How to Add a New Sudo User in Ubuntu
The acronym sudo stands for "substitute user and do." The sudo program allows regular users in the system to perform tasks that would typically require the superuser (root), who has full privileges and access rights.
This approach enables system management under a user with limited privileges, reducing the risk of errors or unauthorized access to critical system functions.
Thus, you can create a separate user with access to the sudo utility but without access to many system functions, the misuse of which could harm the system.
The key difference between sudo and su (substitute user) is that sudo switches users temporarily, without asking for the user's password.
In this guide, we'll go over how to create a new user in Ubuntu 22.04 and add them to the sudo group, thus providing extended privileges for system management.
Creating a New User for Sudo Copy link
Before creating a new user with special privileges, you need to log into the system as the superuser.
If you're using a server running Ubuntu, connect to it via SSH as the root user:
ssh root@IP_ADDRESSFor example, the connection command might look like this:
ssh root@166.1.227.189After that, the terminal will prompt you to enter the root password. For security reasons, the terminal won't display the password characters as you type them.
Next, create a new user by assigning them a chosen name:
adduser hostmanThe terminal will show a few messages indicating the creation of the new user, a new group to which they are automatically added, and a directory associated with the user:
Adding user `hostman' ...
Adding new group `hostman' (1001) ...
Adding new user `hostman' (1000) with group `hostman' ...
Creating home directory `/home/hostman' ...
Copying files from `/etc/skel' ...
Next, the terminal will ask you to set a password for the new user and provide additional information about them:
Changing the user information for hostman
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
After filling out the information, press y to confirm. You have created a new user.
Adding a User to the Sudo Group Copy link
Now, you need to add the new user to the special sudo group, which will grant them extended privileges:
usermod -aG sudo hostmanThe -a flag is necessary to ensure that the specified group does not replace other groups the user is already a part of. In this case, the user hostman is at least part of the previously created hostman group.
The -G flag is used to specify additional groups we want to add the user to. It is different from the -g flag, which sets the user's primary group. In this case, the primary group for the user hostman is the hostman group.
Now, you can switch to the new user:
su - hostmanImmediately after switching, the terminal will display a message stating that commands can now be executed as the administrator (root) using sudo:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.By the way, you can always check which user is currently executing commands:
whoamiThe terminal will display the active user's name:
hostmanRunning Commands with Sudo Copy link
Sudo As root Copy link
To test the new user's privileges, try listing the contents of the system directory /root:
sudo ls -la /rootThe -la flag is a combination of two flags:
-
-lspecifies a detailed (long) format for listing the contents of the filesystem. -
-aincludes directories whose names start with a dot.
Thus, the ls command will show all the contents of the /root directory in detail.
When running this command for the first time, the terminal will ask for the password set for the user hostman:
[sudo] password for hostman:After entering the password, you will see the contents of the /root directory:
total 48
drwx------ 7 root root 4096 Nov 20 05:30 .
drwxr-xr-x 20 root root 4096 Nov 20 12:09 ..
drwx------ 3 root root 4096 Nov 11 12:17 .ansible
-rw-r--r-- 1 root root 4078 Nov 20 10:12 .bash_history
-rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc
drwx------ 2 root root 4096 Nov 11 12:17 .cache
drwxr-xr-x 3 root root 4096 Nov 19 05:36 .local
-rw------- 1 root root 214 Nov 18 04:26 .mysql_history
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw-r--r-- 1 root root 1372 Nov 18 04:16 resize.log
drwx------ 3 root root 4096 Nov 11 12:17 snap
drwx------ 2 root root 4096 Nov 18 04:16 .ssh
Note that using sudo does not require wrapping the command in quotes or anything else. The target command is written naturally right after sudo.
If you enter the above command without using sudo:
ls -la /rootYou will see an access denied message:
ls: cannot open directory '/root': Permission deniedAnother basic command that is run with sudo is updating the list of available repositories:
sudo apt updateSimilarly, if you try to update repositories without sudo, you'll get an access restriction message:
Reading package lists... Done
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)
Thus, any attempt to use a command requiring administrator privileges will result in an access denied message in the terminal.
Sudo As Another User Copy link
With sudo, you can execute commands not only as root but also as any other user.
First, let's switch back to the root user:
su - rootThe terminal will prompt for the root user's password.
Now, let's try executing a command that requires administrative privileges as the user hostman, using the -u flag:
sudo -u hostman ls -la /rootThe terminal will display the familiar access denied message:
ls: cannot open directory '/root': Permission deniedNext, let's switch back to the hostman user:
su - hostmanFor clarity, we can perform the same action under the hostman user:
sudo -u root ls -la /rootFirst, the terminal asks for the hostman user's password and then displays the contents of the specified directory:
total 52
drwx------ 7 root root 4096 Nov 20 15:39 .
drwxr-xr-x 20 root root 4096 Nov 20 12:09 ..
drwx------ 3 root root 4096 Nov 11 12:17 .ansible
-rw-r--r-- 1 root root 4171 Nov 20 15:21 .bash_history
-rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc
drwx------ 2 root root 4096 Nov 11 12:17 .cache
drwxr-xr-x 3 root root 4096 Nov 19 05:36 .local
-rw------- 1 root root 214 Nov 18 04:26 .mysql_history
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw-r--r-- 1 root root 1372 Nov 18 04:16 resize.log
drwx------ 3 root root 4096 Nov 11 12:17 snap
drwx------ 2 root root 4096 Nov 18 04:16 .ssh
-rw-r--r-- 1 root root 0 Nov 20 15:39 .sudo_as_admin_successful
Configuring Sudo Access Permissions Copy link
You can restrict the permissions of a particular user in the sudo group to only executing specific allowed commands.
