How to Add User to Sudoers File in Linux

In linux
Tech reviewed: Deepak Prasad
How to Add User to Sudoers File in Linux

The sudoers file controls who can run commands with sudo, which user they can run those commands as, whether a password is required, and which commands are allowed or denied. Use sudoers rules when you need custom sudo permissions, not just broad administrator access.

This article focuses on /etc/sudoers and /etc/sudoers.d rules. If your goal is simply to give a trusted user full admin sudo access, use the group method instead: add user to sudo group in Linux.

IMPORTANT
Always use visudo for sudoers files. A syntax error in sudoers can lock administrators out of sudo access.

Sudo Group vs Sudoers File

Use this distinction to avoid choosing the wrong method:

Requirement Recommended method
Full admin access on Ubuntu/Debian Add user to sudo group
Full admin access on RHEL-family systems Add user to wheel group
Allow only one or a few commands Add a sudoers rule
Allow sudo without password for a command Add NOPASSWD: in sudoers
Use aliases for users, hosts, or commands Add sudoers aliases

The sudoers method is more precise. It is the better option for least-privilege access, automation accounts, service restart permissions, backup jobs, and command-specific delegation.

1. Check That sudoers.d Is Included

Most modern Linux distributions include drop-in files from /etc/sudoers.d through the main sudoers file.

bash 
sudo grep -E '^#includedir|^@includedir' /etc/sudoers

Tested output:

text 
@includedir /etc/sudoers.d

If your system uses #includedir, that is also valid sudoers syntax. In sudoers, the leading # in #includedir is part of the directive, not a normal comment.

2. Create a Test User for Sudoers Validation

The examples below were tested with a temporary user named glc_sudoers_demo.

bash 
sudo useradd -m -s /bin/bash glc_sudoers_demo
id glc_sudoers_demo

Tested output:

text 
uid=1002(glc_sudoers_demo) gid=1002(glc_sudoers_demo) groups=1002(glc_sudoers_demo)

If you need help creating users, see how to create users in Linux.

3. Create a Sudoers Drop-In File with visudo

Use visudo -f to edit a dedicated file under /etc/sudoers.d.

bash 
sudo visudo -f /etc/sudoers.d/glc_sudoers_demo

Add a rule like this:

sudoers 
glc_sudoers_demo ALL=(root) NOPASSWD: /usr/bin/id

This rule allows glc_sudoers_demo to run /usr/bin/id as root without a password. It does not allow every command.

The four main fields are:

Field Meaning in this rule
glc_sudoers_demo User the rule applies to
ALL Host list where the rule applies
(root) Run the command as root
NOPASSWD: /usr/bin/id Allow /usr/bin/id without a password

Use full command paths in sudoers rules. You can find a command path with command -v command_name.

4. Validate the Sudoers File Syntax

Before relying on a sudoers rule, validate it with visudo -cf.

bash 
sudo visudo -cf /etc/sudoers.d/glc_sudoers_demo

Tested output:

text 
/etc/sudoers.d/glc_sudoers_demo: parsed OK

This is one of the most important safety checks. It verifies sudoers syntax without opening the file interactively.

The sudo command examples article covers more day-to-day sudo usage.

5. Verify the User's Sudo Privileges

Use sudo -l -U username to list the privileges sudo sees for a user.

bash 
sudo -l -U glc_sudoers_demo

Tested output:

text 
Matching Defaults entries for glc_sudoers_demo on server1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User glc_sudoers_demo may run the following commands on server1:
    (root) NOPASSWD: /usr/bin/id

This output confirms that the user can run only /usr/bin/id as root without a password.

For more verification methods, see check sudo access for a user in Linux.

6. Test an Allowed Sudoers Command

Run the allowed command as the test user:

bash 
sudo -u glc_sudoers_demo sudo -n /usr/bin/id

Tested output:

text 
uid=0(root) gid=0(root) groups=0(root),981(docker)

The output shows uid=0(root), so the command ran as root. The -n option tells sudo not to prompt for a password, which is useful in automated tests.

7. Confirm That Other Commands Are Not Allowed

The rule allows /usr/bin/id, not every command. When the same user tries another command without an allowed NOPASSWD rule, sudo refuses non-interactive execution.

bash 
sudo -u glc_sudoers_demo sudo -n /usr/bin/whoami

Tested output:

text 
sudo: a password is required

This confirms that the sudoers rule is limited to the command you allowed.

8. Understand Common Sudoers Rule Patterns

Here are common sudoers patterns. Replace usernames and command paths with values from your system.

