By Tony Tran and Josh Barnett
Not using CentOS 7?
Choose a different version or distribution.
Introduction
When you first start using a fresh Linux server, adding and removing users is often one of the first things you’ll need to do. In this guide, you will learn how to create user accounts, assign sudo privileges, and delete users on a CentOS 7 server.
Prerequisites
To complete this tutorial, you will need:
- A CentOS 7 server with a non-root
sudo-enabled user. If you are logged in as root instead, you can drop the sudo portion of all the following commands. For guidance, please see our tutorial Initial Server Setup with CentOS 7.
Adding Users
Throughout this tutorial we will be working with the user sammy. Please substitute with the username of your choice.
You can add a new user by typing:
sudo adduser sammy
Next, you’ll need to give your user a password so that they can log in. To do so, use the passwd command:
sudo passwd sammy
You will be prompted to type in the password twice to confirm it. Now your new user is set up and ready for use! You can now log in as that user, using the password that you set up.
Note: if your SSH server disallows password-based authentication, you will not yet be able to connect with your new username. Details on setting up key-based SSH authentication for the new user can be found in step 4 of Initial Server Setup with CentOS 7.
Granting Sudo Privileges to a User
If your new user should have the ability to execute commands with root (administrative) privileges, you will need to give the new user access to sudo.
We can do this by adding the user to the wheel group (which gives sudo access to all of its members by default).
To do this, use the usermod command:
sudo usermod -aG wheel sammy
Now your new user is able to execute commands with administrative privileges. To do so, simply type sudo ahead of the command that you want to execute as an administrator:
sudo some_command
You will be prompted to enter the password of your user account (not the root password). Once the correct password has been submitted, the command you entered will be executed with root privileges.
Managing Users with Sudo Privileges
To see which users are part of the wheel group (and thus have sudo), you can use the lid function. lid is normally used to show which groups a user belongs to, but with the -g flag, you can reverse it and show which users belong in a group:
sudo lid -g wheel
Output sammy(uid=1001)
The output will show you the usernames and UIDs that are associated with the group. This is a good way of confirming that your previous commands were successful, and that the user has the privileges that they need.
Deleting Users
If you have a user account that you no longer need, it’s best to delete the old account.
If you want to delete the user without deleting any of their files, type:
sudo userdel sammy
If you want to delete the user’s home directory along with the user account itself, type:
sudo userdel -r sammy
With either command, the user will automatically be removed from any groups that they were added to, including the wheel group if they were given sudo privileges. If you later add another user with the same name, they will have to be added to the wheel group again to gain sudo access.
Conclusion
You should now have a good grasp on how to add and remove users from your CentOS 7 server. Effective user management will allow you to separate users and give them only the access that is needed for them to do their job. You can now move on to configuring your CentOS 7 server for whatever software you need, such as a LAMP or LEMP web stack.
For more information about how to configure sudo, check out our guide on how to edit the sudoers file.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
About the author(s)
Still looking for an answer?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
I get this when I try to use sudo with the created user :(
sudo: effective uid is not 0, is sudo installed setuid root?
I can see the user when I run sudo lid -g wheel and it has UID=1000
This guide got me 90% of the way to adding a user with sudo privileges on the default centOS 6.6 install. I know the article is for centOS 7, but all I had to do to get my created user sudo access was:
visudo
...
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL <--- UNCOMMENT THIS LINE
Tiny nit-pick, but on CentOS systems adduser is just a symlink to useradd:
# file $(which adduser)
/sbin/adduser: symbolic link to `useradd'
And various Debian-based distros have a custom script for adduser which behaves entirely differently to useradd:
# file $(which adduser)
/usr/sbin/adduser: a /usr/bin/perl script, ASCII text executable
So I always try and use useradd to keep things as consistent as possible, does anybody else find the same thing?
Here is some info on sudoers and how to use it, why to use it and so on.
The sudoers file in Linux defines which users and groups have sudo privileges, specifying who can execute commands as the root user or another specified user. This file allows system administrators to control permissions and can be configured to include specific settings like passwordless sudo access and custom rules for commands.
Here’s a breakdown of the sudoers file, its usage, and customization options:
1. The Basics of sudoers Access
The main sudoers file is located at /etc/sudoers, and it’s edited using the visudo command:
visudo
Using visudo is recommended because it locks the file during editing and performs a syntax check, preventing configuration errors that could block sudo access.
In sudoers, each line defines rules with this structure:
<user_or_group> <host> = (<run_as_user>) <command>
<user_or_group>: Specifies the user (likeusername) or group (%groupname) to givesudoaccess.<host>: Defines the host on which this rule applies (usuallyALL).<run_as_user>: Specifies the user as whom commands will run (oftenALLto allow any user).<command>: Defines allowed commands. Setting this toALLallows any command.
Example
To grant sudo access to a user admin, the rule would look like:
admin ALL=(ALL) ALL
This allows admin to run any command as any user on any host.
2. Using sudoers.d for Modular Configuration
Rather than editing the main /etc/sudoers file directly, you can place configuration files in the /etc/sudoers.d directory. Files in this directory are loaded along with /etc/sudoers, which makes managing permissions easier and safer.
- Create a File in
/etc/sudoers.d:
sudo visudo -f /etc/sudoers.d/username
- Add Rules in the New File:
username ALL=(ALL) ALL
Each file in /etc/sudoers.d should have only the specific rules you want to add or override. This approach is useful in multi-user or automated environments where different teams may need distinct permissions.
3. Granting Passwordless sudo Access
By default, users are prompted for a password when running a command with sudo. To allow passwordless sudo, add the NOPASSWD directive:
username ALL=(ALL) NOPASSWD: ALL
This allows username to execute any command without entering a password.
Limiting Passwordless Commands
You can restrict passwordless access to specific commands. For example, if you want username to restart the web server without a password:
username ALL=(ALL) NOPASSWD: /usr/sbin/service apache2 restart
This rule only applies to /usr/sbin/service apache2 restart and still requires a password for other commands.
4. Common sudoers Examples
Here are a few configurations you might find useful:
- Granting Group Access: Use
%groupnameto apply rules to all users in a group. For example, to allow users in thedevelopersgroup to run any command:
%developers ALL=(ALL) ALL
Limiting Commands for Security: Restrict access to specific administrative commands without allowing unrestricted sudo access:
username ALL=(ALL) /bin/systemctl restart nginx, /bin/systemctl restart apache2
Combining NOPASSWD with Limited Commands: For a safer setup, allow passwordless access only to a few commands:
username ALL=(ALL) NOPASSWD: /usr/sbin/reboot, /usr/sbin/poweroff
5. Testing and Verifying sudoers Configuration
After adding or modifying sudoers rules, it’s a good idea to test them by switching to the user and running a test command:
sudo -l
The sudo -l command lists available sudo privileges for the current user, helping verify that the configuration works as expected.
By using sudoers.d for modular rule management, NOPASSWD for controlled passwordless access, and group-based permissions, you can securely configure sudo privileges tailored to each user or team’s needs.
This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.