Open Ticket 
+373 79 600002 
Telegram Live Chat 
F.A.Q 
English
Русский 
Română 
Deutsch 
Français 
Türkçe 
Español 
Português 
Українська 
български 
Polski 
Indonesia 
中文 (中国) 
Administration 
LinuxHow to Add a User to the Root Group and Grant Privileges in Linux
Granting elevated privileges in Linux means giving a user account the ability to execute commands that require superuser-level access — either by adding them to a privileged group such as `sudo` or `wheel`, or by explicitly configuring entries in the `/etc/sudoers` file. The safest and most auditable method is always `sudo`-based delegation, not direct membership in the `root` group.
This guide covers every practical path: adding users to the `sudo` or `wheel` group, editing the `sudoers` file with `visudo`, scoping privileges to specific commands, revoking access cleanly, and understanding exactly why direct `root` group membership is a security liability in production environments.
Understanding the Linux Privilege Model
Linux enforces a strict separation between privileged and unprivileged execution contexts. Every process runs under a UID (User ID), and UID 0 — the `root` user — bypasses virtually all permission checks enforced by the kernel. This is not just a convention; it is enforced at the syscall level.
Key privilege mechanisms you need to understand:
- Root user (UID 0): Unrestricted access to all files, devices, kernel parameters, and system calls. A single misconfigured command run as root can irreversibly damage a running system.
- sudo: A setuid binary that allows a permitted user to execute a command as another user (typically root), subject to policy defined in `/etc/sudoers`. Every invocation is logged to syslog or journald.
- The `sudo` group (Debian/Ubuntu): Members of this group are granted full sudo access by a default rule in `/etc/sudoers`.
- The `wheel` group (RHEL/CentOS/Fedora/AlmaLinux): The functional equivalent of the `sudo` group on Red Hat-based distributions.
- The `root` group (GID 0): Membership here does NOT grant root-level command execution. It only allows access to files owned by the `root` group with group-read or group-write permissions. This is frequently misunderstood.
Root Group vs. sudo Group: A Critical Distinction
| Property | `root` group (GID 0) | `sudo` / `wheel` group |
|---|---|---|
| — | — | — |
| Grants UID 0 execution | No | Yes (via sudo) |
| Allows reading root-owned group-readable files | Yes | No (unless also root) |
| Logged in audit trail | No | Yes (syslog/journald) |
| Requires password confirmation | No | Yes (by default) |
| Recommended for admin delegation | No | Yes |
| Risk level | High (silent file access) | Controlled |
| Typical use case | Legacy setups, specific file ACLs | All modern admin delegation |
Adding a user to the `root` group does not make them root. It silently grants read/write access to any file where the `root` group has permissions — which on a misconfigured system can include sensitive configuration files, private keys, or cron directories. This is why it is dangerous and rarely the correct solution.
Prerequisites
Before proceeding, confirm the following:
- You have an active session with root or sudo privileges.
- The target user account already exists. If it does not, create it:
“`bash
sudo adduser username
“`
On minimal systems or RHEL-based distributions, use `useradd` with explicit options:
“`bash
sudo useradd -m -s /bin/bash username
sudo passwd username
“`
- You know your distribution's privileged group name (`sudo` on Debian/Ubuntu, `wheel` on RHEL/CentOS/AlmaLinux/Fedora).
If you are managing a VPS Hosting environment, these steps apply identically whether you are on a bare metal server or a virtual machine — the Linux privilege model is OS-level, not hypervisor-level.
Step 1: Add the User to the sudo or wheel Group
This is the correct, recommended method for granting administrative access on all modern Linux distributions.
On Debian, Ubuntu, and Derivatives
The `sudo` group is pre-configured in `/etc/sudoers` with a rule that grants full sudo access:
“`bash
sudo usermod -aG sudo username
“`
The `-aG` flag is critical: `-a` means append (do not remove existing group memberships), and `-G` specifies the supplementary group. Omitting `-a` will replace all supplementary groups with only the specified one — a common and destructive mistake.
