Managing user privileges is very important for system security and administration. In this comprehensive guide, you'll learn how to add, delete, and grant sudo privileges to users in Red Hat Enterprise Linux (RHEL) and its popular clones like AlmaLinux and Rocky Linux.
We'll cover everything from basic concepts to advanced user management techniques.
Table of Contents
What is Sudo?
Sudo stands for "Super User Do" or "Switch User Do". It's a powerful command-line utility that allows regular users to execute commands with elevated privileges.
Instead of logging in as the root user, sudo lets you run specific commands as another user, typically root.
When you use sudo, the system checks your permissions first. Then, if you have the right privileges, it runs the command with administrative access. This approach provides better security than using the root account directly.
The sudo system works through a configuration file called /etc/sudoers. This file contains rules that determine which users can run which commands. Furthermore, it logs all sudo activities for security auditing purposes.
Advantages of Sudo Users
Using sudo offers several important benefits for system administration:
1. Enhanced Security
First, sudo reduces security risks by limiting root access. Users only get administrative privileges when they specifically need them. Additionally, each command runs with elevated permissions for just that single operation.
2. Better Accountability
Every sudo command gets logged with timestamps and user information. This logging helps administrators track who performed which administrative tasks.
Consequently, you can easily audit system changes and investigate security issues.
3. Granular Control
Administrators can grant specific permissions to different users. For example, one user might only restart services, while another can install software. This flexibility allows precise control over user capabilities.
4. Reduced Human Error
Since users work with their regular accounts most of the time, they're less likely to make mistakes with administrative commands.
Moreover, the sudo prompt serves as a reminder that you're about to run a privileged command.
Add a New User in RHEL, AlmaLinux and Rocky Linux
Creating new users in RHEL-based systems is straightforward. Here's how to add a user step by step:
First, log in as root or use sudo to run administrative commands (If you already have another user with sudo privilege).
I already have a sudo user in my system, so I am going to prepend sudo before all commands. When you log in as the root user in RHEL, AlmaLinux, Rocky Linux, or any Linux distribution, you don’t need to do it.
Then, use the useradd command to create a new user (E.g. senthil):
sudo useradd -m senthil
The -m flag creates a home directory for the new user.
Please replace "senthil" with your actual username in this and the subsequent commands.
NOTE:
If you log in as the root user in RHEL, AlmaLinux, Rocky Linux, or any Linux distribution, you don’t need to prependsudobefore commands because you're already operating with full administrative privileges.
Next, set a password for the user:
sudo passwd senthil
You will be prompted to enter and confirm the new password. Choose a strong password that meets your organization's security requirements.
Alternatively, you can create a user with additional options:
sudo useradd -m -s /bin/bash -c "Senthilkumar Palani" senthil
This command creates a user with bash as the default shell and adds a comment with the full name. In this case, the full name is Senthilkumar Palani and the username is senthil.
3.1. Check Sudo Privileges for a Specific User
After creating a user, you might want to check their current sudo privileges. Here are a few methods to verify user permissions:
Method 1: Using the sudo -l command
To check the sudo privileges of an user, run:
sudo -lU senthil
This command lists all commands the current user can run with sudo.
If the user has no sudo privileges, you'll see an error message like below.
User senthil is not allowed to run sudo on Almalinux9CT.
Method 2: Check group membership
In RHEL and its clones, users in the wheel group typically have sudo access:
groups senthil
If the output includes "wheel", then the user has sudo privileges.
Method 3: Examine the sudoers file
You can also check the /etc/sudoers file directly:
sudo grep senthil /etc/sudoers
Please be careful when examining this file, as incorrect modifications can break sudo access.
Grant Sudo Privileges to Users in RHEL, AlmaLinux and Rocky Linux
There are several ways to grant sudo privileges to users. Let's explore the most common and recommended methods:
Method 1: Add User to the Wheel Group (Recommended)
The easiest way to grant sudo access is by adding the user to the wheel group:
sudo usermod -aG wheel senthil
Again, replace senthil with your actual username.
