Create a Sudo User on Linux Distributions
Setting up a sudo user lets someone who is not root carry out administrative tasks with elevated rights. Instead of signing in as root, the user authenticates with their own password, while the system securely logs each command. This enhances security by limiting direct root access and providing better accountability. Most Linux distributions follow a comparable process for adding sudo users, with only small differences in group names or package requirements.
This guide explains how to create a sudo user on major Linux distributions, verify their privileges, and apply optional security measures to fine-tune sudo behavior.
Prerequisites
Before starting, make sure you have:
- Access to a Linux system as a non-root sudo user.
Create a Sudo User
In this section, you will create a new user and give them sudo rights. While the details differ slightly depending on the distribution, the general steps are very similar. Choose the section that matches your Linux distribution.
Red Hat-Based Systems
On Red Hat-based systems, users get sudo access by joining the wheel group, which is already defined in the sudoers configuration. Using groups centralizes permissions and helps improve security.
Create a new user
$ sudo useradd -m example_user
The -m option creates a home directory at /home/example_user. Replace example_user with your chosen username.
Set a password for the user
$ sudo passwd example_user
Enter and confirm a secure password. The system stores the encrypted password in /etc/shadow, accessible only by privileged accounts.
Add the user to the wheel group
$ sudo usermod -aG wheel example_user
The command grants sudo rights by appending the user to the wheel group. The -a option appends the group, and -G specifies which group.
Edit the sudoers file with visudo
$ sudo visudo
visudo validates syntax before saving, reducing the risk of configuration errors. Locate the following and make sure it is uncommented:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
This directive allows all wheel group members to execute any command with sudo.
%wheel: applies to the wheel group.- First
ALL: applies to all hosts. (ALL): allows acting as any user.- Last
ALL: allows running all commands.
Note: Always use visudo to edit sudoers. Regular editors can cause syntax errors and break sudo.
Switch to the new user
$ sudo su - example_user
Verify sudo access
$ sudo whoami
Output:
root
This confirms the configuration works correctly.
Debian-Based Systems (Ubuntu, etc.)
Debian and Ubuntu manage administrative rights using the sudo group instead of wheel. Follow these steps:
Create a new user
$ sudo adduser example_user
Add user to sudo group
$ sudo usermod -aG sudo example_user
Switch to new user
$ sudo su - example_user
Check privileges
$ sudo whoami
Output:
root
If you see root, the setup is correct.
Arch Linux
On Arch Linux, sudo access requires more manual setup.
Create a new user
$ sudo useradd --create-home example_user
Set a password
$ sudo passwd example_user
Add the user to wheel group
$ sudo usermod --append --groups wheel example_user
Install vi editor
$ sudo pacman --sync vi
Edit sudoers file
$ sudo visudo
Uncomment the following line:
%wheel ALL=(ALL) ALL
Switch to the new account
$ sudo su - example_user
Verify access
$ sudo whoami
Output:
root
This confirms sudo privileges are working correctly for the new user.
Test Sudo User Privileges in Linux
Once you set up a sudo user, you should confirm that the account truly has administrative privileges. The following steps will guide you through tests to ensure sudo is working correctly.
Run Basic Commands with Sudo
Test that the user can run administrative commands.
View the root home directory
$ sudo ls -la /root
This command lists hidden and regular files in /root, accessible only to root or sudo users.
Update package lists
On Debian-based systems (Ubuntu, Debian):
$ sudo apt update
On Red Hat-based systems (RHEL, CentOS, Fedora):
$ sudo dnf makecache
On Arch Linux:
$ sudo pacman -Sy
Package management requires root privileges since these commands alter system files. Successful execution indicates sudo is configured properly.
Verify Access to Protected Files
Check if the sudo user can access sensitive files restricted to root.
$ sudo cat /etc/shadow
The /etc/shadow file contains encrypted user credentials. Being able to read it confirms sudo works.
Check Sudo Logs
sudo keeps logs of executed commands for auditing and accountability.
On Debian-based systems:
$ sudo grep sudo /var/log/auth.log
On Red Hat-based systems:
$ sudo grep sudo /var/log/secure
These logs track who used sudo, when, and which commands they executed.
Manage Password Prompts for a Sudo User
Control how often sudo requests a password to balance convenience with security.
Configure Password Timeout
By default, sudo caches authentication for 15 minutes. Adjust this timeout by editing the sudoers file:
$ sudo visudo
Add or modify the following line:
Defaults timestamp_timeout=30
This example sets the timeout to 30 minutes. Values include:
0: Prompt for a password on every command.-1: Never prompt again during the session.- Positive integers (5, 15, 30, etc.): Timeout in minutes.
Set Up Passwordless Sudo
In automation or restricted environments, you can allow sudo without requiring a password.
$ sudo visudo
Add for a specific user:
example_user ALL=(ALL) NOPASSWD: ALL
Or for a group:
%wheel ALL=(ALL) NOPASSWD: ALL
Warning: Using passwordless sudo reduces security. Only enable it in secure setups with trusted users.
Limit Command Execution
Apply the principle of least privilege by restricting which commands users can run.
$ sudo visudo
Define explicit command permissions:
example_user ALL=(ALL) /usr/bin/apt update, /usr/bin/apt upgrade
Use absolute paths, since sudo does not resolve commands via $PATH. To find a path:
$ which mkdir
Output:
/usr/bin/mkdir
Create Command Aliases
In environments with many users, aliases simplify permissions.
$ sudo visudo
Define aliases:
# Command Aliases
Cmnd_Alias UPDATES = /usr/bin/apt update, /usr/bin/apt upgrade
Cmnd_Alias SERVICES = /usr/bin/systemctl restart apache2
# User Privileges
example_user ALL=(ALL) UPDATES, SERVICES
Aliases let you group related commands, making sudoers more readable and easier to manage.
Conclusion
You now know how to create and configure a sudo user on major Linux distributions. You granted administrative rights by assigning the user to the correct group (wheel or sudo) and confirmed access through test commands. Additionally, you explored customizing sudo security by restricting commands, enabling passwordless access, and managing timeouts. With these adjustments, your system maintains secure and efficient sudo access.