On RHEL, CentOS, AlmaLinux, Rocky Linux, and Fedora
Use the `wheel` group instead:
“`bash
sudo usermod -aG wheel username
“`
On older CentOS 6 systems, the `wheel` group rule in `/etc/sudoers` may be commented out. Verify it is active:
“`bash
sudo grep -i wheel /etc/sudoers
“`
You should see an uncommented line like:
“`
%wheel ALL=(ALL) ALL
“`
If it is commented out, uncomment it using `visudo` (covered in Step 2).
Verifying Group Membership
Group changes take effect at the next login. To verify immediately without logging out:
“`bash
groups username
“`
Or inspect `/etc/group` directly:
“`bash
grep -E '^sudo:|^wheel:' /etc/group
“`
To apply the new group to an existing session without re-logging in, the user can run:
“`bash
newgrp sudo
“`
Note that `newgrp` spawns a new shell with the updated group context — it does not modify the parent session.
Step 2: Configure Granular Privileges via the sudoers File
For production systems, full unrestricted sudo access is often excessive. The `/etc/sudoers` file allows you to scope privileges precisely — by command, by target user, by host, and with or without password prompts.
Always edit `/etc/sudoers` using `visudo`. This tool locks the file against concurrent edits and performs syntax validation before saving. A syntax error in `/etc/sudoers` can lock every user out of sudo on the system — `visudo` prevents this.
“`bash
sudo visudo
“`
Granting Full sudo Access to a Specific User
Add this line at the end of the file (or in a drop-in file under `/etc/sudoers.d/`):
“`
username ALL=(ALL:ALL) ALL
“`
Breaking down the syntax:
- `username` — the account this rule applies to.
- First `ALL` — applies on all hostnames (relevant for shared sudoers files distributed via configuration management).
- `(ALL:ALL)` — the user may run commands as any user (first `ALL`) and any group (second `ALL`).
- Final `ALL` — all commands are permitted.
Granting Access to Specific Commands Only (Least Privilege)
This is the pattern you should use in production. For example, to allow a user to restart Nginx and nothing else:
“`
username ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx
“`
Or to allow managing a specific service with password confirmation:
“`
username ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl stop nginx
“`
Pitfall: Always use absolute paths in sudoers rules. Relative paths are rejected by sudo and will silently fail or cause errors.
Using Drop-in Files in /etc/sudoers.d/
Rather than editing the main `sudoers` file directly, place user-specific rules in `/etc/sudoers.d/`:
“`bash
sudo visudo -f /etc/sudoers.d/username
“`
Add your rule, save, and verify the file has correct permissions:
“`bash
sudo chmod 440 /etc/sudoers.d/username
“`
This approach integrates cleanly with configuration management tools like Ansible, Puppet, and Chef, and makes privilege auditing significantly easier.
Granting NOPASSWD Access (Use with Caution)
For automated scripts or service accounts that need to run privileged commands without interactive prompts:
“`
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp
“`
Security note: `NOPASSWD` eliminates the authentication barrier. Only use it for tightly scoped commands on accounts with strong SSH key-based authentication. Never grant `NOPASSWD: ALL` on a production server.
Step 3: Test the Configuration
After making changes, test before ending your current privileged session — if you have made an error, you still have your existing session to correct it.
Switch to the target user and verify:
“`bash
su – username
sudo whoami
“`
Expected output: `root`
To list all commands the user is permitted to run:
“`bash
sudo -l -U username
“`
This is an essential diagnostic command. It shows the effective sudoers policy for any user without requiring you to log in as them.
Step 4: Adding a User to the root Group (Explicit Warning)
If a specific legacy application or file permission requirement genuinely demands `root` group membership — and you have exhausted alternatives like ACLs and capability sets — the command is:
“`bash
sudo usermod -aG root username
“`
What this actually does: The user gains access to files where the `root` group has read or write permissions. On a default Linux installation, this includes files in `/etc/`, `/root/`, and potentially `/var/` depending on distribution-specific packaging decisions.
