Share This Article
You probably have heard of the concept “In Linux, everything is a file”. This sounds somewhat puzzling since the Linux system comprises various entities and not just files. We have directories, symbolic links, processes, pipes, and sockets just to mention a few. The oversimplification simply gives a high-level overview of the Linux architecture. It implies that in a Linux system, every single entity is considered a file. These entities are represented by a file descriptor which is a unique identifier for a file or other resources such as directories, network sockets, or processes – hence the concept “everything is a file”.
This oversimplification then leads us to the concept of file permissions and directories. By default, each file in Linux has its own permissions and directories. These permissions determine access rights or privileges that users have on the file. If you own a file or a directory, you can pretty much do anything you want with it – you can access it, edit it, rename and even delete it.
But not all users are the same. One unique user in the Linux system is the root user. The root user is an administrative user with the highest privileges and is not bound by any permission restrictions. The user can do pretty much anything. This includes installing and uninstalling programs, accessing and modifying system files, and customizing the system. The root user can also break the system, whether intentionally or accidentally – which is why it’s not recommended to log in and run the system as the root user. It only takes one wrong command to crash the system. For this reason, it’s always recommended to run commands as a sudo user.
What is a sudo user?
Since administering the Linux system as the root user is highly discouraged, a system administrator needs to grant a regular user some level of privilege to execute some (or all) root commands.
Sudo is a program that grants regular users permissions to run commands with root privileges or as another user. A sudo user is, therefore, a regular Linux user with elevated privileges to run commands as a root user or another regular user, the default being the root user. In addition, you can configure sudo to restrict a sudo user to a handful of commands or allow them to run all commands as the root user. We will cover these scenarios in depth later on in this guide.
First, we will walk you through the creation of a sudo user on Ubuntu 20.04.
How to create a sudo user
To create a sudo user on Ubuntu 20.04, follow the steps outlined.
Step 1: Log in to your server
First, log in to your cloud server as the root user using the syntax shown.
$ ssh root@server-ip
Provide the root password when prompted and hit ENTER to gain access to the server. If you are using Putty, simply type in the IP address of the remote server and click the ‘Open’ button, or hit ENTER.
Step 2: Create a new user
Once logged in, create a new regular user using the adduser command. Here, jumpcloud is our new user.
# adduser jumpcloud
The command does a couple of things. First, It creates a new user and primary group called jumpcloud, and then adds the user to the group. Next, a home directory for the user is created and configuration files are copied into it. Thereafter, you will be prompted to type in the new user’s password. Be sure to provide a strong password and confirm it.
Once the user’s password is set, some additional information will be required of you. Fill in where necessary or leave it blank by hitting ENTER if the information is not applicable.
To confirm that the newly added user was created, view the /etc/passwd file using the cat command. This provides information such as the UID (User ID), GID (Group ID), and the path to the home directory.
# cat /etc/passwd | grep jumpcloud
Similarly, you can retrieve the user details using the id command.
# id jumpcloud
Step 3: Add the new user to the sudo group
A sudo group is a group of superusers that have privileged access to root commands. With that in mind, proceed and add the new user to the sudo group using the usermod command as follows.
# usermod -aG sudo jumpcloud
To verify that the user has been added to the sudo group, use the id command.
# id jumpcloud
From the output, we can see that the user now belongs to two groups: jumpcloud and sudo. Alternatively, you can also run the groups command to only display the groups that the user belongs to.
# groups jumpcloud
Perfect! The new user is now a sudo user and has unrestricted access to root privileges.
Step 4: Test sudo
With the sudo user already in place, we are going to proceed and test the user. So, switch to the sudo user using the su command.
# su – jumpcloud
The command places you in the user’s home directory path.The syntax for using sudo is indicated below
$ sudo command-to-be-executed
As an example, we are going to update the package lists of our system. So, invoke sudo followed by the command to be executed.
$ sudo apt update
When prompted, type in the password of the user and hit ENTER. The command will execute successfully – a confirmation that the user has successfully been added to the sudo group and can now perform elevated system tasks.
Understanding the sudoers file
The sudo user that we have created assumes all the rights and privileges of the root user and can run virtually any command. However, good practice recommends that you employ the least privilege principle. This is a security concept whereby a user is only assigned minimum access rights or permissions to perform their role. Therefore, as a systems administrator, you should only grant the necessary permissions to the sudo user to allow them to perform their roles.
