How to Use Ubuntu to Add a User to Sudoers

Add and remove admin-level permissions using the GUI or the shell

What to Know

  • Add Sudo access: Select Users tool > Unlock icon > Add User > select Administrator account type > follow prompts > Add.
  • To remove access, change the user account type to Standard.
  • To add a user within a shell session, execute this command: sudo usermod -a -G sudo. Remove user: sudo deluser sudo.

This article explains how to change existing users to administrators on Ubuntu Linux, and how to add new users as administrators. You can use sudo to run a command of any other user, although it is commonly used to run a command as the root user.

Terminal response if user is not added to sudoers file

How to Add or Remove Sudo Permissions

To add or remove sudo permissions:

  1. Open the Users tool and click the Unlock button.

    Ubuntu Users
  2. Click Add User.

  3. In the window that pops up, select the Administrator account type.

  4. Complete the name and username boxes, and configure a password setting. Click Add when you're done.

  5. To remove sudo access, modify the user account by changing its type to Standard.

To add or remove a sudo user within a shell session:

  1. Launch a shell session through an account that already enjoys sudo access.

  2. Execute the following command to add an existing account to the sudoers file:

    sudo usermod -a -G sudo 
  3. To remove a user account's sudo permissions, execute:

    sudo deluser sudo

    For a deeper dive into account usergroups, explore the gpasswd utility.

Sudo and the Sudoers List

Sudo prompt on the Linux command line

It's bad security practice to allow all user accounts on a system to enjoy administrator-level credentials because administrators install and uninstall software and change key system settings.

To see the sudo command in use, open a terminal window and run the following command:

apt-get install cowsay

This returns a fairly cryptic message:

E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

Now, try the same command again. This time, though, put sudo in front of it, as follows:

sudo apt-get install cowsay

Enter your password, after which the cowsay application installs.

Cowsay is a small novelty application for the shell that prompts you to enter a message, which is spoken as a speech bubble by an ASCII-drawn cow.

When you first installed Ubuntu you were automatically set up as an administrator and therefore automatically added to what is known as the sudoers list. The sudoers list contains the names of all the accounts that are entitled to use the sudo command.

The brilliance of sudo is that, if you walk away from your computer without locking it and another person wanders up to your machine, they can't run administrator commands on the computer because they need your password.

What Happens If You Don't Have Sudo Permissions?

When somebody who isn't in the sudoers list tries to run a command with sudo, they receive this message:

User is not in the sudoers file. This incident will be reported.

If a user account does not have permission to install software or perform any other command which requires administrator privileges, then the command is rejected and the incident is logged to a special file for later review by administrators.

Authentication prompt in Ubuntu to perform a privileged action

The sudo privileges do not just affect command line actions. Everything in Ubuntu is governed by the same security protocols. Thus, installing an application from Ubuntu Software Center requires the same security access as installing that application from a shell session. In a graphical environment, the desktop environment raises a dialog box prompting for appropriate credentials.

How to Find out Who Tried to Use sudo Without Permission

When someone tries to run a sudo command without sudo permissions, the error message states that the attempt will be logged.

In Ubuntu and other Debian-based systems, the errors are sent to /var/log/auth.log. On other systems such as Fedora and CentOS, the errors are logged to /var/log/secure.

In Ubuntu, view the error log by typing one of the following commands:

cat /var/log/auth.log | more
tail /var/log/auth.log | more

The cat command shows the whole file to the screen and the more command displays the output a page at a time. The tail command shows the last few lines of the file.

Was this page helpful?