How to Add a User to Sudoers in Linux
In this article, we are going to discuss special permissions on Linux servers to manage things for various categories of tasks as per their role. These permissions are known as privilege access to linux servers.
All Linux distributions whichever you consider out of hundreds of Linux distros root user is the most powerful user which have the privilege to make any changes to linux server.
Many people use the terminology of the superuser. So you can say root is the superuser of all the linux distros installations.
Power comes with responsibility. To maintain security and integrity all can not be given a root level of access. As per industry standard, the RBAC concept is there to address security issues by allowing permissions based on user role.
What is SUDO in Linux?
It is the short form of superuser do. As mentioned above sudo means permissions to do the same as superuser can do.
By standard sudo package is part of security and by default, it does not get installed while during installation root account gets created .sudo package needs to be installed to manage privilege access.
How to Install SUDO in Linux?
Well, you can use the below-mentioned command to check if the sudo package is already installed or not.
#yum --enablerepo=* list sudo Installed Packages sudo.x86_64 [email protected]/7.6-4.el7
In the above example, it is showing it is already installed. In case if you do not have it installed you will not found the installed option.
Another was you can enquire sudo is installed or not is package manager like rpm.
# rpm -qa |grep sudo sudo.1.8.23-4.el7_7.2
#yum --enablerepo=* install sudo confirm (Y) and gets installed.
You are all set. You can validate using the rpm command as well as mentioned above. The below file gets installed with the sudo package.
$ ls -ltr /etc/sudoers -r--r----- 1 root root 5195 Feb 24 08:14 /etc/sudoers
How to Check SUDO Access for a User in Linux
There are many ways you can validate sudo access for a user in linux.Below are some methods shown how to check sudo access for a user in linux.
5 Easy Method to Check sudo Access for a User in Linux
Let us explore all 5 easy methods to check SUDO access for a user in linux one by one briefly to understand better.
|1||sudo -l||user level|
|2||sudo -ll||user level|
|3||sudo -l -U||admin level|
|4||cat /etc/sudoers||admin level|
First Method : User Level SUDO Verification for yourself
Any user who logs in to any linux server he can validate his sudo privilege using the sudo -l linux command.
Please refer to the below output. This method is only for user itself as it asks user password to get the sudo details of the user.
$ sudo -l Output is truncated for clarity. User ramesh may run the following commands on lnxsrv01:(ALL) ALL
2nd Method : User Level SUDO Verification for himself
First method and second method how to check user sudo access to linux server.Command is also almost same with different listing options.
$ sudo -ll [sudo] password for raj: Matching Defaults entries for raj on lnxsrv01: User raj may run the following commands on lnxsrv01: Sudoers entry: RunAsUsers: ALL Commands:ALL Sudoers entry: RunAsUsers: root Commands:/bin/su -
In above example you can see user Raj is able to become root.Lets move further and see other methods.
Third Method : System Admin Level Sudo Verification for reported user
Below method can be used by anyone who already have elevated privilege on server.Most oftenly system admins have this level of privilege.
# sudo -l -U keshav Matching Defaults entries for keshav on lnxsrv01: User keshav may run the following commands on lnxsrv01: (ALL) ALL (root) /bin/su - oracle
In above example you can see that user keshav have privilege to become oracle.
Fourth Method : System Admin Level Sudo Verification for reported user
This you also can consider as part of system admin level verification as sudoers file is not writable to all.If any normal user try to see contents of sudoers he will get error “Permission denied“.
$ cat /etc/sudoers cat: /etc/sudoers: Permission denied
# cat /etc/sudoers |egrep "keshav|raj" User_Alias SYSADMIN= keshav,raj,satish,santosh
As you can see above it will display the line where queried user exists else it will return no output.
Fifth Method : System Admin Level Sudo Verification for reported user using visudo
As mentioned above it is always recommended to use visudo instead of editing sudoers files directly as it performs syntax checking.In many cases if you do not find sudo in /etc it may be installed somewhere else in system keeping consideration of system security.You may get error like below.
sudo: can't stat /etc/sudoers: No such file or directory sudo: no valid sudoers sources found, quitting
You can use below command to locate sudoers file and still it is advised not to edit directly.visudo command is recommended to be used for editing purpose to sudoers file it usage vi editor only.
This will open sudoers file for edit you can use <ESC+/> sequence for pattern search in file and enter user name to search and hit enter .If there is no entry you will get notified and if it finds user it will land you to the location where you can see what sudo permission user have.If it have many instances reported you can use “N” to see next instance of user sudo.After seeing you can exit without saving using <ESC+q!> option and you can provision user sudo with using visduo command in linux.
Using below you can easily understand the sudoers file and you can easily fond three major component of it like Host Aliases,User Aliases and Command Aliases.Also you can understand how different groups can be created to manage sudoers efficiently .User may be part of many group based on his role in organization.
# visudo ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS =raj,keshav ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable ## Updating the locate database /raj - Pattern search
How to Add User to Sudoers in Linux
Well, so we have seen the format of the sudoers file. Now it comes to how to add a user to sudoers in linux?. You can realize it already has few groups created by default like the group for system admins, linux admins, network administrators, and storage administrators.
By default, it has already assigned few commands for each group based on their role. You can add whatever command access you want to the group and you can add any user to any group even if he is not part of that specific group if required.
How to Edit the Sudoers File in Linux
Please remember not to edit this file manually always use the visudo command in linux to edit sudo membership whatever needed.
In an actual sense, visudo works on /etc/sudoers file only, and all changes get saved to sudoers files only. It performs syntax validation in the file /etc/sudoers. Any improper syntax may leave your sudoers broken and if it finds any inconsistency it will prompt you to select the proper option to do to safeguard your sudoers file.
It has been seen in recent days many organizations keep their sudoers outside of the servers for centralized management of sudo privileges for all their unix linux related users.
So any impurity in the sudoers file may impact all the users of organizations.
Sample of visudo already shared above for reference.As per best practice before editing sudoers file you MUST backup it for any unusual happenings with sudoers file as it may impact all the users in organization and even you can avoid editing those during business hour.
How to Validate SUDOERS File in Linux
If you have any inconsistency or you think sudoers file is having any inconsistency you can validate it. Again visudo command is really helpful to solve your query how to validate SUDOERS file in linux.Please refer to below sample command to validate the integrity of sudoers file.
If you have no inconsistencies in sudoers file you will get “parsed OK” else you will get “parse error“.Please see below output.
# visudo -cf /etc/sudoers /etc/opt/sudo/sudoers file "parsed OK" # visudo -cf /etc/sudoers >>> sudoers file: syntax error, line 2815 <<< "parse error" in /etc/sudoers near line 2815
That`s it about how to install sudo in linux and how to add a user to sudoers in linux. I hope you will find it helpful to understand what is SUDO and other stuff you can do with sudo.It can be used as sudo guide for linux.
Please share and subscribe to our blog if you like in your circle to reach the intended audience. Please share your thoughts on this if you have something to add to this post to make it even better without hesitation.