Security best practices recommend that you manage privileged access for Linux distributions like Ubuntu, just as with any other operating system. That’s why most Linux systems have the root user or superuser and regular users. At some point, you may need to elevate a regular user’s privileges so they can execute root-level tasks, such as modifying system configurations and settings. In this case, leveraging sudo can be helpful.
Understanding Sudo Privileges in Ubuntu
sudo is a command-line tool that allows regular users to run commands as the root user or another user. While sudo is commonly interpreted as "superuser do," it originally stood for "substitute user do." To grant root or superuser privileges to a regular user, you must add them to the sudo group or sudoers file.
The sudo group grants broad sudo access to any user in the group, while the sudoers file provides granular controls over which users have sudo privileges and the level of privileges they have.
Checking If a User Has Sudo Privileges
The user you want to give sudo privileges may already have them. Therefore, it’s essential to find out whether they have the privileges. To check for precise privileges, run the command below:
sudo -l -U <username>
Method 1: Adding a User to the Sudo Group
Members of a sudo group have root access and can perform commands reserved for superusers. Follow the steps below to add a regular user to the sudo group:
Step 1: Log in as a Root or Sudo User
You can only give a user access if you have administrative privileges. If you aren’t already logged in as one, you can switch by using the command below:
su - <username>
Step 2: Add the User to the Sudo Group
Once logged in as a sudo user, you can employ either the usermod or adduser command. Here’s how to use each of them:
usermod
Run the following command by replacing “username” with the name of the user account you want to give root privileges:
usermod -aG sudo <username>
This command can also take the format shown below:
usermod -a -G sudo <username>
adduser
While this command is typically used to create new users, you can also leverage it to add a user to the sudo group, as shown below:
adduser <username> sudo
Step 3: Verify the Change
It’s always best to confirm that you’ve added the user to the sudo group. To do this, run the command below:
groups <username>
If you see sudo in the output list, that’s your confirmation that you added the user successfully.
Step 4: Test Sudo Access
You can also check if the user can run sudo tasks by switching accounts using the su - <username> command and then running:
sudo whoami
Note: You may need to explicitly provide the shell in certain configurations, for instance:
su - <username> -s /bin/bash
If you get root as the output, this only verifies the user has some sudo access. If sudo is restricted to certain commands, this test may still return "root" while not allowing full administrative access.
Method 2: Manually Adding a User to the Sudoers File
You can also give a regular user sudo access by adding them to the /etc/sudoers file, which defines all the groups’ and users’ sudo permissions. Here’s how to go about it:
Step 1: Open the Sudoers File Securely
To open /etc/sudoers, run the visudo command as shown below:
sudo visudo
Note: Directly editing this file without visudo can lead to syntax errors that lock all users (including root) out of sudo access.
Step 2: Add the User With Sudo Privileges
Once it is open, scroll down to the end of the sudoers file and type in:
<username> ALL=(ALL:ALL) ALL
Note: This grants a user grants full privileges and can create security risks. It’s best to restrict sudo access to specific commands where possible. (This is covered in the best practices section.)
Step 3: Save and Exit
You can save your edits in two ways, depending on the text editor you’re using:
- For Nano, Press CTRL + X, then Y, and hit Enter.
- For Vim, Press the ESC key, type :wq, then hit Enter.
Method 3: Creating a Custom Sudoers Configuration File
Instead of editing the /etc/sudoers file and possibly losing sudo privileges due to syntax issues, you can create a new configuration file under /etc/sudoers.d/. To do so, follow the steps outlined below:
Step 1: Create a Custom Sudoers File
The command below will open a custom sudoers file:
sudo visudo -f /etc/sudoers.d/<username>
Step 2: Define User Privileges
Next, define the user’s permissions. Since you want to give the user sudo access in this case, run the command below at the end of the configuration file:
<username> ALL=(ALL:ALL) ALL
Removing a User From Sudo Access
If you no longer want a regular user to have superuser access, you can revoke it in three ways:
Method 1: Remove from Sudo Group
To remove a user from a group with root access (sudo), you can run:
sudo deluser <username> sudo
Method 2: Remove from Sudoers File
This method lets you remove the user manually by editing the sudoers file, assuming you added the user directly in this file.
After opening the sudoers file safely using the sudo visudo command, find the line that grants the user sudo access. It should look like this (of course, with <username> replaced with the actual name of the user account):
<username> ALL=(ALL:ALL) ALL
Method 3: Delete Custom Sudoers File
If you granted the user access via a /etc/sudoers.d/ configuration file, all you have to do is remove it. To do so, you can run the command shown below:
sudo rm /etc/sudoers.d/<username>
Security Best Practices for Managing Sudo Privileges
Granting users privileges on a Linux system requires a careful approach because you’re essentially opening up your system to vulnerabilities. That’s why we recommend these best practices for maintaining security:
Follow the Principle of Least Privilege (PoLP)
As easy and fast as it may be to grant sudo access to general users, it’s best to do so only when absolutely necessary. Additionally, you can also restrict the number and level of actions a user can perform when granted access. You can do this by specifying exactly which commands they’re allowed to execute with sudo.
For instance, instead of granting full sudo privileges, you can edit the <username> ALL=(ALL:ALL) ALL line when using the sudoers or custom configuration file to give sudo access.
In this command, for example, <username> ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/apt update, the user can only restart the Apache service and update packages. They can’t execute arbitrary commands as root.
Avoid Using the NOPASSWD Option
NOPASSWD eliminates the need for the system to require passwords from users performing sudo commands. However, it poses a security risk if a malicious actor gains access to a sudo user account. Therefore while this option can be useful for automation, you should never enable it for unrestricted sudo access.
Monitor and Audit Sudo Usage
Due to the risk of insider threats, you must make sure users with sudo privileges only perform tasks they’re allowed to. You can track what they do by using the command as shown below:
sudo cat /var/log/auth.log | grep sudo
Note: This syntax works for Debian-based systems like Ubuntu. Other Linux distributions use different log paths like /var/log/secure in RHEL-based systems.
How StrongDM Helps with Secure Access Management
Managing sudo privileges securely is critical for Linux systems, but manual configurations can be time-consuming and prone to misconfigurations that introduce security risks. StrongDM simplifies and strengthens secure access management by eliminating the need for direct sudo access while maintaining control over privileged commands.
Here’s how StrongDM enhances secure access management:
- Role-Based Access Controls (RBAC): Instead of manually assigning sudo privileges through sudoers files, StrongDM enforces fine-grained access control policies, ensuring users only have access to the systems and commands they need—nothing more.
- Just-in-Time (JIT) Access: StrongDM enables temporary elevation of privileges when needed, reducing the risk of persistent superuser accounts and limiting attack surfaces.
- Audit Logging & Monitoring: Every sudo-level command execution is logged in real-time, providing full visibility into who accessed what and when. This simplifies compliance reporting and helps detect unauthorized activity.
- Passwordless Access: StrongDM eliminates the need to share or manage sudo passwords by seamlessly authenticating users through existing identity providers (IdPs) and enforcing least privilege access dynamically.
- Session Recording & Replay: StrongDM records privileged sessions, allowing security teams to review sudo activity, troubleshoot issues, and ensure policy compliance.
By integrating StrongDM into your Linux environments, you can enforce Zero Trust principles, reduce administrative overhead, and ensure secure access management without the risks associated with static sudo privileges. Book a demo today to see how StrongDM works.
