Running commands as root is risky for daily tasks because a single mistake can break your system. Arch Linux follows the Unix convention of using the wheel group for sudo access, which differs from Debian-based distributions that use a sudo group. Creating a regular user account with administrative privileges lets you work safely while retaining the ability to run privileged commands when needed.
This guide walks through creating users, granting sudo privileges via the wheel group or direct sudoers entries, verifying access works correctly, revoking privileges when needed, and removing users entirely. Each step includes verification commands and expected output so you can confirm your configuration. By the end, you will have a non-root administrative user configured on your Arch Linux system.
Choose Your Sudo Configuration Method
Arch Linux provides two approaches for granting sudo privileges. Both achieve the same result but suit different administrative scenarios.
| Method | How It Works | Best For | Trade-offs |
|---|---|---|---|
| wheel group | Add users to the wheel group, uncomment one line in sudoers | Multiple administrators, standard setups | Requires editing sudoers once; all wheel members get full sudo |
| Direct sudoers entry | Add individual user entries to the sudoers file | Granular control, single admin, custom command restrictions | Requires sudoers edit per user; more flexible but more maintenance |
We recommend the wheel group method for most users because it follows Arch Linux conventions, requires minimal configuration, and makes adding or removing administrators straightforward. Use direct sudoers entries only when you need to restrict specific users to specific commands.
Install and Verify Sudo
Fresh Arch Linux installations may not include sudo. Before configuring user privileges, verify sudo is installed and update your system.
Update System and Install Sudo
Log in as root (or use an existing sudo user) and synchronize the package database before installing:
pacman -Syu
Install the sudo package:
pacman -S sudo
If you already have sudo configured and are running as a sudo user, prefix these commands with sudo. The examples in this section assume you are logged in as root during initial setup.
Verify Sudo Installation
Confirm sudo is installed and check the version:
sudo --version
Expected output:
Sudo version 1.9.17p2
Sudoers policy plugin version 1.9.17p2
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17p2
Sudoers audit plugin version 1.9.17p2
The version number confirms sudo is installed and accessible. Arch Linux tracks the latest stable sudo release through rolling updates.
Create a New User
Before granting sudo privileges, you need a user account. The useradd command creates new users, and the --create-home flag ensures they have a home directory.
Create User with Home Directory
Create a new user (replace joshua with your desired username):
useradd --create-home joshua
The --create-home flag (or -m) creates the user’s home directory at /home/joshua and copies default configuration files from /etc/skel.
Set User Password
Assign a password to the new account:
passwd joshua
You will be prompted to enter and confirm the password:
New password:
Retype new password:
passwd: password updated successfully
Verify User Creation
Confirm the user exists and check their group memberships:
id joshua
Expected output showing the user exists with their own primary group:
uid=1000(joshua) gid=1000(joshua) groups=1000(joshua)
At this point, the user has no sudo privileges. The next sections cover granting administrative access.
Grant Sudo Privileges via the wheel Group
Arch Linux grants sudo access by adding users to the wheel group and enabling that group in the sudoers file. This approach follows Unix conventions and simplifies managing multiple administrators.
Add User to the wheel Group
Use the usermod command to add the user to the wheel group without removing them from their existing groups:
usermod -aG wheel joshua
The -a flag appends to the user’s groups rather than replacing them. The -G flag specifies supplementary groups. You can also use the long form:
usermod --append --groups wheel joshua
Verify the user is now in the wheel group:
id joshua
Expected output showing wheel group membership:
uid=1000(joshua) gid=1000(joshua) groups=1000(joshua),998(wheel)
Enable wheel Group in Sudoers
Adding a user to the wheel group alone does not grant sudo access. You must also uncomment the wheel group line in the sudoers file. Always edit the sudoers file using visudo, which checks for syntax errors before saving:
visudo
The visudo command opens the sudoers file in the default editor (usually vi or vim). If you are unfamiliar with vi, press i to enter insert mode for editing, press Esc to exit insert mode, then type :wq and press Enter to save and quit. To quit without saving, type :q! instead.
Locate this commented line (around line 125):
# %wheel ALL=(ALL:ALL) ALL
Remove the # at the beginning to uncomment it:
%wheel ALL=(ALL:ALL) ALL
This line grants all members of the wheel group permission to run any command as any user, with password authentication required.
There is also a NOPASSWD variant (%wheel ALL=(ALL:ALL) NOPASSWD: ALL) that allows sudo without entering a password. This is convenient but less secure. Only use it on personal systems where physical security is not a concern.
Verify Sudo Access
Check that the user now has sudo privileges:
sudo -lU joshua
Expected output showing full sudo access:
Matching Defaults entries for joshua on archlinux:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/bin
User joshua may run the following commands on archlinux:
(ALL : ALL) ALL
If you see “User joshua is not allowed to run sudo on archlinux” instead, verify that:
- The user is in the wheel group (id joshua should show wheel)
- The wheel line is uncommented in sudoers (run visudo and check)
- You saved the sudoers file correctly (no syntax errors)
Grant Sudo Privileges via Direct Sudoers Entry
For more granular control, you can add individual users directly to the sudoers file without using the wheel group. This approach lets you restrict users to specific commands or assign different privilege levels to different users.
Add User Entry to Sudoers
Open the sudoers file with visudo:
visudo
Navigate to the section containing root’s permissions (look for the line root ALL=(ALL:ALL) ALL) and add a new line for your user:
joshua ALL=(ALL:ALL) ALL
This grants the user joshua permission to execute any command as any user on any host. The format is:
- joshua: The username
- ALL (first): Applies to all hosts
- (ALL:ALL): Can run as any user and any group
- ALL (last): Can run any command
Restrict User to Specific Commands
To limit a user to specific commands, replace the final ALL with a comma-separated list of allowed commands:
backup_user ALL=(ALL:ALL) /usr/bin/rsync, /usr/bin/tar
This restricts backup_user to running only rsync and tar with sudo, which suits service accounts or users with limited administrative needs.
Verify Direct Entry Works
Check the user’s sudo privileges:
sudo -lU joshua
The output will list the commands the user can run.
Revoke Sudo Privileges
When a user no longer needs administrative access, you should revoke their sudo privileges immediately. The method depends on how the privileges were originally granted.
Remove User from the wheel Group
If you granted sudo via the wheel group, remove the user with the gpasswd command:
gpasswd -d joshua wheel
Expected output:
Removing user joshua from group wheel
Verify the user is no longer in the wheel group:
id joshua
Expected output without wheel:
uid=1000(joshua) gid=1000(joshua) groups=1000(joshua)
Remove Direct Sudoers Entry
If you granted sudo through a direct sudoers entry, open the sudoers file and remove the user’s line:
visudo
Find and delete the user’s entry (the entire line containing their username).
Confirm Privileges Are Revoked
Verify the user no longer has sudo access:
sudo -lU joshua
Expected output confirming no sudo access:
User joshua is not allowed to run sudo on archlinux.
Delete a User Account
When a user account is no longer needed, remove it entirely. The userdel command handles user deletion.
Remove User and Home Directory
To delete the user and their home directory:
userdel -r joshua
The -r flag removes the user’s home directory (/home/joshua) and mail spool. Without this flag, those files remain on the system.
The userdel -r command permanently deletes the user’s home directory and all files within it. If the user has important data, back it up first with cp -r /home/joshua /tmp/joshua-backup.
Handle Active User Sessions
If the user is currently logged in, you may see an error. Check for active sessions:
who | grep joshua
To force removal of a logged-in user, use the -f flag (use with caution):
userdel -rf joshua
Verify User Deletion
Confirm the user no longer exists:
id joshua
Expected output:
id: 'joshua': no such user
Troubleshooting Common Issues
These are the most common problems when configuring sudo on Arch Linux.
User Is Not in the Sudoers File
If you see this error when running a sudo command:
joshua is not in the sudoers file. This incident will be reported.
This means the user has no sudo privileges. Check their group membership:
id joshua
If wheel is missing from the groups, add them:
usermod -aG wheel joshua
If the user is already in the wheel group, verify the wheel line is uncommented in sudoers:
grep "^%wheel" /etc/sudoers
If this returns nothing, run visudo and uncomment the wheel line.
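The two checks above (wheel membership, then an uncommented %wheel line) can be combined into one diagnostic. This is an added example, not part of the original guide; the function names and the sample files are constructed for illustration, and it reads only the files passed to it.

```sh
#!/bin/sh
# Added example (not from the original guide): explain why USER does or does
# not get sudo, following the guide's checklist. It ignores aliases and
# @includedir drop-ins, so `sudo -lU USER` stays authoritative on a live system.

# in_group USER GROUP GROUP_FILE: succeeds if USER is listed as a member.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}

# sudo_diag USER [SUDOERS] [GROUP_FILE]: prints a one-line verdict.
# The body runs in a subshell, so its variables stay local.
sudo_diag() (
    user=$1 sudoers=${2:-/etc/sudoers} group_file=${3:-/etc/group}
    # Active rules only: a commented line has "#" as its first field.
    direct=$(awk -v u="$user" '$1 == u' "$sudoers" | tail -n 1)
    wheel=$(awk '$1 == "%wheel"' "$sudoers" | tail -n 1)

    # Simplification: a direct entry is reported first; sudo itself applies
    # the last matching rule in the file.
    if [ -n "$direct" ]; then
        echo "direct entry: $direct"
    elif ! in_group "$user" wheel "$group_file"; then
        echo "no sudo: $user is not in wheel"
    elif [ -z "$wheel" ]; then
        echo "no sudo: %wheel line is commented out"
    else
        case $wheel in
            *NOPASSWD*) echo "wheel, no password prompt: $wheel" ;;
            *)          echo "wheel: $wheel" ;;
        esac
    fi
)

# Constructed sample files (not real system data) for an offline run.
make_sample() {
    printf '%s\n' 'root ALL=(ALL:ALL) ALL' '# %wheel ALL=(ALL:ALL) ALL' \
        'backup_user ALL=(ALL:ALL) /usr/bin/rsync, /usr/bin/tar' > "$1/sudoers"
    printf '%s\n' 'root:x:0:root' 'wheel:x:998:joshua' 'joshua:x:1000:' > "$1/group"
}

tmp=$(mktemp -d) && make_sample "$tmp"
sudo_diag joshua "$tmp/sudoers" "$tmp/group"       # wheel member, line still commented
sudo_diag backup_user "$tmp/sudoers" "$tmp/group"  # direct, command-restricted entry
rm -rf "$tmp"
```

Run as root with only a username (sudo_diag joshua) to check the live /etc/sudoers and /etc/group.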
Syntax Error in Sudoers File
If visudo reports a syntax error when saving, it will prompt you:
>>> /etc/sudoers: syntax error near line 125 <<<
What now? (e)dit, (x)exit, (Q)quit
Press e to return to the editor and fix the error. Common mistakes include:
- Missing spaces around = or :
- Typos in usernames or group names
- Missing parentheses around (ALL:ALL)
Never press Q if you have made changes: Q quits and saves the file with the syntax error still in it, which could leave you locked out of sudo access.
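The same syntax check can gate a scripted change, so a broken rule never reaches the live configuration. This is an added example, not from the original guide: it assumes /etc/sudoers contains an @includedir /etc/sudoers.d line, and the install_rule function, the VISUDO override and the 10-wheel file name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original guide): install a sudoers rule without
# an interactive editor, refusing anything that fails the syntax check.
# Assumes /etc/sudoers has "@includedir /etc/sudoers.d"; the VISUDO override
# and the file name 10-wheel are hypothetical choices for this sketch.

VISUDO=${VISUDO:-visudo}

# install_rule 'RULE TEXT' DEST: validate in a staging file, then install it.
# The body runs in a subshell, so its variables stay local.
install_rule() (
    rule=$1 dest=$2
    stage=$(mktemp) || exit 1
    printf '%s\n' "$rule" > "$stage"

    # -c checks only; -f points visudo at the staged file, not /etc/sudoers.
    if "$VISUDO" -c -f "$stage" >/dev/null 2>&1; then
        # 0440 is the mode of the stock /etc/sudoers.
        install -m 0440 "$stage" "$dest"; status=$?
    else
        echo "rejected: syntax check failed, $dest left untouched" >&2
        status=1
    fi
    rm -f "$stage"
    exit "$status"
)

# On a real system, as root:
#   install_rule '%wheel ALL=(ALL:ALL) ALL' /etc/sudoers.d/10-wheel
```

Confirm the result with sudo -lU joshua before closing the root session.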
Locked Out of Sudo Access
If you cannot use sudo and need to fix the configuration, you have two options:
Option 1: Log in as root directly
If you know the root password, switch to a TTY (press Ctrl+Alt+F2), log in as root, and fix the sudoers file with visudo.
Option 2: Boot from live USB
If root login is disabled, boot from an Arch Linux live USB, mount your root partition, and edit the sudoers file:
mount /dev/sdXn /mnt
visudo -f /mnt/etc/sudoers
Replace /dev/sdXn with your actual root partition (use lsblk to identify it).
Password Not Accepted for Sudo
If sudo asks for a password and the correct password is rejected:
- Verify you are entering the user's password, not root's password
- Check that the account is not locked: passwd -S joshua (should show P for password set, not L for locked)
- Try resetting the password as root: passwd joshua
Additional Resources
For comprehensive documentation on sudo configuration, refer to the Arch Wiki sudo page. The Arch Wiki covers advanced topics including:
- Custom timeout settings for password caching
- Configuring sudoers.d drop-in files
- Environment variable handling
- Logging and auditing sudo usage
You can also consult the manual pages for detailed command options:
man sudo
man useradd
man usermod
man gpasswd
man userdel
man visudo
Conclusion
You now have the tools to manage user privileges on Arch Linux. Creating a regular user with useradd --create-home, granting sudo access via the wheel group, and using visudo to safely edit the sudoers file form the core skills for day-to-day administration. Always verify changes with id and sudo -lU commands before logging out as root, and keep the root password accessible in case you need to recover from a misconfiguration.