How to Add Users to Sudoers in Debian

Many commands in Debian require elevated privileges. Something as simple as updating the system with:

apt update

Generates the following message:

As you can see, you get a “permission denied” message. This is because the command can only be executed by users using a special qualifier – sudo.

The “sudo” command allows you to run things that ordinary users cannot. So, for example, the above command would be:

sudo apt update

This will ask you for your password before proceeding with executing the command. However, not every user can run this special qualifier. If you’re a regular user, the system will reject your password. Those users who are allowed to run sudo commands belong in a special file called “sudoers”. In this tutorial, I’ll show you how to add users to the sudoers file in Debian. I’ve already written about how to let users run sudo commands on CentOS.

Note: In these examples, I will be using Ubuntu as the demo system. Ubuntu is based on Debian, so these code examples and screenshots should work on any Debian-based system.

Creating a New User in Debian

I’m starting this example by creating a brand-new user who doesn’t have extra privileges. Let’s call them “newusername”.

sudo adduser newusername

Here’s a screenshot:

As you can see, to create a new user in the first place, you need sudo permissions! Or you could also be the root user. But for many reasons, it’s always a good idea to disable the root user on Linux. But, for the moment, let’s assume that you already have permission to run the sudo qualifier

As you can see, the only thing you need to provide is the password. The rest of the details can be skipped over if you have nothing to say.

Trying to Run a Sudo Command with a New User

Now let’s see what happens when our new user tries to run a command that they’re not supposed to. At the beginning of this article, I showed how “apt update” required elevated permissions and the “sudo” qualifier. So first I switched to the new user with:

su - newusername

And then when I try and run the following command:

sudo apt update

Here’s what I get:

As you can see, the system asks me for my password (for the new user, that is) and refuses to allow the command to execute. It ominously informs me that the “incident will be reported” because the user does not belong to the “sudoers” file. Well, that’s about to change!

Two Methods to Add a Debian User to Sudoers

There are two methods to add a user to the sudoers file in Debian. The first one is easy, and the second one requires you to manually modify some code. However, they each have their own places.

1. Using “usermod” to Add a User to Sudoers

The simplest way to add a user to the sudoers file is to run the following command from an account that already allows for the execution of commands requiring elevated privileges:

sudo usermod -aG sudo newusername

After the command is executed, you can verify that the user has indeed been added with the following command:

groups newusername

This gives the following output:

As you can see, the new user belongs to the group “sudo”, showing that it’s been added to the sudoers file.

The above method is easiest when adding a new user. It’s not great if you want to modify permissions. For that, it’s better to go for the second method, which involves modifying the sudoers file directly.

2. Modifying the Sudoers File Directly

The second method of adding a user to the sudoers file in Debian is by modifying it directly. However, this is dangerous and you shouldn’t do it directly even if you have the proper privileges. Instead, we use the “visudo” command to edit it safely.

The reason why modifying sudoers is dangerous is that the consequences of something going wrong – for example via a syntax error – are so large, that it’s not worth the risk.

Potentially Lock you Out of the System

The sudoers file controls which users get to use the “sudo” command for executing commands with elevated privileges like updating the system repositories, and even modifying many important files. As I mentioned earlier, it’s standard security practice to disable the root user on Linux systems. This means that using sudo is the only remaining way to execute many commands. If you accidentally mess up the sudoers file, you could find yourself locked out of sudo privileges and not have root access!

This kind of situation is a nightmare for Linux admins. And if you don’t have access to the physical server to start it in recovery mode, your goose is cooked. You’ll have to ask your cloud service provider to intervene for you.

So the consequences of messing up the sudoers file are severe! Even if you get the syntax right, you might accidentally give a user sudo permissions that they don’t need.

Modifying the Sudoers File with visudo

Because of the above risk, it’s recommended to modify the sudo file using “visudo” instead. This is a program that opens the sudoers file in your default text editor but does so in a way that checks for syntax errors to avoid the worst-case scenarios. You shouldn’t modify the sudoers file directly. Instead, use the following command in Debian:

sudo visudo

This will open the sudoers file for you to edit. As a bonus, you don’t have to worry about finding it – the system will do it for you automatically.

Once in, you can scroll down till you find the line that says:

root    ALL=(ALL:ALL) ALL

Underneath that line, type the following:

newusername    ALL=(ALL:ALL) ALL

Replace [username] with the name of the user to whom you want to give sudo privileges. Add a new line for every other user who can use sudo. Save your changes, and exit. Once done, visudo will examine the file for syntax errors, and if it finds one, it will prevent the file from being saved. It’ll also give you information about the error to find it easily.

No Conflict Between Method #1 and #2

If you’ve already added a user via the following command:

sudo usermod -aG sudo newusername

You might note that you can’t see them in the sudoers file. But don’t worry, as long as you see that the user belongs to the “sudo” group in the following command:

groups newusername

It’s all good. That’s because the sudoers file also contains this line:

%sudo   ALL=(ALL:ALL) ALL

This line says that all users in the “sudo” group receive sudo privileges, so if a user belongs to that group, they don’t need to be explicitly included in the sudoers file.

Conclusion

As you can see, adding a user to the sudoers file in Debian is quite easy, and requires just a single command. If, on the other hand, you want to modify the list of users, it’s easier to open sudoers with the visudo command for safety and make the changes. Once done, you can disable the root account login to make your system more secure.