What this does not do: It does not grant the ability to run commands as root. It does not enable `sudo`. It does not change the user's UID.
Recommended alternative: Use POSIX ACLs to grant access to a specific file rather than adding a user to the `root` group:
“`bash
sudo setfacl -m u:username:r /etc/specific-config-file
“`
This grants read access to exactly one file without any group-level exposure.
Step 5: Revoking Privileges
Privilege revocation must be immediate and verifiable. Do not rely on the user logging out — remove the group membership and verify.
Remove from the sudo Group (Debian/Ubuntu)
“`bash
sudo deluser username sudo
“`
Or using the portable `gpasswd` method (works on all distributions):
“`bash
sudo gpasswd -d username sudo
“`
Remove from the wheel Group (RHEL-based)
“`bash
sudo gpasswd -d username wheel
“`
Remove a sudoers.d Drop-in File
“`bash
sudo rm /etc/sudoers.d/username
“`
Verify Revocation Immediately
“`bash
sudo -l -U username
“`
The output should show no matching entries or explicitly state the user may not run sudo.
Edge case: If the user has an active session, group membership changes do not affect that session until they log out and back in. To force immediate effect, kill their active sessions:
“`bash
sudo pkill -u username
“`
On systems running Dedicated Servers with multiple concurrent administrators, this step is non-negotiable when revoking access for a departing team member.
Step 6: Auditing sudo Usage
Every `sudo` invocation is logged. On systemd-based systems:
“`bash
sudo journalctl -u sudo
“`
Or via traditional syslog:
“`bash
sudo grep sudo /var/log/auth.log # Debian/Ubuntu
sudo grep sudo /var/log/secure # RHEL/CentOS
“`
A typical log entry looks like:
“`
Jan 15 14:32:01 hostname sudo: username : TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/bin/systemctl restart nginx
“`
This records the originating user, the terminal, the working directory, the target user, and the exact command. This audit trail is invaluable for incident response and compliance requirements.
For enhanced auditing, consider enabling `sudo` logging to a dedicated log file by adding to `/etc/sudoers`:
“`
Defaults logfile="/var/log/sudo.log"
Defaults log_input, log_output
“`
`log_input` and `log_output` record the full I/O of every sudo session — particularly useful when investigating what a privileged user actually did during a session.
Security Hardening: Beyond Basic sudo Configuration
Administrators managing VPS with cPanel or custom Linux stacks should apply these additional controls:
Restrict sudo to specific TTYs:
“`
Defaults requiretty
“`
This prevents sudo from being invoked from non-interactive scripts or cron jobs unless explicitly permitted.
Set a sudo session timeout:
“`
Defaults timestamp_timeout=5
“`
This sets the credential cache to 5 minutes. Setting it to `0` requires a password for every single sudo invocation.
Limit sudo to specific source IPs (for multi-user servers):
“`
username 192.168.1.0/24=(ALL) ALL
“`
Use `sudo` with environment sanitization:
By default, sudo resets the environment to a safe state. Verify `env_reset` is active in your sudoers file:
“`
Defaults env_reset
“`
Disable root SSH login: Once sudo is configured, disable direct root login via SSH in `/etc/ssh/sshd_config`:
“`
PermitRootLogin no
“`
This forces all administrative actions through auditable sudo sessions rather than anonymous root logins. This is a baseline requirement for any server exposed to the internet, including those running Shared Web Hosting stacks or multi-tenant environments.
