The Ultimate Guide to Linux – Creating a Sudo User
If you‘re a Linux system administrator or power user, it‘s essential to understand how to manage permissions and delegate access on your systems. One of the most powerful tools at your disposal is sudo – the "superuser do" command.
Sudo allows you to grant limited root privileges to normal users, without giving them the keys to the entire kingdom. When used properly, sudo is a critical component of Linux security and administration.
However, with great power comes great responsibility! Improperly configured sudo can be a major vulnerability. In this ultimate guide, we‘ll cover everything you need to know to create sudo users the right way.
What is Sudo and How Does it Work?
Before we dive into the practical steps of creating sudo users, let‘s first discuss what sudo actually is and how it works under the hood.
Sudo is a program that allows users to run commands with the privileges of another user, by default the root/superuser account. When a user prefixes a command with sudo
, they are prompted to enter their own password. If authenticated, the command is then executed as the target user.
The sudo permissions for each user are controlled by the /etc/sudoers
file and optional config files in the /etc/sudoers.d/
directory. This file specifies which users or groups have access to run which commands on which hosts.
Here‘s an example of what a sudoers entry looks like:
alice ALL=(ALL) /usr/bin/apt
This line grants the user "alice" permission to run the command /usr/bin/apt
as root on any host. The ALL
keyword is used as a wildcard to match all hosts, users, or commands.
When a user invokes sudo, the program checks the sudoers file rules from top to bottom to find a match. If a matching rule is found that grants the requested access, the command is executed. If no matching rule is found, access is denied.
Sudo also logs every command executed to the /var/log/auth.log
file by default (on Debian-based distros, other distros may use a different log file). This creates an audit trail of all privileged commands.
Creating a New Sudo User – Step by Step
Now that you have a high-level understanding of how sudo works, let‘s walk through the process of creating a new sudo user from scratch.
Step 1 – Create a New Linux User Account
Before you can assign sudo permissions, you first need a regular user account to work with. If the user doesn‘t already exist, create them with the adduser
command:
sudo adduser johndoe
You will be prompted to enter a password and basic info for the new user. A home directory will be automatically created under /home/johndoe/
.
Step 2 – Add the User to the Sudo Group
Most Linux distros configure sudo to allow access to all members of a specific system group, usually either named "sudo" or "wheel". To grant the new user sudo access, you simply need to add them to this group.
On Debian-based distros like Ubuntu, use:
sudo usermod -aG sudo johndoe
On Red Hat-based distros like CentOS, the group is called "wheel" instead:
sudo usermod -aG wheel johndoe
The -aG
option tells usermod
to append (-a
) the user to the specified group (-G
). This preserves any existing group memberships the user has.
Step 3 – Test Sudo Access
Now let‘s verify that the user was granted sudo access correctly. Use su
to switch to the new user account:
su - johndoe
Then use sudo
to test running a command with root privileges:
sudo whoami
If everything is working, you should see the command output "root". You will be prompted for the user‘s password the first time, and by default sudo will remember the password for 15 minutes before prompting again.
Assigning Granular Sudo Permissions
In the example above, we granted the user access to run ALL commands with sudo just by virtue of their group membership. However, it‘s best practice to follow the principle of least privilege and only allow users to run the specific commands they need.
To assign more granular sudo permissions, you need to edit the /etc/sudoers
file. Always use the visudo
command for this, never edit the file directly!
sudo visudo
This ensures the file is locked while being edited and validates the file syntax before saving to prevent configuration errors that could lock you out of the system.
Once in visudo, you can assign specific command permissions using this format:
user host = (runas) command
For example, to allow the user "johndoe" to run only the apt update
and apt upgrade
commands with sudo:
johndoe ALL = (root) /usr/bin/apt update, /usr/bin/apt upgrade
You can also use wildcards and aliases to make the configs more readable. This example allows the user to run any systemctl
command:
Cmnd_Alias SERVICES = /bin/systemctl *
johndoe ALL = (root) SERVICES
The man sudoers
command has lots more details on the different options available.