The -aG flags add the user to the group without removing them from other groups. This method is preferred because it's simple and follows RHEL conventions.
After adding the user to the wheel group, they need to log out and log back in for the changes to take effect.
After logging in, check if the user has sudo privileges using command:
sudo -lU senthil
Sample Output:
Matching Defaults entries for senthil on Almalinux9CT:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User senthil may run the following commands on Almalinux9CT:
(ALL) ALL
Method 2: Edit the Sudoers File
For more granular control, you can edit the /etc/sudoers file directly. However, always use the visudo command for editing:
sudo visudo
This command opens the sudoers file in a safe editor that checks syntax before saving. Add the following line to grant full sudo access:
senthil ALL=(ALL) ALL
Alternatively, you can grant specific permissions. For example, to allow only service management:
senthil ALL=(ALL) /bin/systemctl
Method 3: Create a Custom Sudoers File
Instead of modifying the main sudoers file, you can create a custom file in /etc/sudoers.d/:
echo "senthil ALL=(ALL) ALL" | sudo tee /etc/sudoers.d/senthil
This approach keeps custom rules separate from the main configuration. Furthermore, it makes management easier and reduces the risk of conflicts.
How to Find All Sudo Users on the System
Identifying all users with sudo privileges is important for security auditing. Here are a few ways methods to find sudo users:
Method 1: List Wheel Group Members
Since wheel group members typically have sudo access, list them first:
getent group wheel
This command shows all users in the wheel group.
Sample Output:
wheel:x:10:ostechnix,senthil
Method 2: Parse the Sudoers File
You can search the main sudoers file for user entries:
sudo grep -E '^[^#]*ALL' /etc/sudoers
This command finds lines that grant permissions to users or groups.
Method 3: Check Sudoers Directory
Look for custom sudoers files in the /etc/sudoers.d/ directory:
sudo ls -la /etc/sudoers.d/ sudo cat /etc/sudoers.d/*
These commands list and display custom sudoers configurations.
Method 4: Use a Custom Bash Script
Here's a simple script that combines multiple methods:
#!/bin/bash
echo "=== Wheel Group Members ==="
getent group wheel | cut -d: -f4 | tr ',' '\n'
echo -e "\n=== Custom Sudoers Files ==="
sudo find /etc/sudoers.d -type f -exec basename {} \;
echo -e "\n=== Sudoers File Entries ==="
sudo grep -E '^[^#]*ALL' /etc/sudoersVerify Sudo Privilege of Users
After granting sudo privileges, it's important to verify that everything works correctly. Here are different ways to test sudo access:
Test 1: Use sudo -l Command
To verify sudo privilege of an user, run:
sudo -lU senthil
You will see an output like below:
Matching Defaults entries for senthil on Almalinux9CT:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User senthil may run the following commands on Almalinux9CT:
(ALL) ALL
As you can see, the user can run ALL commands in the system.
Test 2: Switch to the User and Test
First, switch to the user account:
sudo su - senthil
Then, try running a command that requires root privileges:
sudo whoami
If the output shows "root", then sudo is working correctly.
Test 3: Run a System Command
Test with a typical administrative command:
sudo systemctl status sshd
This command should run without errors if the user has proper sudo access.
Test 4: Check Sudo Logs
View recent sudo activity in the system logs:
sudo grep sudo /var/log/secure
This shows all recent sudo commands, including successful and failed attempts.
Test 5: Verify with sudo -v
The sudo -v command checks and updates the user's sudo timestamp:
sudo -v
If this runs without errors, the user has valid sudo privileges.
Remove Sudo Access from Users
Sometimes you need to revoke sudo privileges from users. Here's how to remove sudo access safely:
Method 1: Remove from Wheel Group
If the user got sudo access through wheel group membership, remove them:
sudo gpasswd -d senthil wheel
This command removes the user from the wheel group while keeping them in other groups.
