The Ultimate Guide to Linux – Creating a Sudo User

If you‘re a Linux system administrator or power user, it‘s essential to understand how to manage permissions and delegate access on your systems. One of the most powerful tools at your disposal is sudo – the "superuser do" command.

Sudo allows you to grant limited root privileges to normal users, without giving them the keys to the entire kingdom. When used properly, sudo is a critical component of Linux security and administration.

However, with great power comes great responsibility! Improperly configured sudo can be a major vulnerability. In this ultimate guide, we‘ll cover everything you need to know to create sudo users the right way.

What is Sudo and How Does it Work?

Before we dive into the practical steps of creating sudo users, let‘s first discuss what sudo actually is and how it works under the hood.

Sudo is a program that allows users to run commands with the privileges of another user, by default the root/superuser account. When a user prefixes a command with sudo, they are prompted to enter their own password. If authenticated, the command is then executed as the target user.

The sudo permissions for each user are controlled by the /etc/sudoers file and optional config files in the /etc/sudoers.d/ directory. This file specifies which users or groups have access to run which commands on which hosts.

Here‘s an example of what a sudoers entry looks like:

alice  ALL=(ALL)  /usr/bin/apt

This line grants the user "alice" permission to run the command /usr/bin/apt as root on any host. The ALL keyword is used as a wildcard to match all hosts, users, or commands.

When a user invokes sudo, the program checks the sudoers file rules from top to bottom to find a match. If a matching rule is found that grants the requested access, the command is executed. If no matching rule is found, access is denied.

Sudo also logs every command executed to the /var/log/auth.log file by default (on Debian-based distros, other distros may use a different log file). This creates an audit trail of all privileged commands.

Creating a New Sudo User – Step by Step

Now that you have a high-level understanding of how sudo works, let‘s walk through the process of creating a new sudo user from scratch.

Step 1 – Create a New Linux User Account

Before you can assign sudo permissions, you first need a regular user account to work with. If the user doesn‘t already exist, create them with the adduser command:

sudo adduser johndoe

You will be prompted to enter a password and basic info for the new user. A home directory will be automatically created under /home/johndoe/.

Step 2 – Add the User to the Sudo Group

Most Linux distros configure sudo to allow access to all members of a specific system group, usually either named "sudo" or "wheel". To grant the new user sudo access, you simply need to add them to this group.

On Debian-based distros like Ubuntu, use:

sudo usermod -aG sudo johndoe

On Red Hat-based distros like CentOS, the group is called "wheel" instead:

sudo usermod -aG wheel johndoe

The -aG option tells usermod to append (-a) the user to the specified group (-G). This preserves any existing group memberships the user has.

Step 3 – Test Sudo Access

Now let‘s verify that the user was granted sudo access correctly. Use su to switch to the new user account:

su - johndoe

Then use sudo to test running a command with root privileges:

sudo whoami

If everything is working, you should see the command output "root". You will be prompted for the user‘s password the first time, and by default sudo will remember the password for 15 minutes before prompting again.

Assigning Granular Sudo Permissions

In the example above, we granted the user access to run ALL commands with sudo just by virtue of their group membership. However, it‘s best practice to follow the principle of least privilege and only allow users to run the specific commands they need.

To assign more granular sudo permissions, you need to edit the /etc/sudoers file. Always use the visudo command for this, never edit the file directly!

sudo visudo

This ensures the file is locked while being edited and validates the file syntax before saving to prevent configuration errors that could lock you out of the system.

Once in visudo, you can assign specific command permissions using this format:

user  host = (runas) command

For example, to allow the user "johndoe" to run only the apt update and apt upgrade commands with sudo:

johndoe  ALL = (root) /usr/bin/apt update, /usr/bin/apt upgrade

You can also use wildcards and aliases to make the configs more readable. This example allows the user to run any systemctl command:

Cmnd_Alias SERVICES = /bin/systemctl *
johndoe  ALL = (root) SERVICES

The man sudoers command has lots more details on the different options available.

Important Sudo Security Considerations

While sudo is designed to enhance security over direct root access, it can still be abused if not configured carefully. Here are some important sudo security best practices:

Use Least Privilege

As mentioned above, only grant users the bare minimum sudo permissions they require for their role. Regularly audit the sudoers configs to ensure old permissions are cleaned up.

Restrict Risky Commands

Be very careful allowing sudo access to any commands that can modify the sudoers file itself, change system files, or open an unrestricted shell. Examples include visudo, su, bash, nano, vi, etc. It‘s best to explicitly deny access to these.

Consider Requiring a TTY

By default, sudo does not require a TTY (terminal) to be present. This means sudo commands can be run non-interactively, such as from a script or SSH connection without a full terminal allocated. For extra security, you can require a TTY for all sudo commands with this option in sudoers:

Defaults requiretty

Implement Password Policies

The sudo password prompt is an important security control. Do not disable it by allowing passwordless sudo access unless you have a very good reason. You can set a custom password timeout with:

Defaults timestamp_timeout=30

To require a password every time instead of caching it, use:

Defaults timestamp_timeout=0

Centralize Sudo Logging and Alerting

As mentioned earlier, sudo logs every command executed to the system log files. However, these logs can be hard to sift through and consolidate across multiple servers. Consider setting up centralized logging with a tool like rsyslog, syslog-ng, Splunk, ELK stack, etc. This gives you a single dashboard to monitor sudo usage across your fleet.

You can also configure sudo to send email alerts on specific events, such as failed sudo attempts or root-level command execution. For example:

Defaults mail_always
Defaults mail_badpass
Defaults mailto="[email protected]"

Sudo vs Other Privilege Escalation Methods

Sudo is the most common privilege escalation tool on Linux, but there are some alternatives worth mentioning.

su

The traditional su command allows you to switch to any user account on the system by providing their password. While useful for system maintenance, su doesn‘t provide the same level of logging and control as sudo.

PolicyKit

PolicyKit is a newer privilege escalation framework used heavily in Linux desktop environments. It has some advantages over sudo like more fine-grained control and better desktop integration. However, it is less commonly used on servers.

doas

The doas command is a simpler alternative to sudo used mainly on BSD systems, but also available in some Linux distros. It has a more minimal feature set but may be sufficient for basic needs.

Commercial Sudo Alternatives

For large enterprise environments, there are some commercial alternatives to sudo that provide additional features like Active Directory integration, centralized management, and advanced reporting. Some examples include Quest One Privilege Manager for Unix (QPMU), BeyondTrust PowerBroker, and CyberArk Endpoint Privilege Manager.

Other Useful Sudo Tips and Tricks

Here are a few more sudo tips to supercharge your command line skills:

• Use sudo !! to quickly re-run the last command with sudo privileges
• Use sudo -i to open an interactive root shell (similar to su - but uses sudo config)
• Use sudo -e to edit a file with root privileges using the default editor ($EDITOR)
• Use sudo -u otheruser command to run a command as a different user than root
• Use sudo -k to clear the cached sudo credentials and force a fresh password prompt
• Use sudoedit as a safer alternative to sudo vim to edit root-owned files

Conclusion

Sudo is an essential tool for any Linux admin or power user. When used properly, it allows you to delegate permissions, enforce least privilege, and maintain a secure audit trail.

However, with sudo‘s power comes great responsibility. It‘s crucial to understand sudo‘s inner workings, follow security best practices, and keep a watchful eye on sudo usage across your systems.

By following this guide, you should now have a solid foundation in creating and managing sudo users. But don‘t stop here – dive into the man pages, experiment in a test environment, and keep leveling up your sudo skills. You‘ll be a Linux security guru in no time!