User Management and Granting Sudo Privileges in Linux

User administration is a key responsibility in Linux system operations. Administrators must carefully decide which accounts receive elevated privileges and how that access is controlled. A secure and flexible way to assign such rights is by adding users to the sudo group. The sudo (short for “superuser do”) command lets selected users run commands with elevated permissions, typically those of root, without logging in as root.

This guide explains how to grant elevated privileges by either assigning users to the sudo group or by adjusting sudo rules using the Linux Sudoers file.

Prerequisites

  • Access to a Linux machine as a non-root sudo user.

Adding Users to the Sudo Group

On most Linux systems, users in the sudo group receive administrative rights. This approach is safer than logging in as root directly, as it reduces the risk of accidental system-wide issues. On RHEL-based distributions (CentOS, Rocky Linux), the equivalent group is usually called wheel. In production setups, the best practice is to grant sudo privileges to regular user accounts instead of working as root.

Administrators can add users to groups using the usermod command with the appropriate parameters. Follow the steps below to create and configure users with sudo rights.

Verify Logged-in User

$ whoami

Sample output:

linuxuser

Check Current Sudo Privileges

$ sudo -l

Example result:

Matching Defaults entries for linuxuser on LinuxWorkstation:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin, use_pty

User linuxuser may run the following commands on LinuxWorkstation:
    (ALL) NOPASSWD: ALL

This indicates that the account linuxuser can run any command without being prompted for a password. The command is useful for auditing user permissions.

Create a New User

$ sudo adduser john

You will be asked to set a password and provide user details. Example system messages:

info: Adding user `john' ...
info: Adding new group `john' ...
info: Creating home directory `/home/john' ...
passwd: password updated successfully
Changing the user information for john
Full Name []: john wick
Room Number []: 1234
Work Phone []: 9876543210
Home Phone []: 1234567890
Other []: 
Is the information correct? [Y/n] Y

Note: By default, Linux assigns users to a primary group matching their username and sometimes a secondary users group. These defaults do not include sudo rights.

Check if a User Has Sudo Rights

$ sudo -U john -l

Typical result:

User john is not allowed to run sudo on LinuxWorkstation.

Grant Sudo Access

$ sudo usermod -aG sudo john

Switch to the User and Test

$ sudo su - john

Once logged in as john, test with:

$ sudo whoami

Expected output:

root

View Members of the Sudo Group

Using getent

$ getent group sudo

Sample output:

sudo:x:27:john,jane

Using groups

$ groups jane

Output:

jane : jane sudo users

Similarly for john:

$ groups john

Output:

john : john sudo users

Restricting Access with the Sudoers File

The /etc/sudoers file should only be modified with visudo, which checks the syntax before saving and so prevents a broken configuration. While sudo group membership grants wide privileges, the sudoers file lets administrators restrict or tailor the commands available to each user.

Define Allowed Commands

Edit the sudoers configuration for a specific user:

$ sudo visudo -f /etc/sudoers.d/john

Define an alias for commands:

Cmnd_Alias UPDATE_AND_UPGRADE = /usr/bin/apt update, /usr/bin/apt upgrade

Grant access without password prompts:

john ALL=(ALL) NOPASSWD: UPDATE_AND_UPGRADE

Or grant access to a single command:

john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx

Verify Custom Rules

Switch to john and run update/upgrade commands without password prompts:

$ sudo apt update
$ sudo apt upgrade

Other commands will still require authentication or be denied based on configuration.

Add Sudo User Restrictions with the Sudoers File

To strengthen security, you can apply rules on how members of the sudo group interact with the sudo command. For example, you can control the number of failed password attempts and the duration that sudo remembers authentication. Use the passwd_tries and timestamp_timeout directives in the sudoers file to set these restrictions.

Create a Sudoers Configuration for the Group

$ sudo visudo -f /etc/sudoers.d/sudogroup

Limit Password Retry Attempts

Defaults:%sudo passwd_tries=1

This rule means:

  • Defaults:%sudo: Applies to all sudo group members.
  • passwd_tries=1: Only one failed password attempt is allowed.

To apply this to a single user instead of the group, use:

Defaults:john passwd_tries=1

Force Password Prompt Every Time

Defaults:%sudo timestamp_timeout=0

Explanation:

  • timestamp_timeout=0: No grace period. The user must re-enter the password for every sudo command.
  • Default value: 15, which means 15 minutes of reuse per terminal session.

Test the Restriction

Try installing a package with an incorrect password:

$ sudo apt install nginx

Output:

sudo: 1 incorrect password attempt

Retry with the correct password:

$ sudo apt install nginx

Since timestamp_timeout is set to 0, you will be asked for the password again. Once entered correctly, the package installs.

Note: By default, timestamp_timeout is set to 15 minutes, meaning sudo commands can be reused within that time window without re-entering the password.
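
With passwd_tries=1, every wrong password ends the sudo invocation and is logged as its own event, so repeated failures show up as a run of separate log lines. The script below is an added example, not part of the original guide: it tallies failed sudo authentications per user from syslog-style lines. The log lines are constructed, and the layout assumes the traditional syslog format that sudo writes to the auth log (commonly /var/log/auth.log on Debian and Ubuntu).

```shell
#!/bin/sh
# Added example (not from the original guide): tally failed sudo
# authentications per user from syslog-style auth log lines on stdin.

# Constructed sample. Host and user names follow this guide; the
# timestamps and TTYs are made up.
sample_auth_log() {
cat <<'EOF'
Jan 10 09:14:02 LinuxWorkstation sudo:     john : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/usr/bin/apt install nginx
Jan 10 09:14:20 LinuxWorkstation sudo:     john : TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/usr/bin/apt install nginx
Jan 10 09:20:11 LinuxWorkstation sudo:     jane : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/jane ; USER=root ; COMMAND=/usr/bin/apt update
Jan 10 09:20:15 LinuxWorkstation sudo:     jane : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/jane ; USER=root ; COMMAND=/usr/bin/apt update
Jan 10 09:20:19 LinuxWorkstation sudo:     jane : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/jane ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

# failed_sudo_by_user: print "<user> <failed attempts>", sorted by user.
# After the "sudo:" tag the fields are: user, ":", attempt count.
failed_sudo_by_user() {
  awk '
    /incorrect password attempt/ {
      for (i = 1; i < NF; i++)
        if ($i == "sudo:") { fails[$(i + 1)] += $(i + 3); break }
    }
    END { for (u in fails) print u, fails[u] }' | sort
}

# users_over_threshold N: users with N or more failed attempts.
users_over_threshold() {
  failed_sudo_by_user | awk -v min="$1" '$2 >= min { print $1 }'
}

sample_auth_log | failed_sudo_by_user
```

On a live system, feed the functions the real log, for example `sudo cat /var/log/auth.log | users_over_threshold 3`.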

Remove Users from the Sudo Group

If a user no longer requires administrative rights, you can revoke their sudo privileges by removing them from the group. The example below uses john.

Switch to Another Privileged User

$ sudo su - linuxuser

Remove Custom Sudoers Configuration

$ sudo rm /etc/sudoers.d/john

Warning: Ensure you still have access to another sudo-capable account before removing the only administrative user.

Remove the User from the Group

$ sudo deluser john sudo

Sample system output:

info: Removing user `john' from group `sudo' ...

Verify Removal

$ groups john

Example output:

john : john users

Switch to john and test sudo:

$ sudo apt update

Expected result:

Sorry, user john is not allowed to execute '/usr/bin/apt update' as root on LinuxWorkstation.

Note: Group membership updates take effect in new terminal sessions only.

Grant Users Sudo Access with the Sudoers File

You can also give sudo rights without adding the user to the sudo group. This is possible because sudo checks permissions defined in the sudoers file. Typically, group access is granted by this line in the main sudoers file:

%sudo   ALL=(ALL:ALL) ALL

This rule gives all members of the sudo group full access. You can still create custom rules for individual users.

Create a New User

$ sudo adduser joe

Create a Custom Sudoers File

$ sudo visudo -f /etc/sudoers.d/joe

Add this line for full sudo access:

joe ALL=(ALL) ALL

Verify Group Membership

$ groups joe

Output:

joe : joe users

Switch and Test

$ sudo su - joe

Now test:

$ sudo whoami

Expected output:

root
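
The rules used in this guide differ widely in what they grant: `NOPASSWD: ALL`, `ALL` with a password, and a short command list. The script below is an added example, not part of the original guide: it rates each sudoers rule read from standard input by how much it grants. The sample input is constructed from the rules shown above, and the parser assumes one rule per line, with no backslash continuations and no include directives followed.

```shell
#!/bin/sh
# Added example, not from the original guide: rate each sudoers user
# specification by how much it grants. Reads sudoers text on stdin.
# Assumes one rule per line (no backslash continuations, no includes).
# Alias names are not expanded; they count as a listed command.

# Constructed sample assembled from the rules shown in this guide.
sample_sudoers() {
cat <<'EOF'
Defaults:%sudo passwd_tries=1
Defaults:%sudo timestamp_timeout=0
Cmnd_Alias UPDATE_AND_UPGRADE = /usr/bin/apt update, /usr/bin/apt upgrade
%sudo   ALL=(ALL:ALL) ALL
linuxuser ALL=(ALL) NOPASSWD: ALL
john ALL=(ALL) NOPASSWD: UPDATE_AND_UPGRADE
joe ALL=(ALL) ALL
EOF
}

# audit_sudoers: print "<user-or-%group> <LEVEL>" for every rule.
#   CRITICAL  any command, no password     BROAD    any command, password
#   NOPASSWD  listed commands, no password  LIMITED  listed commands, password
audit_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
    $1 ~ /^(Defaults|(Cmnd|User|Host|Runas)_Alias)/ { next }
    {
      who = $1
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)            # drop "who host ="
      sub(/^\([^)]*\)[ \t]*/, "", spec)         # drop "(runas)"
      sub(/[ \t]+$/, "", spec)                  # drop trailing whitespace
      nopw = (spec ~ /NOPASSWD:/)
      gsub(/[A-Z_]+:[ \t]*/, "", spec)          # drop tags such as NOPASSWD:
      all = 0
      n = split(spec, cmd, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) if (cmd[i] == "ALL") all = 1
      if (all) level = nopw ? "CRITICAL" : "BROAD"
      else     level = nopw ? "NOPASSWD" : "LIMITED"
      print who, level
    }'
}

sample_sudoers | audit_sudoers
```

To review a real host, pipe each file in turn, for example `sudo cat /etc/sudoers.d/john | audit_sudoers`, and look first at anything rated CRITICAL.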

Conclusion

You have seen how to manage sudo privileges either by assigning users to the sudo group or by defining rules directly in the sudoers file. Using the sudo group is convenient, while custom sudoers configurations provide fine-grained control over which commands can be executed and under what conditions.

Source: vultr.com
