This tutorial explains how to add, delete and grant Sudo privileges to users in Ubuntu Linux operating system. The guide is officially tested on Ubuntu 22.04 and 20.04 LTS editions. However, the steps provided below are same for other Ubuntu-based distributions such as Pop!_OS.
Before getting into the topic, let us see what is sudo and its benefits.
Table of Contents
1. What is Sudo?
In Linux and Unix operating systems, there is a special user called - root. The root
user can do anything and everything in a Unix-like system.
Using root user for the day to day activities can be dangerous and it is not recommended. One wrong command can destroy the whole system! This is where the "sudo" comes in help.
Sudo allows the authorized users to perform tasks with root-level privileges, even if they don't know the root user password.
This is why it is important to create a regular user and add him to sudo user group to perform administrative tasks. Hence, this user can act as both regular user and administrative user when running commands prefixed with sudo.
2. Benefits of Being Sudo
- You don't have to share the root password with other users.
- The users' need not to know the root user password to perform administrative tasks.
- When doing an administrative task, the users will be prompted for the sudo password before any changes can happen in the system. It should make the users to think about the consequences of what they are doing.
- The admin rights can be easily granted to the users and revoked at any time if they no longer required.
- Some Linux distributions, for example Ubuntu, disables the root user by default. So there is no way to launch brute-force attacks on the root user. Even if someone try, it would be pointless. Because there is no root password to crack.
- More importantly, the sudo session will be timed-out after a short period. Just in case if you left the terminal open after running some commands with sudo permission, the authentication automatically expires. Hence, the other users can't do any further administrative tasks. By default, the sudo password is remembered for 15 minutes in the current session. After that, you need to enter the password again.
- You can monitor the sudo users' command line activity. sudo adds a log entry of the commands run by the users in /var/log/auth.log file. If there is a problem, you can look into those commands and try to figure out what went wrong.
These are a few advantages of being a sudo user. Now, let us go ahead and see how to add, delete and grant Sudo privileges to users in Ubuntu Linux.
First, we will create a regular user.
3. Add New User in Ubuntu Linux
First, let us create a regular user, for example "senthil".
To do so, run:
$ sudo adduser senthil
Replace "senthil" with your own username.
Sample output:
Adding user `senthil' ... Adding new group `senthil' (1001) ... Adding new user `senthil' (1001) with group `senthil' ... Creating home directory `/home/senthil' ... Copying files from `/etc/skel' ... New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: password updated successfully Changing the user information for senthil Enter the new value, or press ENTER for the default Full Name []: Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [Y/n] y
We just created a new user called "senthil". This user has not been given sudo access yet. So he can't perform any administrative tasks.
You can verify if an user has sudo access or not like below.
$ sudo -l -U senthil
Sample output:
User senthil is not allowed to run sudo on ubuntu2204.
4. Grant Sudo Privileges to Users in Ubuntu Linux
Add the newly created user to sudo group using the following command:
$ sudo adduser senthil sudo
Sample output:
Adding user `senthil' to group `sudo' ... Adding user senthil to group sudo Done.
We granted sudo permission to the user "senthil".
You can also the following command to add a user to sudo group.
$ sudo usermod -aG sudo senthil
To verify if the user is added in the sudo group, run:
$ sudo -l -U senthil
Sample output:
Matching Defaults entries for senthil on ubuntu2204: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty User senthil may run the following commands on ubuntu2204: (ALL : ALL) ALL
Here, the "(ALL : ALL) ALL" line means that the user has unlimited privileges and can run any command on the system. In our case, the "senthil" user has been added to the sudo user group . From now on, he can perform all sort of administrative tasks.
If you open the contents of the sudoers file;
$ sudo cat /etc/sudoers
You would see some lines like below.
# User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "@include" directives: @includedir /etc/sudoers.d
As you can see in the above output, all members of the sudo group can execute any command.
- The first ALL is the users allowed.
- The second ALL is the hosts. If you distribute the same "sudoers" file to many host computers, the user can do administrative commands on all hosts.
- The third one is the user as you are running the command.
- The last one is the commands allowed.
Note: In some Linux systems, for example Arch Linux, you need to install "sudo" package before creating a new sudo user.
# pacman -S sudo
On Debian:
# apt install sudo
On Ubuntu desktop and server editions, "sudo" is installed by default.
5. Verify Sudo Users
To verify if the user can able to perform administrative tasks, log out and log back in as the new user.
Alternatively, you can instantly switch to another user, without having to log out from the current session, like below.
$ sudo -i -u <username>
Example:
$ sudo -i -u senthil
We switched to the user "senthil".
Now, run any commands with prefix "sudo" like below.
$ sudo apt update
Yes, the user "senthil can able to run administrative commands with sudo privileges.
6. Delete Sudo Access From Users
You can remove sudo permissions from a user without having to delete him/her completely.
Caution: You must be careful when doing this in Ubuntu systems. Do not remove the real administrator from the "sudo" group. There should be at least one sudo user in the system.
First, make sure you're logged out from the user "senthil" session and logged in as another sudo user.
To revoke sudo permissions from a user (E.g. senthil), the command would be:
$ sudo deluser senthil sudo
The above command will remove the user called "senthil" from the "sudo" group.
Sample output:
Removing user `senthil' from group `sudo' ... Done.
Please note that this command will only remove the user 'senthil' from the sudo group, but it will not delete the user permanently from the system.
Alternatively, run the following command to revoke the sudo permission from the user:
$ sudo gpasswd -d senthil sudo
Now, the user becomes a regular user and can't do any administrative tasks with sudo permission.
To verify if the user has really been removed from "sudo" group, run:
$ sudo -l -U senthil
Sample output:
User senthil is not allowed to run sudo on ubuntu2204.
The sudo permission has been removed from the user.
7. Delete Users Permanently
In the above step, we have only removed the users from the "sudo" group. But the user still exists in the system. To remove a user completely from a Linux system, log in as root or sudo user and run:
$ sudo deluser <username>
Example:
$ sudo deluser senthil
If you want to remove a user along with their home directory and mail spool, run:
$ sudo deluser --remove-home senthil
Sample output:
Looking for files to backup/remove ... Removing files ... Removing user `senthil' ... Warning: group `senthil' has no more members. Done.
For more details, check man pages for adduser
, deluser
and sudo
commands.
$ man adduser
$ man deluser
$ man sudo
This guide is also available for other Linux distributions. Check the following guides to add, delete and grant sudo privileges to users in Alpine Linux, Arch Linux, CentOS and Fedora Linux distributions.
8. Cheatsheet
Here is a cheatsheet for granting sudo privileges for users in Ubuntu Linux. Download it and keep it near your desk for quick reference.
9. Conclusion
In this detailed tutorial, we looked at several important things about sudo. First, we gave you a brief introduction to sudo and its benefits. Then we discussed how to add, delete and grant sudo privileges to users in Ubuntu 22.04 LTS operating system. Finally, we saw how to revoke the sudo permission and how to delete the user permanently.
Even though, it is specifically written for Ubuntu, this method is quite same for other Ubuntu-based and DEB-based systems.
.