When you’re managing a server, sooner or later you need another user who can run admin commands without sharing the root password. That’s where a sudo-enabled user comes in.
This guide walks you through creating a new user with sudo access on Ubuntu, using the built-in sudo group. No manual editing of /etc/sudoers needed.
Who This Helps and What We’re Doing
This is for you if:
- You have an Ubuntu server or VPS.
- You’re currently logging in as root, or you only have one admin user.
- You want to safely give someone (or yourself) admin rights without breaking the system.
We’ll go through four simple steps:
- Log in as root or an existing sudo user.
- Create a new user.
- Add that user to the
sudogroup. - Test and verify sudo access.
We’ll also touch a bit on:
- Why sudo is safer than using root directly.
- Why you normally shouldn’t touch
/etc/sudoersfor this. - Service accounts that should not have shell access.
Step 1: Log in as Root or an Existing Sudo User
Before you can give someone sudo permissions, you need to already have admin rights yourself.
You should be logged in as one of these:
- The
rootuser. - A user that already has sudo access.
If you’re on a fresh server, many providers give you a root login by default. If you’re already using sudo on another user, that’s even better—stick with that one to avoid using root more than necessary.
Why this matters: Only users with administrative rights can create new users and manage group membership.
Step 2: Create the New User
Now we’ll create a normal user account. On Ubuntu, this is done with adduser.
From your terminal, run:
adduser newusername
Replace newusername with the actual username you want to use.
Ubuntu will walk you through:
- Setting a password for the new user.
- Optionally filling in some user info (you can usually just press Enter to skip those).
Why this matters: You first create a regular user account. By default, this user has no admin rights yet—this keeps things safer and more controlled.
Note: If you already have a user that you want to give sudo access to, you can skip this step and go straight to adding them to the sudo group.
Step 3: Add the User to the sudo Group
On Ubuntu, sudo access is controlled by group membership. Users in the sudo group automatically get full administrative privileges.
That means you usually don’t need to edit /etc/sudoers at all.
To add your user to the sudo group, run:
usermod -aG sudo newusername
usermodchanges user settings.-aGmeans “append this user to the following group(s)”.sudois the group that has sudo privileges on Ubuntu.
Why this matters: Group-based access is cleaner and safer than hand-editing sudoers. Ubuntu is already configured so that the sudo group has full admin rights.
Step 4: Verify the User’s Sudo Access
Now let’s make sure everything actually works.
First, switch to the new user:
su - newusername
The - loads the user’s full environment. Once you’re in, run a simple sudo test command—something harmless but privileged, like updating the package list:
sudo whoami
or:
sudo ls /root
- When prompted, enter the new user’s password (not root’s password).
- If sudo is set up correctly, the command should run and not give you a permission error.
sudo whoami should output:
root
Why this matters: Testing immediately confirms that the user is properly configured and can use sudo without touching system configs any further.
Understanding sudo vs su (So You Don’t Get Confused Later)
You’ll often see both sudo and su used when people talk about Linux admin work. They are not the same thing.
sudoruns a single command with elevated privileges.suswitches your shell to another user, often toroot.
Key differences:
sudouses the current user’s password and can be logged and audited.suuses the target user’s password (for example, root’s password) and gives you a full session as that user.
This is why modern systems lean heavily on sudo:
- You don’t have to share the root password with anyone.
- Each admin uses their own account and password.
And since Ubuntu links admin rights to the sudo group, once your user is in that group, you can run commands like:
sudo apt update
sudo systemctl restart some-service
…without ever logging in as root directly.
Service Accounts and No-Login Users
Not every user on your system should be able to log in and run commands.
For things like automation or system services, it’s common to have service accounts that exist only for a specific purpose, not for human login.
For these accounts, you don’t want interactive shell access. Instead of using a normal shell like /bin/bash, they can be created with a non-login shell such as:
/usr/sbin/nologin/bin/false
Why this matters: Preventing interactive logins for service accounts improves security. These users can still be used by services or scripts, but nobody can just SSH in and start running commands as them.
Security Tip: Use the Principle of Least Privilege
Giving someone full sudo access is powerful. That user can basically act as root whenever they want.
The Principle of Least Privilege says: only give the minimum access needed.
So:
- Don’t add users to the
sudogroup unless they truly need admin rights. - If someone only needs to run a very small set of commands, consider whether they really need full sudo at all.
On Ubuntu, using the sudo group is usually enough for admin users, and you avoid the danger of manually editing /etc/sudoers unless you have a very specific reason.
Quick Recap
To create a new sudo-enabled user on Ubuntu without touching /etc/sudoers:
- Log in as root or an existing sudo user.
- Create the user:
bash
adduser newusername - Add the user to the
sudogroup:
bash
usermod -aG sudo newusername - Test sudo access:
bash
su - newusername
sudo whoami
If that prints root after you enter the new user’s password, you’re done.
Need more help? Check the latest CrushEdge posts.
No Comments