In the Filesystem Hierarchy Standard used by Linux operating systems, all files and directories appear under the root directory “/” but access to it is often restricted for security reasons. In Linux distributions like Debian, you can gain full access from the SSH by using the “sudo” command. This tutorial explains how to add a user to Sudoers so that the user is permitted to run the sudo command.
Logging in as a superuser or root user enables you to make system-wide modifications. “sudo” can also be used to login as another user – which is occasionally necessary for system administrators and technicians.
A list of users (and groups of users) that are permitted to execute various commands is stored in the file “/etc/sudoers”, so system admins need to know how to give new users root login privileges by adding their name to this file. There are two ways to do this. One is to manually edit the file. When you do this you can also assign a subset of privileges they are allowed to execute when they use their root login. A quicker alternative is to just add them to the “sudo” user-group from the command line.
Adding a user to the sudo group
Naturally, you will need to be logged in as a superuser before you can add someone else to the sudo group. To log into a Debian server as a root user –
ssh root@server-IP-address
Assuming the user you want to add already exists on the system, you can then run the command below;
usermod -aG sudo username
To double-check that you have successfully added them to the group, type the following and provide the user’s password;
sudo whoami
If they do indeed have sudo access the output will print “root”. If they don’t, or you’ve entered the details incorrectly, you will receive an error message informing you that the “user is not in the sudoers file“.
To create a completely new user, you can use the Linux “adduser” command;
adduser newusername
You will then be asked to supply a few additional details about them, including assigning them a password. When you finish, the new user’s information is written into the sudoers file.
If you want to assign a new user to the sudo user-group from the command line you can use “usermod” or “gpasswd“. For example –
usermod -aG sudo newusername
Adding users to the sudoers file manually
This is the better option when you want to set up custom security policies for the new superuser. You can either edit the sudoers file directly, or you can create a new configuration file within the /etc/sudoers.d directory. Any files located in that directory are effectively concatenated with the sudoers file at runtime.
Using visudo:
To edit the sudoers file always use the “visudo” command. Invoking an editor through visudo ensures that visudo will carefully check the file syntax before it is saved. If you edit the file without using visudo, it won’t – and this is a critical system file! You can still use visudo to edit files that you save into /etc/sudoers.d, but you may need to invoke the –f option to specify the location of the file you want to edit.
The actual editor that visudo uses is specified by the EDITOR environment variable. By default that is set to vim. If you wanted to change the default editor to an alternative, such as viduso, you could replace the default like this –
EDITOR=nano visudo
Assigning privileges:
Somewhere in the sudoers file, you might see a line like this one –
root ALL=(ALL) ALL
This demonstrates the syntax you use to assign a user’s privileges. In this case, the meaning is that the root user can execute from ALL (any) terminals, acting as ALL (any) users, and run ALL (any) commands.
To make it easier to apply groups of privileges to the names in the sudoers file, aliases are often defined. You can create aliases for groups of users, a range of terminals, or for access to groups of commands. For example, at the top of your sudoers file you can type something like this;
User_Alias OPERATORS = amy, ben, chris Runas_Alias OP = root, operator Host_Alias NETWORK = 192.168.0.0/255.255.255.0 Cmnd_Alias PRINTING_CMDS = /usr/sbin/lpc, /usr/sbin/lprm
You can then invoke these shortcuts when you give the user access rights. For example;
ben ALL = PRINTING_CMDS
This allows ben to use any terminal within the defined range of IP addresses and to execute the printer instructions lpc and lprm (which are in /usr/sbin/).
Root privileges in Debian are very powerful. That means there are many opportunities to corrupt your access controls, damage the server, or destroy data. For that reason, avoid giving every user full root access and avoid the habit of logging in as a superuser when you don’t need to.