Method 2: Comment Out Sudoers Entries
If you added the user directly to the sudoers file, comment out their entry:
sudo visudo
Find the user's line and add a # at the beginning:
# senthil ALL=(ALL) ALL
Method 3: Remove Custom Sudoers Files
If you created a custom sudoers file for the user, delete it:
sudo rm /etc/sudoers.d/senthil
Method 4: Verify Removal
After removing sudo access, verify that the user can no longer use sudo:
sudo su - senthil sudo whoami
The second command should fail with a permission denied error.
Remove Users Permanently
When you no longer need a user account, you should remove it completely. Here's the proper way to delete users:
Step 1: Check User Processes
First, check if the user has any running processes:
sudo ps -u senthil
If processes are running, either wait for them to finish or terminate them:
sudo pkill -u senthil
Step 2: Remove the User Account
Use the userdel command to remove the user:
sudo userdel senthil
This removes the user account but keeps their home directory.
Step 3: Remove Home Directory and Files
To completely remove all user files, use the -r flag:
sudo userdel -r senthil
Be very careful with this command, as it permanently deletes all user data.
Step 4: Clean Up Remaining Files
Sometimes files owned by the deleted user remain on the system. Find and handle them:
sudo find / -user senthil -exec ls -l {} \; 2>/dev/nullYou can then decide whether to delete these files or change their ownership.
Step 5: Remove from Groups
Check if the user was removed from all groups:
getent group | grep senthil
If the user still appears in groups, remove them manually:
sudo gpasswd -d senthil <groupname>
Frequently Asked Questions (FAQ)
A: Su switches you to another user account (usually root) and keeps you there until you exit. Sudo runs individual commands with elevated privileges and returns you to your regular account immediately.
Additionally, sudo provides better logging and more granular control.
A: Yes, but you might need to set up X11 forwarding properly. Use sudo -H to set the HOME environment variable correctly: sudo -H gedit /etc/hosts
However, running GUI applications as root can be a security risk.
A: Edit the sudoers file and add NOPASSWD: to the user's entry: username ALL=(ALL) NOPASSWD: ALL
Be careful with this setting, as it reduces security significantly.
A: If you have physical access to the machine, you can boot into single-user mode or use a rescue disk. For remote systems, you'll need another user with sudo access or console access through your hosting provider.
A: Review sudo users at least monthly, or whenever someone leaves your organization. Regular auditing helps maintain security and ensures only authorized users have elevated privileges.
A: Yes, you can specify exact commands in the sudoers file: username ALL=(ALL) /bin/systemctl restart httpd, /bin/systemctl status httpd
This gives the user permission to only restart and check the status of the Apache web server.
Conclusion
Managing sudo privileges properly is essential for maintaining a secure RHEL system and well-organized Linux environment.
Throughout this comprehensive guide, we've covered how to add users in RHEL, grant them sudo access, verify their privileges, and remove access when necessary in RHEL, AlmaLinux, and Rocky Linux.
Remember these key RHEL best practices: First, always use the wheel group method for granting sudo access in RHEL and its clones, as it follows industry standards. Second, regularly audit your sudo users to maintain security. Third, use the visudo command when editing sudoers files to prevent syntax errors. Finally, always test sudo access after making changes to ensure everything works correctly.
By following these Linux system administration practices, you'll maintain a secure RHEL environment while giving users the access they need to do their jobs effectively.
Whether you're managing a single server or a large enterprise environment, these RHEL user management techniques will serve you well in your Linux administration tasks.
Found this guide helpful? Have questions or suggestions? Leave a comment below or contact us through our support channels.
Similar Read:
- Add, Delete And Grant Sudo Privileges To Users In Debian
- Add, Delete And Grant Sudo Privileges To Users In Alpine Linux
- Add, Delete And Grant Sudo Privileges To Users In Arch Linux
- Add, Delete And Grant Sudo Privileges To Users In CentOS
- Add, Delete And Grant Sudo Privileges To Users In Fedora
- Add, Delete And Grant Sudo Privileges To Users In Ubuntu
- How To Allow Or Deny Sudo Access To A Group In Linux
