Sharing the root password across multiple admins is messy and hard to audit. A cleaner setup is giving each admin their own account, then granting sudo rights only when needed. To add a user to sudoers on Debian, place that account in the sudo group.
This workflow is tested on Debian 13 (Trixie), Debian 12 (Bookworm), and Debian 11 (Bullseye). You will create a user, grant sudo access with usermod or gpasswd, verify access, and remove sudo rights later if required.
Prepare to Add a User to sudoers on Debian
You can run these steps from a root shell or from an existing admin account with sudo. If you set a root password during Debian installation, switch to root first:
su -The hyphen (-) creates a login shell with the correct PATH and environment variables. Once you enter the root password, your prompt changes to show “root”, confirming you have switched to the root account:
root@debian:~#
Debian 13, 12, and 11 use the same command flow for sudoers access. The main differences are version numbers in output and whether the optional
usersgroup appears.
If you installed Debian with sudo configured for your initial user (no root password set), you can run the commands in this guide with
sudofrom that account instead of switching to root.
Install the sudo Package on Debian
Most Debian desktop installations already include sudo. Minimal or server deployments may not, so update package metadata first:
apt updateThen install the package:
apt install sudoReading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed:
sudo
Setting up sudo (1.9.x...)
After installation, verify the package is working:
sudo --versionExpected output (version numbers vary by Debian release):
Sudo version 1.9.13p3 Sudoers policy plugin version 1.9.13p3 Sudoers file grammar version 50
Version numbers differ by Debian release. During testing for this guide, Debian 13 reported
1.9.16p2, Debian 12 reported1.9.13p3, and Debian 11 reported1.9.5p2.
Create a New User on Debian
Create the new account with adduser, replacing <example username> with the account name you want:
sudo adduser <example username>For instance, to add a user named “josh”:
sudo adduser joshThe system then prompts you to set a password for the new user. Choose a strong password with a mix of uppercase, lowercase, numbers, and symbols since this user will have sudo privileges:
Adding user `josh' ... Adding new group `josh' (1001) ... Adding new user `josh' (1001) with group `josh' ... Creating home directory `/home/josh' ... Copying files from `/etc/skel' ... New password: Retype new password: passwd: password updated successfully
Enter Optional Debian User Details
After setting the password, Debian prompts for optional user information such as full name and contact details. You can press Enter to skip each field, or fill them in for easier user identification on multi-user systems:
Changing the user information for josh
Enter the new value, or press ENTER for the default
Full Name []: Josh Smith
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
Finally, confirm your entries by pressing “Y” and Enter.
Verify Debian User Creation
To confirm the new user exists, search /etc/passwd with grep. For additional pattern syntax, see grep command usage in Linux.
grep josh /etc/passwdExpected output showing the user entry:
josh:x:1001:1001:Josh Smith,,,:/home/josh:/bin/bash
This line shows the username, UID, GID, home directory, and login shell. If the entry exists, Debian created the account successfully.
Add the User to Debian sudoers
With the user account created, you can now grant them sudo privileges by adding them to the sudo group. The usermod command is the standard method:
sudo usermod -aG sudo <example username>For example, to grant sudo privileges to a user named “josh”:
sudo usermod -aG sudo joshThen, verify the user was added to the sudo group with the id command:
id <username>Replace <username> with your user’s name. The output shows user ID, group ID, and group memberships. Look for sudo in the groups list to confirm elevated privileges. For example:
id joshExpected output:
uid=1001(josh) gid=1001(josh) groups=1001(josh),27(sudo)
The 27(sudo) entry confirms the user has sudo privileges.
On some Debian 12 and Debian 13 installations,
idmay also show100(users)in the group list. That extra group is normal and does not change sudo behavior.
Alternative Debian Method with gpasswd
Alternatively, you can use the gpasswd command to add users to groups:
sudo gpasswd -a <example username> sudoReplace <example username> with your user’s name. For example:
sudo gpasswd -a josh sudoExpected output:
Adding user josh to group sudo
Both commands accomplish the same result:
| Method | Command | When to Use It |
|---|---|---|
usermod -aG | sudo usermod -aG sudo josh | Default choice for most admins and automation scripts. |
gpasswd -a | sudo gpasswd -a josh sudo | Useful when you want a command focused only on group membership changes. |
Use whichever you find easier to remember; the end result is identical.
