Managing user privileges on Fedora Linux allows you to grant administrative access to trusted users without sharing the root password. Whether you need to set up a shared development environment, allow a family member to install software, or delegate server management tasks, adding users to the sudoers group provides controlled access to system commands. By the end of this guide, you will have created a new user account, added them to Fedora’s wheel group for sudo privileges, configured passwordless sudo or restricted command access when needed, and learned how to audit sudo activity on your system.
Switch to the Root Account
Before creating new users and modifying group memberships, you need administrative access. If you already have an existing sudo user, you can prefix commands with sudo. However, if you need to switch to the root account directly, first set or reset the root password using the following command:
sudo passwd rootAfter entering your current sudo account’s password, the system prompts you to create a new password for the root account. Once complete, switch to the root user with the su command:
suEnter the root password when prompted. Your prompt changes from your username to root@hostname, confirming you now have full administrative privileges.
If you already have sudo access on your account, you can skip the root password setup above and simply prefix each command with
sudoinstead.
Create a New User Account on Fedora
Now that you have administrative access, you can create a new user account. The adduser command creates the user along with their home directory and default configuration files. Replace josh with your preferred username:
adduser joshNext, set a secure password for the new account. Since you are already operating as root, the sudo prefix is not required:
passwd joshThe system then prompts you to enter and confirm the new password. For security, choose a strong password that combines uppercase and lowercase letters, numbers, and special characters. After successfully setting the password, you will see confirmation output similar to:
New password: Retype new password: passwd: password updated successfully
Add User to Sudoers on Fedora
Now that the user account exists, you need to grant sudo privileges. On Fedora, the sudoers group uses the name wheel. Members of this group can execute commands with root privileges by prefixing them with sudo. The -aG flags in the following command append the user to the wheel group without removing them from any existing groups:
usermod -aG wheel joshNext, confirm that the user was added successfully by checking their group memberships with the id command:
id joshThe output should include wheel in the list of groups, confirming sudo access:
uid=1000(josh) gid=1000(josh) groups=1000(josh),10(wheel)
The presence of 10(wheel) in the groups list confirms the user now has sudo privileges on the system.
Add User to Wheel Group with gpasswd
Alternatively, you can use the gpasswd command to add a user to the wheel group. This approach provides explicit feedback because it displays a confirmation message when the operation completes:
gpasswd -a josh wheelExpected output confirming you added the user:
Adding user josh to group wheel
Both usermod and gpasswd achieve the same result. Choose whichever you find more intuitive for your workflow.
Verify the New Sudo User’s Privileges
After granting sudo access, you should verify that the new user can actually execute administrative commands. First, switch to the new user account:
su joshOnce logged in as the new user, test their sudo privileges by running a command that requires root access. The whoami command with sudo should return root:
sudo whoamiThe system prompts you to enter the user’s password. After authentication, the expected output confirms sudo works correctly:
root
If the output shows root, you have successfully configured the new sudo user and they can now perform administrative tasks on the system.
Grant Sudo Access Without Password Prompt
For automation scripts or trusted single-user systems, you may want a user to run sudo commands without entering a password each time. Instead of editing the main /etc/sudoers file directly, create a drop-in file in /etc/sudoers.d/ which survives package upgrades and is easier to manage.
Create a new sudoers configuration file for the user:
sudo visudo -f /etc/sudoers.d/josh-nopasswdAdd the following line to grant passwordless sudo access for all commands:
josh ALL=(ALL) NOPASSWD: ALLSave and exit the editor. The visudo command automatically validates the syntax before saving. Verify the configuration was applied correctly:
sudo visudo -cExpected output confirming valid syntax:
/etc/sudoers: parsed OK /etc/sudoers.d/josh-nopasswd: parsed OK
Passwordless sudo reduces security by removing the authentication barrier. Use this configuration only on systems where convenience outweighs the security risk, such as personal development machines or automated deployment environments.
Restrict Sudo to Specific Commands
Rather than granting full administrative access, you can limit a user to running only specific commands with sudo. This approach follows the principle of least privilege and is useful for delegating limited tasks to users or service accounts.
Create a drop-in file to restrict the user to specific commands:
sudo visudo -f /etc/sudoers.d/josh-limitedAdd commands the user is allowed to run. The following example permits only restarting and checking the status of a web server:
josh ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginxYou can verify what sudo permissions a user has with the sudo -l command:
sudo -l -U joshThe output lists all commands the user can run with sudo:
User josh may run the following commands on hostname:
(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
This pattern works well for web developers who need to restart services, database administrators who need specific management commands, or backup operators who need access to snapshot tools.
Audit Sudo Activity
Monitoring who uses sudo and what commands they run is essential for security auditing and troubleshooting. Fedora logs sudo activity through systemd’s journal. To view recent sudo usage:
sudo journalctl _COMM=sudo --since "1 hour ago"This displays all sudo commands run in the last hour, including the user who ran them, the command executed, and the working directory. For a broader view of sudo activity:
sudo journalctl _COMM=sudo -n 50The -n 50 flag limits output to the 50 most recent entries. Each log entry shows the timestamp, user, and the exact command they executed with sudo privileges, allowing you to track administrative actions across your system.
Troubleshooting Sudo Access Issues
User Not in Sudoers File Error
If you see an error message like the following when running a sudo command:
josh is not in the sudoers file. This incident will be reported.
This error indicates that you did not successfully add the user to the wheel group. To fix this, log in as root or another sudo user and verify the group membership:
id joshIf the user is not in the wheel group, you will see output without wheel listed:
uid=1000(josh) gid=1000(josh) groups=1000(josh)
Compare this to the expected output when wheel membership is correct, which includes 10(wheel). If wheel is missing, add the user to the group again using the usermod command as described above.
Group Changes Not Taking Effect
If you added a user to the wheel group but sudo still does not work, the user may need to log out and log back in. Group membership changes only take effect when a new session starts. For SSH connections on Fedora, disconnect and reconnect to refresh group memberships.
Alternatively, you can start a new login shell for the user to refresh their group memberships without fully logging out:
su - joshThe hyphen creates a login shell that reads the updated group information. Another option is to use newgrp wheel to activate the new group membership in your current session without logging out.
Remove a User from Sudoers on Fedora
If you need to revoke sudo privileges from a user, remove them from the wheel group using gpasswd with the -d flag:
gpasswd -d josh wheelExpected output:
Removing user josh from group wheel
Verify the removal by checking the user’s groups:
id joshThe output should no longer include wheel:
uid=1000(josh) gid=1000(josh) groups=1000(josh)
The user will lose sudo access immediately for new sessions. Existing sessions may retain sudo access until the user logs out.
Delete the User Account Entirely
If you need to completely remove the user account along with their home directory and mail spool, use userdel with the -r flag:
Warning: The following command permanently deletes the user account and their home directory, including all files stored there. Back up any important data before proceeding.
userdel -r joshFinally, verify that the user no longer exists:
id joshExpected output confirming you deleted the user:
id: 'josh': no such user
Conclusion
You have created a new user account on Fedora, added them to the wheel group for sudo privileges, and verified their administrative access works correctly. You also learned how to configure passwordless sudo for automation, restrict users to specific commands following the principle of least privilege, and audit sudo activity through the system journal. For enhanced security, consider configuring firewalld on Fedora, setting up Fail2Ban for intrusion prevention, and reviewing your SELinux configuration on Fedora for additional access controls.