Linux System Administration for Beginners

User and Group Management

Manage user privileges

Controlling who can perform administrative tasks is crucial for system security. In this guide, you’ll learn how to grant and restrict sudo access on Linux, manage entries in /etc/sudoers, and apply fine-grained policies for different users and groups.

Using sudo

By default, only the root user (superuser) can modify system-critical files and settings. Prefixing a command with sudo runs it with root privileges:

$ sudo apt update

Note

When running sudo for the first time, you’ll be prompted for your password—not the root password.

Granting sudo via the wheel group

Many Linux distributions allow members of the wheel group to use sudo:

$ groups
aaron family wheel

To add a user (e.g., trinity) to wheel:

$ sudo gpasswd -a trinity wheel

Now trinity can execute any command with sudo. This is simple to set up but gives no fine-grained control over what trinity may run.

Fine-grained control with /etc/sudoers

Instead of a broad group assignment, define precise policies in /etc/sudoers. Never edit that file directly! Always use visudo, which validates syntax.

$ sudo visudo

Inside, you’ll find a line like:

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

Warning

A malformed /etc/sudoers can lock out all sudo access. Always use visudo to edit safely.

Breakdown of a sudoers entry

| Part | Description | Example |
|------|-------------|---------|
| User/Group | Rule applies to this user (e.g., trinity) or group (%devs) | trinity, %developers |
| Host | Hosts where the rule is valid (ALL for every host) | ALL |
| Run as | User(s) the command may run as (in parentheses) | (ALL), (aaron,john) |
| Commands | Which commands are allowed | /bin/ls, /usr/bin/vim |

Defining custom sudoers policies

Below are sample entries to append near the end of /etc/sudoers via visudo:

# 1. Allow trinity to run any command as any user (including root)
trinity ALL=(ALL) ALL

# 2. Grant all members of 'developers' the same privilege
%developers ALL=(ALL) ALL

# 3. Permit trinity to run any command, but only as aaron or john
trinity ALL=(aaron,john) ALL

# 4. Shortcut: run as root (default) without specifying run-as list
trinity ALL=ALL

# 5. Restrict trinity to only /bin/ls and /bin/stat; (ALL) lets them run as any user, including root
trinity ALL=(ALL) /bin/ls, /bin/stat

# 6. Same commands, omitting the run-as list (run as root only)
trinity ALL= /bin/ls, /bin/stat

Running commands as another user

Beyond root, you can invoke commands as any user:

$ sudo -u trinity ls /home/trinity
Desktop  Documents  Downloads  Music  Pictures

Handling “Permission denied” errors

If a user invokes a disallowed command, sudo reports:

$ sudo echo "Test passed?"
Sorry, user trinity is not allowed to execute '/bin/echo Test passed?' as root on server01.

Disabling the password prompt

To let a user run commands without entering their password, add the NOPASSWD: tag before the command list:

# Allow trinity to run any command without a password
trinity ALL=(ALL) NOPASSWD: ALL

Note

Use NOPASSWD: sparingly; it increases convenience but may reduce auditability.
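
The entry breakdown and the NOPASSWD: rule above, as an added example that is not part of the original guide: a Python auditor that splits entries of the simple one-line form shown here into user/group, host, run-as list and commands, and reports which grants are broad. The function names and the SAMPLE policy are constructed for illustration; Defaults and alias lines are skipped, and line continuations, run-as groups and other tags are assumed absent.

```python
import re
# Simple one-line form used in this guide: who host=(runas) [NOPASSWD:] cmd[, cmd...]
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<nopasswd>NOPASSWD:\s*)?(?P<cmds>.+)$"
)

def parse_rule(line):
    """Split one entry into its parts; None for comments, Defaults, aliases, unsupported lines."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
        return None
    m = RULE.match(line)
    if not m:
        return None
    runas = m.group("runas")
    return {
        "who": m.group("who"),
        "is_group": m.group("who").startswith("%"),
        "host": m.group("host"),
        # No run-as list: the commands may run as root only.
        "runas": [u.strip() for u in runas.split(",")] if runas is not None else ["root"],
        "nopasswd": m.group("nopasswd") is not None,
        "commands": [c.strip() for c in m.group("cmds").split(",")],
    }

def findings(rule):
    """Return review notes for grants broader than a fixed command list run as root."""
    notes = []
    if "ALL" in rule["commands"]:
        notes.append("any command")
    if "ALL" in rule["runas"]:
        notes.append("any target user")
    if rule["nopasswd"]:
        notes.append("no password prompt")
    return notes

def audit(text):
    return [(r["who"], findings(r)) for r in map(parse_rule, text.splitlines()) if r]

# Constructed sample policy built from entries shown in this guide.
SAMPLE = """%wheel ALL=(ALL) ALL
trinity ALL=(aaron,john) ALL
trinity ALL= /bin/ls, /bin/stat
trinity ALL=(ALL) NOPASSWD: ALL"""

if __name__ == "__main__":
    for who, notes in audit(SAMPLE):
        print(who, "->", ", ".join(notes) or "narrow grant")
```

Run it against a copy of the policy text rather than the live file, and treat any rule that reports all three notes as the first candidate for narrowing to a command list.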

