Learn How to Create a sudo User and a Restricted sudo User in Linux

A step-by-step guide to creating a new user with full sudo privileges in Ubuntu, and then a user who may run only specific commands through sudo

Type the following command to create a new user (-m creates the home directory, -s sets the login shell):

sudo useradd -m master -s /bin/bash

Type the following command to set a password for the new user. Note that this puts the password on the command line, so it ends up in your shell history; running sudo passwd master instead prompts for it interactively.

echo 'master:password' | sudo chpasswd

Now we need to add the new user to the sudo group. On Ubuntu, members of this group may run any command with sudo, so this grants full administrative privileges. To do this, type the following command:

sudo usermod -aG sudo master

Finally, check that the new user is in the sudo group. Note that this only shows group membership; it does not prove sudo itself accepts the user.

id master

The output should list sudo among the user's groups. Then verify by switching to the new user and running a command with sudo; sudo prompts for the new user's own password.

Right now, master can run every command that requires sudo access.
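The whole procedure above as one script, added here as an example and not code from the original article. It creates the user, prompts for the password instead of passing it through echo, adds the user to the sudo group, and then confirms the grant with sudo -l rather than relying on id alone. It assumes Debian/Ubuntu, where the admin group is called sudo; the script name and the helper function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: create an administrative
# user, set its password without exposing it on the command line, add it to
# the sudo group, and confirm the grant with `sudo -l`. Assumes Debian/Ubuntu,
# where the admin group is "sudo".
set -eu

ADMIN_GROUP="sudo"

# Exact-match check for a group name in a space-separated list such as the
# output of `id -nG`. A substring match (grep without -w) would also accept
# names like "sudoers" or "nosudo".
has_group() {
    local groups_line="$1" wanted="$2" g
    for g in $groups_line; do
        [ "$g" = "$wanted" ] && return 0
    done
    return 1
}

# Create the account with a home directory and a bash login shell.
create_sudo_user() {
    local user="$1" pw
    if id "$user" >/dev/null 2>&1; then
        echo "user $user already exists" >&2
        return 1
    fi
    useradd -m -s /bin/bash "$user"
    # Prompt for the password instead of `echo 'user:pw' | chpasswd`, which
    # leaves the secret in shell history; printf is a shell builtin, so the
    # password never appears in the process list either.
    read -rsp "Password for $user: " pw; echo
    printf '%s:%s\n' "$user" "$pw" | chpasswd
    usermod -aG "$ADMIN_GROUP" "$user"
}

# `id` only proves group membership; `sudo -l -U user` asks sudo itself which
# rules apply, so it verifies the real policy without logging in as the user.
verify_sudo_user() {
    local user="$1"
    if ! has_group "$(id -nG "$user")" "$ADMIN_GROUP"; then
        echo "$user is not in group $ADMIN_GROUP" >&2
        return 1
    fi
    sudo -l -U "$user"
}

# Usage: sudo bash make_sudo_user.sh <username>
# The privileged steps only run when a user name is given, so the helper
# functions above can also be sourced and reused on their own.
if [ $# -gt 0 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run this script as root" >&2; exit 1; }
    create_sudo_user "$1"
    verify_sudo_user "$1"
fi
```

Run it as sudo bash make_sudo_user.sh master; the final sudo -l output should show the (ALL : ALL) ALL rule that the sudo group carries on Ubuntu.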

How to create a user with restricted access

What if we want a user to be able to run only specific commands with sudo privileges, such as useradd or apt?

Let's create a new user called restricted and allow it to run only specific commands, in this case useradd and apt.

Please note that we are not adding this user to the sudo group.

Before proceeding further we need the absolute paths of the useradd and apt binaries, because sudoers requires full paths; use the which command to find them (on Ubuntu they are /usr/sbin/useradd and /usr/bin/apt).

Now that we have created the user, assigned its password and found the paths of the binaries, we can give the restricted user access to just those commands.

Let's create a configuration file in /etc/sudoers.d/ called restricted. The file name must not contain a dot or end in ~, otherwise sudo ignores it.

Use the following command to create the file. Using visudo rather than a plain editor means the file is syntax-checked before it is saved; a broken file in /etc/sudoers.d/ disables sudo for everyone.

sudo visudo -f /etc/sudoers.d/restricted

Add these lines:

# Cmnd_Alias     ANYNAME = LOCATION-OF-BINARY, LOCATION-OF-SECOND-BINARY
Cmnd_Alias     USERADMINISTRATOR = /usr/sbin/useradd
Cmnd_Alias     PACKAGES = /usr/bin/apt
Cmnd_Alias     USERPACKAGES = USERADMINISTRATOR, PACKAGES
# allow the restricted user to run the commands in USERPACKAGES (as root, on any host)
restricted ALL=USERPACKAGES

With this rule in place, the user restricted can run only useradd and apt through sudo. Be aware that this limits which commands sudo will launch, not what those commands can do once they run as root: apt can be made to execute arbitrary commands (for example through the APT::Update::Pre-Invoke option), and useradd can create a second account with uid 0 (useradd -o -u 0), so treat this as a convenience restriction rather than a hard privilege boundary.

Test and Verify

# switch to the restricted user and run useradd and apt through sudo
sudo su - restricted

Logged in as the restricted user, sudo useradd and sudo apt both run successfully.

But here is the catch: the restricted user cannot run systemctl through sudo, because /etc/sudoers.d/restricted does not allow it.
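The restricted-user setup as a script, added here as an example and not code from the original article. It resolves the command paths the way the article does with which, renders the same Cmnd_Alias fragment, checks it with visudo before it becomes live, installs it with the 0440 permissions sudo requires, and then verifies the policy with sudo -l -U instead of switching users. It assumes Debian/Ubuntu; the user name restricted, the alias USERPACKAGES and the commands useradd and apt mirror the article, and the script and function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: build the
# /etc/sudoers.d fragment for a user limited to a fixed set of commands,
# syntax-check it with visudo before it goes live, install it with the
# permissions sudo requires, and verify the policy with `sudo -l`.
# Assumes Debian/Ubuntu; "restricted", USERPACKAGES, useradd and apt
# mirror the article's setup.
set -eu

# Resolve command names to absolute paths, one per line; sudoers needs
# full paths (this is what the article does with `which`).
resolve_cmds() {
    local name path
    for name in "$@"; do
        path=$(command -v "$name") || { echo "$name: not found in PATH" >&2; return 1; }
        printf '%s\n' "$path"
    done
}

# Render the fragment text: a Cmnd_Alias listing the allowed paths and a
# rule granting it to the user on every host, run as root.
render_sudoers_rule() {
    local user="$1" alias_name="$2"; shift 2
    local list
    list=$(printf '%s, ' "$@")
    printf 'Cmnd_Alias %s = %s\n%s ALL=(root) %s\n' "$alias_name" "${list%, }" "$user" "$alias_name"
}

# Write the fragment safely: check it with visudo first, because a syntax
# error in any sudoers.d file disables sudo for everyone, then install it
# as root:root 0440. sudo ignores fragments that are writable by others or
# whose file name contains a '.' or ends in '~', so keep the name plain.
install_sudoers_rule() {
    local user="$1" alias_name="$2"; shift 2
    local tmp
    tmp=$(mktemp)
    render_sudoers_rule "$user" "$alias_name" "$@" > "$tmp"
    visudo -c -f "$tmp"
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$user"
    rm -f "$tmp"
}

# `sudo -l -U user <command>` exits 0 only if the policy permits that
# command, so the restriction can be checked without switching users.
check_policy() {
    local user="$1"
    sudo -l -U "$user" /usr/bin/apt update >/dev/null        # must be allowed
    sudo -l -U "$user" /usr/sbin/useradd --help >/dev/null   # must be allowed
    if sudo -l -U "$user" /usr/bin/systemctl status >/dev/null 2>&1; then
        echo "policy is broader than intended: systemctl is allowed" >&2
        return 1
    fi
}

# Usage: sudo bash restrict_sudo.sh restricted
if [ $# -gt 0 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run this script as root" >&2; exit 1; }
    if ! id "$1" >/dev/null 2>&1; then
        useradd -m -s /bin/bash "$1"   # deliberately not added to the sudo group
        passwd "$1"                    # sudo will ask for this password
    fi
    paths=$(resolve_cmds useradd apt)
    install_sudoers_rule "$1" USERPACKAGES $paths   # word-split on newlines
    check_policy "$1"
fi
```

check_policy is the scripted form of the article's test: the two allowed commands must be accepted and systemctl must be refused. Keep in mind that it only proves which commands sudo will start, not that apt or useradd cannot be abused to do more once they run as root.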

Support Muhammad Usama by becoming a sponsor. Any amount is appreciated!