How to Add New User to Sudoers on Debian

Adding a new user to sudoers on Debian grants that user the ability to run commands with root privileges using the sudo command. If you’re familiar with Windows, sudo is similar to “Run as Administrator” since it grants temporary elevated permissions for a single command. The root account is Linux’s superuser with unrestricted system access, and sudo provides a safer way to use those privileges without staying logged in as root.

This setup is essential when setting up new accounts for system administrators, granting temporary elevated access for maintenance tasks, or configuring a shared server where multiple users need administrative capabilities. By the end of this guide, you will have created a new user account, added them to the sudo group using either usermod or gpasswd, and verified their elevated privileges work correctly.

Switch to the Root Account

To add a new user with sudo privileges, you must first switch to the root account. If you set a root password during Debian installation, use the following command:

su -

The hyphen (-) creates a login shell with the correct PATH and environment variables. Once you enter the root password, your prompt changes to show “root”, confirming you have switched to the root account:

root@debian:~#

If you installed Debian with sudo configured for your initial user (no root password set), you can run the commands in this guide with sudo from that account instead of switching to root.

Install the sudo Package

Most Debian desktop installations include the sudo package by default, but minimal and server installations may not. If you’re running a minimal install or netinst setup, first update the package index so that you install from current repositories:

apt update

Then install sudo while logged in as root:

apt install sudo

After installation, verify the package is working:

sudo --version

Expected output (version numbers vary by Debian release):

Sudo version 1.9.13p3
Sudoers policy plugin version 1.9.13p3
Sudoers file grammar version 50

Create a New User Account

Now, create a new user with the adduser command followed by your chosen username:

sudo adduser <example username>

For instance, to add a user named “josh”:

sudo adduser josh

The system then prompts you to set a password for the new user. Choose a strong password with a mix of uppercase, lowercase, numbers, and symbols since this user will have sudo privileges:

Adding user `josh' ...
Adding new group `josh' (1001) ...
Adding new user `josh' (1001) with group `josh' ...
Creating home directory `/home/josh' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully

Enter User Details

After setting the password, Debian prompts for optional user information such as full name and contact details. You can press Enter to skip each field, or fill them in for easier user identification on multi-user systems:

Changing the user information for josh
Enter the new value, or press ENTER for the default
    Full Name []: Josh Smith
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n] Y

Finally, confirm your entries by pressing “Y” and Enter.

Verify User Creation

To confirm the new user exists, search the /etc/passwd file:

grep '^josh:' /etc/passwd

Expected output showing the user entry:

josh:x:1001:1001:Josh Smith,,,:/home/josh:/bin/bash

This line contains the username, a password placeholder (x), user ID (1001), group ID, full name, home directory, and default shell. The presence of this entry confirms the user was created successfully.

Add User to the Sudoers Group

With the user account created, you can now grant them sudo privileges by adding them to the sudo group. The usermod command is the standard method:

sudo usermod -aG sudo <example username>

For example, to grant sudo privileges to a user named “josh”:

sudo usermod -aG sudo josh

Then, verify the user was added to the sudo group with the id command:

id <username>

Replace <username> with your user’s name. The output shows user ID, group ID, and group memberships. Look for sudo in the groups list to confirm elevated privileges. For example:

id josh

Expected output:

uid=1001(josh) gid=1001(josh) groups=1001(josh),27(sudo)

The 27(sudo) entry confirms the user has sudo privileges.

Alternative Method: gpasswd

Alternatively, you can use the gpasswd command to add users to groups:

sudo gpasswd -a <example username> sudo

Replace <example username> with your user’s name. For example:

sudo gpasswd -a josh sudo

Expected output:

Adding user josh to group sudo

Both commands accomplish the same result:

  • usermod -aG: Standard method, modifies user account settings. The -a flag appends to existing groups rather than replacing them.
  • gpasswd -a: Group administration tool, specifically designed for managing group membership. Some administrators prefer this for its explicit purpose.

Use whichever you find easier to remember; the end result is identical.
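
To review who holds the sudo group after changes like these, the added example below (not part of the original guide) reads the group and passwd databases together, so it also catches accounts whose primary GID is the sudo group. The function name sudo_members is hypothetical, and the check covers group-based access only, not rules written directly in /etc/sudoers.

```sh
#!/bin/sh
# Added example: list every account that holds a group, either as a
# supplementary member (group file, field 4) or as its primary group
# (passwd file, field 4 equal to the group's GID).

# sudo_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one username per line, sorted. GROUP_NAME defaults to "sudo".
sudo_members() {
    group_file=$1
    passwd_file=$2
    group_name=${3:-sudo}
    awk -F: -v name="$group_name" '
        # First file: the group database. Record the GID and listed members.
        FILENAME == ARGV[1] {
            if ($1 == name) {
                gid = $3
                n = split($4, members, ",")
                for (i = 1; i <= n; i++)
                    if (members[i] != "") holders[members[i]] = 1
            }
            next
        }
        # Second file: the passwd database. Catch primary-group holders,
        # which do not appear in the member list of the group entry.
        gid != "" && $4 == gid { holders[$1] = 1 }
        END { for (user in holders) print user }
    ' "$group_file" "$passwd_file" | sort
}

# Live check against the local databases, when they are readable.
if [ -r /etc/group ] && [ -r /etc/passwd ]; then
    sudo_members /etc/group /etc/passwd
fi
```

Any name in the output that you did not expect to have administrative access is worth investigating before you continue.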

Test Sudo Access

Group membership changes only take effect after the user logs out and back in. If you are testing immediately after adding the user to the sudo group, use su - username (with the hyphen) to simulate a fresh login session.

First, switch to the new user account with a login shell:

su - josh

Then, test sudo access by running a command that requires root privileges:

sudo whoami

Enter the user’s password when prompted. Expected output:

[sudo] password for josh:
root

The output root confirms the user can execute commands with superuser privileges.

Troubleshooting Sudo Access

User Not in Sudoers File

If you see this error when running a sudo command:

josh is not in the sudoers file. This incident will be reported.

This error typically occurs when the user was never added to the sudo group, or when the usermod or gpasswd command failed silently (often due to a typo in the username). First, verify their current group membership:

groups josh

If sudo privileges are missing, you will see only the user’s primary group:

josh : josh

To fix this, add the user to the sudo group as root:

usermod -aG sudo josh

Afterwards, verify the fix worked:

groups josh

Expected output now includes sudo:

josh : josh sudo

Remember: the user must log out and back in (or use su - josh) before sudo works.

Sudo Works Only After Re-Login

If you added a user to the sudo group but they still see the “not in sudoers file” error, the most likely cause is a session that started before the change. Linux loads group membership at login time, so changes made while a user is logged in won’t take effect until they start a new session.

You can confirm this is the issue by checking groups in two different ways:

groups josh

This queries the system and shows the updated membership:

josh : josh sudo

In contrast, running groups without a username shows the current session’s groups:

groups

Output from a session that started before the change:

josh

This mismatch confirms the session hasn’t loaded the new group. To test without fully logging out, use a login shell:

su - josh

The hyphen (-) creates a login shell that loads the updated group membership. For GUI sessions, log out and back in completely.

Remove User from Sudoers Group

To revoke sudo privileges from a user, simply remove them from the sudo group:

sudo gpasswd -d josh sudo

Expected output:

Removing user josh from group sudo

Alternatively, use deluser:

sudo deluser josh sudo

Expected output:

Removing user `josh' from group `sudo' ...
Done.

Finally, verify the user no longer has sudo access:

id josh

Expected output without sudo:

uid=1001(josh) gid=1001(josh) groups=1001(josh)

The 27(sudo) entry is no longer present. The user must log out and back in for changes to take effect in their active sessions.
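
The session-versus-database comparison from the troubleshooting section applies in both directions: a newly granted group is missing from an open session, and a removed group stays in it until the session ends. The following is an added example, not part of the original guide; the function names group_drift and check_session are hypothetical, and it assumes group names contain no spaces.

```sh
#!/bin/sh
# Added example: compare the groups held by the running session with the
# groups recorded in the account database for the same user.

# group_drift SESSION_GROUPS DB_GROUPS
# Both arguments are space-separated group names (the format `id -Gn` prints).
# Prints "pending <group>" for groups in the database that the session lacks
# (granted, not yet loaded) and "stale <group>" for groups the session still
# holds after they were removed from the database.
group_drift() {
    session=" $1 "
    database=" $2 "
    for g in $2; do
        case "$session" in
            *" $g "*) ;;
            *) printf 'pending %s\n' "$g" ;;
        esac
    done
    for g in $1; do
        case "$database" in
            *" $g "*) ;;
            *) printf 'stale %s\n' "$g" ;;
        esac
    done
}

# check_session: run the comparison for the current login.
# `id -Gn` reports the running process; `id -Gn USER` queries the database.
check_session() {
    user=$(id -un)
    group_drift "$(id -Gn)" "$(id -Gn "$user")"
}

# Constructed sample values mirroring the guide's josh example: the session
# started before josh was added to sudo. Prints "pending sudo".
group_drift "josh" "josh sudo"
```

Run check_session inside the user's own session; a "stale sudo" line means a revoked user still has a session to end.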

Conclusion

You have now created a new user account on Debian, added them to the sudo group using usermod or gpasswd, and verified their elevated privileges. Remember that group membership changes require a fresh login session to take effect. For finer permission control, explore the /etc/sudoers file using visudo to grant specific command access. Next, consider setting up SSH for remote access, installing Fail2ban to protect against brute-force attacks, or configuring UFW to manage firewall rules.