Verify sudoers Access on Debian
Group membership changes only take effect after the user logs out and back in. If you are testing immediately after adding the user to the sudo group, use
su - username(with the hyphen) to simulate a fresh login session.
First, switch to the new user account with a login shell:
su - joshThen, test sudo access by running a command that requires root privileges:
sudo whoamiEnter the user’s password when prompted. Expected output:
[sudo] password for josh: root
The output root confirms the user can execute commands with superuser privileges.
Troubleshoot sudo Access on Debian
Fix “User Is Not in the sudoers File” on Debian
If you see this error when running a sudo command:
josh is not in the sudoers file. This incident will be reported.
This usually means the user is not in the sudo group yet, or the username was mistyped in the group command. Check current group membership first:
groups joshIf sudo privileges are missing, you will see only the user’s primary group:
josh : josh
To fix this, add the user to the sudo group as root:
usermod -aG sudo joshAfterwards, verify the fix worked:
groups joshExpected output now includes sudo:
josh : josh sudo
Remember: the user must log out and back in (or use su - josh) before sudo works.
Fix sudo Access That Works Only After Re-Login
Linux reads group membership at login time. If you added the user to sudo while they were already logged in, the current session still uses the old group list.
You can confirm this is the issue by checking groups in two different ways:
groups joshThis queries the system and shows the updated membership:
josh : josh sudo
In contrast, running groups without a username shows the current session’s groups:
groupsjosh
This mismatch confirms the session hasn’t loaded the new group. To test without fully logging out, use a login shell:
su - joshThe hyphen (-) creates a login shell that loads the updated group membership. For GUI sessions, log out and back in completely.
Fix “adduser: command not found” on Debian
You can see this message on minimal installs, or when running adduser without sudo and your PATH does not include /usr/sbin:
adduser: command not found
Use the command with sudo first:
sudo adduser joshIf the package is genuinely missing, install it as root:
su -
apt update
apt install adduserVerify the package is installed:
apt-cache policy adduseradduser:
Installed: 3.x
Candidate: 3.x
Fix “sudo: command not found” on Debian
If Debian returns this error, the sudo package is missing:
sudo: command not found
Switch to root and install sudo:
su -
apt update
apt install sudoVerify the command is now available:
sudo --versionSudo version 1.9.x Sudoers policy plugin version 1.9.x
Remove a User from Debian sudoers
To revoke sudo privileges from a user, simply remove them from the sudo group:
sudo gpasswd -d josh sudoExpected output:
Removing user josh from group sudo
Alternatively, use deluser:
sudo deluser josh sudoExpected output:
Removing user `josh' from group `sudo' ... Done.
Finally, verify the user no longer has sudo access:
id joshExpected output without sudo:
uid=1001(josh) gid=1001(josh) groups=1001(josh)
The 27(sudo) entry is no longer present. The user must log out and back in for changes to take effect in their active sessions.
Frequently Asked Questions
No. The core commands are the same across Debian 13, 12, and 11: create a user, add that user to the sudo group, then verify access. Output formatting can differ slightly between releases.
First run adduser with sudo, because many systems keep /usr/sbin out of a regular user PATH. If adduser is still unavailable, install the adduser package from root, then verify with apt-cache policy adduser.
/etc/sudoers directly to grant sudo access?
For standard admin access, no. Add the account to the sudo group instead. Reserve direct sudoers edits for advanced command restrictions and always use visudo to avoid syntax errors.
Run id USERNAME or groups USERNAME and check for the sudo group. Then sign in as that user and run sudo whoami. If sudo access is active, the command returns root.
Conclusion
You now have a clean, auditable way to add a user to sudoers on Debian without handing out the root password. Keep this workflow as your baseline for Debian 13, 12, and 11, then harden the host further with guides to enable SSH on Debian, install Fail2ban on Debian, and configure UFW on Debian.
Thanks! It’s very rare to find such clear beginner-friendly explanations with examples. Excellent work!