
Create a New Sudo User on Ubuntu – Fast Admin Guide
Creating a new sudo user on Ubuntu is one of those fundamental server management tasks that every sysadmin needs to master, whether you’re setting up a new development environment, onboarding a team member, or implementing proper access controls. The sudo mechanism provides a secure way to grant specific users administrative privileges without sharing the root password, following the principle of least privilege. In this guide, you’ll learn how to create new sudo users, configure their permissions properly, troubleshoot common issues, and implement security best practices that’ll keep your Ubuntu server locked down tight.
How Sudo Works Under the Hood
Before diving into user creation, it’s worth understanding what’s actually happening when you grant sudo access. The sudo system relies on the /etc/sudoers
file and the /etc/sudoers.d/
directory to define which users can execute which commands as which other users. When a user runs a command with sudo, the system checks these configuration files to verify permissions.
Ubuntu comes with a predefined group called sudo
that has full administrative privileges. Any user added to this group inherits these permissions automatically. The relevant line in /etc/sudoers
looks like this:
%sudo ALL=(ALL:ALL) ALL
This translates to: “Members of the sudo group can run any command as any user on any host.” Pretty straightforward, but there’s more granular control available when you need it.
Step-by-Step User Creation and Sudo Configuration
Method 1: Using adduser (Recommended)
The adduser
command provides an interactive way to create users with proper home directories and shell configuration:
# Create the new user
sudo adduser newusername
# Add the user to the sudo group
sudo usermod -aG sudo newusername
# Verify the user was added to the sudo group
groups newusername
The adduser
command will prompt you for a password and optional user information. Don’t skip the password step – passwordless sudo users are a security nightmare waiting to happen.
Method 2: Using useradd (Manual Configuration)
For more control over the user creation process, you can use useradd
with manual configuration:
# Create user with home directory and bash shell
sudo useradd -m -s /bin/bash newusername
# Set the user's password
sudo passwd newusername
# Add to sudo group
sudo usermod -aG sudo newusername
# Set proper home directory permissions
sudo chown -R newusername:newusername /home/newusername
sudo chmod 755 /home/newusername
Method 3: Creating Custom Sudo Rules
Sometimes you need more granular control than the default sudo group provides. Create custom rules using the visudo
command:
# Open sudoers configuration safely
sudo visudo
# Add custom rules at the end of the file
newusername ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
newusername ALL=(ALL) /usr/bin/apt update, /usr/bin/apt upgrade
Alternatively, create a separate file in /etc/sudoers.d/
:
# Create a dedicated sudo file for the user
sudo visudo -f /etc/sudoers.d/newusername
# Add the rules
newusername ALL=(ALL:ALL) ALL
Real-World Use Cases and Examples
Let’s look at some practical scenarios where different sudo configurations make sense:
Scenario | User Type | Sudo Configuration | Use Case |
---|---|---|---|
Development Team | developer | Full sudo access | Need to install packages, restart services, modify configs |
DevOps Engineer | deploy | Limited sudo (systemctl, nginx, docker) | Application deployment and service management |
Monitoring User | monitor | Read-only access + specific restart commands | System monitoring with emergency restart capabilities |
Backup User | backup | File access + mount/unmount | Automated backup processes |
Example: Creating a Deployment User
Here’s a complete example for creating a deployment user with limited but practical sudo privileges:
# Create the deployment user
sudo adduser deploy
# Create custom sudo rules file
sudo visudo -f /etc/sudoers.d/deploy
# Add these lines to the file:
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload nginx
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl status nginx
deploy ALL=(ALL) NOPASSWD: /bin/chown -R www-data:www-data /var/www/*
deploy ALL=(ALL) NOPASSWD: /bin/chmod -R 755 /var/www/*
# Test the configuration
sudo -u deploy sudo systemctl status nginx
Comparison with Alternative Approaches
Method | Pros | Cons | Best For |
---|---|---|---|
sudo group membership | Simple, standard, well-documented | All-or-nothing access | Trusted administrators |
Custom sudoers rules | Granular control, principle of least privilege | Complex configuration, harder to maintain | Specific service accounts |
SSH key-based with restricted commands | No local user needed, very secure | Limited flexibility, complex setup | Automated deployments |
Docker/container-based isolation | Complete isolation, reproducible | Resource overhead, complexity | Development environments |
Security Best Practices and Common Pitfalls
Essential Security Practices
- Always use strong passwords – Consider enforcing password complexity policies in
/etc/pam.d/common-password
- Enable sudo logging – All sudo commands are logged to
/var/log/auth.log
