Home FreeBSD Add, Delete And Grant Sudo Privileges To Users In FreeBSD 13

Add, Delete And Grant Sudo Privileges To Users In FreeBSD 13

Create sudo user in FreeBSD

By sk
223 views

The first thing after installing FreeBSD is to create a regular user with sudo access. Because, it is always a best security practice to use a non-root user to perform server administration. This brief tutorial explains how to add, delete and grant sudo privileges to users in FreeBSD operating systems.

All steps given below are tested on a freshly installed FreeBSD 13 server edition.

Prerequisites

To follow along, make sure you have,

  • Root access to your FreeBSD system,
  • Password of the root user.

1. Install Sudo In FreeBSD

The sudo is a special program that allows you to elevate the ability of a normal user to run administrative tasks, without giving away the root user's password in Linux and Unix operating systems.

In minimal FreeBSD installation, the sudo program is not installed by default.

To install sudo package on your FreeBSD system, run:

# pkg install sudo

You can also install sudo from the Ports Collection as well.

To install sudo from ports, run:

# cd /usr/ports/security/sudo/
# make install clean

2. Create A New User In FreeBSD

Log in as root user:

# ssh root@<ip-address-of-freebsd>

Create a new regular user, for example ostechnix, using adduser command:

# adduser

You will be prompted to answer a couple questions, such user name, full name, login group name, login class, default shell etc. Mostly the default values are just fine. Press ENTER key to accept the defaults values and type your password twice.

Username: ostechnix
Full name: Ostechnix
Uid (Leave empty for default): 
Login group [ostechnix]: 
Login group is ostechnix. Invite ostechnix into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh nologin) [sh]: 
Home directory [/home/ostechnix]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: 
Use an empty password? (yes/no) [no]: 
Use a random password? (yes/no) [no]: 
Enter password: 
Enter password again: 
Lock out the account after creation? [no]: 
Username : ostechnix
Password : *****
Full Name : Ostechnix
Uid : 1001
Class : 
Groups : ostechnix 
Home : /home/ostechnix
Home Mode : 
Shell : /bin/sh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (ostechnix) to the user database.
Add another user? (yes/no): no
Goodbye!
Create An User In FreeBSD
Create An User In FreeBSD

We just created a normal user called "ostechnix". This is a non-root user, so we can't perform any administrative tasks using this user.

To verify if an user has sudo privilege, run:

# sudo -lU ostechnix
User ostechnix is not allowed to run sudo on freebsd.

Replace "ostechnix" in the above command with your own username.

As you can see in the above output, the user "ostechnix" doesn't have sudo access. So let us go ahead and assign sudo access to this user.

3. Grant Sudo Privileges To Users In FreeBSD

You can grant sudo privileges to a single user or group of users at once.

3.1. Assign Sudo Privileges To A Single User

Edit sudoers file using the following command as root user:

# visudo

Scroll down till you find following entry:

root    ALL=(ALL)       ALL

Right after the above entry, add the following line:

ostechnix ALL=(ALL)       ALL

In the above line, replace "ostechnix" with your own. Press ESC key and type :wq and then press ENTER to save the file and close it. Log out and log back in to update the changes.

Congrats! The user "ostechnix" is given the sudo rights and he can now run any commands on any hosts.

3.2. Assign Sudo Privileges To A Group

In order to assign sudo access to a group of non-root users, simply add them to the wheel group using the following command.

# pw group mod wheel -m ostechnix

Again, replace "ostechnix" with your own user name.

Next make sure the members of wheel group can able to run any commands.

To do so, run:

# visudo

Make sure the following line is present and uncommented.

%wheel ALL=(ALL:ALL) ALL
Allow Wheel Group Members To Run Any Commands
Allow Wheel Group Members To Run Any Commands

Press ESC and type :wq and press ENTER to save the file and close it.

Now the members of the wheel group can run any command on any hosts.

4. Verify Sudo Access

Verify if the user is given the sudo access using the following command as root user.

# sudo -lU ostechnix
User ostechnix may run the following commands on freebsd:
    (ALL : ALL) ALL

If you see the line ALL=(ALL) ALL in the above output, the user (i.e. "ostechnix") can perform any commands on any host.

5. Run Administrative Commands

Log out from the current session and log back in as the newly created sudo user.

Alternatively, you can directly switch to the other user, without having to log out from the current session, using the following command:

# sudo -i -u ostechnix
Switch To A New User In FreeBSD
Switch To A New User In FreeBSD

Now, verify if the user can able to perform any administrative task with sudo permission:

Run Pkg Command With Sudo
Run Pkg Command With Sudo

As you can see in the above output, the user "ostechnix" can run an administrative command with sudo access.

5.1. View User's Privileges

You can verify what commands the users are allowed to run using the following command.

$ sudo -l

Or,

$ sudo -ll

Sample Output:

User ostechnix may run the following commands on freebsd:

Sudoers entry:
    RunAsUsers: ALL
    RunAsGroups: ALL
    Commands:
	ALL

6. Delete Sudo Access From An User

Log out from the user whom you want to revoke the sudo privilege from and login as root user.

If you have assigned sudo access to a single user, edit sudoers files:

# visudo

Remove the following entry from sudoers file:

ostechnix ALL=(ALL)       ALL
Remove Sudo Access From An User
Remove Sudo Access From An User

Save the file and close it.

If you want to remove sudo access of a wheel group member, simply remove him/her from the group.

Log in as root user and run the following command to remove the sudo privilege from the user called "ostechnix".

# pw groupmod wheel -d ostechnix

Now the user "ostechnix" is no longer the member of the "wheel" group, so he can't perform any administrative tasks with sudo access.

You can verify it with command:

# sudo -lU ostechnix
User ostechnix is not allowed to run sudo on freebsd.

Conclusion

In this guide, we discussed how to install Sudo program and how to create non-root user(s) with sudo permission in FreeBSD. We also looked at how to delete sudo access from an user or group of users in FreeBSD.

As stated in the introductory section, it is always a best practice to add a normal user with sudo rights and avoid performing administrative tasks as root user.

You May Also Like

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More