Important Sudo Security Considerations
While sudo is designed to enhance security over direct root access, it can still be abused if not configured carefully. Here are some important sudo security best practices:
Use Least Privilege
As mentioned above, only grant users the bare minimum sudo permissions they require for their role. Regularly audit the sudoers configs to ensure old permissions are cleaned up.
Restrict Risky Commands
Be very careful allowing sudo access to any commands that can modify the sudoers file itself, change system files, or open an unrestricted shell. Examples include visudo
, su
, bash
, nano
, vi
, etc. It‘s best to explicitly deny access to these.
Consider Requiring a TTY
By default, sudo does not require a TTY (terminal) to be present. This means sudo commands can be run non-interactively, such as from a script or SSH connection without a full terminal allocated. For extra security, you can require a TTY for all sudo commands with this option in sudoers:
Defaults requiretty
Implement Password Policies
The sudo password prompt is an important security control. Do not disable it by allowing passwordless sudo access unless you have a very good reason. You can set a custom password timeout with:
Defaults timestamp_timeout=30
To require a password every time instead of caching it, use:
Defaults timestamp_timeout=0
Centralize Sudo Logging and Alerting
As mentioned earlier, sudo logs every command executed to the system log files. However, these logs can be hard to sift through and consolidate across multiple servers. Consider setting up centralized logging with a tool like rsyslog, syslog-ng, Splunk, ELK stack, etc. This gives you a single dashboard to monitor sudo usage across your fleet.
You can also configure sudo to send email alerts on specific events, such as failed sudo attempts or root-level command execution. For example:
Defaults mail_always
Defaults mail_badpass
Defaults mailto="[email protected]"
Sudo vs Other Privilege Escalation Methods
Sudo is the most common privilege escalation tool on Linux, but there are some alternatives worth mentioning.
su
The traditional su
command allows you to switch to any user account on the system by providing their password. While useful for system maintenance, su
doesn‘t provide the same level of logging and control as sudo.
PolicyKit
PolicyKit is a newer privilege escalation framework used heavily in Linux desktop environments. It has some advantages over sudo like more fine-grained control and better desktop integration. However, it is less commonly used on servers.
doas
The doas
command is a simpler alternative to sudo used mainly on BSD systems, but also available in some Linux distros. It has a more minimal feature set but may be sufficient for basic needs.
Commercial Sudo Alternatives
For large enterprise environments, there are some commercial alternatives to sudo that provide additional features like Active Directory integration, centralized management, and advanced reporting. Some examples include Quest One Privilege Manager for Unix (QPMU), BeyondTrust PowerBroker, and CyberArk Endpoint Privilege Manager.
Other Useful Sudo Tips and Tricks
Here are a few more sudo tips to supercharge your command line skills:
- Use
sudo !!
to quickly re-run the last command with sudo privileges - Use
sudo -i
to open an interactive root shell (similar tosu -
but uses sudo config) - Use
sudo -e
to edit a file with root privileges using the default editor ($EDITOR) - Use
sudo -u otheruser command
to run a command as a different user than root - Use
sudo -k
to clear the cached sudo credentials and force a fresh password prompt - Use
sudoedit
as a safer alternative tosudo vim
to edit root-owned files
Conclusion
Sudo is an essential tool for any Linux admin or power user. When used properly, it allows you to delegate permissions, enforce least privilege, and maintain a secure audit trail.
However, with sudo‘s power comes great responsibility. It‘s crucial to understand sudo‘s inner workings, follow security best practices, and keep a watchful eye on sudo usage across your systems.
By following this guide, you should now have a solid foundation in creating and managing sudo users. But don‘t stop here – dive into the man pages, experiment in a test environment, and keep leveling up your sudo skills. You‘ll be a Linux security guru in no time!