The first thing to do after installing FreeBSD is to create a regular user with sudo access, because it is a security best practice to perform server administration as a non-root user. This brief tutorial explains how to add, delete and grant sudo privileges to users in FreeBSD operating systems.
All steps given below are tested on a freshly installed FreeBSD 13.2 server edition.
Prerequisites
To follow along, make sure you have:
- Root access to your FreeBSD system,
- Password of the root user.
1. Install Sudo in FreeBSD
sudo is a special program that lets a normal user run administrative tasks without being given the root user's password in Linux and Unix operating systems.
In a minimal FreeBSD installation, the sudo program is not installed by default.
To install the sudo package on your FreeBSD system, run:
# pkg install sudo
You can also install sudo from the Ports Collection.
To install sudo from ports, run:
# cd /usr/ports/security/sudo/
# make install clean
2. Create a New User in FreeBSD
Log in as root user:
# ssh root@<ip-address-of-freebsd>
Create a new regular user, for example ostechnix, using the adduser command:
# adduser
You will be prompted to answer a couple of questions, such as user name, full name, login group name, login class, default shell etc. Mostly the default values are just fine. Press ENTER key to accept the default values and type your password twice.
Username: ostechnix
Full name: Ostechnix
Uid (Leave empty for default):
Login group [ostechnix]:
Login group is ostechnix. Invite ostechnix into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]:
Home directory [/home/ostechnix]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : ostechnix
Password : *****
Full Name : Ostechnix
Uid : 1001
Class :
Groups : ostechnix
Home : /home/ostechnix
Home Mode :
Shell : /bin/sh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (ostechnix) to the user database.
Add another user? (yes/no): no
Goodbye!
We just created a normal user called "ostechnix". This is a non-root user, so we can't perform any administrative tasks using this user.
To verify if a user has sudo privilege, run:
# sudo -lU ostechnix
User ostechnix is not allowed to run sudo on freebsd.
Replace "ostechnix" in the above command with your own username.
As you can see in the above output, the user "ostechnix" doesn't have sudo access. So let us go ahead and assign sudo access to this user.
3. Grant Sudo Privileges to Users in FreeBSD
You can grant sudo privileges to a single user or group of users at once.
3.1. Assign Sudo Privileges to a Single User
Edit the sudoers file using the following command as root user:
# visudo
Scroll down till you find the following entry:
root ALL=(ALL) ALL
Right after the above entry, add the following line:
ostechnix ALL=(ALL) ALL
In the above line, replace "ostechnix" with your own user name. Press ESC key and type :wq and then press ENTER to save the file and close it. Log out and log back in to update the changes.
Congrats! The user "ostechnix" now has sudo rights and can run any command on any host.
3.2. Assign Sudo Privileges to a Group
In order to assign sudo access to a group of non-root users, simply add them to the wheel group using the following command.
# pw group mod wheel -m ostechnix
Again, replace "ostechnix" with your own user name.
Next, make sure the members of the wheel group are able to run any command.
To do so, run:
# visudo
Make sure the following line is present and uncommented.
%wheel ALL=(ALL:ALL) ALL
Press ESC and type :wq and press ENTER to save the file and close it.
Now the members of the wheel group can run any command on any host.
4. Verify Sudo Access
Verify if the user is given the sudo access using the following command as root user.
# sudo -lU ostechnix
User ostechnix may run the following commands on freebsd:
    (ALL : ALL) ALL
If you see the line (ALL : ALL) ALL in the above output, the user (i.e. "ostechnix") can run any command on any host.
5. Run Administrative Commands
Log out from the current session and log back in as the newly created sudo user.
Alternatively, you can directly switch to the other user, without having to log out from the current session, using the following command:
# sudo -i -u ostechnix
Now, verify if the user is able to perform any administrative task with sudo permission:
As you can see in the above output, the user "ostechnix" can run an administrative command with sudo access.
5.1. View User's Privileges
You can verify what commands the users are allowed to run using the following command.
$ sudo -l
Or,
$ sudo -ll
Sample Output:
User ostechnix may run the following commands on freebsd:

Sudoers entry:
    RunAsUsers: ALL
    RunAsGroups: ALL
    Commands:
        ALL
6. Delete Sudo Access from a User
Log out from the user whose sudo privilege you want to revoke and log in as root user.
If you have assigned sudo access to a single user, edit the sudoers file:
# visudo
Remove the following entry from the sudoers file:
ostechnix ALL=(ALL) ALL
Save the file and close it.
If you want to remove sudo access of a wheel group member, simply remove him/her from the group.
Log in as root user and run the following command to remove the sudo privilege from the user called "ostechnix".
# pw groupmod wheel -d ostechnix
Now the user "ostechnix" is no longer a member of the "wheel" group, so he can't perform any administrative tasks with sudo access.
You can verify it with the command:
# sudo -lU ostechnix
User ostechnix is not allowed to run sudo on freebsd.
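Sections 3.1 and 3.2 grant sudo through two independent paths (a direct sudoers entry and wheel membership), so revoking only one of them can leave the other in place. The following sketch is an added example, not part of the original tutorial: it lists every path through which a user still gets sudo. The function names sudo_grants and sudo_paths and the sample files are constructed for illustration, and the parser deliberately ignores aliases and included files.

```sh
#!/bin/sh
# sudo_grants SUDOERS GROUPFILE
# Prints "user<TAB>source" for every user spec in a sudoers-format file,
# expanding %group entries through a group(5)-format file.
# Simplifications (assumptions of this sketch): every line starting with "#"
# or "@" is skipped, aliases are not expanded, included files are not
# followed, and membership through a primary GID in passwd is not seen.
sudo_grants() {
    awk -v gfile="$2" '
        FILENAME == gfile {                  # name:passwd:gid:member,member
            split($0, f, ":"); members[f[1]] = f[4]; next
        }
        /^[ \t]*([#@]|$)/ { next }           # comments, includes, blank lines
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
        $2 !~ /=/ { next }                   # not "who host=(runas) cmds"
        $1 ~ /^%/ {                          # group rule: expand its members
            g = substr($1, 2); n = split(members[g], m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] "\t%" g
            next
        }
        { print $1 "\tdirect" }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# sudo_paths USER SUDOERS GROUPFILE: the sources that still grant USER sudo.
sudo_paths() {
    sudo_grants "$2" "$3" | awk -F '\t' -v u="$1" '$1 == u { print $2 }'
}

# Constructed sample files mirroring sections 3.1 and 3.2 of the tutorial.
demo=$(mktemp -d)
cat > "$demo/sudoers" <<'EOF'
Defaults env_keep += "HOME"
root ALL=(ALL) ALL
ostechnix ALL=(ALL) ALL
%wheel ALL=(ALL:ALL) ALL
# %sudo ALL=(ALL:ALL) ALL
EOF
printf 'wheel:*:0:root,ostechnix\noperator:*:5:root\n' > "$demo/group"
# The same group file after "pw groupmod wheel -d ostechnix".
printf 'wheel:*:0:root\noperator:*:5:root\n' > "$demo/group.after"

sudo_paths ostechnix "$demo/sudoers" "$demo/group"        # both paths
sudo_paths ostechnix "$demo/sudoers" "$demo/group.after"  # direct entry remains
```

On a FreeBSD host with sudo installed from packages, the inputs would be /usr/local/etc/sudoers and /etc/group; sudo -lU remains the authoritative check, since it also evaluates aliases and included files.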
Conclusion
In this guide, we discussed how to install the sudo program and how to create non-root user(s) with sudo permission in FreeBSD. We also looked at how to delete sudo access from a user or group of users in FreeBSD.
As stated in the introductory section, it is always a best practice to add a normal user with sudo rights and avoid performing administrative tasks as root user.