Ugacomp

How to grant sudo privileges to a user in Linux?

Where necessary, you may need to have access to a VPS server so you can follow how to implement the steps in this article.  You can get a cheaper VPS Server from Contabo with 4vCPU cores, 8GM RAM, and 32TB Bandwidth for less than $5.50 per month. Get this deal here now

Table of Contents

Cloud VPS S

$5.50 Monthly
  • 4 vCPU Cores | 8GB RAM

CLOUD VPS M

$15.50 Monthly
  • 6 vCPU Cores | 16GB RAM

CLOUD VPS L

$17.50 Monthly
  • 8 vCPU Cores | 24GB RAM

Linux systems provide a robust security model that allows administrators to control access to various system resources. This type of previllaged access is the sudo (superuser do) command, which enables authorized users to execute commands as another user, typically the superuser. In this guide, we will walk through the process of granting sudo privileges to a user in Linux.

Step 1: Accessing the sudoers File

The sudoers file, located at /etc/sudoers, contains the configuration for sudo. It is crucial to edit this file with caution, as any errors can lead to access issues. To modify the file, open a terminal and use a text editor like nano or vim:

sudo visudo

This command opens the sudoers file in a safe manner, preventing multiple users from editing it simultaneously.

Here is the sample output of the doers file after running the above command:

# Sample sudoers file

# User privilege specification
username   ALL=(ALL:ALL) /bin/ls, /usr/bin/apt-get
# Allow the user to execute only 'ls' and 'apt-get' commands

# Time-based restrictions
username   ALL=(ALL:ALL) ALL, !/usr/bin/passwd : 12:00-13:00, !/sbin/reboot
# User can't run 'passwd' and 'reboot' commands between 12:00 PM and 1:00 PM

# Defaults specification
Defaults logfile=/var/log/sudo.log
# Log sudo activities to /var/log/sudo.log

Step 2: Adding a User Entry

Once inside the sudoers file, you can add a line to grant sudo privileges to a specific user. Look for the section that begins with “# User privilege specification” and add the following line, replacing ‘username’ with the actual username:

username   ALL=(ALL:ALL) ALL

This line allows the specified user to run commands as any user on any host.

Step 3: Saving and Exiting

After adding the user entry, save the changes and exit the text editor. If you’re using nano, press Ctrl + X, then press Y to confirm the changes, and finally, press Enter. If you’re using vim, type :wq and press Enter.

Step 4: Verifying Sudo Access

To ensure that the user now has sudo privileges, open a new terminal window and attempt to run a command with sudo:

sudo ls /root

Replace /root with any directory or command you want to execute with superuser privileges. If the configuration is correct, you’ll be prompted to enter the user’s password, and the command will be executed with sudo.

Specifying Command Restrictions

In some scenarios, you may want to restrict a user’s sudo access to specific commands. This fine-grained control enhances security. Modify the sudoers file to allow a user to execute only certain commands:

username   ALL=(ALL:ALL) /bin/ls, /usr/bin/apt-get

The line “username ALL=(ALL:ALL) /bin/ls, /usr/bin/apt-get” in the sudoers file grants the user with the specified username the ability to execute the ‘ls’ command in the ‘/bin’ directory and the ‘apt-get’ command in the ‘/usr/bin’ directory with superuser privileges. The syntax “(ALL:ALL)” signifies that the user can run these commands as any user and from any host. This configuration provides a controlled and limited sudo access, allowing the user to perform specific tasks essential for system management.

Replace /bin/ls and /usr/bin/apt-get with the actual commands you want to permit.

Setting Time-Based Restrictions

To add a time-based constraint to sudo privileges, use the following syntax in the sudoers file:

username   ALL=(ALL:ALL) ALL, !/usr/bin/passwd : 12:00-1:00, !/sbin/reboot

This example restricts the user from executing the passwd command and rebooting the system between 12:00 PM and 1:00 PM.

Revoking Sudo Access

If you need to revoke sudo access for a user, simply remove or comment out the corresponding line in the sudoers file:

# username   ALL=(ALL:ALL) ALL

This effectively removes the user’s sudo privileges.

Checking Sudo Configuration

To validate the syntax of the sudoers file without saving changes, use the visudo command with the -c option:

sudo visudo -c

This command checks the file for syntax errors, ensuring that the sudoers file remains intact.

Logging Sudo Activities

Enabling sudo logging provides an audit trail of user activities. Open the sudoers file and add the following line:

Defaults logfile=/var/log/sudo.log

This directs sudo to log its activities to the specified file.

Hire us to handle what you want

Hire us through our Fiverr Profile and leave all the complicated & technical stuff to us. Here are some of the things we can do for you:

  • Website migration, troubleshooting, and maintenance.
  • Server & application deployment, scaling, troubleshooting, and maintenance
  • Deployment of Kubernetes, Docker, Cloudron, Ant Media, Apache, Nginx,  OpenVPN, cPanel, WHMCS, WordPress, and more
  • Everything you need on AWS, IBM Cloud, GCP, Azure, Oracle Cloud, Alibaba Cloud, Linode, Contabo, DigitalOcean, Ionos, Vultr, GoDaddy, HostGator, Namecheap, DreamHost, and more.
 

We will design, configure, deploy, or troubleshoot anything you want. Starting from $10, we will get your job done in the shortest time possible. Your payment is safe with Fiverr as we will only be paid once your project is completed.