{"id":70398,"date":"2022-10-14T10:15:00","date_gmt":"2022-10-14T14:15:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=70398"},"modified":"2024-01-23T15:55:14","modified_gmt":"2024-01-23T20:55:14","slug":"how-to-create-sudo-user-manage-sudo-access-ubuntu-22-04","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/how-to-create-sudo-user-manage-sudo-access-ubuntu-22-04","title":{"rendered":"How to Create a New Sudo User & Manage Sudo Access on Ubuntu 22.04"},"content":{"rendered":"\n
Jump to Tutorial<\/a><\/p>\n\n\n\n As a systems administrator, you may want to assign limited admin privileges to a delegated administrator so they can assist with administrative tasks. To help you accomplish this, the following tutorial will examine how to create a sudo user as well as manage sudo access on Ubuntu 22.04.<\/p>\n\n\n\n The root user, also known as the superuser, is the user with the highest privileges in a Linux system. The user has rights to execute virtually any command without restriction, including installing and uninstalling applications, modifying configuration files, adding and removing user accounts, upgrading the system, and creating and removing files, among other things.<\/p>\n\n\n\n However, logging in and carrying out commands as root is highly discouraged. The fact that the root user can run any command on the system can also be risky. All it takes is one bad command to be executed and the whole system can be compromised. As such, it\u2019s always recommended to administer the Linux system as a sudo user.<\/p>\n\n\n\n In Linux, sudo is a program that allows a regular user to run commands with root privileges or permissions. Sudo stands for either \u201csuper user do\u201d or \u201csubstitute user do.\u201d A sudo user is a regular user that can run some commands as a root user or with root privileges. <\/p>\n\n\n\n Ideally, a sudo user is granted just enough privileges to allow them to perform the tasks at hand. This is known as the least privilege principle<\/a>, which is particularly important if you are granting sudo privileges to multiple users. They should only be granted the minimum rights or permissions needed to perform their role. 
<\/p>\n\n\n\n Now that you know why a sudo user is essential on a Linux system, let\u2019s create and configure a sudo user on Ubuntu 22.04.<\/p>\n\n\n\n To get started, log into your Ubuntu 22.04 server instance as the root user with the following SSH command:<\/p>\n\n\n\n If you are using the Putty SSH client, simply type in your server\u2019s IP address as indicated and click Open<\/strong>.<\/p>\n\n\n\n When prompted, provide the root password and hit ENTER. Once successfully logged in, you will land on the shell of your server instance.<\/p>\n\n\n\n To create a sudo user, you will first create a new login user and later make the user a sudo user.<\/p>\n\n\n\n To add or create a new user, run the adduser<\/strong> command as follows. In this example, we are creating a new regular user called jumpcloud<\/strong>.<\/p>\n\n\n\n The following happens when you run this command:<\/p>\n\n\n\n After providing the password, you will be prompted to provide additional information such as Full Name, Room Number, Work Phone, and Home Phone. Fill in where applicable, or simply press ENTER to leave it blank. Finally, press Y to save all the information provided.<\/p>\n\n\n\n All users\u2019 details are stored in a special file called the \/etc\/passwd<\/strong> file. To confirm that the user was created, you can view this file using the cat<\/strong> command as follows:<\/p>\n\n\n\n In addition, you can get more details about the user using the id <\/strong>command as follows:<\/p>\n\n\n\n The command displays the UID (User ID), GID (Group ID), and the groups that the user belongs to.<\/p>\n\n\n\n At this point, the user belongs only to the primary group. 
