will also use this file to make sudo access passwordless.
There are multiple ways to add users to the sudoers file. First we discuss the recommended way to customize a user's rights in sudoers, or to add a user to the sudoers list.
Creating a new file in /etc/sudoers.d
If you look into the /etc/sudoers file you will find the section below. It means sudo also reads all files present in the /etc/sudoers.d directory.
```
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
```
Therefore, create a new file named after the user inside the /etc/sudoers.d directory. The following code section shows an example where we created a file named foofunc that contains the sudo rights.
```
[centos@test ~]$ sudo cat /etc/sudoers.d/foofunc
foofunc ALL=(ALL) NOPASSWD:ALL
[centos@test ~]$
```
Adding entry into /etc/sudoers file
You can also add the user entry directly at the end of this file, but it is recommended to keep your configuration separate from the system's configuration, because even small syntax issues can lead to major problems.
To edit the sudoers file, open it for editing, scroll down to the end of the file and add your entry there.
Sudoers file policy parameters
Customizing users' rights with the sudoers file provides great flexibility, but with great flexibility also comes great responsibility. Therefore, in this section we discuss the parameters used in the sudoers file to draft a user's sudo policy. To understand these parameters, let's break down the above rule:
```
foofunc ALL=(ALL) NOPASSWD:ALL
```
- 1st column, foofunc:
  - This is the username or group name the rule applies to.
  - To specify a group name, put a % sign in front of the group name.
- 2nd column, ALL=(ALL):
  - The first ALL is useful when you have a multi-system environment; this parameter specifies the host. For a single host you can also change it to localhost or the hostname you are using.
  - The latter (ALL) defines the run-as user, i.e. as which user you will run the command. ALL means you can run commands as any user present in the system; if you want to run commands only as the root user, you can specify root.
- 3rd column, NOPASSWD:ALL:
  - NOPASSWD means that you don't need to enter a password at all to run the command with sudo.
  - ALL signifies the commands the user in the 1st column can run with sudo; here the user can run all the commands that root or any other user can run. You can also specify only those commands the user may run as a sudo user.
For more information regarding sudoers, you can refer to the manual.
In the following section we have drafted a policy that lets the foofunc user run only the chown and chmod commands:
```
foofunc ALL=(root) /usr/bin/chown,/usr/bin/chmod
```
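As an added example (not from the original article), the following Python parses rules in the format broken down above and flags the broad ones, so a drop-in such as /etc/sudoers.d/foofunc can be reviewed before it is installed. The sample drop-in text, the tag list, the skipped directive names and the finding messages are constructed for this example.

```python
import re
# Single-line user specification as broken down above: <user|%group> <host>=(<runas>) [TAG:]... <cmd>[, <cmd>...]
RULE_RE = re.compile(r"^(?P<who>%?[\w.@-]+)\s+(?P<host>[^\s=]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}      # tags that may prefix commands
SKIP = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}  # directives that are not rules

def parse_rule(line):
    """Split one rule into its who / host / runas / tags / commands columns."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    rest, tags = m.group("rest"), []
    while True:                                   # peel "TAG:" prefixes off the command list
        head, sep, tail = rest.partition(":")
        if not sep or head.strip().upper() not in TAGS:
            break
        tags.append(head.strip().upper())
        rest = tail.strip()
    runas = (m.group("runas") or "").strip() or "root"   # sudo runs as root when (runas) is omitted
    return {"who": m.group("who"), "host": m.group("host"), "runas": runas, "tags": tags,
            "commands": [c.strip() for c in rest.split(",") if c.strip()]}

def audit(line):
    """Findings for one rule; an empty list means nothing was flagged."""
    r, findings = parse_rule(line), []
    if "ALL" in r["commands"] and "NOPASSWD" in r["tags"]:
        findings.append("NOPASSWD with ALL commands: passwordless, unrestricted root")
    elif "ALL" in r["commands"]:
        findings.append("ALL commands: unrestricted, password-gated root")
    for cmd in r["commands"]:                     # sudoers requires fully qualified command paths
        if cmd != "ALL" and not cmd.startswith(("/", "sudoedit")):
            findings.append(f"{cmd}: command path must be absolute")
    return findings

def audit_sudoers(text):
    """Map line number -> findings for each flagged rule; blanks, '#'/'@' lines and directives are skipped."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and line[0] not in "#@" and line.split()[0] not in SKIP and (f := audit(line)):
            report[n] = f
    return report

SAMPLE = """## constructed example standing in for a drop-in under /etc/sudoers.d, not a real system's file
Defaults env_reset
foofunc ALL=(ALL) NOPASSWD:ALL
%wheel ALL=(ALL) ALL
deploy ALL=(root) /usr/bin/systemctl restart myapp, /usr/bin/journalctl
"""
```

audit_sudoers(SAMPLE) flags lines 3 and 4 of the sample, while the deploy rule with explicit absolute commands passes.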
Adding users to sudoers is really easy. In this article we discussed how to add users to the sudoers list so that they can run commands as another user, and we covered two different ways to do that.