How to Use Ubuntu to Add a User to Sudoers

The sudo command is used to elevate your permissions for a single Linux command. You can use sudo to run a command as any other user, although it is most commonly used to run a command as the root user.


What is Sudo and What Is the Sudoers List?

Sudo prompt on the Linux command line

If you have multiple users on your computer then you probably don't want all of the users to be administrators because administrators can do things like install and uninstall software and change key system settings.

To show you an example of the sudo command in use, open a terminal window and run the following command:

apt-get install cowsay

A fairly cryptic message will be returned:

E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

The key points to note are the words "Permission denied" and "Are you root?".

Now try the same command again but this time put the word sudo in front of it as follows:

sudo apt-get install cowsay

You will be asked to enter your password. 

The cowsay application can now be installed. 

Cowsay is a small novelty application that lets you enter a message which is spoken as a speech bubble by an ASCII cow.

When you first installed Ubuntu you were automatically set up as an administrator and therefore automatically added to what is known as the sudoers list.

The sudoers list contains the names of all the accounts that are entitled to use the sudo command.

The brilliance of sudo is that if you walk away from your computer without locking it first and another person wanders up to your machine they can't run administrator commands on the computer because they need your password to run that command.

Every time you run a command that requires administrator privileges you will be asked for your password. This is brilliant for security.


What Happens If You Don't Have Sudo Permissions?

Terminal response if user is not added to sudoers file

Not every user on your computer is going to have administrator permissions and therefore they won't be part of the sudoers list.

When somebody who isn't in the sudoers list tries to run a command with sudo, they will receive the following message:

user is not in the sudoers file. This incident will be reported

This is again brilliant. If a user does not have permissions to install software or perform any other command which requires administrator privileges then they just can't do it and what is more the fact that they attempted it is logged.


Do Sudo Permissions Only Affect The Command Line?

Authentication prompt in Ubuntu to perform a privileged action

The sudo privileges do not just affect command line actions. Everything in Ubuntu is governed by the same security protocols.

For instance, in the image, you will see that the current user is Tom who is a standard user. Tom has loaded the Ubuntu Software tool and is attempting to install a paint package.

The password window appears and Tom needs to enter the password of an administrator user. The only administrator user is Gary.

At this point, Tom could try guessing Gary's password but essentially he will get nowhere and cannot do things he isn't supposed to be able to do. 


How to Make a User an Administrator

Prompt to add change user privileges in Ubuntu

Many other guides on the internet show you how to use the command line to add a user to the sudoers file but this is Ubuntu and there is a perfectly good application for administering users built in.

To administer users in Ubuntu press the top icon on the Unity Launcher or press the super key on the keyboard.

The super key is a special key on your keyboard. On most laptops and desktop computers this is the key with the Windows logo on it, and it is next to the Alt key.

When the Unity Dash appears type "Users".

An icon will appear with an image of 2 people on it and the text will say "User Accounts". Click on this icon.

By default, you will only be able to view the users on the system and not change anything. This is another one of those brilliant security features.

Imagine that you, as the administrator, have walked away from your computer and somebody wanders up and decides to add themselves as a user. They can't do it without your password.

In order to amend any of the user's details, you need to unlock the interface. Click on the "unlock" icon in the top right of the window which is denoted by a padlock and enter your password.

There are two types of users within Ubuntu:

  • Administrators
  • Standard users

Users who are set up as administrators are added to the sudoers file and standard users are not.

Therefore to add a user to the sudoers file click on the words "standard user" next to the words "account type" and when the dropdown list appears choose administrator.

The user should now log out of Ubuntu and log back in and they will now be able to use the sudo command as well as change system settings and install software using the Ubuntu Software tool.

After changing anything in the user accounts dialog click the padlock icon again to lock the screen.


How to Remove Administrator Privileges for a User

Removing administrator privileges in Ubuntu

To remove the administrator privileges for a user you simply change the account type back from administrator to standard.

This works instantly and the user will not be able to perform any elevated actions as soon as you change their account type back to standard.


How to Add a User to the Sudoers File Using the Command Line

Successfully authenticating sudo on the Ubuntu command line

You can, of course, use the command line to add a user to the sudoers file and by learning the following commands you will understand how to do it on any other Linux distribution that has sudo enabled.

Any user that belongs to the "sudo" group will have permissions to run the sudo command so all you need to do is make sure that the user belongs to that group.

So how do you go about doing that? Simply follow these steps:

  1. Open a terminal window by pressing ALT and T
  2. Type groups <username> (replace <username> with the name of the user you wish to add to sudoers, for instance groups tom)
  3. A list of groups should be returned. If the user already has sudo privileges the sudo group will appear; if not, you will have to add it.
  4. To add a user to sudoers type sudo gpasswd -a <username> sudo (again replace <username> with the user you wish to add to sudoers, for instance sudo gpasswd -a tom sudo)

If the user is currently already logged in they should log out and log back in again to ensure they have full sudo and administrator privileges.

The gpasswd command can be used to administer groups within Linux.


How to Remove a User From the Sudoers File Using the Command Line

Failing to authenticate sudo in the Ubuntu command line

To remove a user from the sudoers file using the command line follow these steps:

  1. Open a terminal window
  2. Type groups <username> (Replace <username> with the user you wish to remove from the sudoers file)
  3. If the returned list doesn't show "sudo" as a group then you don't need to do anything else; otherwise continue on to step 4
  4. Type sudo gpasswd -d <username> sudo (Replace <username> with the user you wish to remove from the sudoers file)

The user will no longer be able to run any command with elevated privileges.
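
The group check used in both command-line procedures above (adding and removing), as an added example that is not part of the original article: it reads group-file data such as /etc/group, lists who is in the sudo group, and prints the gpasswd -d command for anyone not on an approved list. The function names, the approved list and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit who belongs to the "sudo" group.
# Input is group(5) format (/etc/group or `getent group` output):
#   name:password:GID:member1,member2,...
# Note: a user whose *primary* group is sudo is not listed in field 4.

# sudo_members [FILE] -> one member of the sudo group per line
sudo_members() {
    awk -F: '$1 == "sudo" && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "${1:-/etc/group}"
}

# unexpected_sudoers "APPROVED USERS" [FILE] -> members not on the approved list
unexpected_sudoers() {
    approved=" $1 "
    sudo_members "${2:-/etc/group}" | while read -r user; do
        case "$approved" in
            *" $user "*) ;;                  # approved administrator
            *) printf '%s\n' "$user" ;;      # in the group, but not approved
        esac
    done
}

# removal_commands "APPROVED USERS" [FILE] -> commands to review, not executed
removal_commands() {
    unexpected_sudoers "$1" "${2:-/etc/group}" | while read -r user; do
        printf 'sudo gpasswd -d %s sudo\n' "$user"
    done
}

# Constructed sample data (hypothetical users gary and tom)
sample_group_file() {
    cat <<'EOF'
adm:x:4:syslog,gary
sudo:x:27:gary,tom
tom:x:1001:
EOF
}

# Demo on the sample: only gary is approved, so tom is reported.
tmp=$(mktemp)
sample_group_file > "$tmp"
removal_commands "gary" "$tmp"
rm -f "$tmp"
```

On a live system, call removal_commands with your own approved list and no file argument to check /etc/group.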


How to Find Out Who Tried to Use Sudo Without Permission

Viewing the sudoers error log in Ubuntu

When a user tries to run a sudo command without sudo permissions the error message states that the attempt will be logged.

Where exactly are the errors logged though? Within Ubuntu (and other Debian-based systems) the errors are sent to a file called /var/log/auth.log.

On other systems such as Fedora and CentOS the errors are logged to /var/log/secure.

In Ubuntu you can view the error log by typing one of the following commands:

cat /var/log/auth.log | more
tail /var/log/auth.log | more

The cat command shows the whole file to the screen and the more command will show the output a page at a time.

The tail command shows the last few lines of the file and again the more command will show the output a page at a time.

Within Ubuntu though there is an easier way to view the file:

  1. Click on the top icon on the launcher or press the super key.
  2. Type "Log" into the search bar
  3. When the System Log icon appears click on it
  4. Click on the "auth.log" option
  5. Scroll down to the bottom to see the latest failures or, to see just today's failures, expand the auth.log option by clicking on it and click "Today".
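
Rather than paging through the whole file, the denied attempts can be filtered out directly. The following is an added example, not part of the original article: it pulls the "user NOT in sudoers" entries out of an auth.log-style file and counts them per user. The function names and the sample log lines are constructed for illustration; the lines follow the format sudo writes to syslog.

```shell
#!/bin/sh
# Added example: report sudo attempts by users who are not in sudoers.

# denied_sudo_attempts [FILE] -> "user|command" for every denied attempt
denied_sudo_attempts() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) {
        msg = substr($0, RSTART + RLENGTH)       # text after the "sudo:" tag
        if (msg !~ /^[^ ]+ : user NOT in sudoers ;/) next
        user = msg
        sub(/ : .*/, "", user)                   # invoking user
        if (!match(msg, / ; COMMAND=/)) next
        # leftmost COMMAND= so text inside the command cannot shift the split
        print user "|" substr(msg, RSTART + RLENGTH)
    }' "${1:-/var/log/auth.log}"
}

# denied_sudo_summary [FILE] -> "user count", one line per user
denied_sudo_summary() {
    denied_sudo_attempts "$1" | cut -d'|' -f1 | sort | uniq -c |
        awk '{ print $2, $1 }'
}

# Constructed sample log (hypothetical host "ubuntu", users gary and tom)
sample_auth_log() {
    cat <<'EOF'
Mar  3 09:14:07 ubuntu sudo:      tom : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/bin/apt-get install cowsay
Mar  3 09:15:12 ubuntu sudo:     gary : TTY=pts/0 ; PWD=/home/gary ; USER=root ; COMMAND=/usr/bin/apt-get install cowsay
Mar  3 09:15:12 ubuntu sudo: pam_unix(sudo:session): session opened for user root by gary(uid=0)
Mar  3 09:20:41 ubuntu sudo:      tom : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/gpasswd -a tom sudo
EOF
}

# Demo on the sample: gary's successful command is ignored, tom's two
# denied attempts are listed and then counted.
tmp=$(mktemp)
sample_auth_log > "$tmp"
denied_sudo_attempts "$tmp"
denied_sudo_summary "$tmp"
rm -f "$tmp"
```

Called without an argument, both functions read /var/log/auth.log; on Fedora and CentOS pass /var/log/secure instead.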