How to set up sudo (on Debian)

This is just a quick tutorial on how to create a new user on your Debian machine and allow it to temporarily gain access to elevated privileges (root/Admin) via sudo.

What is “sudo”?

“sudo” is short for “super user do” and is a command you can add before any other command to run it as “root”, which is the user with the highest privileges (super user, or in Windows terms: the administrator).

The idea is that you only run commands with super user privileges when needed and never work as “root” directly, as that carries the risk of accidentally breaking something.

Connect to your terminal

Either open a terminal or SSH into your machine and sign in with a user that already has root privileges:

PowerShell
ssh johndoe@yourserver.com

From here, everything depends on what kind of user you are signed in as.

If your user already has access to “sudo”, prepend each command with “sudo”. If your user is already root, you don’t have to use sudo at all. If neither is the case, you have to become root by running

Bash
johndoe:~# su

followed by the password for the root user. This may be necessary if “root” isn’t allowed as a direct login for SSH.

Create a new user

If you want to give “sudo” rights to an already existing user, you can skip this step.

For this tutorial we will create a new user “janedoe”, either as root or as johndoe via sudo:

Bash
root:~# adduser janedoe
johndoe:~# sudo adduser janedoe

Next, enter the password for the user. Don’t worry that you don’t see any input, not even “*”; that’s just standard behaviour. If you paste the password and it fails, you’ll see the message “No password has been supplied” and be prompted for the password again.

Add user to group “sudo”

Finally, add the newly created (or any already existing) user to the group “sudo”. To do so, run the command “usermod” with -aG (“append Group”). Do not forget to use the “a” flag, else you will remove the user from all groups and add it to “sudo” exclusively, instead of adding “sudo” to the list of groups the user is already in. Also make sure it’s a capital “G”, else you’d need to supply the group id instead of the name.

Bash
root:~# usermod -aG sudo janedoe
johndoe:~# sudo usermod -aG sudo janedoe

If you were signed in as “root”, now would be a good time to exit the terminal to test your new privileges. Always keep your sessions as root as short as possible. That’s the whole idea behind “sudo”: only run commands with “sudo” when elevated privileges are needed. Otherwise, you’re just a regular user that can’t accidentally do any damage to the system.

Alternatively, you can also run the adduser command again to achieve the same result:

Bash
root:~# adduser janedoe sudo
johndoe:~# sudo adduser janedoe sudo

However, you can’t create the user and add it to the group in one adduser command.
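
A check for the pitfall described above, as an added example that is not part of the original tutorial: it records the user’s groups, runs usermod -aG, and confirms that no membership was lost. The helper names missing_groups and add_to_sudo are hypothetical, and add_to_sudo must be run as root.

```sh
#!/bin/sh
# Added example (not from the original tutorial): verify that adding a user
# to "sudo" did not drop any of the groups they were already in.

# missing_groups BEFORE AFTER   (hypothetical helper)
# Prints, one per line, every group named in BEFORE that is absent from AFTER.
# Both arguments are space-separated lists as printed by `id -nG USER`.
missing_groups() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;                 # still a member
            *) printf '%s\n' "$g" ;;     # membership was lost
        esac
    done
}

# add_to_sudo USER   (hypothetical helper, run as root)
# Runs usermod -aG and compares group membership before and after.
add_to_sudo() {
    user=$1
    before=$(id -nG "$user") || return 1
    usermod -aG sudo "$user" || return 1
    after=$(id -nG "$user")
    lost=$(missing_groups "$before" "$after")
    if [ -n "$lost" ]; then
        echo "WARNING: $user lost groups: $lost" >&2
        return 2
    fi
    case " $after " in
        *" sudo "*) echo "$user is now in: $after" ;;
        *) echo "ERROR: $user is not in group sudo" >&2; return 3 ;;
    esac
}
```

Calling `id -nG` with a user name reads the group database, so the result reflects the change immediately, without the user having to sign in again.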

Test it

Next, either switch to the account or create a new SSH session:

Bash
root:~# su janedoe

PowerShell
PS> ssh janedoe@server

Then, run a command that would naturally cause a “Permission denied” error, like

Bash
janedoe:~# ls /root

This should lead to the error message

Bash
--> ls: cannot open directory '/root/': Permission denied

Then, run the same command with “sudo” in front of it:

Bash
janedoe:~# sudo ls /root/

If this is the first time since the start of your session, or you haven’t used sudo for a while, you will be prompted to enter your password again. If that’s not the case, go to “Troubleshooting”.

That’s YOUR password (in this case for “janedoe”), not the “root” password!

Now the command should run fine and print the content of the directory. If not, go straight to “Troubleshooting”.

Another way to test it is to use “whoami”, which prints your username to the terminal:

Bash
janedoe:~# whoami
--> Prints: janedoe

janedoe:~# sudo whoami
--> Prints: root

If the second command fails or doesn’t print “root”, you don’t have “sudo” privileges. Read on at “Troubleshooting”.

Log all sudo commands

One of the main reasons to use sudo is to have a log of all privileged commands executed on your system.

This may already be enabled, in which case you’ll see a file /var/log/auth.log. If that’s not the case:

Bash
johndoe:~# su -
(Enter your root password)
root:~# visudo

This will open a text editor (usually “vi”, hence the name). Now add the line

Defaults logfile=/var/log/auth.log

From now on, every command run with sudo will be logged to that file and can be viewed with:

Bash
johndoe:~# sudo tail -n 10 /var/log/auth.log

This will print the last five sudo commands (5 because each log entry has 2 lines):

Jul 28 14:02:13 : johndoe : TTY=pts/2 ; PWD=/home/johndoe ; USER=root ;
    COMMAND=the executed command
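
To review the log, the following added example (not part of the original tutorial) joins the wrapped lines of each entry and prints one line per sudo call, marking refused attempts. The sample entries are constructed and the function names are hypothetical; it assumes a refused attempt carries a reason such as “user NOT in sudoers” in place of the leading TTY= field.

```sh
#!/bin/sh
# Added example: summarise a sudo logfile in the wrapped format shown above.

# Constructed sample entries (not real log data). The second line is an
# unrelated syslog line, the last entry is a refused attempt.
sample_log() {
    cat <<'EOF'
Jul 28 14:02:13 : johndoe : TTY=pts/2 ; PWD=/home/johndoe ; USER=root ;
    COMMAND=/usr/bin/ls /root
Jul 28 14:02:50 yourserver sshd[812]: Accepted password for janedoe
Jul 28 14:03:40 : johndoe : TTY=pts/2 ; PWD=/home/johndoe ; USER=root ;
    COMMAND=/usr/sbin/usermod -aG sudo janedoe
Jul 28 14:05:01 : guest : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/guest ;
    USER=root ; COMMAND=/usr/bin/ls /root
EOF
}

# sudo_log_summary [FILE]   (hypothetical helper; reads stdin without FILE)
# Prints one line per entry: STATUS<TAB>user<TAB>run-as user<TAB>command
sudo_log_summary() {
    awk '
    function flush(   p, rest, user, body, status, runas, c) {
        if (entry == "") return
        p = index(entry, " : ")                  # end of the timestamp
        rest = substr(entry, p + 3)
        if (p) p = index(rest, " : ")            # end of the user name
        if (!p) { entry = ""; return }           # not a sudo logfile entry
        user = substr(rest, 1, p - 1)
        body = substr(rest, p + 3)
        # Successful entries start with TTY=; otherwise the first field is
        # the reason sudo refused the command.
        status = "OK"
        if (body !~ /^TTY=/) status = "FAIL:" substr(body, 1, index(body, " ; ") - 1)
        runas = ""
        if (match(body, /USER=[^ ;]+/)) runas = substr(body, RSTART + 5, RLENGTH - 5)
        c = index(body, "COMMAND=")
        printf "%s\t%s\t%s\t%s\n", status, user, runas, (c ? substr(body, c + 8) : "")
        entry = ""
    }
    /^[ \t]/ { sub(/^[ \t]+/, ""); entry = entry " " $0; next }  # wrapped line
    { flush(); entry = $0 }
    END { flush() }
    ' "$@"
}
```

Because /var/log/auth.log usually also receives syslog messages, lines that do not match the sudo entry layout are skipped rather than reported.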

Troubleshooting

sudo: command not found

Use APT to install the package containing the sudo command. Sign in as root (or use “su”) to install it:

Bash
root:~# apt-get install sudo

janedoe is not in the sudoers file.

In this case, check the groups of the user by running

Bash
root:~# groups janedoe

This will print all the groups the user is in. That should contain the group “sudo”. If that’s not the case, go back to the step where you added the user to this group and make sure there weren’t any error messages.