The sudoers file /etc/sudoers is a file that spells out which users can run what commands on the system. It comprises a set of rules that govern which users or groups can run elevated tasks. To grant or restrict root privileges to users, you need to edit this file.
You should never edit the sudoers file using a normal text editor like nano or vim as this could lead to a corrupted file which can potentially lock everyone out including the admin. As such, the sudoers file should be accessed by executing the command visudo as follows.
$ visudo
This opens the /etc/sudoers file using the nano editor as shown. All lines starting with a hash sign – # – are comments and do not have any effect or impact on the file.
By default, the file has 6 uncommented lines. Let’s skip to the user privilege line which is the fourth line.
root ALL=(ALL:ALL) ALL
- The first parameter points to the username – in this case root user.
- The first “ALL” indicates that the rule is applicable to all hosts.
- The second “ALL” indicates that the root user can execute all commands as all users.
- The third “ALL” shows that the root user can execute all commands as all the user groups.
- Finally, the last “ALL” indicates that the rules are applicable to all commands.
The next two lines define the sudo rules for groups. The “%” defines a group. Here, we have two groups that have been defined: admin and sudo groups.
The second line indicates that the admin group can run all commands as any user.
%admin ALL=(ALL) ALL
The third line indicates that the sudo user can run any command as any user and as any group.
%sudo ALL=(ALL:ALL) ALL
Editing the sudoers file directly is not recommended. Instead, it is preferred to place the associated sudo rules in the /etc/sudoers.d directory. This makes it easy for sysadmins to keep track of which rules apply to which user accounts. Files placed in this directory will follow the same rules as the sudoers file.
How to restrict sudo users from executing certain commands
As we pointed out earlier, you might need to limit sudo users from running certain system commands. To accomplish this, you need to create a sudo rule in the /etc/sudoers.d directory.
For demonstration, we will create a rule called jumpcloud which restricts the sudo user from upgrading the packages to their latest versions.
# vim /etc/sudoers.d/jumpcloud
Next, copy and paste the line shown and save the changes.
jumpcloud ALL=(ALL) !/usr/bin/apt upgrade
The rule indicates that the jumpcloud user can execute all commands as the root user with the exception of the apt upgrade command. Note that you need to provide the full path of the command prefixed by an exclamation mark.
To find the full path of a command, use the which command syntax as shown.
$ which command
When the user tries to upgrade the packages, an error is splashed on the screen indicating that the user is not allowed to do so.
Where multiple commands are involved, list them in a single line separated by a comma. In the example below, the sudo user has been limited from shutting down and rebooting the system. Notably, there are multiple ways of shutting down or rebooting a Linux system, and the associated commands have been listed in a single line below.
jumpcloud ALL=(ALL) !/usr/sbin/shutdown,!/usr/sbin/poweroff, !/usr/sbin/reboot,!/usr/sbin/init,!/usr/sbin/halt
Any attempt to power off or reboot the system by the user will be thwarted by the system.
How to run specific sudo commands without a password
Sometimes, you might need to run some commands without being prompted for a password. This is particularly helpful if you are running a script containing a sudo command.
To achieve this, use the directive NOPASSWD followed by the full path to the command. In the example below, the user can update the package lists without a password prompt.
jumpcloud ALL=(ALL) NOPASSWD: /usr/bin/apt update
Conclusion
Managing user privileges is usually one of the top-of-mind tasks that every system administrator has to undertake. Sudo privileges should only be granted to trusted users such as support or operation teams.
It’s always recommended to restrict sudo users to a subset of system commands. By doing so, you provide them with the basic privileges that they need to perform their roles. Unrestricted sudo access can be detrimental as this can lead to the sudo user performing some unauthorized operations which can wreak havoc on the system. Or worse, unrestricted sudo access privileges can make it that much easier for a malicious actor to take over the system.
That being said, managing the process to assign specific permissions to specific users can be overly time consuming and quickly overwhelm your priorities, especially if you are facing a growing environment and a growing team. JumpCloud’s Linux device management capabilities make it easier to manage sudo access across entire fleets through its user security settings and permissions. To see how this works, along with a number of other device security and management features, sign up for a free demo today.
