In most organizations you will not get root access to the Linux systems; instead you will get sudo-level access. So you might wonder what sudo is and how it can allow you to run only specific commands and not all commands.
This tutorial answers those questions and also shows how to add a user to the sudo group so that the user can perform tasks which would otherwise be allowed only to the root user.
sudo stands for "superuser do", i.e. a normal user gets the power of the superuser, which in Linux is the root user. So using sudo, a normal user can run all those commands which require root-level access.
What is the right method to provide sudo permission to a user?
Before I explain the steps to add a user to either sudoers or the sudo group, you should clearly understand the difference and use the method that fits your requirement.
In Ubuntu and in most Linux distributions you will find a group named "sudo" which is created by default:
# grep sudo /etc/group
sudo:x:27:deepak
and this group will have complete access to execute all root-level commands via /etc/sudoers.
# grep ^%sudo /etc/sudoers
%sudo ALL=(ALL:ALL) ALL
So if you want a specific user to be able to run each and every system command with sudo privilege, you can simply make that user part of the sudo group.
But if you want to narrow down the sudo access, i.e. if you want a user to be allowed to run only some pre-defined specific commands, then you should update your rules inside /etc/sudoers or create a new file inside /etc/sudoers.d.
I hope the difference is now clear and you can choose the right method to add a user to either sudoers or the sudo group.
1. Add user to sudo group
Ironically, to perform this step you will need sudo access or root-level access. I hope you were not thinking of doing it as a normal user, as that would defeat the whole point of implementing security.
So assuming you have sudo or root access, you can use a couple of methods to add a user to the sudo group.
Using usermod command:
sudo usermod -aG sudo username
After the usermod command, the -a (append) and -G (group) parameters should be written. The group name is added first, followed by the user name.
If the -a parameter is not used, the user leaves the groups they already belong to and only joins the sudo group, i.e. the command overwrites all the existing groups instead of appending. We used the -a parameter because we wanted to add the user to a new group.
Using adduser command:
Alternatively, you can use the adduser command to add a user to the sudo group. This command is slightly more verbose and interactive:
sudo adduser username sudo
This command does the same thing as usermod but is often considered more user-friendly for beginners. The user will need to re-authenticate or restart their session to apply these new permissions.
Using gpasswd command:
To add a user to the sudo group with gpasswd, you would use the following command:
sudo gpasswd -a username sudo
Here, -a stands for "add", username should be replaced with the actual user's name, and sudo is the name of the group to which the user is being added.
You can choose any of the above methods, then verify that the user was added to the sudo group:
[foc@rocky9 ~]$ sudo cat /etc/group | grep sudo
sudo:x:27:deepak,foc,faruk
[foc@rocky9 ~]$ groups faruk
faruk : faruk sudo
2. Add user to sudoers
As explained above, use this method if you want to control the level of access given to a user. /etc/sudoers is the main configuration file, and editing it directly is generally not recommended, so we create a new file inside /etc/sudoers.d and manage the sudo policy there.
Use the visudo command when updating /etc/sudoers or any file inside /etc/sudoers.d to avoid any syntax errors that could potentially lock you out of the system.
Suppose you want to allow user deepak to restart the apache2 service. We can create a new rule file for user deepak inside /etc/sudoers.d:
sudo visudo -f /etc/sudoers.d/deepak
and add the following entry:
deepak ALL=NOPASSWD: /bin/systemctl restart apache2
This line allows deepak to execute the systemctl restart apache2 command without a password. I have written a separate article to cover more simple and advanced examples which you can check at How to add user to sudoers with best practices & examples.
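The two methods above can be audited together. The following is an added example, not part of the original tutorial: it reads a group file and sudoers-style files and lists who has unrestricted sudo and who is limited to specific commands. The function names and the constructed sample files are assumptions, and the reader only handles simple one-line rules (no aliases or line continuations).

```shell
#!/bin/sh
# Added example (not from the original page). Simplified sudoers reader:
# one rule per line, no aliases, no line continuations.

# Print "subject<TAB>commands" for every rule line in the given files.
sudoers_rules() {
    awk '/^[ \t]*$/ || /^[ \t]*[#@]/ || /^Defaults/ { next }
    {
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)       # drop "who host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
        gsub(/[A-Z_]+:[ \t]*/, "", spec)     # drop tags such as NOPASSWD:
        print $1 "\t" spec
    }' "$@"
}

# Print members of group $2 listed in group file $1, one per line.
# Users whose *primary* group is $2 are not listed here (that is in passwd).
group_members() {
    awk -F: -v g="$2" '$1 == g && $4 != "" { gsub(/,/, "\n", $4); print $4 }' "$1"
}

# Users who may run ANY command: direct "ALL" rules plus members of every
# %group granted ALL. $1 = group file, remaining args = sudoers files.
full_sudo_users() {
    groupfile=$1; shift
    sudoers_rules "$@" | awk -F'\t' '$2 == "ALL" { print $1 }' |
    while read -r subject; do
        case $subject in
            %*) group_members "$groupfile" "${subject#?}" ;;
            *)  printf '%s\n' "$subject" ;;
        esac
    done | sort -u
}

# Rules that limit a subject to specific commands, as "subject: commands".
restricted_rules() {
    sudoers_rules "$@" | awk -F'\t' '$2 != "ALL" { print $1 ": " $2 }'
}

# Constructed sample files mirroring the lines shown in this tutorial.
demo=$(mktemp -d)
printf '%s\n' 'sudo:x:27:deepak,foc,faruk' 'www-data:x:33:' > "$demo/group"
printf '%s\n' '# constructed sample' 'Defaults env_reset' \
    'root ALL=(ALL:ALL) ALL' '%sudo ALL=(ALL:ALL) ALL' > "$demo/sudoers"
printf '%s\n' 'deepak ALL=NOPASSWD: /bin/systemctl restart apache2' > "$demo/deepak"

echo "Unrestricted:"; full_sudo_users "$demo/group" "$demo/sudoers" "$demo/deepak"
echo "Restricted:";   restricted_rules "$demo/sudoers" "$demo/deepak"
```

With the sample data, deepak appears in both lists: as long as he stays in the sudo group, the command-restricted rule does not narrow what he can run.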
Summary
In this tutorial we learned how to add user to either sudo group or sudoers based on the requirement. To summarise, if you want to provide complete root level access to any user then you can add them to sudo group using different commands such as usermod, adduser, gpasswd etc. But if you want to give controlled access to any user then you should add them to /etc/sudoers using visudo command.
Good Day, I think this documentation is good.
But I think how to add a Domain Group?
I tested
sudo:x:27:%Domainname:lokaladmin
But the System asks to lokaladmin not for my Domain User, that is login and is super user.
Please give an answer.
Greeting
Jan