Assigning sudo privilege to users on Linux

The sudo command is a very important command on Linux systems. You might say that it allows users to run privileged commands without logging in as root, and that is true. However, the more important point is that it allows individuals to manage Linux systems – adding accounts, running updates, installing applications and backing up the system – without requiring these things be done using the root account. This is consistent with the policy that says root privilege should only be used as needed and that no one should simply log in as root and run all of their commands. Doing routine work using the root account is considered dangerous because any typos or commands run in the wrong location can have very serious consequences.

On Fedora

To provide a user with sudo privileges on Fedora and related systems, the user must be made a member of the “wheel” group. While that might seem like an odd name for the group that provides root-level privilege, it appears to have been derived from the term “big wheel” that was used for many years to describe someone with considerable power or influence.

The process of assigning someone sudo privileges often starts with setting up the user’s account if it doesn’t yet exist, verifying the account and assigning a password (generally a temporary one) with commands like these:

$ sudo adduser newuser
$ id newuser
$ sudo passwd newuser

Afterward, you can add the user to the wheel group and verify the addition with commands like these:

$ sudo usermod -aG wheel newuser
$ grep wheel /etc/group
wheel:x:10:jdoe,shs,newuser

Once sudo privileges have been assigned in this way and verified, the user should be able to run some tests and verify that the sudo command works as expected. Note that one doesn’t need to run a privileged command to verify that sudo works for them. Given the setup just described, any command can be run as root using sudo. Here’s an example. Notice that the command requires that users supply their passwords.

$ sudo date
[sudo] password for newuser ;
Mon July 25 12:18:47 PM EDR 2023

Afterwards, the user will be able to run arbitrary commands with root privilege. In addition, if the user runs one command using sudo, additional sudo commands can be run without requiring the password to be supplied again for something like 15 minutes.

On Ubuntu

The process for giving users sudo privileges on Ubuntu and related systems is only a little different. First, add the user with a command like this:

$ sudo adduser nemo

Next, set up the user with sudo access like those shown below. Add the user to the sudo group:

$ sudo adduser nemo sudo

You can then check that the user has been added to the group with a command like this:

$ grep sudo /etc/group
sudo:x:27:shs,nemo

Forcing password changes

If you want a user to change his/her password at any point, you can expire the current password with a command like what is shown below.

$ sudo passwd –expire username

The user will then be able to log in with their current password and change to a new password after the login.

Wrap-up

Giving users the ability to run any command as root is not the only thing that you can do with sudo. You can select what commands a user can run to limit these privileges to what is required by their assigned tasks. To learn more about this, check these older posts:

Selectively deploying your superpowers on Linux

Building command groups