How to Add User to Sudoers in Debian
The sudo
command allows trusted users to run commands as another user, by default root.
This guide explains how to add a user to sudoers in Debian (including Debian 12 Bookworm and Debian 13 Trixie) in two ways: by adding the user to the sudo group, or by creating a custom rule in the sudoers configuration.
Quick Reference
| Task | Command |
|---|---|
| Install sudo as root | apt update && apt install sudo |
| Add user to sudo group | sudo usermod -aG sudo username |
| Verify group membership | groups username |
| Verify sudo access | sudo whoami |
| Edit sudoers safely | sudo visudo |
| Edit sudoers with nano | sudo EDITOR=nano visudo |
| Add custom rule file | sudo visudo -f /etc/sudoers.d/username |
Before You Begin
Run the commands in this guide as root or as an existing sudo user. If sudo is not installed and you know the root password, switch to a root login shell:
su -Install the sudo package:
apt update
apt install sudoWhen you are logged in as root, omit sudo from the commands below.
Adding User to the sudo Group
The quickest and easiest way to grant sudo privileges to a user is to add the user to the “sudo” group. Members of this group can execute any command as root via sudo and are prompted to authenticate themselves with their password when using sudo.
We are assuming that the user you want to assign to the group already exists .
Run the command below as root or another sudo user to add the user to the sudo group :
sudo usermod -aG sudo usernameReplace username with the name of the user that you want to grant access to. If you are logged in as root, run the command without sudo.
Granting sudo access using this method is sufficient for most use cases.
The group membership change takes effect in new login sessions. Log out and back in as that user, or use su - username to open a new session, then verify access by running:
sudo whoamiYou will be asked to enter the password. If the user has sudo access, the command will print “root”. Otherwise, you will get an error saying “user is not in the sudoers file”.
Adding User to the sudoers File
The users’ and groups’ sudo privileges are defined in the /etc/sudoers file. This file allows you to grant customized access to commands and set custom security policies.
You can configure user access by editing the sudoers file or creating a new configuration file in the /etc/sudoers.d directory. Files inside this directory are included in the sudoers file.
Always use the visudo command to edit the /etc/sudoers file. This command checks the file for syntax errors when you save it. If there are any errors, the file is not saved. If you edit the file with a regular text editor, a syntax error may result in losing sudo access.
visudo checks the SUDO_EDITOR, VISUAL, and EDITOR environment variables
before falling back to the configured system editor list. To open the file with nano
, run:
sudo EDITOR=nano visudoLet us say you want to allow the user to run sudo commands without being asked for a password. To do that, open the /etc/sudoers file:
sudo visudoScroll down to the end of the file and add the following line:
username ALL=(ALL) NOPASSWD:ALLSave the file and quit the editor
. Replace username with the username you want to grant access to.
Another typical example is to allow the user to run only specific commands via sudo
. For example, to allow only the mkdir
and rmdir
commands you would use:
username ALL=(ALL) NOPASSWD:/bin/mkdir,/bin/rmdirInstead of editing the main sudoers file, you can create a separate rule file in the /etc/sudoers.d directory. Use visudo -f so the file is validated before it is saved:
sudo visudo -f /etc/sudoers.d/usernameThen add the rule:
username ALL=(ALL) NOPASSWD:ALLThis approach makes the management of sudo privileges more maintainable. The name of the file is not important, but it is a common practice to name the file after the username.
Before closing the editor, make sure the file saves without syntax errors. You can then verify the user’s privileges with sudo whoami in a new login session.
Troubleshooting
“user is not in the sudoers file”
The user has not been added to the sudo group or the sudoers file yet. Run sudo usermod -aG sudo username and make sure the user starts a new login session for the change to take effect.
Group change does not take effect immediatelyusermod -aG sudo modifies group membership in /etc/group, but the running session is not updated. The user must log out and log back in, or run su - username to start a new session with the updated groups.
visudo opens an unexpected editorvisudo checks SUDO_EDITOR, VISUAL, and EDITOR, then falls back to the system editor list. To use nano for one invocation, run sudo EDITOR=nano visudo.
Syntax error in /etc/sudoers
Always use visudo to edit the sudoers file because it validates the file before saving. If you accidentally saved a broken file, log in as root or boot into recovery mode and remove the faulty line.
FAQ
What is the difference between adding a user to the sudo group and editing the sudoers file?
Adding to the sudo group grants full unrestricted sudo access with a password prompt. Editing the sudoers file lets you define fine-grained rules for specific commands, passwordless access, or access as a particular user.
Do I need to restart the system after adding a user to the sudo group?
No. The user just needs to start a new login session. Log out and back in, or use su - username to open a session with the updated group membership.
What does NOPASSWD:ALL mean in the sudoers file?
It allows the user to run any sudo command without entering a password. Use this carefully because it removes the password confirmation step that protects against accidental privilege escalation.
Is it safe to edit /etc/sudoers directly with a text editor?
No. A syntax error in /etc/sudoers can lock you out of sudo entirely. Always use visudo, which validates the file before saving.
Where should I add custom sudo rules, in /etc/sudoers or /etc/sudoers.d/?
Prefer /etc/sudoers.d/ for custom rules. Creating a separate file per user or application makes the configuration easier to manage and review, and avoids touching the base sudoers file.
Conclusion
The simplest way to grant sudo access in Debian is to add the user to the “sudo” group with sudo usermod -aG sudo username. For more granular control, such as limiting commands or allowing passwordless execution, use visudo to add a custom rule under /etc/sudoers.d/. For the Ubuntu equivalent, see How to Add User to Sudoers in Ubuntu
.
Linuxize Weekly Newsletter
A quick weekly roundup of new tutorials, news, and tips.
About the authors
Dejan Panovski
Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.
View author page