by default, but you can enhance this - Set sudo timeouts – Configure
timestamp_timeout
in sudoers to require password re-entry - Use NOPASSWD sparingly – Only for specific, low-risk commands in automated environments
- Regular audit – Periodically review
/etc/group
and/etc/sudoers.d/
for unnecessary access
Advanced Security Configuration
# Enhanced sudo security settings
sudo visudo
# Add these lines to /etc/sudoers
Defaults timestamp_timeout=15
Defaults passwd_tries=3
Defaults badpass_message="Incorrect password, try again"
Defaults log_input, log_output
Defaults logfile="/var/log/sudo.log"
Defaults requiretty
Common Mistakes to Avoid
- Never edit /etc/sudoers directly – Always use
visudo
to prevent syntax errors that could lock you out - Don’t use NOPASSWD for ALL commands – This defeats the purpose of sudo entirely
- Avoid duplicate user entries – Check existing users with
getent passwd
before creating new ones - Don’t forget to test – Always verify sudo access works before logging out of your root session
- Watch out for typos in usernames – Unlike most Linux commands, user creation won’t always warn you about questionable names
Troubleshooting Common Issues
User Not in Sudoers File Error
If you see “user is not in the sudoers file. This incident will be reported,” check these items:
# Verify group membership
groups username
# Check if sudo group exists and has proper permissions
getent group sudo
# Manually add user to sudo group if needed
sudo usermod -aG sudo username
# User needs to log out and back in for group changes to take effect
# Or use this command to switch to the user's context:
sudo su - username
Permission Denied Issues
When sudo commands fail with permission errors:
# Check sudoers file syntax
sudo visudo -c
# Verify the user's environment
sudo -u username env
# Test with explicit shell
sudo -u username -i sudo whoami
Sudoers File Corruption
If you’ve accidentally broken the sudoers file, you’ll need to fix it from a recovery mode or different privileged session:
# Boot into recovery mode or use existing root access
pkexec visudo
# Or if you have physical access
# Boot from live USB, mount the filesystem, and edit /etc/sudoers
Advanced Use Cases and Integration
LDAP Integration
For larger environments, you might want to integrate sudo with LDAP for centralized management. The sudo-ldap
package provides this functionality:
sudo apt update
sudo apt install sudo-ldap
This allows you to store sudo rules in your LDAP directory and manage them centrally across multiple servers.
Automation and Configuration Management
When using tools like Ansible, Terraform, or custom scripts, you can automate user creation:
#!/bin/bash
# Script to create multiple users with sudo access
USERS=("developer1" "developer2" "devops1")
DEFAULT_PASSWORD="TempPass123!"
for user in "${USERS[@]}"; do
if ! id "$user" &>/dev/null; then
sudo adduser --disabled-password --gecos "" "$user"
echo "$user:$DEFAULT_PASSWORD" | sudo chpasswd
sudo usermod -aG sudo "$user"
echo "Created user: $user"
else
echo "User $user already exists"
fi
done
Remember to force password changes on first login for security:
sudo chage -d 0 username
SSH Key Integration
Combine sudo user creation with SSH key setup for passwordless authentication:
# Create user and setup SSH keys
sudo adduser newuser
sudo usermod -aG sudo newuser
# Setup SSH directory
sudo mkdir /home/newuser/.ssh
sudo chmod 700 /home/newuser/.ssh
# Add public key (replace with actual key)
echo "ssh-rsa AAAAB3NzaC1yc2E... user@hostname" | sudo tee /home/newuser/.ssh/authorized_keys
# Set proper permissions
sudo chmod 600 /home/newuser/.ssh/authorized_keys
sudo chown -R newuser:newuser /home/newuser/.ssh
This approach is particularly useful when setting up servers for development teams or automated deployment processes. For production environments on VPS or dedicated servers, always combine this with proper firewall rules and fail2ban configuration.
For more detailed information about sudo configuration and security, check the official documentation at sudo.ws and the Ubuntu Server Guide at ubuntu.com.

This article incorporates information and material from various online sources. We acknowledge and appreciate the work of all original authors, publishers, and websites. While every effort has been made to appropriately credit the source material, any unintentional oversight or omission does not constitute a copyright infringement. All trademarks, logos, and images mentioned are the property of their respective owners. If you believe that any content used in this article infringes upon your copyright, please contact us immediately for review and prompt action.
This article is intended for informational and educational purposes only and does not infringe on the rights of the copyright owners. If any copyrighted material has been used without proper credit or in violation of copyright laws, it is unintentional and we will rectify it promptly upon notification. Please note that the republishing, redistribution, or reproduction of part or all of the contents in any form is prohibited without express written permission from the author and website owner. For permissions or further inquiries, please contact us.