First, what is a sudo user or a sudoer?

When a normal Linux user is moved into that special group that turns the wheel and is granted "sudoer" rights, he or she gains immense powers and can make system-wide changes.

These changes can wreck or uplift the experience of everyone using the system.

Using sudo is better (safer) than opening a session as root for a number of reasons, including:

  • nobody needs to know the root password (sudo prompts for the current user's password). Extra privileges can be granted to individual users temporarily and then taken away without the need for a password change.
  • it's easy to run only the commands that require special privileges via sudo; the rest of the time, you work as an unprivileged user, which reduces the damage that mistakes can cause.
  • auditing/logging: when a sudo command is executed, the original username and the command are logged.

How to create a sudo user on Ubuntu and Debian-based Linux distributions

This guide will show you the easiest way to create a new user with sudo access on Ubuntu and Debian-based Linux distributions without having to modify your server's sudoers file.

The commands used here are standard Linux commands and should be installed on most Linux distributions by default.

The guide is by no stretch of the imagination exhaustive, but if anything is unclear, or if you wish to extend what you intend to do, the man pages and search engines will be great sources of light.

Step 1: Log in to your server as the root user.

# ssh root@server_ip_address

Verifying sudo membership

It is always a good practice to verify before you run any command on a production system.

So, once logged in as a user, you can verify whether or not the user belongs to the sudo group using either the id or groups command.

$ groups

Step 2: Create a new user if it doesn’t exist already.

The first step in creating a sudo user is to create a normal user. Linux will set up the necessary permissions for the user to read and write files and execute programs.

If you are interested, I advise reading our article on Linux file permissions for a better understanding of this subject.

Note: Adding a new user will also create a user group named the same as the user.

To create a user, you must be a "sudo" user or the almighty "root".

This is to ensure that only people who have rights over the system, or are in charge of protecting it, create new users and nobody else.

# adduser username

OR

$ sudo adduser username

You will be prompted for a password. Set and confirm the new user's password at the prompt. A strong password is highly recommended, and you can generate one with most password managers!

It may be worth noting that when you type your password, it will be invisible, but you can still use delete or backspace whenever you like.

The process will also ask for details such as full name, phone numbers and others. Follow the prompts to set the new user's information.

It is fine to accept the defaults to leave all of this information blank. After confirmation, the user will be created successfully.

You can see that the user has been created by running either of the following commands:

ls /home/

OR

cat /etc/passwd | grep username

Step 3: Add user to sudoers

Once the user is created, or if it is an existing user, use the "usermod" command to add the user to the sudo group.

The usermod command modifies the system account files to reflect the changes that are specified on the command line.

sudo usermod -aG sudo username

If you run this without the "-a" option and the user is currently a member of a group that is not listed, the user will be removed from that group when you run this command. With the "-a" option, the named group is appended to the user's current group list.

You must also make certain that the named user is not executing any processes when this command is run if the user's numerical user ID, the user's name, or the user's home directory is being changed. usermod checks this on Linux, but on other architectures it only checks whether the user is logged in according to utmp.

You must change the owner of any crontab files or jobs manually.

The -G option lists the groups to which the user is to be added. In our case it is "sudo", so it is given directly on the command line.

Step 4: Test sudo access for the new user

You can do this by using the su command to switch to the new user account.

The su (short for substitute user) command makes it possible to change a login session's owner (i.e., the user who originally created that session by logging on to the system) without the owner having to first log out of that session.

Although su can be used to change the ownership of a session to any user, it is most commonly employed to change the ownership from an ordinary user to the root (i.e., administrative) user, thereby providing access to all parts of and all commands on the computer or system.

For this reason, it is often referred to (although somewhat inaccurately) as the superuser command.

It is also sometimes called the switch user command.

$ su - username

OR

$ su -l username

OR

$ su --login username

Another major benefit of using "su" is that a record is kept of its usage in a system log, typically /var/log/messages.

This is particularly valuable if there are multiple administrators for the system (each of whom should have an individual username and password) because it facilitates finding out who was doing what and when. /var/log/messages records the username and user ID (UID) of the user that opens a su session as well as the times that the session is opened and closed.

However, su does not keep a record of what is actually done as root, and such information must, therefore, be obtained from other sources.

The contents of /var/log/messages can be viewed by first using su to switch to the root account and then issuing the following command:

tail /var/log/messages

It is convenient to use the tail command here because it shows the last part of a file, rather than starting at the beginning as commands such as cat (possibly the most commonly used command for reading text files) do.

As /var/log/messages can be a rather long file, this can save a lot of scrolling.

tail prints (i.e., writes to the terminal) the final ten lines by default, but this can easily be adjusted by using the -n option followed by a space and an integer representing the desired number of lines.

For example, the following command would print the final 20 lines of /var/log/messages:

tail -n 20 /var/log/messages

OK!

Now that you are the new user, verify that you can use sudo by prepending "sudo" to the command that you want to run with superuser privileges.

sudo whoami

sudo yum check-update

or any other command that requires root.

The first time you use sudo in a session, you will be prompted for the password of the user account. Enter the password to proceed.

If your user is in the proper group and the password is correct, the command that you issued with sudo should run with root privileges.

Run the exit command to leave the user shell and return to your own account, or to log out of the system.

However, if you want to limit which programs the user can execute, you can do so in /etc/sudoers.

It is important to note that improper syntax in the /etc/sudoers file can leave you with a system where it is impossible to obtain elevated privileges, so it is important to use the "visudo" command to edit the file.

The visudo command opens a text editor like normal, but it validates the syntax of the file upon saving.

This prevents configuration errors from blocking sudo operations, which may be your only way of obtaining root privileges.

You can manually check the syntax by using:

visudo -c

The best practice is to put your local changes in the new /etc/sudoers.d/ location as a uniquely named file such as /etc/sudoers.d/local-sudoers since changes made to files in /etc/sudoers.d remain in place if you upgrade the system.

You can see that the file ends with this line:

#includedir /etc/sudoers.d

which may look as if it needs to be edited to take out the leading number sign (a.k.a. "hash" or "pound").

But nope, the '#' is part of the directive!

Using this directory makes it easy to see which privileges are associated with which accounts and to revoke them easily without having to manipulate the /etc/sudoers file directly.

It is also easier for automated tools (such as Chef or Puppet) to drop individual files into this directory, rather than making changes to /etc/sudoers, which might be fragile.


# visudo -f /etc/sudoers.d/somefilename
	

Or, if needed:

$ sudo visudo -f /etc/sudoers.d/somefilename
	
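The membership check from the "Verifying sudo membership" section and the #includedir drop-in rule above, as an added shell example that is not part of the original article: it reads an /etc/group-style file (a constructed sample here, not the real /etc/group) to tell whether a user is listed in the sudo group, and checks whether a drop-in name will actually be read, since sudoers(5) skips files in /etc/sudoers.d whose name contains a '.' or ends in '~'. The user names, the sample file and the two helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.

# is_in_group GROUPFILE USER GROUP
# Returns 0 if USER appears in GROUP's member field of an /etc/group-style file.
# Note: a user whose *primary* group (from /etc/passwd) is GROUP is not listed
# here, which is why `id`/`groups` are the authoritative check on a live system.
is_in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# dropin_name_ok NAME
# Returns 0 if /etc/sudoers.d/NAME will be read by "#includedir /etc/sudoers.d".
# sudoers(5) silently ignores names containing '.' (e.g. local-sudoers.conf,
# editor backups like local-sudoers.bak) and names ending in '~'.
dropin_name_ok() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Constructed sample standing in for /etc/group (assumed users alice, bob).
GROUPFILE=$(mktemp)
trap 'rm -f "$GROUPFILE"' EXIT
cat > "$GROUPFILE" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice,bob
alice:x:1000:
EOF

is_in_group "$GROUPFILE" alice sudo && echo "alice is in the sudo group"
is_in_group "$GROUPFILE" carol sudo || echo "carol is not in the sudo group"
dropin_name_ok local-sudoers        && echo "local-sudoers will be read"
dropin_name_ok local-sudoers.conf   || echo "local-sudoers.conf is silently ignored"
```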