How To Add, Delete, and Grant Sudo Privileges to Users on a FreeBSD Server

I'm setting up a new FreeBSD server. I do not want to use a default root user who has full system access. How can I set up and grant sudo privileges to users on a FreeBSD VPS or server?

The root account has full system-level access and is usually reserved for admin tasks only.

The sudo command lets you delegate a small, limited amount of power to users other than the root user. It is a good tool if you have many users, want to log everything users do with elevated privileges, and are granting only certain privileges. Unless a target user is specified, sudo escalates the privilege to root.

In this quick tutorial I will show you:

  1. How to create a new user on a FreeBSD server.
  2. How to give users access to the sudo command.
  3. How to delete users from the sudo command.

Install sudo app on a FreeBSD server/vps

Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. You can install sudo from the ports collection, type:
# cd /usr/ports/security/sudo/ && make install clean
Or as a binary package, enter:
# pkg install security/sudo

Adding a new user on FreeBSD

The recommended command-line application for adding new users is called adduser. Just type the following command and it will walk you through the steps for creating a new user account on a FreeBSD VPS or server:
# adduser

Grant users administrative privileges on FreeBSD

The configuration file is located in /etc/sudoers or /usr/local/etc/sudoers and is read-only by default. The visudo command can be used to easily modify the sudoers configuration file.

To add a username to sudoers

$ su -
# visudo

Append the following line and exit the text editor:

    alice ALL=(ALL) ALL

This allows the user alice to run the sudo command and become root. sudo will first ask for her password. To skip the password prompt when the sudo command is issued, change the line to:

    alice ALL=(ALL) NOPASSWD: ALL

If you want alice to have sudo privileges on only one server in a network, and to restrict her to running the /bin/ls command as user bob, you would add the following:

    alice server1=(bob) /bin/ls  /home/bob
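
The three rule shapes above differ a lot in how much they grant, so it helps to review a sudoers file for the broad ones. The script below is an added example, not part of the original tutorial: it flags rules that grant ALL commands (with or without NOPASSWD) and rules where ALL is written in the wrong case, which sudo treats as an ordinary name rather than the keyword. The users carol, erin and dave and the sample file are constructed; the parser assumes single-line rules and does not expand aliases.

```shell
#!/bin/sh
# Added example: flag broad or mistyped sudoers user rules.
# Assumptions: one rule per line, no backslash continuations, no alias expansion.

audit_sudoers() {
    # $1 = path to a sudoers-style file; prints one finding per line
    awk '
    /^[ \t]*#/ { next }                                  # comments, #include
    /^[ \t]*$/ { next }                                  # blank lines
    /^[ \t]*(Defaults|@include|[A-Za-z]+_Alias)/ { next }
    index($0, "=") == 0 { next }                         # not a user rule
    {
        user = $1
        # sudoers keywords are case-sensitive: "All" is not the ALL keyword
        n = split($0, tok, /[ \t=(),:]+/)
        for (i = 1; i <= n; i++)
            if (toupper(tok[i]) == "ALL" && tok[i] != "ALL") {
                print "MISCASED_ALL " user " " tok[i]
                next
            }
        cmds = substr($0, index($0, "=") + 1)
        sub(/^[ \t]*\([^)]*\)/, "", cmds)                # drop (runas) part
        nopw = (cmds ~ /NOPASSWD:/)
        gsub(/[A-Z_]+:/, "", cmds)                       # drop tags
        gsub(/^[ \t]+|[ \t]+$/, "", cmds)                # trim
        if (cmds == "ALL") {
            kind = nopw ? "NOPASSWD_ALL" : "ALL_COMMANDS"
            print kind " " user
        } else if (nopw)
            print "NOPASSWD_LIMITED " user
    }' "$1"
}

make_sample() {
    f=$(mktemp "${TMPDIR:-/tmp}/sudoers.XXXXXX") || return 1
    cat > "$f" <<'EOF'
# constructed sample rules, not taken from a real host
Defaults env_reset
alice ALL=(ALL) NOPASSWD: ALL
carol ALL=(ALL) ALL
erin server1=(bob) /bin/ls /home/bob
dave All=(ALL) ALL
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample) && audit_sudoers "$sample"
rm -f "$sample"
```

Rules limited to a specific command and run-as user, like the server1 line, produce no finding.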

Every use of sudo is logged in the /var/log/messages file.

A sudo user can escalate to root by using the sudo command:

    [alice@hostname ~]$ sudo su -

OR

    [alice@hostname ~]$ sudo -s

Or, to execute a command as root:

    [alice@hostname ~]$ sudo whoami

Or, to execute a command as another user:

    [alice@hostname ~]$ sudo -u bob ls /home/bob

Remove a username from sudoers

To remove the privileges, take the user out of the sudoers configuration file, i.e. run the visudo command and delete the following line from the config file:

    alice ALL=(ALL) NOPASSWD: ALL

OR

    alice ALL=(ALL) ALL

To completely remove a user (say alice) from the system, run rmuser as the superuser:
# rmuser alice

For more usage patterns, see the man pages: sudo(8), sudoers(5), visudo(8)

This quick tutorial was contributed by Wendy Michele. You too can contribute to nixCraft.
