How to Add User to Sudoers in AlmaLinux 10

Securing your VPS is a crucial step in keeping your data and applications safe from threats. One recommended security practice to harden your server is to disable the default root user and replace it with a new user with root privileges. In this article, we will show you how to add a user to sudoers in AlmaLinux 10.

Prerequisites

Conventions

# – given commands should be executed with root privileges, either directly as the root user or by use of the sudo command
$ – given commands should be executed as a regular user

What is root?

In the Linux operating system, root is a default system user. The root user is the user with the highest access rights (superuser). The root user has unlimited access to execute commands, such as installing applications, deleting applications, upgrading the system, adding users, performing configurations, and so on.

In practice, it is highly recommended to deactivate the direct root access for security reasons. You can create a new user and then change the new user’s privileges to have the same access rights as root.

How to Add a New User

Here’s how to create a new user on a VPS using the command line:

To create a new user, you can use the following command while in the terminal. Make sure to replace ‘newuser’ with any user name you want.

# adduser newuser

Then give the user a new password:

# passwd newuser

You will be prompted to type the new password twice.

Changing password for user newuser.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully

How to Add a User to Sudoers

There are several ways to add a user to sudoers.

Visudo

The /etc/sudoers file contains a set of rules that determine which users or groups are granted sudo privileges. By editing this file, you can grant specific access to commands and set specific security policies. You can configure user access by editing the sudoers file or creating a new configuration file in the /etc/sudoers.d directory. The files in this directory will be included in the sudoers file.

Always use the visudo command to edit the /etc/sudoers file, and never edit it directly with a text editor. This command checks the file for syntax errors when you save it. If there are any errors, the file will not be saved. Editing the file with a regular text editor can introduce syntax errors that can result in the loss of sudo access.

Visudo uses the file editor specified by the EDITOR environment variable, which by default is set to vim. If you want to edit the file with another file editor, for example nano, you can change the variable by running this command:

# EDITOR=nano visudo

When adding a new user or group to the sudoers file, it’s important to specify the user or group name, the hosts the rule applies to, the users they may run commands as, and the commands they’re allowed to run. For example, to allow a user to run sudo commands without being prompted for a password, open the /etc/sudoers file:

# visudo

Scroll down to the end of the file and add the following line:

username ALL=(ALL) NOPASSWD:ALL


Make sure to replace “username” with a system user that exists on your AlmaLinux 10 machine, and do not forget to save the file and exit the editor. The NOPASSWD tag allows commands to be executed without prompting for the user’s password, which can be useful for automation but also weakens security: anyone who gains access to that account can run those commands as root without knowing the password.

If for some reason you want the user to run only certain commands through sudo, let’s say the mkdir and rmdir commands, you would use:

username ALL=(ALL) NOPASSWD:/bin/mkdir,/bin/rmdir

Rather than modifying the sudoers file directly, you can achieve the same result by creating a new file with authorization rules in the /etc/sudoers.d directory. Simply add the same rules you included in the sudoers file:

# echo "username ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/username

This method simplifies the management of sudo privileges. While the file name itself isn’t crucial, it’s a common convention to name the file after the username.
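
Writing a drop-in file with echo and tee skips the syntax check that visudo performs. As an added example (not part of the original article), the function below writes a rule to a temporary file, validates it with visudo -cf, and only then installs it with mode 0440; it also rejects file names that contain a dot or end in ~, which sudo skips when reading /etc/sudoers.d. The function name and the SUDOERS_DIR and SUDOERS_CHECK variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: install a sudoers drop-in only after it passes a syntax check.
# SUDOERS_DIR and SUDOERS_CHECK are hypothetical knobs for this sketch; their
# defaults are the directory and the visudo command discussed in the article.

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"
SUDOERS_CHECK="${SUDOERS_CHECK:-visudo -cf}"

install_sudoers_rule() {
    # $1: drop-in file name (usually the user name)
    # $2: the sudoers rule, e.g. 'username ALL=(ALL) NOPASSWD:/bin/mkdir,/bin/rmdir'
    local name="$1" rule="$2" tmp

    # sudo skips drop-in files whose name contains '.' or ends in '~',
    # so a rule stored under such a name would silently never apply.
    case "$name" in
        ''|*.*|*"~"|*/*)
            echo "refusing drop-in file name: '$name'" >&2
            return 2
            ;;
    esac

    tmp="$(mktemp)" || return 1
    printf '%s\n' "$rule" > "$tmp"

    # Validate the candidate file before it can affect sudo at all.
    if ! $SUDOERS_CHECK "$tmp" >/dev/null 2>&1; then
        echo "syntax check failed, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi

    # Read-only for owner and group, no access for others.
    install -m 0440 "$tmp" "$SUDOERS_DIR/$name"
    rm -f "$tmp"
}
```

Run as root, a call such as install_sudoers_rule username 'username ALL=(ALL) NOPASSWD:/bin/mkdir,/bin/rmdir' leaves /etc/sudoers.d untouched if the rule does not parse.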

Usermod

On a Linux system, we can use usermod to modify existing user accounts. To grant a system user sudo privileges in AlmaLinux, we can use the usermod command to add the user to the wheel group. In AlmaLinux (and other RHEL-based distributions), typically we use the wheel group to grant members sudo access.

# usermod -aG wheel newuser

The “usermod” command changes an existing user account.
The “-aG” options tell the command to add the user to a designated group.
The “-a” option lets the user join the group without losing their current group memberships, while the “-G” option indicates which group to add them to. It’s important to always use these two options together.
“wheel” is the group passed to these options; it can be substituted with any other group. “newuser” is the user account that is to be added to the wheel group.

Gpasswd

We can use the gpasswd command to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password. The difference between usermod and gpasswd is that usermod expects the group name first, then the username, while gpasswd expects the username first, then the group name. To add a user to the sudoers group (typically the wheel group) in AlmaLinux using the gpasswd command, we can execute this command:

# gpasswd -a username wheel

Replace username with the actual username you want to add to the sudoers group. The -a flag stands for “add.”

Conclusion

That is all! You have learned how to add a user to sudoers in AlmaLinux 10.