Allow one command as root:

sudoers 
username ALL=(root) /usr/bin/systemctl restart nginx

Allow a command without password:

sudoers 
username ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx

Allow a group to run a command:

sudoers 
%webadmins ALL=(root) /usr/bin/systemctl restart nginx

Allow a user to run a command as another application user:

sudoers 
username ALL=(deploy) /usr/local/bin/deploy-app

For general user and group management, see add user to group in Linux, usermod command examples, and groupadd command examples.

9. Use Aliases in sudoers

Sudoers aliases keep larger rule sets readable.

sudoers 
User_Alias WEBADMINS = alice, bob
Cmnd_Alias WEB_COMMANDS = /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx
WEBADMINS ALL=(root) WEB_COMMANDS

Alias names are conventionally uppercase. Use aliases when several users or groups need the same command set.

10. Validate Bad Syntax Before It Breaks sudo

This invalid sudoers line is missing a closing parenthesis:

sudoers 
glc_sudoers_demo ALL=(root NOPASSWD: /usr/bin/id

visudo -cf catches the error:

bash 
visudo -cf /tmp/glc_sudoers_bad

Tested output:

text 
/tmp/glc_sudoers_bad:1:28: syntax error
glc_sudoers_demo ALL=(root NOPASSWD: /usr/bin/id
                           ^~~~~~~~~

This is why visudo matters. It prevents broken sudoers syntax from being saved without warning.

11. Best Practices for Sudoers Files

Follow these practices in production:

  • Prefer /etc/sudoers.d/name over editing /etc/sudoers directly.
  • Use visudo -f /etc/sudoers.d/name to edit drop-in files.
  • Validate with visudo -cf /etc/sudoers.d/name after changes.
  • Use full command paths, not bare command names.
  • Grant the smallest command set needed.
  • Avoid broad NOPASSWD: ALL unless there is a strong operational reason.
  • Keep a root session open while changing sudoers on a remote server.
  • Use groups or aliases for teams instead of duplicating many user rules.

For broader Linux file permission context, see Linux file descriptors and permissions basics.

Frequently Asked Questions

1. What is the safest way to add a user to sudoers?

Create a drop-in file under /etc/sudoers.d with visudo -f and validate it with visudo -cf before relying on it.

2. Should I edit /etc/sudoers directly?

Avoid direct edits when possible. Use visudo and prefer files under /etc/sudoers.d so custom rules are isolated from the main sudoers file.

3. How do I give a user passwordless sudo for one command?

Use a sudoers rule such as username ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, replacing the user and command path as needed.

4. What is the difference between sudo group and sudoers file?

The sudo or wheel group usually grants broad admin access. A sudoers file is better for custom rules, limited commands, aliases, and passwordless command-specific access.

5. How do I check whether a sudoers rule is valid?

Run visudo -cf /path/to/file. It reports parsed OK for valid syntax and shows the line and column for syntax errors.

6. How do I list sudo privileges for a user?

Use sudo -l -U username as root or from an account allowed to inspect sudo privileges.

Summary

Use sudoers files when you need custom sudo privileges, command-specific access, passwordless automation for selected commands, or least-privilege admin delegation. Create a drop-in file under /etc/sudoers.d, edit it with visudo -f, validate it with visudo -cf, and confirm the result with sudo -l -U username.

If you only need full administrator sudo access for a trusted user, use the simpler group-based method in add user to sudo group.

Deepak Prasad

R&D Engineer

Founder of GoLinuxCloud with over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels across development, DevOps, …

Certifications
  • Red Hat Certified System Administrator in Red Hat OpenStack
  • Certified Kubernetes Application Developer (CKAD)
  • Red Hat Certified Specialist in Ansible Automation
Expertise
  • Go (programming language)
  • Python (programming language)
  • DevOps
  • Computer Security

Related Articles

Convert Decimal to Fraction [7 Programming Languages]

Convert Decimal to Fraction [7 Programming Languages]
Where to set environment variables in Linux?

Where to set environment variables in Linux?
Add User to Group in Linux Efficiently

Add User to Group in Linux Efficiently
How to PROPERLY delay reboot in Linux?

How to PROPERLY delay reboot in Linux?
Linux File Descriptors [In-Depth Tutorial]

Linux File Descriptors [In-Depth Tutorial]
How to Edit a File in Linux? [SOLVED]

How to Edit a File in Linux? [SOLVED]
Git Fix: error cannot open .git/FETCH_HEAD permission denied (Complete Guide)

Git Fix: error cannot open .git/FETCH_HEAD permission denied (Complete Guide)
PROPERLY recover lost files Linux

PROPERLY recover lost files Linux