Summary
If a sudo command on Linux gets you a message that a user “is not in the sudoers file,” you’ll need to get on the “sudoers” list. We’ll walk through adding a user to sudoers in Ubuntu and other Linux distributions as well as editing the sudoers file.
Why Do I Need to Be Added to the sudoers File?
In Linux installations, the root user is the most highly-privileged user. They can perform any administrative task, access any file regardless of who actually owns it, and they can create, manipulate, and even remove other users.
This level of power is dangerous. If root makes a mistake, the results can be catastrophic. They have the ability to mount and unmount file systems, and to over-write them entirely. A much safer way to work is to never log in as root.
Nominated users can use sudo to temporarily gain administrative powers, perform the action that is required, and then return to their normal, unprivileged state. This is safer because you consciously invoke your higher powers when you need them, and while you’re focused on doing whatever it is that requires them.
The sudo command is the Linux equivalent of shouting “Shazam.” When the scary stuff is over, you abandon your superpowered alter-ego and go back to your normal humdrum self.
Logging in as root is turned off by default on most modern distributions, but it can be reinstated. Using the root account for day-to-day work is inadvisable. Mistakes that would ordinarily impact a single user, or that would be blocked altogether because of insufficient privileges, can run unhindered if root issues them.
Modern Linux distributions grant sudo privileges to the user account that’s created during the installation or post-installation configuration steps. If anyone else tries to use sudo, they’ll see a warning message like this:
That seems plain enough. Our user mary can’t use sudo because she isn’t “in the sudoers file.” So let’s see how we can add her, making her a sudo user.
How to Open the sudoers File
Before we can add a sudo user we need to work with the sudoers file. This lists the user groups of the users who can use sudo. If we need to make amendments to the file, we must edit it.
The sudoers file must be opened using the visudo command. This locks the sudoers file and prevents two people trying to make changes at the same time. It also performs some sanity checks before saving your edits, ensuring they parse correctly and are syntactically sound.
Note that visudo isn’t an editor, it launches one of your available editors. On Ubuntu 22.04, Fedora 37, and Manjaro 21, visudo launched nano. That might not be the case on your computer.
If we want to give someone access to full sudo privileges, we only need to reference some information from the sudoers file. If we want to be more granular and give our user some of the capabilities of root, we need to edit the file and save the changes.
Either way, we need to use visudo.
Add a sudo User in Ubuntu and Other Linux Distros
We’ve got two users who need access to root privileges to carry out their job roles, so we’ll add them to sudoers. They are Tom and Mary. Mary needs to have access to everything root can do. Tom only needs to install applications.
Let’s add Mary to the sudoers' group first. We can do this on Ubuntu and most other Linux distributions the same way, by starting visudo.
Scroll down in the editor until you see the “User Privilege Specification” section. Look for a comment that says something similar to “Allow members of this group to execute any command.”
We’re told that members of the sudo group can execute any command. All we need to know in Mary’s case is the name of that group. It isn’t always sudo; it might be wheel or something else. Now that we know the name of the group, we can close the editor and add Mary to that group.
We’re using the usermod command with the -a (append) and -G (group name) options to add users to sudoers. The -G option allows us to name the group we’d like to add the user to, and the -a option tells usermod to add the new group to the list of existing groups this user is already in.
If you don’t use the -a option, the only group your user will be in is the newly added group. Double-check, and verify you’ve included the -a option.
The next time Mary logs in, she’ll have access to sudo. We’ve logged her in and we’re trying to edit the file system table file, “/etc/fstab.” This is a file that is out of bounds to everyone but root.
The nano editor opens up with the “/etc/fstab” file loaded.
Without sudo privileges, you’d only be able to open this as a read-only file. Mary no longer has those restrictions. She can save any changes she makes.
Close the editor and don’t save any changes you may have made.
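One way to make the -a double-check from the usermod step mechanical: snapshot the user's groups, add the new one, then confirm nothing was dropped. This is an added example, not code from the original article; the function names lost_groups and add_user_to_group and the sample group lists are assumptions.

```shell
#!/bin/sh
# Added example: verify that adding a user to the admin group did not
# replace their existing supplementary groups (the effect of omitting -a).

# Print every group present in the "before" list but absent from "after".
# $1 = space-separated groups before, $2 = space-separated groups after
lost_groups() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;                     # still a member
            *) printf '%s\n' "$g" ;;         # membership was dropped
        esac
    done
}

# $1 = user, $2 = group named in the sudoers file (sudo, wheel, ...).
# Must be run as root. id -nG USER reads the account database, so it shows
# the change immediately; the user's own sessions pick it up at next login.
add_user_to_group() {
    before=$(id -nG "$1") || return 1
    usermod -a -G "$2" "$1" || return 1
    after=$(id -nG "$1")
    missing=$(lost_groups "$before" "$after")
    if [ -n "$missing" ]; then
        echo "WARNING: $1 lost groups:" $missing >&2
        return 2
    fi
    case " $after " in
        *" $2 "*) echo "$1 is in $2; groups now: $after" ;;
        *) echo "ERROR: $1 is not in $2" >&2; return 3 ;;
    esac
}

# Constructed group lists showing what the check reports when -a is left out:
# only the primary group and the new group survive.
lost_groups "mary adm cdrom" "mary sudo"
```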
Limit sudo Privileges by Editing the sudoers File
Our other user, Tom, is going to be granted permission to install software, but he isn’t going to receive all of the privileges that were awarded to Mary. We can make Tom a sudo user without giving him every privilege.
We need to edit the sudoers file.
Scroll down in the editor until you see the “User Privilege Specification” section. Look for a comment that says something similar to “Allow the members of this group to execute any command.” It’s the same point in the file where we found the name of the group we needed to add Mary to.
Add these lines below that section.
The first line is a simple comment. Note that there is a Tab between the user name “tom” and the word “All.”
This is what the items on the line mean.
We’ve specified the apt package manager here because this computer uses Ubuntu Linux. You’d need to replace this with the appropriate command if you’re using a different distribution.
Let’s log Tom in and see if we get the expected behavior. We’ll try to edit the “/etc/fstab” file.
That command is rejected, and we’re told that “user tom isn’t allowed to execute ‘/usr/bin/nano /etc/fstab’ as root …”
That’s what we wanted. User Tom is only supposed to be able to use the apt package manager. Let’s verify they can do that.
The command is successfully executed for Tom.
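To review the result of both changes, this added example (not from the original article) classifies each grant in sudoers-format text as full or limited, and reports which group confers full access, the name needed for Mary's usermod step. The sample entries, including Tom's line, are constructed for illustration, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: first-pass audit of sudoers-style text.
# Only plain "who host=(runas) commands" lines are classified; Defaults,
# aliases, include directives and backslash-continued lines are skipped.

audit_sudoers() {   # $1 = file in sudoers format
    awk '
        /^[ \t]*(#|$)/ { next }
        /^[ \t]*(Defaults|[A-Za-z_]+_Alias|@include)/ { next }
        {
            who = $1; spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)       # drop "who host="
            sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
            while (sub(/^[A-Z_]+:[ \t]*/, "", spec)) tags++   # drop tags
            sub(/[ \t]+$/, "", spec)
            scope = "limited"
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (cmds[i] == "ALL") scope = "full"
            printf "%s\t%s\t%s\n", scope, who, spec
        }
    ' "$1"
}

# Groups whose members may run any command: the group a full admin joins.
full_grant_groups() {
    audit_sudoers "$1" |
        awk -F '\t' '$1 == "full" && $2 ~ /^%/ { print substr($2, 2) }'
}

# Constructed sample modelled on the walkthrough (not a real system file).
sample_sudoers() {
    printf '%s\n' \
        '# User privilege specification' \
        'root    ALL=(ALL:ALL) ALL' \
        '# Allow members of group sudo to execute any command' \
        '%sudo   ALL=(ALL:ALL) ALL' \
        'Defaults env_reset' \
        '@includedir /etc/sudoers.d'
    printf 'tom\tALL=(root) /usr/bin/apt\n'   # Tab after the user name
}

demo=$(mktemp)
sample_sudoers > "$demo"
audit_sudoers "$demo"
echo "admin group(s): $(full_grant_groups "$demo")"
rm -f "$demo"
```

On a live system, sudo -l -U tom, run as root, prints what sudo itself resolves for Tom. A limited entry restricts which command he can start, not what that command does once it is running as root.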
Whosoever Holds This Command
If all your users can use sudo, you’ll have chaos on your hands. But it is worth promoting other users to the sudoers list so they can share your administrative burden. Just make sure they’re worthy, and keep an eye on them.
Even if you’re the only user on your computer, it’s worth considering creating another user account and adding it as a sudo user. That way, if you ever find yourself locked out of your main account, you have another account you can log in with to try to remedy the situation.