How to Add a User to Sudoers in Ubuntu [Step-by-Step]
The sudo command lets regular users run administrative tasks without logging in as root. On Ubuntu servers, granting sudo access is one of the first steps after creating a new user, because running everything as root increases the risk of accidental system damage and makes it harder to trace who did what.
In this tutorial, you will learn how to add a user to the sudo group, edit the sudoers file directly with visudo for fine-grained permissions, grant passwordless sudo access for automation, and remove sudo privileges when they are no longer needed.
#What is a sudo user
A sudo (Super User do) user is a regular Linux user with permission to execute privileged commands as the root user. For this to happen, the user must be a member of the sudo group or have an entry in the /etc/sudoers file. The sudoers file controls who can run which commands on the system.
The sudo command grants elevated privileges to a sudo user to run root-level tasks. Each command executed with sudo gets logged to /var/log/auth.log, creating an audit trail that the root account alone cannot provide.
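The audit trail described above can be reduced to one line per sudo event. This is an added example, not part of the original tutorial: the log lines are constructed, and the function names sudo_events and sample_log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Real use (needs read access to the log): sudo_events < /var/log/auth.log

# Read syslog lines on stdin and print one line per sudo event:
#   KIND USER TARGET COMMAND
# KIND is RUN, DENIED (not in sudoers / command not allowed) or AUTHFAIL.
sudo_events() {
    awk '
        / sudo(\[[0-9]+\])?: / && /USER=/ && /COMMAND=/ {
            line = $0
            sub(/^.* sudo(\[[0-9]+\])?:[ \t]*/, "", line)  # drop timestamp, host, tag
            user = line
            sub(/[ \t]*:.*/, "", user)                      # name before the first ":"
            target = substr(line, index(line, "USER=") + 5)
            sub(/ ;.*/, "", target)                         # run-as account
            cmd = substr(line, index(line, "COMMAND=") + 8)
            kind = "RUN"
            if (line ~ /NOT in sudoers|command not allowed/) kind = "DENIED"
            else if (line ~ /incorrect password attempt/) kind = "AUTHFAIL"
            print kind, user, target, cmd
        }
    '
}

# Constructed sample lines in the auth.log layout (not captured from a real host).
sample_log() {
    cat <<'EOF'
2024-06-01T10:12:40.000000+00:00 cool-chicken sudo:   cherry : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/cherry ; USER=root ; COMMAND=/usr/bin/apt update
2024-06-01T10:15:02.120000+00:00 cool-chicken sudo:   cherry : TTY=pts/0 ; PWD=/home/cherry ; USER=root ; COMMAND=/usr/bin/apt update
2024-06-01T10:15:02.130000+00:00 cool-chicken sudo: pam_unix(sudo:session): session opened for user root(uid=0) by cherry(uid=1000)
2024-06-01T10:20:11.000000+00:00 cool-chicken sudo:    alice : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/whoami
2024-06-01T10:21:00.000000+00:00 cool-chicken sshd[812]: Accepted publickey for cherry from 192.0.2.10 port 50000 ssh2
EOF
}

sample_log | sudo_events
```

DENIED and AUTHFAIL lines are the ones worth alerting on; RUN lines give the per-user record of privileged commands.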
#Prerequisites
To follow along in this tutorial, ensure you have the following in place:
- An instance of Ubuntu. In this guide, we are using Ubuntu 24.04 LTS.
- A root user or access to a pre-existing sudo user for running privileged tasks.
#Adding a user to sudoers in Ubuntu
In Ubuntu and Debian-based systems, the easiest way of creating a sudo user is by adding a regular user to the sudo group. The sudo group is a pre-existing group on the system. Members of this group acquire elevated privileges to carry out root-level tasks using the sudo command.
We will start by creating a regular user and later add the user to the sudo group. If you already have a regular user created, follow along from Step 2.
#Step 1: Create a regular user in Ubuntu
To get off the ground, log into your instance. We will start by creating a new regular user account. To create a new user account, run the adduser command followed by the user's login name.
sudo adduser username
For example, to create a regular user called cherry, run the following command:
sudo adduser cherry
The adduser command provides an interactive way for adding users to the system by prompting for user details.
When you execute the command, a series of events happens. The command creates a user named cherry and assigns a UID (User ID) from the range 1000 to 59999. It then creates a new group with the username and adds the user to it. This is also known as the primary group.
Next, the command creates a home directory and copies user-specific configuration files from /etc/skel to the home directory.
Next, you will be prompted for the user's password, then asked to confirm it.
You will then be asked for additional information such as the user's full name, room number, work phone, etc. These fields are optional; you can fill them in or leave them blank. To skip an entry, just press ENTER.
Finally, type Y and hit ENTER to save the values you have just provided. The user is eventually added to a supplemental or extra group called users.
Output:
sudo adduser cherry
info: Adding user `cherry' ...
info: Selecting UID/GID from range 1000 to 59999 ...
info: Adding new group `cherry' (1000) ...
info: Adding new user `cherry' (1000) with group `cherry (1000)' ...
info: Creating home directory `/home/cherry' ...
info: Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for cherry
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
info: Adding new user `cherry' to supplemental / extra groups `users' ...
info: Adding user `cherry' to group `users' ...
To check the groups the user belongs to, run the groups command followed by the username.
groups cherry
From the output, you can see that the user belongs to two groups: cherry group, which is the primary group, and users, the supplementary group.
Output:
cherry : cherry users
#Step 2: Add a regular user to the sudo group /sudoers file
So far, you have created a regular login user called cherry. However, the user is limited to standard system tasks.
If you log in as the user and run a privileged task with the sudo command, you will be notified that the user is not in the sudoers file, and the command will not be executed.
sudo su - cherry
cherry@cool-chicken:~$ sudo apt update
[sudo] password for cherry:
cherry is not in the sudoers file.
cherry@cool-chicken:~$
To run privileged tasks on the system, you need to add the user to the sudo group. The sudoers file already has a sudo group entry that specifies permissions for users that belong to the group.
Thus, the recommended approach is to add the regular user to the sudo group and leave the sudoers file intact.
Users added to the sudo group can run elevated tasks on the system using the sudo command.
There are two main ways of adding a user to the sudo group. You can use the usermod or adduser commands. Let's take a look at each of these.
Adding a regular user to the sudo group using usermod command
The usermod command is a command-line tool for modifying user accounts. It modifies various user attributes, including the uid, shell, and login name. You can also use it to change the user's default group and add a user to an existing group.
To add a user to the sudo group, use the usermod syntax as shown below.
sudo usermod -aG sudo username
The command can also take the following format, where a and G options are specified separately using a hyphen.
sudo usermod -a -G sudo username
For example, to add the user called cherry to the sudo group, run the command:
sudo usermod -aG sudo cherry
The -a option appends the user to the supplementary group named by the -G option, in this case sudo. Always keep -a: without it, -G replaces the user's entire supplementary group list with the groups given, which removes the user from every other group.
Adding a regular user to the sudo group using adduser command
The adduser command is typically used to create or add new users to the system. In addition, you can also use it to add an existing user to another group using the following syntax.
sudo adduser username group
For example, to add a user called alice to the sudo group, run the command:
sudo adduser alice sudo
Output:
info: Adding user `alice' to group `sudo' ...
#Step 3: Confirm user belongs to sudo group
To verify that the user has been added to the sudo group, run the groups command followed by the username. For example, to confirm that user cherry is part of the sudo group, run the command:
groups cherry
Output:
cherry : cherry sudo users
This time around, you will see that the user belongs to three groups: the two original groups (cherry and users) and sudo.
Alternatively, you can run the id command followed by the username. This provides a more detailed output, which includes the UID of the user and the groups the user belongs to, along with their GIDs.
id cherry
Output:
uid=1000(cherry) gid=1000(cherry) groups=1000(cherry),27(sudo),100(users)
The commands we just executed confirm that the user has been successfully added to the sudo group.
#Step 4: Run privileged tasks as sudo user
So far, you have created a regular user and added them to the sudo group. As we mentioned in the introduction, a sudo user possesses permission to run elevated or privileged tasks on the system. Let's see this in action.
Be sure to switch to the user using the su - command followed by the username.
For example, to switch to user cherry, run the command:
su - cherry
Provide the user's password and hit ENTER. This takes you straight to the user's home directory.
Once you have switched to the sudo user for the first time, you will see a notification informing you of how to run commands as root using the sudo command.
When you run the whoami command with sudo, you will get root as the output. This indicates you can run commands as root by invoking sudo.
sudo whoami
Output:
[sudo] password for cherry:
root
Now run a command that requires elevated privileges. To run commands as a sudo user, use the following syntax:
sudo <command>
In this example, we are running the apt update command, which refreshes the local package lists from the repositories defined in the /etc/apt/sources.list file and the /etc/apt/sources.list.d directory.
sudo apt update
Once you run the command, provide the user's password and hit ENTER to start executing it. From the output, you’ll see that the command executed successfully.
#How to edit the sudoers file directly with visudo
Adding a user to the sudo group grants full root privileges for every command. Sometimes you need finer control. The visudo command opens the /etc/sudoers file in a safe editor that checks for syntax errors before saving. Never edit this file with nano or vim directly, because a syntax error can lock every user out of sudo access entirely.
Open the sudoers file:
sudo visudo
The basic syntax for a sudoers entry is:
username ALL=(ALL:ALL) /path/to/command
Here is what each field means: the first ALL refers to all hosts, (ALL:ALL) means the user can run commands as any user and any group, and the last field specifies which commands are allowed.
For example, to allow user cherry to restart only the Nginx service as root:
cherry ALL=(ALL) /usr/bin/systemctl restart nginx
You can allow multiple commands by separating them with commas:
cherry ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/systemctl restart postgresql
Save and close the file. The visudo editor will warn you if it detects a syntax error and give you the option to re-edit, preventing accidental lockouts.
#How to grant passwordless sudo access
Automated scripts and CI/CD pipelines cannot enter passwords at prompts. You can configure sudo to skip the password requirement for a specific user or group. Use this only when necessary, as it reduces the security of the sudo barrier.
Open the sudoers file:
sudo visudo
Add a NOPASSWD entry for the user. To grant passwordless sudo for all commands:
cherry ALL=(ALL) NOPASSWD: ALL
To restrict passwordless access to specific commands only:
cherry ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/apt update
The second option is safer because it limits what the user can do without a password. Save and close the file, then test by switching to the user and running a command with sudo. No password prompt should appear.
#How to remove a user from the sudo group
When someone leaves your team or no longer needs administrative access, revoke their sudo privileges immediately. Two commands handle this.
Remove a user from the sudo group using deluser:
sudo deluser cherry sudo
Alternatively, use gpasswd:
sudo gpasswd -d cherry sudo
Verify the removal by checking the user's groups:
groups cherry
The output should no longer include sudo. The user can still log in and perform regular tasks, but sudo commands will fail with "user is not in the sudoers file."
If you also added custom entries in the sudoers file via visudo, you need to remove those lines manually. Open the file with sudo visudo and delete or comment out any lines that reference the user.
#How to list all sudo users on the system
Auditing who has sudo access is a routine part of server security. Two quick commands show you the current sudo group members.
List all members of the sudo group:
getent group sudo
The output displays the group name, GID, and a comma-separated list of usernames. Alternatively, grep the /etc/group file:
grep '^sudo:' /etc/group
For a broader audit that includes users with custom visudo entries, review the sudoers file directly:
sudo grep -v '^#' /etc/sudoers | grep -v '^$'
This command filters out comments and blank lines, showing only active rules. It reads only /etc/sudoers, so review any drop-in files under /etc/sudoers.d/ as well. Run these checks regularly, especially after team changes, to make sure only authorized users retain elevated privileges.
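To cover drop-in files as well and to flag the riskiest grants, the following added example (not part of the original tutorial) scans any sudoers-format files passed to it. The function names, the sample files and the deploy user are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky grants in sudoers-format files.
# Real use, as root: audit_sudoers /etc/sudoers /etc/sudoers.d/*

# Print "file:line [flags] rule" for each active user or group rule.
# Flags: nopasswd = no password prompt, all-commands = command list contains ALL.
# Limitation: backslash-continued lines are not joined.
audit_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        $1 ~ /^(Defaults|@include)/ || $1 ~ /_Alias$/ { next }
        !/=/ { next }                                 # not a user specification
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)            # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)         # drop "(runas)"
            flags = (spec ~ /NOPASSWD:/) ? "nopasswd" : ""
            gsub(/[A-Z_]+:[ \t]*/, "", spec)          # drop tags like NOPASSWD:
            sub(/[ \t]+$/, "", spec)
            n = split(spec, cmd, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (cmd[i] == "ALL") { flags = flags (flags ? "," : "") "all-commands"; break }
            printf "%s:%d [%s] %s\n", FILENAME, FNR, (flags ? flags : "restricted"), $0
        }
    ' "$@"
}

# Constructed sample files (not taken from a real system); deploy is a made-up user.
demo_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sudoers" <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
cherry ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/systemctl restart postgresql
@includedir /etc/sudoers.d
EOF
    cat > "$dir/cherry-nopasswd" <<'EOF'
cherry ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/apt update
deploy ALL=(ALL) NOPASSWD: ALL
EOF
    audit_sudoers "$dir/sudoers" "$dir/cherry-nopasswd"
    rm -rf "$dir"
}

demo_audit
```

Any line flagged nopasswd,all-commands is equivalent to an unauthenticated root shell for that account and deserves the closest review.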
#Troubleshooting common sudoers issues
#"User is not in the sudoers file" after adding to the group
The most common cause is a stale session. After adding a user to the sudo group, the change does not take effect in the current shell. The user must log out and log back in, or start a new login shell:
su - cherry
If the error persists, verify that the user was added correctly with groups cherry and confirm the sudo group exists with getent group sudo.
#Syntax error locks out sudo access
A malformed /etc/sudoers file will break sudo for every user on the system. If you edited the file without visudo and introduced a syntax error, you need physical or console access to the server to fix it.
Boot into single-user mode or use your provider's out-of-band console to access the system as root. Then fix the sudoers file:
visudo
The editor will highlight the syntax error. Correct it, save, and exit. Always use visudo to prevent this situation.
#Password prompt appears despite NOPASSWD
Check that your NOPASSWD entry appears after any group-level rules in the sudoers file. The sudoers file applies rules from top to bottom, and a later rule overrides an earlier one. If the %sudo group entry (which requires a password) appears below your NOPASSWD line, it will override the passwordless setting.
Move your NOPASSWD entry to the end of the file, or place it in a dedicated file under /etc/sudoers.d/:
sudo visudo -f /etc/sudoers.d/cherry-nopasswd
Add your rule there. Files in /etc/sudoers.d/ are processed after the main sudoers file, so they take priority.
#Conclusion
In this tutorial, you learned how to safely create a regular user on Ubuntu and grant them sudo privileges, including command-level permissions and passwordless access for automation. You also saw how to revoke sudo rights and troubleshoot common issues.
Following these practices lets you handle administrative tasks safely without using the root account, making your server more secure and easier to track. For more on creating and managing Linux users, check out our dedicated guide. You can also learn more about the sudo command from the sudo man pages.
FAQs
What is the difference between the sudo group and the sudoers file?
The sudo group is a pre-existing group on Ubuntu. Adding a user to it grants full root privileges via sudo. The sudoers file (`/etc/sudoers`) offers more control. You can restrict a user to specific commands, specific hosts, or passwordless access. The sudo group is simpler; the sudoers file is more flexible.
Can I give a user sudo access without a password?
Yes. Add a `NOPASSWD` entry using `visudo`. For example: `cherry ALL=(ALL) NOPASSWD: ALL` grants user `cherry` passwordless sudo for all commands. For better security, limit NOPASSWD to specific commands only, such as service restarts or package updates.
How do I check if a user already has sudo access?
Run `groups username` to see all groups the user belongs to. If `sudo` appears in the output, the user has sudo access. You can also run `sudo -l -U username` to list the exact commands that the user can run with sudo.
What happens if I break the sudoers file?
A syntax error in `/etc/sudoers` will lock all users out of sudo. You will need console access or single-user mode to fix it. Always use `visudo` to edit the file. It validates syntax before saving, preventing this problem.
Is it safe to use the root account directly instead of sudo?
No. The root account lacks per-user command logging, so you cannot track who did what on a shared server. Sudo provides controlled access and logs every privileged command back to the individual user.
How do I completely remove all sudo access from a user?
Run `sudo deluser username sudo` to remove the user from the sudo group. Then open `sudo visudo` and delete any lines that reference the username. Finally, check for files in `/etc/sudoers.d/` that may grant the user additional permissions and remove those as well.