So if root can do everything, what is sudo and why do we need sudo users on our Debian?
What is Sudo?
Sudo, or “superuser do”, is a mechanism through which an Administrator/root can give other users a set of privileges, so that they can also perform some of the authority-restricted operations on Debian, while still maintaining high-level security and authority on the system.
One way to give authority to users would be simply to share the root password with them, without getting into the whole sudo thing, but Linux has its reasons:
- Sudo gives temporary privileges to users that can be taken away at any time by root. If we had shared our root password instead, we would have to change it whenever the privileges were to be terminated.
- Working as root at all times is not a good security practice as one can mistakenly mess with sensitive system settings. So it is better to switch to sudo, and then back, when a restricted operation is complete.
- The commands performed as sudo are all logged, along with the username that executed them. This ensures accountability and auditing for all such users.
In this article, we will explain how you can do the following on a Debian 10 Buster System:
- Give sudo privilege to a user
- Use sudo once it is granted
- Remove sudo privilege from a user
- Check which users have sudo privilege on the system
Note: Only an authorized user can perform all these operations on Debian.
Giving Sudo Privilege To A User
Most Debian installations do not come with the sudo utility installed by default. Therefore, we will first install it on our Debian as an Administrator. Open the Terminal application through the Application Launcher search bar and then log in as root through the following command:
The system will ask you for the root password; once you provide it, you will be logged in as root.
Now, run the following command in order to install sudo on your system:
# apt-get install sudo
The sudo utility should now be installed on your Debian.
The /etc/sudoers file contains a list of users that have sudo privileges on the system. Although it is a text file, we do not recommend opening it in any of the available text editors. One small mistake can cost a user access to sudo rights forever.
Therefore, let us use the highly preferred and safe way of editing the sudoers file by running the following command:
This will open the sudoers file in a safe mode. Locate the section of the file that is marked in the following screenshot and then add the following line:
I have added a user by the name of “sana” as a sudo user. Exit the file by hitting Ctrl+X. Then enter Y in order to save the modified file.
Now the user is marked as a sudo user and can perform many privileged operations on your Debian.
How To Use Sudo Once It Is Granted
Log in as a user that is granted sudo rights on Debian and then open the Terminal application. Let us now verify the sudo login and also if we are able to perform any of the authority-restricted operations.
If you enter the following command in order to install the VLC player, you will get the error displayed in the screenshot:
The reason here is that only an authorized user (root or sudo) is allowed to add and remove software on Debian. Therefore, we will run the same command as sudo now:
As a sudo user runs this command, they will be asked to provide their own password.
After being verified as sudo, the installation process will begin, as shown above.
How To Remove Sudo Privilege From a User
The process of removing a user from the sudoers list is as simple as adding one. As root or as a sudo user, open the sudoers file as follows:
Or,
Then, remove or comment out the line which marks the user as sudo.
Save the file and the specified user is no longer recognized by the system as an authorized sudo user.
How To Check Which Users Have Sudo Privilege in The System
It is a good managerial check to review, from time to time, which users have been granted sudo rights on a system. It helps in deciding whose sudo status to retain and whose to revoke. What we are looking for is a way to list the members of the ‘sudo’ group.
The following use of the Linux getent command will enable an Administrator to check which users have sudo privileges on your Debian:
If you want to check whether a certain user is a member of the sudo group, you can make use of the Linux groups command as follows:
After reading this article, not only will you be able to differentiate the terms sudo, root, Administrator, supervisor, etc., but you will also be able to safely manage which users you grant sudo rights to on your Debian.
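An added example, not part of the original article: a user granted sudo through a line in /etc/sudoers, as “sana” was above, need not be a member of the ‘sudo’ group, so a group listing alone can miss them. The script below reports users from both sources; the sample files, the user tom and the rule format shown for sana are constructed assumptions, since the article's own line is not shown.

```shell
#!/bin/sh
# Added example. It reads two files: a group database and a sudoers file.
# It does not follow #includedir, so run it on each file in /etc/sudoers.d too.

# members_of GROUP GROUP_FILE: print the members of GROUP, one per line.
members_of() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$2"
}

# sudo_users GROUP_FILE SUDOERS_FILE: print every user a rule applies to.
sudo_users() {
    group_file=$1
    sudoers_file=$2
    awk '
        /^[ \t]*(#|$)/    { next }   # comments, #includedir, blank lines
        $1 ~ /^Defaults/  { next }   # option lines
        $1 ~ /^@include/  { next }   # newer include syntax
        $1 ~ /_Alias$/    { next }   # alias definitions
        { print $1 }                 # user name or %group
    ' "$sudoers_file" | while read -r who; do
        case $who in
            %*) members_of "${who#%}" "$group_file" ;;  # expand %group
            *)  printf '%s\n' "$who" ;;                 # direct user rule
        esac
    done | sort -u
}

# demo: run the audit over constructed sample files (not from a real host).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'sudo:x:27:tom' 'users:x:100:sana,tom' > "$dir/group"
    printf '%s\n' 'Defaults env_reset' \
        'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' \
        'sana ALL=(ALL) ALL' \
        '#includedir /etc/sudoers.d' > "$dir/sudoers"
    sudo_users "$dir/group" "$dir/sudoers"
    rm -rf "$dir"
}

demo
```

On a real system, run `sudo_users /etc/group /etc/sudoers` as root, since the sudoers file is not readable by ordinary users.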