You can confirm this by running the following command:<\/p>\n\n\n\n To add the user to the sudo group, use the usermod<\/strong> command as follows:<\/p>\n\n\n\n Next, verify that the user now belongs to the sudo group by running the id<\/strong> and groups<\/strong> commands as shown.<\/p>\n\n\n\n This time around, you will notice the user now belongs to two groups: the primary group and sudo<\/strong>. <\/p>\n\n\n\n So far, we have created a regular user and added it to the sudo group, effectively granting it elevated privileges to run administrative tasks. Next, we are going to test its ability to execute privileged commands.<\/p>\n\n\n\n First, switch to the sudo user as follows:<\/p>\n\n\n\n The command switches to the sudo user’s home directory. When you switch to the sudo user for the first time, you will get a few tips on how to run commands as an administrator.<\/p>\n\n\n\n To run commands as a sudo user, use the following syntax:<\/p>\n\n\n\n For example, to install the Apache web server, run the command:<\/p>\n\n\n\n When prompted, type Y and hit ENTER to continue with the installation.<\/p>\n\n\n\n The sudoers file is a file that exists by default in UNIX\/Linux systems and is used to assign elevated privileges to users. The sudo user we have just created can run commands in the same way the root user can. <\/p>\n\n\n\n However, if you\u2019re granting sudo privileges to multiple users and would like to limit the commands they can run as sudo, you\u2019ll want to keep track of their permissions by making use of the sudoers file.<\/p>\n\n\n\n The sudoers file is located at \/etc\/sudoers<\/strong>. The file contains a set of rules that specify which users and groups can run certain elevated tasks on the system.<\/p>\n\n\n\n Note that directly editing the sudoers file is not recommended as it can lock you out of sudo privileges, as well as potentially destroy the system if you make a typo and end up with an incorrect username or wrong command. 
<\/p>\n\n\n\n Equally dangerous is losing your connection midway as you edit the sudoers file. A broken connection means that the last changes made to your disk will be saved, and these might contain broken syntax or incorrect sudo privilege definitions.<\/p>\n\n\n\n The proper way of making changes to the sudo configuration is using the visudo<\/strong> command.<\/p>\n\n\n\n When executed, the command opens the \/etc\/sudoers<\/strong> file using the nano editor as shown.<\/p>\n\n\n\n Most lines are commented out and have no effect on the permissions assigned to users and groups. Scroll all the way down to the section that says #User privilege specification<\/strong>. Under that, you will see the root user defined as follows:<\/p>\n\n\n\n Some important notes on understanding this line:<\/p>\n\n\n\n The following line indicates that the admin group can execute all commands as any user. <\/p>\n\n\n\n This next line shows that the sudo user can run any command as any user and as any group.<\/p>\n\n\n\n While it is possible to edit the sudoers file directly using visudo<\/strong>, this is not the preferred approach. A better way of making changes to the configuration is by adding a new file containing new sudo rules in the \/etc\/sudoers.d<\/strong> directory, as described in the next section.<\/p>\n\n\n\n As pointed out earlier, you can restrict sudo users from performing certain tasks on the system. Instead of directly editing the sudoers file, a better approach is to create a custom file for each user and place it in the \/etc\/sudoers.d <\/strong>directory.<\/p>\n\n\n\n To illustrate this, we are going to create a rule called jumpcloud<\/strong> as follows.<\/p>\n\n\n\n We will specify two rules, one that prevents the user from upgrading packages to their latest versions and another that prevents the user from installing any packages. To accomplish this, paste the following line of code into the file:<\/p>\n\n\n\n An exclamation mark (!) 
precedes the full binary path of the comma-separated commands. To find the full path of a command, run the which <\/strong>command as follows:<\/p>\n\n\n\n For example, to find the full binary path of the apt upgrade<\/strong> command, run:<\/p>\n\n\n\n Similarly, run the following command to find the full path of the apt install<\/strong> command:<\/p>\n\n\n\n The !\/usr\/bin\/apt upgrade <\/strong>directive prevents the user from performing the sudo apt upgrade <\/strong>command while the <\/p>\n\n\n\n !\/usr\/bin\/apt, !\/usr\/bin\/apt install <\/strong>directives prevent the user from installing any packages using the sudo apt install <\/strong>command.<\/p>\n\n\n\n With the custom rule in place, the user will not be able to upgrade system packages or install any software packages as demonstrated below.<\/p>\n\n\n\n Password prompts are not always desirable, especially when you want to automate tasks in shell scripts or run frequently carried out tasks such as refreshing the local repositories.<\/p>\n\n\n\n As such, you might want to disable password prompts for commands that are frequently executed. To do so, use the NOPASSWD<\/strong> directive followed by the full path to the command.<\/p>\n\n\n\n The sudo rule entry below disables password prompts when the user updates the local repositories.<\/p>\n\n\n\n The sudo user can now update the repositories by running sudo apt update<\/strong> without being prompted for a password.<\/p>\n\n\n\n It\u2019s always a good idea to create and run the system as sudo to avoid breaking things in the event a command is run erroneously or otherwise. 
