fedora


Fedora and CentOS GNU/Linux: Add an existing user to the Sudoers list

So, you are a system administrator on a Fedora or a CentOS GNU/Linux machine and a user requests that you upgrade their account to allow the execution of privileged commands using sudo.

Warning

Be very careful to which users you give this right!
Being in the Sudoers list allows particular users to run various commands as the root user, without needing the root password.
Assuming that the user has a valid reason for you to add them to the Sudoers list, proceed with the commands below:

Using sudo

If you are using an account that is already in the Sudoers list and you want to allow the account useraccount to use sudo, execute the following

sudo chmod +w /etc/sudoers
sudo echo 'useraccount ALL=(ALL) ALL ' >> /etc/sudoers
sudo chmod -w /etc/sudoers

Using the root account

If you are using the root user account and you want to allow the account useraccount to use sudo, execute the following

chmod +w /etc/sudoers
echo 'useraccount ALL=(ALL) ALL ' >> /etc/sudoers
chmod -w /etc/sudoers

Notes

The /etc/sudoers file must have very limited access rights for it to be valid.

The system expects that:

  • it will be owned by the root user
  • it will belong to the group root
  • it has only that read access right
  • the read access right belongs only to the owner and to the group

For this reason we first use chmod +w to enable the right access on the file, then we append at the end of the file our configuration using echo >> and finally we remove the write access using chmod -w.

In case you are wondering how the file should be, using ls -l it should appear as follows:

ls -l /etc/sudoers
-r--r-----. 1 root root 3762 Oct 19 13:21 /etc/sudoers

If for some reason your file does not have these access rights, you can repair the file access right of your /etc/sudoers file using

sudo chmod 440 /etc/sudoers

Bonus

No password

Using the above method, it will prompt the user to enter their account password when they first want to use a sudo command after some time of inactivity.

In case you want the user to execute sudo without using a password at all (which is dangerous and definitely not recommended) use the following code

chmod +w /etc/sudoers
echo 'useraccount ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
chmod -w /etc/sudoers

The NOPASSWD directive in the echo command will instruct the system to not ask for a password when sudo is needed.

A valid occasion for you to allow this would be to allow an automated script to perform some tasks that require elevated privileges without the need to have the password hardcoded in the script not having to get the user involved each time in the process.

Adding a whole group to the sudoers list

Assuming you want enable all users of a specific group to execute sudo commands

Using sudo

If you are using an account that is already in the Sudoers list and you want to allow all the users of the user group usergroup to use sudo, execute the following

sudo chmod +w /etc/sudoers
sudo echo '%usergroup ALL=(ALL) ALL ' >> /etc/sudoers
sudo chmod -w /etc/sudoers

Same thing without a password

sudo chmod +w /etc/sudoers
sudo echo '%usergroup ALL=(ALL) NOPASSWD: ALL ' >> /etc/sudoers
sudo chmod -w /etc/sudoers

Using the root account

If you are using the root user account and you want to allow all the users of the user group usergroup to use sudo, execute the following

chmod +w /etc/sudoers
echo '%usergroup ALL=(ALL) ALL ' >> /etc/sudoers
chmod -w /etc/sudoers

Same thing without a password

chmod +w /etc/sudoers
echo '%usergroup ALL=(ALL) NOPASSWD: ALL ' >> /etc/sudoers
chmod -w /etc/sudoers