ºÚÁϺ£½Ç91Èë¿Ú

How To Manage Sudo Users in Other Distributions

Guides on Similar Procedures for Different Linux Distributions

Written by Sean Blanton on August 9, 2024

Share This Article


Contents


Jump to Tutorial

Managing sudo users is one of the most important administrative tasks in any Linux distribution. This process allows a permitted user to run commands as the superuser or another user, defined through security policies. 

This reduces the potential security threat of having unprivileged users run any command on the system, and we can also audit executed commands or apply the least privilege principle. 

In this tutorial, we will cover managing sudo users across different popular Linux distributions such as Debian, Ubuntu, Rocky Linux, and Fedora. This process will further explain adding, removing, and modifying sudo permissions.

Step 1: Adding Sudo Users

Adding Sudo Users in Debian or Ubuntu

In this example, we will use Debian 12 but the same procedure stands for older Debian versions. The same process is valid for any Ubuntu version. Ubuntu is based on Debian and it’s a popular Linux distribution that derives its core structure and package management system from Debian.

Our idea here is to create a dedicated sudo user and assign it the necessary permissions.

For all examples, use the command line to run commands and make sure you already have enough permissions to create new users and run higher privilege commands. 

Use the ‘adduser‘ command to create a new user, where you can replace ‘username‘ with your desired username. 

sudo adduser username

You will be prompted to enter and confirm the new user’s password as well as information about the name, phone number, and so on. These values, except for the password, are not mandatory and you can just type ‘Enter’ to skip. Once you are satisfied with your input, you can type ‘y‘ and then ‘Enter‘.

tutorial code

This will create a new user called ‘jumpcloud‘.

Once the new user is created, add it to the ‘sudo’ group so we can grant it the sudo privileges.

sudo usermod -aG sudo username

Switch to the new user account and verify that we have sudo privileges by executing a command with sudo.

su – jumpcloud
sudo whoami

tutorial code

You should see ‘root’ as the output if the user has been successfully granted sudo permissions.

Adding Sudo Users in Rocky Linux or Fedora

In this example, we will use Rocky Linux 9, but you can also use Rocky Linux 8 or any Fedora version since the procedure for adding a new sudo user is the same. Rocky Linux is based on Red Hat Enterprise Linux (RHEL) while Fedora is a community-driven distribution sponsored by Red Hat. It serves as a platform for innovation and testing new features that may eventually be incorporated into RHEL, and Fedora acts as the upstream source for RHEL.

We will use the ‘adduser’ command to create a new user, while you can change ‘username’ with your desired username.

sudo adduser username

In Rocky Linux, this doesn’t start a new prompt where you can enter your full name, work phone, and other details but it just creates a new user and assigns a new home directory with the same name.

Now, we need to create a new password for our user. We can do so by running the following command:

sudo passwd jumpcloud

tutorial code

After setting up a complex password, we can proceed by adding this user to the sudoers group. In both Rocky Linux and Fedora we can run the following command:

sudo usermod -aG wheel jumpcloud

This command will add our user to the ‘wheel‘ group which is a special group on many Unix-like systems that grants its members the ability to use the ‘sudo’ command to execute commands as the superuser. 

We can see a difference here compared to the Debian-based distros where they use the sudo group, and we see how the specific group name used varies between distributions. One thing to note though is that both RHEL and Debian-based systems rely on ‘/etc/sudoers‘ file.

Now, when we switch to our user, we can check if we can run sudo commands:

su – jumpcloud
sudo whoami

tutorial code

Step 2: Modifying Sudo Permissions

Both RHEL-based such as Rocky Linux, Fedora as well as Debian-based distributions use the ‘visudo’ command to safely edit ‘/etc/sudoers’ file. Editing this file with a regular text editor could potentially lead to corruption so ‘visudo’ command checks for syntax errors before saving changes, preventing configuration mistakes that could lock you out of sudo access.

sudo visudo

tutorial code

Modifying Sudo Permissions in Debian and Ubuntu

In Debian and Ubuntu, the ‘sudo’ group is used to manage sudo permissions. We can find the following line in the ‘/etc/sudoers’ file:

%sudo ALL=(ALL) ALL

This line grants all members of the sudo group the ability to execute any command as any user using ‘sudo’.

There are various scenarios of how you can edit the sudoers file to your preference. One of the examples is if you want to restrict a user to perform certain commands only. Let’s use our jumpcloud user so it can only execute the apt command. Here we should comment out the directive related to the sudo group and just below place a new line:

jumpcloud ALL=(ALL) /usr/bin/apt

tutorial code

Press Ctrl + O to save the file and Ctrl + X to exit the file.

Now we can try to run the apt-get command that we defined in our sudoers file.

su – jumpcloud

sudo apt update

tutorial code

We can see that our user is able to run the apt command, however, if we run the following command:

sudo systemctl status sshd

tutorial code

We can see that our user is not able to execute the command. Make sure to plan out your changes in sudoers file and make informed decisions so you are not locked out of your system.

Modifying Sudo Permissions in Rocky Linux and Fedora

The process of modifying sudo permissions for these distributions is similar to Debian-based systems. Here we use visudo command again to edit the sudoers file, as it’s the safer way to evade any syntax errors.

tutorial code

The difference is that sudo users are in the wheel group, and since the Vi editor is used by default you can edit the file by pressing i to enter edit mode, and once done you can pre Esc then type :wq which will save and exit the document.

Step 3: Removing a Sudo User

In our management process, we can also remove sudo users. This is an important procedure when the user doesn’t require higher privileges anymore or when it’s compromised so we need to establish damage control and revoke any exposed account.

Removing a Sudo User in Debian or Ubuntu

We can remove a user from the sudo group by running the following command:

sudo deluser jumpcloud sudo 

tutorial code

Now we can confirm that we don’t have sudo permissions for our user:

su – jumpcloud

sudo whoami

tutorial code

We can see based on the output that our user doesn’t have elevated privileges.

Removing a sudo user in Rocky Linux and Fedora

In Rocky Linux, Fedora, and similar RHEL-based distributions, we can use the following command:

sudo gpasswd -d jumpcloud wheel

This command is an administrative tool used to manage group memberships, specifically to remove a user from the ‘wheel‘ group, and we can use it to revoke sudo privileges from users and in that way restrict their ability to perform administrative tasks on the system.

We can again try to log in as our jumpcloud user and try a sudo command:

su – jumpcloud

sudo whoami

tutorial code

Based on the output, we can confirm that our user doesn’t have sudo permissions.

Managing sudo users is a crucial task for maintaining the security of your Linux system. By following this guide, you should be able to add, remove, and modify sudo privileges across different Linux distributions.

Make sure to use ‘visudo’ command for editing the sudoers file since possible corruption is possible due to syntax errors. Also, double-check your changes to ensure the correct permissions are granted.

Sean Blanton

Sean Blanton is the Director of Content at ºÚÁϺ£½Ç91Èë¿Ú and has spent the past decade in the wide world of security, networking and IT and Infosec administration. When not at work Sean enjoys spending time with his young kids and geeking out on table top games.

Continue Learning with our Newsletter