How to use sudo on Debian, CentOS, and FreeBSD
In this tutorial we will show you the basic steps for disabling direct root access, creating a sudo user, and setting up the sudo group on CentOS, Debian and FreeBSD.
Prerequisites
- A newly installed Linux server with your preferred distribution.
- A text editor installed on the server, such as nano, vi, vim or emacs.
Step 1: Installing sudo

Debian
apt-get install sudo -y

CentOS
yum install sudo -y

FreeBSD
cd /usr/ports/security/sudo/ && make install clean
or
pkg_add -rv sudo
or
pkg_add -r sudo

Step 2: Adding the sudo user
A sudo user is a normal user account on a Linux or Unix machine.

Debian
adduser mynewusername

CentOS
adduser mynewusername

FreeBSD
adduser mynewusername

Step 3: Adding the new user to the wheel group (optional)
The wheel group is a user group which limits the number of people who are able to su to root. Adding your sudo user to the wheel group is entirely optional, but it is advisable.

Note: In Debian, the sudo group is often found instead of wheel. You can, however, manually add the wheel group using the groupadd command. For the purpose of this tutorial, we will use the sudo group for Debian.

The difference between wheel and sudo

In CentOS and Debian, a user belonging to the wheel group can execute su and directly ascend to root. Meanwhile, a sudo user would have to use sudo su first. Essentially, there is no real difference except for the syntax used to become root, and users belonging to both groups can use the sudo command.

Debian
usermod -aG sudo mynewusername

CentOS
usermod -aG wheel mynewusername

FreeBSD
pw group mod wheel -m mynewusername

Step 4: Making sure your sudoers file is set up properly
It is important to ensure that the sudoers file, located at /etc/sudoers (/usr/local/etc/sudoers on FreeBSD), is set up properly so that sudo users can effectively use the sudo command. To accomplish that, we will view the contents of the file and edit them where applicable.

Debian
vim /etc/sudoers
or
visudo

CentOS
vim /etc/sudoers
or
visudo

FreeBSD
vim /usr/local/etc/sudoers
or
visudo

Note: The visudo command will open the sudoers file using the system's preferred text editor (usually vi or vim) and checks the file's syntax before saving it, so prefer it over editing the file directly.

Start reviewing and editing below this line:

# Allow members of group sudo to execute any command

This section of /etc/sudoers often looks like this:

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

In some systems, you may find %wheel instead of %sudo, in which case this would be the line under which you would start modifying.

If the line starting with %sudo in Debian or %wheel in CentOS and FreeBSD is not commented out (prefixed by #), this means that sudo is already set up and enabled. You can then move to the next step.

Step 5: Allowing a user that belongs to neither the wheel nor the sudo group to execute the sudo command

It is possible to allow a user that is in neither user group to execute the sudo command by simply adding them to /etc/sudoers as follows:

anotherusername ALL=(ALL) ALL

Step 6: Restarting the SSHD Server
In order to apply the changes you made to /etc/sudoers, you need to restart the SSHD server as follows:

Debian
/etc/init.d/ssh restart

CentOS 6
/etc/init.d/sshd restart

CentOS 7
systemctl restart sshd.service

FreeBSD
/etc/rc.d/sshd restart

Step 7: Testing
After you have restarted the SSH server, log out and then log back in as your sudo user, then attempt to execute some testing commands as follows:

sudo uptime
sudo whoami

Any of the below commands will allow the sudo users to become root.

sudo su -
sudo -i
sudo -s

Notes:
- The whoami command will return root when coupled with sudo.
- You will be prompted to enter your user's password when executing the sudo command unless you explicitly instruct the system to not prompt sudo users for their passwords. Please note that this is not a recommended practice.
Optional: allowing sudo without entering the user's password

As previously explained, this is not a recommended practice and is included in this tutorial for demonstration purposes only.

In order to allow your sudo user to execute the sudo command without being prompted for their password, place the NOPASSWD: tag before the final ALL on the access line in /etc/sudoers as follows:

%sudo ALL=(ALL:ALL) NOPASSWD: ALL

Note: You need to restart your SSHD server in order to apply the changes.
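
To review which entries from Steps 4 and 5 are live and which ones carry NOPASSWD, the following added example (not part of the original tutorial) lists the active rules in a sudoers file. The function names, the sample file and its deploy group are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): list the rules in a sudoers
# file that are actually active and whether each one skips the password prompt.
# Assumptions: one rule per line; Defaults, aliases and include directives
# are skipped rather than expanded.
audit_sudoers() {
    awk '
        /^[ \t]*$/ { next }                      # blank line
        /^[ \t]*#/ { next }                      # comment, #include, #includedir
        /^[ \t]*@include/ { next }               # newer include syntax
        $1 ~ /^Defaults/ { next }                # settings, not access rules
        $1 ~ /^(User|Runas|Host|Cmnd)_Alias$/ { next }
        {
            kind = ($1 ~ /^%/) ? "group" : "user"
            auth = ($0 ~ /NOPASSWD[ \t]*:/) ? "NOPASSWD" : "password"
            name = $1
            sub(/^%/, "", name)
            print kind, name, auth
        }
    ' "$1"
}

# Constructed sample; the deploy group is hypothetical.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL) ALL
anotherusername ALL=(ALL) ALL
%deploy ALL=(ALL:ALL) NOPASSWD: ALL
Defaults        env_reset
EOF
}

sample=$(mktemp)
write_sample_sudoers "$sample"
audit_sudoers "$sample"
rm -f "$sample"
```

On a real host, visudo -c checks the file's syntax; this listing only shows which entries grant access and which of them skip the password prompt.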
Step 8: Disable direct root access

Now that you have confirmed that you can use your sudo user without issues, it is time for the eighth and final step, disabling direct root access.

First, open /etc/ssh/sshd_config using your favorite text editor and find the line containing the following string. It may be prefixed with a # character.

PermitRootLogin

Regardless of the prefix or the value of the option in /etc/ssh/sshd_config, you need to change that line to the following:

PermitRootLogin no

Finally, restart your SSHD server.

Note: Do not forget to test your changes by attempting to SSH into your server as root. If you are unable to do so, this means that you have successfully completed all the necessary steps.

This concludes our tutorial.
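
A check for the Step 8 edit, as an added example that is not part of the original tutorial: sshd uses the first value it obtains for a keyword and ignores commented lines, so a leftover active line above the new one still wins. The function and sample names are hypothetical, Include files are not followed, and on a live host sshd -T is the authoritative view.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value that the global section of
# an sshd_config sets. Assumptions: Include files are not followed and the
# "keyword value" form is used.
effective_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # commented lines set nothing
        tolower($1) == "match" { exit }        # Match blocks are conditional
        tolower($1) == "permitrootlogin" {     # keywords are case-insensitive
            print tolower($2)                  # first value obtained wins
            found = 1
            exit
        }
        END { if (!found) print "unset" }      # compiled-in default applies
    ' "$@"
}

# Constructed sample: an active "yes" left above the newly added "no".
sample_config() {
    printf '%s\n' '#PermitRootLogin prohibit-password' \
        'PermitRootLogin yes' 'PasswordAuthentication yes' 'PermitRootLogin no'
}

sample_config | effective_permit_root_login   # prints "yes"
```

A result of unset means no active line was found, so the server falls back to its built-in default instead of the value you intended.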