Privilege Management Across Distributions: Quick Reference
| Distribution | Privileged Group | Default sudoers Rule Active | Package for sudo |
|---|---|---|---|
| — | — | — | — |
| Ubuntu 20.04+ | `sudo` | Yes | `sudo` (pre-installed) |
| Debian 11+ | `sudo` | Yes | `sudo` (install manually) |
| CentOS 7/8 | `wheel` | Yes | `sudo` (pre-installed) |
| AlmaLinux 8/9 | `wheel` | Yes | `sudo` (pre-installed) |
| Rocky Linux 8/9 | `wheel` | Yes | `sudo` (pre-installed) |
| Fedora 38+ | `wheel` | Yes | `sudo` (pre-installed) |
| Arch Linux | `wheel` | No (must uncomment) | `sudo` (install manually) |
| openSUSE | `wheel` | Yes | `sudo` (pre-installed) |
On Arch Linux, after installing `sudo`, you must explicitly uncomment the `%wheel` line in `/etc/sudoers` via `visudo` before group membership has any effect.
Practical Decision Matrix: Which Method to Use
| Scenario | Recommended Approach |
|---|---|
| — | — |
| Developer needs full admin on a dev VPS | Add to `sudo`/`wheel` group |
| Service account needs to restart one daemon | `sudoers` entry with `NOPASSWD` scoped to that command |
| Temporary admin access for a contractor | `sudoers.d` drop-in file (easy to remove) |
| Legacy app requires root group file access | POSIX ACL on specific files (`setfacl`) |
| CI/CD pipeline needs privileged deployment commands | Dedicated service account with scoped `NOPASSWD` rules |
| Shared hosting environment, multiple users | Do not grant sudo; use control panel role-based access |
| Compliance environment requiring full audit trail | sudo with `log_input`/`log_output` enabled |
Key Takeaway Checklist
Before considering privilege escalation complete on any Linux system, verify each of the following:
- [ ] User is added to `sudo` (Debian/Ubuntu) or `wheel` (RHEL-based) — not directly to the `root` group.
- [ ] `visudo` was used for all `/etc/sudoers` edits — never a plain text editor.
- [ ] Privilege scope is as narrow as possible — specific commands rather than `ALL` where feasible.
- [ ] `sudo -l -U username` confirms exactly the intended permissions and nothing more.
- [ ] `PermitRootLogin no` is set in `/etc/sshd_config` on internet-facing servers.
- [ ] sudo audit logging is active and log files are being monitored or forwarded to a SIEM.
- [ ] A revocation procedure is documented and tested — including killing active sessions with `pkill -u`.
- [ ] Drop-in files in `/etc/sudoers.d/` have `440` permissions — world-readable sudoers files are rejected by sudo.
- [ ] `timestamp_timeout` is set to a value appropriate for your security policy.
- [ ] Privilege grants are reviewed on a defined schedule (monthly or per access review cycle).
For teams managing multiple servers — whether on VPS Control Panels or bare metal — centralizing this configuration through Ansible or similar tooling ensures consistency and eliminates manual drift.
Frequently Asked Questions
What is the difference between adding a user to the root group and granting sudo access?
Adding a user to the `root` group (GID 0) grants access to files owned by that group — it does not allow executing commands as root. Granting sudo access (via the `sudo` or `wheel` group, or a sudoers entry) allows the user to run commands with UID 0 privileges, subject to policy and password authentication.
Why should I use `visudo` instead of editing `/etc/sudoers` directly with nano or vim?
`visudo` locks the file to prevent concurrent edits and performs syntax validation before saving. A syntax error saved directly to `/etc/sudoers` can render sudo completely non-functional for all users, potentially locking you out of administrative access on the system entirely.
How do I grant sudo access without requiring a password for a specific command?
Add a `NOPASSWD` rule scoped to the exact command in `/etc/sudoers` or a drop-in file: `username ALL=(ALL) NOPASSWD: /path/to/command`. Always use the absolute path and restrict this to the minimum required commands.
Do group membership changes take effect immediately for logged-in users?
No. A user's supplementary groups are evaluated at login time. An already-logged-in user will not gain or lose group-based sudo access until they start a new session. To force immediate revocation, terminate their active sessions using `sudo pkill -u username`.
How can I verify what sudo permissions a user currently has without logging in as them?
Run `sudo -l -U username` as root or another sudo user. This command displays the complete effective sudoers policy for the specified user, including all permitted commands, NOPASSWD flags, and any applicable defaults.