The sudo command in Linux is a powerful utility that allows users to perform tasks requiring administrative privileges. By default, standard users have limited access and cannot execute certain commands or install software that could affect the system. Granting sudo privileges to a user enables them to execute commands with superuser rights, enhancing their capabilities while maintaining system security.
When a user without sudo privileges attempts to install software or perform administrative tasks, they will encounter permission errors. For example, trying to install a package without the necessary rights results in the following error:
apt-get install aptitude
E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?However, a user with sudo privileges can execute the same command successfully:
sudo apt-get install aptitude
Reading package lists... Done
Building dependency tree
....Adding an existing user to the sudo group
If a user is not part of the sudo group, they cannot use the sudo command and will receive an error message:
testuser is not in the sudoers file. This incident will be reported.To grant sudo privileges to an existing user, add them to the sudo group using the usermod command. Here's how to do it:
sudo usermod -aG sudo testuserIn this command, the -a option stands for 'append', ensuring the user is added to the new group without affecting their membership in other groups. The -G sudo option specifies that the user should be added to the sudo group.
After adding the user to the sudo group, they will receive the following message upon logging into the system:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.Creating a new user with sudo privileges
To create a new user and immediately grant them sudo privileges, use the adduser command with the --ingroup option to add them to the sudo group upon creation:
sudo adduser testuser --ingroup sudoRestricting commands allowed with sudo
The /etc/sudoers file contains configuration settings for the sudo command. Directly editing this file is discouraged due to potential security risks and syntax errors. Instead, use the visudo command, which opens the file in a safe environment that checks for errors before saving:
sudo visudoThis command opens the /etc/sudoers file with the nano editor by default. Locate the following lines in the file:
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALLTo restrict the commands that sudo users can execute, replace the last ALL with the specific commands you want to allow. For example:
# Allow members of group sudo to execute specific commands
%sudo ALL=(ALL:ALL) /bin/mv, /usr/sbin/visudoImportant note: Modifying the sudoers file in this way will limit sudo users to only the specified commands (in this example, mv and visudo). This example is for illustrative purposes only; consider carefully before imposing such restrictions on your system's sudo users.
If you've made changes to the sudoers file, save your edits by pressing Ctrl + O, then exit the editor with Ctrl + X. For the changes to take effect, the user may need to log out and log back in, restart the system, or open a new terminal session.
By managing user privileges with the sudo command, you can maintain system security while providing necessary access to users. Whether adding existing users to the sudo group or creating new sudo users, these steps help you control administrative rights effectively.
🍻 Cheers!
Member discussion