Certain actions in Linux can only be performed by a group of administrators. The “root” account has access to everything by default. We’ve already seen how it’s a bad idea to allow root logins. Instead, we can log in as any other user and switch to root once inside. Some administrators go so far as to disable the “root” account entirely – though there are plenty of arguments against it.
The “sudoers” File
In the absence of root, regular users can temporarily gain access to root functionality by prefixing their commands with “sudo”. This will prompt for your password again and if you have permissions, you will be allowed to run an admin command. The file in Linux that determines whether or not you will be allowed to execute “sudo” is called “sudoers” and resides in the following location:
While this is a regular file just like any other, it’s extremely dangerous to edit it using the normal text editing commands. This is because a syntax error in this file can have drastic consequences for the system, by disabling root access. As a result, there is a special command which is used to access the sudoers file. It’s called “visudo”.
Running “visudo” will open up the sudoers file in your regular text editor and verify the syntax before closing. This is the only difference. It keeps the sudoers file relatively safe from accidental syntax errors.
Running a Command without a “Sudoers” Presence
If I just try and run a “sudo” command as a user without changing anything, the system will deny me permission and issue a warning. For example, I’m going to try and restart the Apache service using the apachectl command like this while logged in as a non-root user:
sudo apachectl restart
This gives me the following output:
You can see the message “bhagwad is not in the sudoers file”. In addition, a mail will be sent to the default account informing them of this failed attempt. It’s classified as a security incident.
Adding a User to the Sudoers File
To correct this, we can add the user to the “sudoers” file. Log in as root and type “visudo” into the terminal. This will bring up the sudoers file for editing. Next, scroll down till you find the following line:
## Allow root to run any commands anywhere
Below that, you’ll see a line like this:
root ALL=(ALL) ALL
Next, we need to add the following line below the one above:
[username] ALL=(ALL) ALL
Replace [username] with the name of the user to whom we want to give permissions to run “sudo” commands.
Save and exit the sudoers file. Now the next time we try and run the “sudo” command with the newly added user, it’ll allow us through.
Adding a User to the “wheel” Group
Another option for CentOS users is hinted at in the sudoers file a little further down. It says:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
This tells us that there exists a group called “wheel”, and that users belonging to the wheel group can run sudo automatically. If you’re using another Linux distribution like Ubuntu for example, the name might be slightly different. This means that if we want a user to be able to run sudo commands, we just need to add them to the “wheel” group and we’re done! This is easily achieved using the following command:
usermod -aG wheel [username]
Replace [username] with the name of the user you want to add to wheel. The “-a” flag tells us that we just want to append the group to the user’s existing groups. We don’t want to change or replace anything. The “-G” (capital) tells us that “wheel” is a supplemental group and not the primary one.
After executing this command, log out of the user’s account and log back in. Now they can once again run sudo commands while belonging to the “wheel” group.
So that’s it. Two ways to allow a user to run “sudo” commands. The first is by modifying the sudoers file. The second is by adding the user to a special group.
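Because access can now come from two places, it helps to list who actually holds a full “ALL=(ALL) ALL” grant, whether directly or through a group such as “wheel”. The script below is an added example, not part of the original article; the function name full_sudo_users and the accounts alice and bob are assumptions, and the sample files are constructed. On a real system you would run it as root against /etc/sudoers and /etc/group.

```shell
#!/bin/sh
# Added example: who holds an "ALL=(ALL) ALL" grant, directly or via a %group?
# Simplified on purpose: aliases, Defaults, includes and primary-group
# membership (from /etc/passwd) are not evaluated.

# full_sudo_users SUDOERS_FILE GROUP_FILE -> "user direct" / "user via-group:G"
full_sudo_users() {
    awk '
        # First file read: group database, "name:x:gid:member1,member2".
        FNR == NR { split($0, f, ":"); members[f[1]] = f[4]; next }
        # Second file: sudoers. Skip comments and blank lines.
        /^[ \t]*(#|$)/ { next }
        # Keep only rules shaped like "<who> ALL=(ALL) ALL".
        NF == 3 && $2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $3 == "ALL" {
            if (substr($1, 1, 1) == "%") {
                grp = substr($1, 2)
                n = split(members[grp], m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") print m[i] " via-group:" grp
            } else {
                print $1 " direct"
            }
        }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# Constructed sample files (not taken from a real system).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'wheel:x:10:alice,bob' 'apache:x:48:' > "$dir/group"
    printf '%s\n' \
        '## Allow root to run any commands anywhere' \
        'root ALL=(ALL) ALL' \
        'bhagwad ALL=(ALL) ALL' \
        '## Allows people in group wheel to run all commands' \
        '%wheel ALL=(ALL) ALL' \
        '# %wheel ALL=(ALL) NOPASSWD: ALL' > "$dir/sudoers"
    full_sudo_users "$dir/sudoers" "$dir/group"
    rm -rf "$dir"
}

demo
```

Any name in the output that you did not expect is worth reviewing, since membership in “wheel” grants the same access as a direct line in the sudoers file.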