How to Create a New Sudo User on Fedora Linux

Fedora does not use a separate sudo group for admin access. To add a user to sudoers on Fedora, put that account in the wheel group and test sudo from a fresh login shell. The wheel group is the standard Fedora sudoers group for both Workstation and Server installs.

If the user does not exist yet, create it first with adduser and passwd. The same workflow extends to passwordless or command-limited sudo rules through drop-in files in /etc/sudoers.d/.

Add a User to Sudoers on Fedora

Fedora grants sudo through the wheel group, not a separate sudo group. If the account already exists, skip to the wheel-group step.

These commands need an account that already has admin rights. If your current login cannot use sudo, use another Fedora admin account or switch to root if that account is already enabled.

Create a New User on Fedora

Skip this step if the account already exists. Create a new Fedora user with sudo adduser username, then set a password before you add the account to wheel.

sudo adduser josh

Fedora returns to the prompt when the account and home directory are ready. Set the password for the new account next:

sudo passwd josh

New password:
Retype new password:
passwd: password updated successfully

Add the User to the Wheel Group on Fedora

Fedora grants sudo through wheel, so this is the step that actually adds the user to sudoers on Fedora. The -aG flag means append to the supplementary group list; without -a, usermod would replace every other group the account belongs to.

sudo usermod -aG wheel josh

Check the user’s groups after the change:

id josh

uid=1001(josh) gid=1001(josh) groups=1001(josh),10(wheel)

If you prefer a command that prints a confirmation line, gpasswd can add the same membership. Use one command or the other, not both.

sudo gpasswd -a josh wheel

Adding user josh to group wheel

Verify Sudo Access on Fedora

Open a fresh login shell as that user before you test sudo. Existing sessions keep the old group list until you sign in again.

su - josh

Then run a quick admin command:

sudo whoami

root

Configure Passwordless or Limited Sudo on Fedora

Keep exceptions in /etc/sudoers.d/ instead of editing /etc/sudoers directly. Each drop-in stays separate, and visudo can validate the syntax before you rely on it.

Allow Passwordless Sudo on Fedora

This creates a dedicated drop-in for one account. tee writes the file as root because a plain > redirection does not inherit sudo. The chmod 0440 step keeps the root-owned file read-only, which is what sudoers expects. That same octal notation is part of the standard chmod command in Linux syntax.

printf '%s\n' 'josh ALL=(ALL) NOPASSWD: ALL' | sudo tee /etc/sudoers.d/josh-nopasswd > /dev/null
sudo chmod 0440 /etc/sudoers.d/josh-nopasswd

Check the file before you rely on it:

sudo visudo -cf /etc/sudoers.d/josh-nopasswd

/etc/sudoers.d/josh-nopasswd: parsed OK

This quick test runs sudo as that account from the current admin shell, so you can confirm there is no password prompt:

sudo -u josh sudo -n whoami

root

Passwordless sudo removes the normal authentication check. Keep it for automation, disposable lab systems, or tightly controlled accounts, not for broad day-to-day admin access.

Limit Sudo to Specific Commands on Fedora

For tighter control, use a separate account that is not also in wheel. If the user still belongs to wheel, Fedora keeps full sudo access no matter what you add in a narrower drop-in. Use full paths because sudoers matches the command path, not just the command name. If you need to confirm a path first, type -P command-name shows it.

printf '%s\n' 'webops ALL=(ALL) NOPASSWD: /usr/bin/systemctl status sshd, /usr/bin/systemctl reload sshd' | sudo tee /etc/sudoers.d/webops-limited > /dev/null
sudo chmod 0440 /etc/sudoers.d/webops-limited

Validate the drop-in, then inspect the effective rule with sudo -l -U webops. The -U flag checks the rules for a different user without switching to their shell. Fedora also prints its default sudo settings before the allowed-command block, so focus on the command list near the bottom.

sudo visudo -cf /etc/sudoers.d/webops-limited

/etc/sudoers.d/webops-limited: parsed OK

sudo -l -U webops

Matching Defaults entries for webops on fedora:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/var/lib/snapd/snap/bin

User webops may run the following commands on fedora:
    (ALL) NOPASSWD: /usr/bin/systemctl status sshd, /usr/bin/systemctl reload sshd

Check Sudo Logs on Fedora

Fedora writes sudo activity to the system journal. Reviewing it is the fastest way to see who ran a privileged command and when.

sudo journalctl _COMM=sudo -n 20 --no-pager

Mar 19 14:30:04 fedora sudo[5447]:   joshua : PWD=/home/joshua ; USER=root ; COMMAND=/usr/sbin/visudo -cf /etc/sudoers.d/webops-limited
Mar 19 14:30:04 fedora sudo[5447]: pam_unix(sudo:session): session opened for user root(uid=0) by joshua(uid=1000)
Mar 19 14:30:04 fedora sudo[5447]: pam_unix(sudo:session): session closed for user root

Swap -n 20 for --since "1 hour ago" when you want a time window instead of the newest entries.

Troubleshoot Sudo Access on Fedora

Most Fedora sudo problems come down to missing wheel membership or an old login session that never refreshed its groups.

User Is Not in the Sudoers File on Fedora

On a default Fedora install, this usually means the account is not matching a sudo rule yet.

josh is not in the sudoers file.

Check the groups that Fedora sees for the account:

id josh

uid=1001(josh) gid=1001(josh) groups=1001(josh)

If wheel is missing, add the account again and start a new session before you test sudo one more time:

sudo usermod -aG wheel josh

Group Changes Are Not Taking Effect on Fedora

Group changes apply only to new sessions. For local logins, sign out and back in; if you are working remotely, disconnect and reconnect over SSH so Fedora starts a fresh session with the updated groups. If OpenSSH is not ready on the machine yet, install and enable SSH on Fedora first.

You can also start a new login shell without ending the current admin session:

su - josh

Remove a User from Sudoers on Fedora

Remove the account from wheel when you want to revoke sudo but keep the user itself. Delete the account only when you also want to remove the home directory and mail spool.

Remove the User from the Wheel Group on Fedora

This drops the Fedora sudo grant while leaving the account intact.

sudo gpasswd -d josh wheel

Removing user josh from group wheel

Confirm that wheel is gone from the group list:

id josh

uid=1001(josh) gid=1001(josh) groups=1001(josh)

Delete the User Account on Fedora

Delete the account only after you move any files you still need. The -r flag tells userdel to also remove the home directory and mail spool, so there is nothing left to clean up.

This command is destructive. Keep a backup if you need anything from that account later.

sudo userdel -r josh

Check that Fedora no longer has a passwd entry for the account:

getent passwd josh

(no output)

No output means Fedora no longer has that user in its local account database.

Add User to Sudoers on Fedora FAQ

Conclusion

Fedora now grants admin access through wheel, and /etc/sudoers.d/ lets you add passwordless rules for an admin account or command-limited access for a separate service user. For network-facing systems, set up firewalld on Fedora first, then install Fail2Ban with firewalld on Fedora if you want another layer around remote logins.