It’s also highly important to assign just the right amount of privileges sudo users need to run their tasks and revoke ones they don’t need to prevent undesirable outcomes.<\/p>\n\n\n\n Managing the process to assign specific permissions to specific users can be overly time-consuming and quickly overwhelm your priorities, especially if you are facing a growing environment and a growing team. <\/p>\n\n\n\n JumpCloud\u2019s Linux device management<\/a> capabilities make it easier to manage sudo access across entire fleets through its user security settings and permissions. To see how this works, along with a number of other device security and management features, sign up for your free trial today<\/a>. <\/p>\n","protected":false},"excerpt":{"rendered":" In this tutorial, learn how to create a new sudo user, as well as manage sudo access and permissions, on Ubuntu 22.04.<\/p>\n","protected":false},"author":150,"featured_media":70406,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[2781],"tags":[],"collection":[2778],"platform":[],"funnel_stage":[3017],"coauthors":[2535],"acf":[],"yoast_head":"\nWhat Is a Sudo User?<\/h2>\n\n\n\n
How to Create a Sudo User<\/h2>\n\n\n\n
Step 1: Log in to your server<\/h3>\n\n\n\n
$ ssh root@server-ip<\/code><\/p>\n\n\n\n
<\/figure>\n\n\n\n
Step 2: Create a new user<\/h3>\n\n\n\n
# adduser jumpcloud<\/code><\/p>\n\n\n\n
\n
<\/figure>\n\n\n\n
# cat \/etc\/passwd | grep jumpcloud<\/code><\/p>\n\n\n\n
# id jumpcloud<\/code><\/p>\n\n\n\n
<\/figure>\n\n\n\n
Step 3: Add the new user to the sudo group<\/h3>\n\n\n\n
# groups jumpcloud<\/code><\/p>\n\n\n\n
<\/figure>\n\n\n\n
# usermod -aG sudo jumpcloud<\/code><\/p>\n\n\n\n
# id jumpcloud<\/code><\/p>\n\n\n\n
# groups jumpcloud<\/code><\/p>\n\n\n\n
<\/figure>\n\n\n\n
Step 4: Test sudo<\/h3>\n\n\n\n
# su - jumpcloud<\/code><\/p>\n\n\n\n
<\/figure>\n\n\n\n
$ sudo command-to-be-executed<\/code><\/p>\n\n\n\n
$ sudo apt install apache2<\/code><\/p>\n\n\n\n
<\/figure>\n\n\n\n
Examining the Sudoers File <\/h2>\n\n\n\n
# visudo<\/code><\/p>\n\n\n\n
<\/figure>\n\n\n\n
root ALL=(ALL:ALL) ALL<\/code><\/p>\n\n\n\n
\n
%admin ALL=(ALL) ALL<\/code><\/p>\n\n\n\n
%sudo ALL=(ALL:ALL) ALL<\/code><\/p>\n\n\n\n
How to Restrict Sudo Users From Executing Certain Commands<\/h2>\n\n\n\n
# vim \/etc\/sudoers.d\/jumpcloud<\/code><\/p>\n\n\n\n
jumpcloud ALL=!\/usr\/bin\/apt upgrade, !\/usr\/bin\/apt, !\/usr\/bin\/apt install<\/code><\/p>\n\n\n\n
<\/figure>\n\n\n\n
$ which command<\/code><\/p>\n\n\n\n
$ which apt upgrade<\/code><\/p>\n\n\n\n
$ which apt install<\/code><\/p>\n\n\n\n
<\/figure>\n\n\n\n
<\/figure>\n\n\n\n
How to Run Specific Sudo Commands Without a Password <\/h2>\n\n\n\n
jumpcloud ALL=(ALL) NOPASSWD: \/usr\/bin\/apt update<\/code><\/p>\n\n\n\n
<\/figure>\n\n\n\n
Conclusion<\/h2>\n\n\n\n