How To Add, Delete, and Grant Sudo Privileges to Users on a FreeBSD Server

Last updated December 2, 2014

I'm setting up a new FreeBSD server. I do not want to use a default root user who has full system access. How can I set up and grant sudo privileges to users on a FreeBSD VPS or server?

The root account has full system-level access and is usually reserved for admin tasks only.

The sudo command lets you delegate a limited set of privileges to users other than the root user. It is a good tool if you have many users and want to grant only certain privileges while logging everything those users do with them. Unless a target user is specified, sudo escalates the privilege to root.

In this quick tutorial I will show you:

  1. How to create a new user on a FreeBSD server.
  2. How to give users access to the sudo command.
  3. How to delete users from the sudo command.

Install the sudo app on a FreeBSD server/VPS

Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. You can install sudo from the ports collection; type:
# cd /usr/ports/security/sudo/ && make install clean
Or as a binary package, enter:
# pkg install security/sudo

Adding a new user on FreeBSD

The recommended command-line application for adding new users is called adduser. Just type the following command and it will walk you through the steps for creating a new user account on a FreeBSD VPS or server:
# adduser

Grant users administrative privileges on FreeBSD

The configuration file is located in /etc/sudoers or /usr/local/etc/sudoers and is read-only by default. Use the visudo command to modify the sudoers configuration file.

To add a username to sudoers

$ su -
# visudo

Append the following line, then save and exit the text editor:

    alice ALL=(ALL) ALL

This allows the user alice to run the sudo command and become root. sudo will first ask for her password. To skip the password prompt when the sudo command is issued, change the line to:

    alice ALL=(ALL) NOPASSWD: ALL

If you want alice to have sudo privileges on only one server in a network, and to restrict her to running the /bin/ls command as the user bob, you would add the following:

    alice server1=(bob) /bin/ls /home/bob

Every use of sudo gets logged in the /var/log/messages file.
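To review which of the rule forms above a sudoers file actually contains, the following sh function is an added example, not part of the original tutorial. It flags grants of all commands, NOPASSWD rules, and a host field typed as `All`, which sudoers does not treat as the ALL keyword. The function names and sample lines are constructed for illustration, and it assumes one host and one command per rule.

```shell
#!/bin/sh
# Added example (not from the original article): flag risky or mistyped
# user specifications in sudoers-style text read from stdin.
# Output: one "line:finding:user" record per issue found.
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # comments, blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }  # not user specifications
    {
        eq = index($0, "=")
        if (eq == 0) next
        left  = substr($0, 1, eq - 1)             # "user host"
        right = substr($0, eq + 1)                # "(runas) TAG: command"
        split(left, f, " ")                       # f[1]=user, f[2]=host
        user = f[1]; host = f[2]

        nopass = (right ~ /NOPASSWD[ \t]*:/)
        sub(/^[ \t]*\([^)]*\)/, "", right)        # drop the (runas) list
        gsub(/[A-Z_]+[ \t]*:/, "", right)         # drop tags like NOPASSWD:
        gsub(/^[ \t]+|[ \t]+$/, "", right)        # trim what is left

        # ALL is case-sensitive: "All" is parsed as a host named All
        if (host != "ALL" && toupper(host) == "ALL")
            print NR ":miscased-ALL:" user
        if (right == "ALL")
            print NR ":all-commands:" user
        if (nopass)
            print NR ":nopasswd:" user
    }'
}

# Constructed sample input, not a real sudoers file.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
alice All=(ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
alice server1=(bob) /bin/ls /home/bob
EOF
}

sample_sudoers | audit_sudoers
```

On a real system, feed it a copy of the sudoers file as root; `visudo -c` remains the syntax check for the file itself.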

A sudo user can escalate to root by using the sudo command:

    [alice@hostname ~]$ sudo su -

OR

    [alice@hostname ~]$ sudo -s

Or, to execute a command as root:

    [alice@hostname ~]$ sudo whoami

Or, to execute a command as another user:

    [alice@hostname ~]$ sudo -u bob ls /home/bob

Remove a username from sudoers

To remove the privileges, take the user out of the sudoers configuration file, i.e. delete the following line from the config file by running the visudo command:

    alice ALL=(ALL) NOPASSWD: ALL

OR

    alice ALL=(ALL) ALL

To completely remove a user (say alice) from the system, run rmuser as the superuser:
# rmuser alice

For more usage patterns, see the man pages: sudo(8), sudoers(5), visudo(8)

This quick tutorial was contributed by Wendy Michele. You too can contribute to nixCraft.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.