What It Means To Give Admin Privileges To Users Using Groups on Linux/Debian/Ubuntu
If you’re new to learning Linux and its administration chances are you have already come across the idea of Admin Privileges and Managing It Amongst Users. There is also another chance that you are yet to satisfactorily understand these concepts that you’ve come across(Like I was too). If that’s the case with you, then hang in there, this article is aimed at helping out.
I have seen people, including myself, ask questions such as: what does having admin privileges really mean? What is the difference between the sudo group and the admin group as seen in the sudoers file? Why do users still need to run commands with sudo even after they are said to have been made “admins”? All these and more are what we are going to be finding answers to using simple explanations and examples to illustrate them.
In other to follow along, you need to:
- Have access to either a local ubuntu/Debian OS or be logged in to a remote server of the same distro.
- Create one new user
To quickly create a new user, run the command below, replacing “newUser” with any name you decide to give your new user, an example is “stanley”:
Or if you are not logged in as root( if your command prompt starts with # then you’re logged in as root, otherwise you're not) use the command below instead:
$ sudo adduser newUser
You’ll be prompted to give this user a password. Provide a password that you’ll remember and confirm the password.
Login as this new user with the command:
$ su newUser
Then provide the password for this new user. Now that you're logged in as the new user, let's get to the main business of today.
What having Admin Privileges really mean
Other ways to say a user has Admin privileges is to say that they have “sudo privileges” “root privileges” or “administrator rights”. And this means that the user has permission to carry out tasks that ordinarily only the “root” user should be able to perform. This is as long as they add “sudo” in front of their commands and can provide the password for their user account.
On linux systems/servers the user called “root” also known as superuser gets automatically created during installation. This user differs from other ordinary user accounts because while ordinary users are restricted from performing certain actions, the root user has complete right/permission to do anything that can be done on the system. This includes changing system configurations, installing software, reading and writing to all files, etc.
But because there also comes times when ordinary users need to carry out tasks that they don’t have permission to perform by default, Unix systems provide a way to allow other users to temporarily act like the root user in order to complete a task at hand. The way this is done is by granting this user permission to run commands with
sudo. So essentially, using the program “sudo” is how a less privileged user can imitate and have privileges like the root user.
To illustrate the need to use sudo, run the below command with the new user account you created earlier:
This should return:
visudo: /etc/sudoers: Permission denied
... Permission denied is what gets returned when your try to access a file that you do not have permission to access. In this case, you're trying to open the file “sudoers” in the etc/ directory, but only the root/superuser has enough privilege to open this file.
Remember earlier we said we can temporarily act like the superuser by including
sudo in front of our commands? Now let's do that here:
$ sudo visudo
Oops! This still returned some sort of error. It returned
newUser is not in the sudoers file. This incident will be reported. right?
Well, this is so because even though other user accounts can act like root user by adding
sudo to their commands, they would need to first be given admin/sudo privileges before they can utilize
sudo. Or like the error message said, be added to the sudoers file.
So how do we do this for our current new user? That’s what we’re going to be demonstrating in the next section.
Give admin/sudo Privileges to Users by adding them to Groups
The primary way to give privileges to users is by adding them to certain groups. These will be groups that have been granted administrative rights in the sudoers file that we saw earlier.
By default there are two groups that can give a user sudo rights on debian/ubuntu servers, they are the sudo group and the admin group. To see that these groups are actually present, exit out of the new user account with:
Then with your previous account (which should already have sudo privileges), run:
$ sudo visudo
This will open the sudoers file on the nano editor. Scroll down to where you see;
User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL
Confirm that the lines starting with
%sudo are present and they do not have # in front of them. If any of them have # in front of it it means it has been disabled/commented out, you can enable it by removing the #. Then exit the file. Refer to monovm.com/post/35/how-to-exit-in-nano if you have difficulty navigating around the nano editor.
After confirming that these groups exist, let's add our new user to the sudo group to give it admin privileges. (make sure you’re not logged in as the new user, as only other users with existing root privileges or the root user itself can add a user to these groups)
The command to do this is:
$ sudo usermod -a -G sudo newUser
If this was successful, then it will not return anything--error or whatsoever.
A brief breakdown of what the above command and its options do:
- Usermod - means user modify. This is the command we use to change the properties of an existing user account.
- a- is an option to show that we want to append a new group.
- G- This is how we mention that we don’t want to overwrite the exiting group, rather add this to them.
- sudo- the group we are adding newUser to.
To see the groups that our new user now belongs to, run:
$ groups newUser
This should return:
newUSer: newUser sudo
This means that newUser belongs to two groups: newUser and sudo. newUser here is a primary group which every normal user account gets automatically assigned to when they get created, they usually have the same name as the user itself.
Our new user now has admin privilege. To confirm that it does, log into it again and try opening the sudoers file again:
$ su newUser
$ sudo visudo
This time the sudoers file should open up in nano. Now exit the file without making any changes. Adding to the admin group instead would bring forth the same result as the sudo group. However it is best to use the sudo group instead because as of Ubuntu 12.04 LTS and later sudo is officially used to give administrator rights, but admin is still supported for backward compatibility. If you have done a fresh ubuntu install then admin will not be available to you, even though it is present in the sudoers file. Admin may only be available if you have upgraded from a previous distribution.
To see if admin is available, run:
$ cat /etc/group | grep admin
If what is returned starts with
admin then it is available, otherwise, it is not.
The final way to give admin rights to a user is to add the group where they already belong to the sudoers file. For example, one could add their primary group (which we said usually has the same name as the user itself) to the sudoers file and grant all access to it.
Like we saw above in the sudoers file, the sudo group just like the other default admin groups has been granted all-access with the following:
%sudo ALL=(ALL:ALL) ALL
We can do the same for our new user by editing the sudoers file and granting admin access to it like so:
%newUser ALL=(ALL:ALL) ALL
newUSer should of cause be the name you have given your new user. Now our newUser can run commands with sudo, even if we remove or do not add them to the sudo group.
Phew! This ride has been somewhat long, to be honest. But now at the end, we have come to understand what it means to have admin privileges: it simply means that this user can run root-level commands with
sudo, it is only the root/superuser who does not need to use
sudo on any of its commands. We also know how a user is given this privilege, and now also understands the difference between the sudo and admin groups: they’re just the same, only that one is only available to support backward compatibility.
I hope this proved useful to you and wishing to see you around on my future articles.