To check this, let's first switch back to the root user:
su - rootSetting Access Permissions Copy link
To configure unique access permissions for each sudo user, we need to open the /etc/sudoers file:
sudo nano /etc/sudoersThen, we can add the description of allowed commands using the following format:
USER HOST=(AVATAR:GROUP) COMMANDSWhere:
USER: The user that will initiate thesudocommand.HOST: The hostname where thesudocommand will be executed. This is relevant when using multiple machines.AVATAR: The user under whose name the allowed commands will be executed viasudo.GROUP: The group the user belongs to.COMMANDS: The set of commands (which may consist of just one command) that the user can execute viasudo.
In the simplest case, you can allow to execute all commands under any user:
hostman ALL=(ALL:ALL) ALLIn a more complex case, only specific commands can be allowed from a limited set of users:
hostman ALL=(root:ALL) /usr/bin/apt,/usr/bin/rm,/bin/nanoNote that command sets are listed comma-separated without spaces.
To find the full paths to the binaries of necessary commands, you can use the whereis utility:
whereis apt rm nanoThe terminal will display information about the specified commands:
apt: /usr/bin/apt /usr/lib/apt /etc/apt /usr/share/man/man8/apt.8.gz
rm: /usr/bin/rm /usr/share/man/man1/rm.1.gz
nano: /usr/bin/nano /usr/share/nano /usr/share/man/man1/nano.1.gz /usr/share/info/nano.info.gz
The first path listed after the command name is the actual address of the binary file.
To activate the specified restrictions, you need to replace the line that allows sudo group users to execute any root commands:
%sudo ALL=(ALL:ALL) ALLWith a similar one but with a comment symbol at the beginning, to disable the setting:
#%sudo ALL=(ALL:ALL) ALLNow you can switch back to the hostman user:
su - hostmanAnd let's try running the familiar command to list the contents of the /root directory:
sudo ls -la /rootThe terminal will display a message indicating that the specified command is prohibited on this host:
Sorry, user hostman is not allowed to execute '/usr/bin/ls /root' as root on <hostname>.However, the command to update repositories will still work:
sudo apt updateChecking Access Rights Copy link
Of course, you can find out the details of a user's privileges by simply viewing the contents of the /etc/sudoers file. However, there's an easier way, by using the sudo command itself:
sudo -l -U hostman-
The
-lflag lists all commands the user is allowed to use. -
The
-Uflag specifies the target username. If omitted, the terminal will display access rights for therootuser.
In the terminal, you will see a message detailing the access rights for the specified user:
Matching Defaults entries for hostman on <hostname>:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,
use_pty
User hostman may run the following commands on <hostname>:
(root : ALL) /usr/bin/apt, /usr/bin/rm, /bin/nano
The key part of the output is:
User hostman may run the following commands on <hostname>:
(root : ALL) /usr/bin/apt, /usr/bin/rm, /bin/nano
This indicates that the user hostman can run the following commands as root:
/usr/bin/apt/usr/bin/rm/bin/nano
These are exactly the commands specified in the /etc/sudoers configuration file. This way, you can quickly review the privileges of a specific user without the need to search through the /etc/sudoers file manually.
Additionally, you can simplify the process of obtaining user privilege information by checking the permission for executing a specific command:
sudo -l -U hostman lsIf the command is not allowed, there will be no output in the terminal. However, if it is allowed:
sudo -l -U hostman aptThe terminal will display the full path to the command's binary:
/usr/bin/aptThis way, you can check whether the current user can execute a specific command when unsure about their access rights.
Disabling Password Prompt Copy link
The sudo utility allows running commands without explicitly entering a password. However, disabling the password prompt is not considered secure, so perform this configuration at your own risk.
To disable the password prompt, you need to open the /etc/sudoers file:
sudo nano /etc/sudoersThen, add a new line containing the NOPASSWD keyword and a list of commands for which the password is not required:
hostman ALL=(root:ALL) NOPASSWD: /usr/bin/aptYou should also separate commands that require a password from those that don't. For example, the allowed commands with a password prompt should be listed separately from the ones without:
hostman ALL=(root:ALL) /usr/bin/rm,/bin/nano
hostman ALL=(root:ALL) NOPASSWD: /usr/bin/aptThis way, you'll have two sections for allowed commands: one requiring a password and one that doesn't.
Conclusion Copy link
Although the sudo command resembles the su command, there is a key difference between them:
sustands for "substitute user".sudostands for "substitute user and do".
Thus, su performs a full user switch, requiring an explicit password input, while sudo only simulates executing a command as another user, without switching the user entirely.
For this reason, sudo is much safer when granting extended privileges to another user. The user won't need the root password, as they can execute administrator commands under their own user account.
Additionally, unique permissions (access rights) for each individual user in the sudo group can be configured in a special configuration file. In this file, you can also specify whether a password is necessary to run certain commands.
And if you’re looking for a reliable, high-performance, and budget-friendly solution for your workflows, Hostman has you covered with US based VPS and Linux VPS Hosting options, including Debian VPS, Ubuntu VPS, and VPS CentOS.