All About Sudo on a Debian 10 Buster System

So you have recently shifted to Debian 10 and need a way for yourself, or someone else, to be able to execute authority-restricted operations on the system. These operations include information and privacy-sensitive tasks like changing the system configuration, performing user management, editing all files, installing/removing software, and upgrading your system and its components. As the first default user account after installation, ‘root’ is the most powerful user on Debian and can do all of the above. Although the name ‘root’ comes from this user’s access and permissions on the root directory, the account is also referred to as the Administrator, Supervisor and Super User.

So if root can do all, what is sudo and why do we need sudo users on our Debian?

What is Sudo?

Sudo, or “superuser do”, is a set of privileges that an Administrator/root can give to other users so that they can also perform some of the authority-restricted operations on Debian, while root still maintains a high level of security and authority over the system.

One way to give users this authority would be to simply share the root password with them, without getting into the whole sudo thing, but Linux has its reasons for sudo:

  • Sudo gives temporary privileges to users that can be taken away at any time by root. If we had shared our root password instead, we would have to change it whenever the privileges were to be terminated.
  • Working as root at all times is not a good security practice as one can mistakenly mess with sensitive system settings. So it is better to switch to sudo, and then back, when a restricted operation is complete.
  • The commands performed as sudo are all logged, along with the username that executed them. This ensures accountability and auditing for all such users.
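
What that audit trail looks like in practice, as an added example that is not part of the original article: on Debian with rsyslog, sudo's records go to /var/log/auth.log, and the function below reduces them to user, outcome and command. The log lines are constructed samples in sudo's standard syslog format; the function name and the status labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pull the "who ran what" record out of sudo's syslog lines.

# usage: sudo_events LOGFILE  ->  one line per event: USER STATUS COMMAND
sudo_events() {
    awk '
        # sudo command records have the shape:
        #   <time> <host> sudo:  USER : [reason ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..
        # PAM session lines also carry the sudo tag but have no COMMAND= field.
        / sudo: / && /COMMAND=/ {
            line = $0
            sub(/^.* sudo:[ \t]+/, "", line)           # drop timestamp and host
            user = line; sub(/[ \t]*:.*$/, "", user)    # text before the first ":"
            cmd = line;  sub(/^.*COMMAND=/, "", cmd)    # command as it was typed
            status = "ok"
            if (line ~ /NOT in sudoers/)             status = "denied"
            else if (line ~ /incorrect password/)    status = "badpass"
            print user, status, cmd
        }
    ' "$1"
}

# Constructed sample log (not taken from a real system).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mar  3 10:15:01 debian sudo:     sana : TTY=pts/0 ; PWD=/home/sana ; USER=root ; COMMAND=/usr/bin/apt-get install vlc
Mar  3 10:15:01 debian sudo: pam_unix(sudo:session): session opened for user root by sana(uid=0)
Mar  3 10:20:44 debian sudo:     alex : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/alex ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  3 10:31:09 debian sudo:     sana : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/sana ; USER=root ; COMMAND=/usr/bin/apt-get update
EOF

sudo_events "$sample_log"
```

The "denied" and "badpass" rows are the ones worth alerting on: they record an account attempting a privileged command it was not allowed to run.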

In this article, we will explain how you can do the following on a Debian 10 Buster System:

  1. Give sudo privilege to a user
  2. Use sudo once it is granted
  3. Remove sudo privilege from a user
  4. Check which users have sudo privilege on the system

Note: Only an authorized user can perform all these operations on Debian.

Giving Sudo Privilege To A User

Most Debian installations do not come with the sudo utility installed by default. Therefore, we will first install it on our Debian as an Administrator. Open the Terminal application through the Application Launcher search bar and then log in as root through the following command:

$ su -

The system will ask you for the root password; once you provide it, you will be logged in as root.

Now, run the following commands in order to install sudo on your system:

# apt-get update
# apt-get install sudo

The sudo utility should now be installed on your Debian.

The /etc/sudoers file contains a list of users that have sudo privileges on the system. Although it is a text file, we do not recommend opening it in any of the available text editors. One small mistake can cost a user access to sudo rights forever.

Therefore, let us use the highly preferred and safe way of editing the sudoers file by running the following command:

# visudo

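This will open the sudoers file in a safe mode. Locate the section of the file that is marked in the following screenshot and then add the following line, replacing user with the name of the account. Do not put a % in front of the name: in sudoers syntax a leading % makes the rule apply to a group of that name rather than to a user.

user       ALL=(ALL:ALL) ALL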

I have added a user by the name of “sana” as a sudo user. Exit the file by hitting Ctrl+X. Then enter Y in order to save the modified file.

Now the user is marked as a sudo user and can perform many privileged operations on your Debian.

How To Use Sudo Once It Is Granted

Log in as a user that is granted sudo rights on Debian and then open the Terminal application. Let us now verify the sudo login and also if we are able to perform any of the authority-restricted operations.

If you enter the following command in order to install the VLC player, you will get the error displayed in the screenshot:

$ apt-get install vlc

The reason here is that only an authorized user (root or sudo) is allowed to add and remove software on Debian. Therefore, we will run the same command as sudo now:

$ sudo apt-get install vlc

As a sudo user runs this command, they will be asked to provide their own password.

After being verified as sudo, the installation process will begin, as shown above.

How To Remove Sudo Privilege From a User

The process of removing a user from the sudoers list is as simple as adding one. As root or as a sudo user, open the sudoers file as follows:

# visudo

Or,

$ sudo visudo

Then, remove or comment out the line which marks the user as sudo.

Save the file and the specified user is no longer recognized by the system as an authorized sudo user.

How To Check Which Users Have Sudo Privilege in The System

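It is a good managerial check to see, from time to time, which users have been granted sudo rights on a system. It helps in deciding whose sudo status should be retained and whose should be revoked. What we are looking for is a way to list the members of the ‘sudo’ group. Keep in mind that a user granted sudo through their own line in the sudoers file, as in the section above, is not a member of this group and will not appear in that list.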

The following use of the Linux getent command will enable an Administrator to check which users have sudo privileges on your Debian:

# getent group sudo

If you want to check whether a certain user is a member of the sudo group, you can make use of the Linux groups command as follows:

# sudo groups [username]
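
Sudo rights on this page can come from two places: a line for the user in the sudoers file, or membership of a group that sudoers names with a leading %. The following is an added example, not part of the original article, that reads a group file and one or more sudoers-syntax files and lists every covered account together with how it is covered. The function name, the account alex and the temporary sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every account that can use sudo, whether it was granted
# by a direct line in sudoers or by membership of a %group named there.

# usage: sudo_capable_users GROUP_FILE SUDOERS_FILE [MORE_SUDOERS_FILES...]
sudo_capable_users() {
    awk '
        # First file is the group database: name:passwd:gid:member,member
        FNR == NR { split($0, f, ":"); members[f[1]] = f[4]; next }
        # Remaining files use sudoers syntax. Skip blanks, comments (which
        # covers #includedir, so pass those files explicitly), Defaults
        # lines and alias definitions.
        /^[ \t]*(#|$)/ || $1 ~ /^(Defaults|@include)/ || $1 ~ /_Alias$/ { next }
        # A leading % means the rule applies to a group: expand its members.
        $1 ~ /^%/ {
            g = substr($1, 2)
            n = split(members[g], m, ",")
            for (i = 1; i <= n; i++) print m[i] " group:" g
            next
        }
        { print $1 " direct" }
    ' "$@" | sort -u
}

# Constructed sample data (not taken from a real system).
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
sudo:x:27:alex
sana:x:1000:
user:x:1001:
EOF
cat > "$sample_dir/sudoers" <<'EOF'
Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
sana    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%user   ALL=(ALL:ALL) ALL
EOF

sudo_capable_users "$sample_dir/group" "$sample_dir/sudoers"
```

In the sample, sana is reported as "direct" although the sudo group lists only alex, and the %user rule grants nothing because the group named user has no members. On a live system, save the output of getent group to a file and pass it first, followed by /etc/sudoers and the files under /etc/sudoers.d; accounts whose primary group is named in sudoers are not in the group file's member field and need a separate check.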

After reading this article, not only will you be able to differentiate the terms sudo, root, Administrator, supervisor, etc, but also manage safely which ones you want to grant sudo rights to, on your Debian.

About the author

Karim Buzdar

Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. You can reach Karim on LinkedIn.