The clean way to grant sudo is to add the user to the admin group: sudo on Debian and Ubuntu, wheel on RHEL, Fedora, and Arch.
sudo usermod -aG sudo deploy # Debian / Ubuntu
sudo usermod -aG wheel deploy # RHEL / Fedora / Arch
The -a (append) is essential, as covered in add a user to a group: plain -G would wipe their other groups. The user must log out and back in for the new group to apply.
Verify it
sudo -lU deploy # what is deploy allowed to run?Once they log back in, sudo whoami from their account should print root.
Scope it instead of granting everything
Full membership in sudo/wheel means run-anything-as-root. Often you want less than that, for example "this person may restart nginx but not become root". Do that with a sudoers drop-in, edited through visudo:
sudo visudo -f /etc/sudoers.d/deploy# /etc/sudoers.d/deploy
deploy ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
That grants exactly those two commands as root and nothing else. The format is user host=(runas) commands. Drop-in files in /etc/sudoers.d/ are the right place for this; never hand-edit the main /etc/sudoers directly.
Group the rule for a team
For several people, point the rule at a group (prefixed with %) instead of repeating it per user:
# /etc/sudoers.d/web-ops
%webops ALL=(ALL) /usr/bin/systemctl * nginx
Then add people to webops with usermod -aG. One rule, managed by group membership.
FAQ
See also
- How to edit the sudoers file safely (visudo): the syntax-checked way to write these rules.
- How to add a user to a group: the -aG mechanics and the -a trap.
- How to set up passwordless sudo: NOPASSWD and when it is justified.
- How to disable root login: the reason to give sudo in the first place.
Sources
Authoritative references this article was fact-checked against.
