Sudo, also known as SuperUser Do, is a program that lets users execute commands with the specified privileges. In practice, this usually means that users in the sudo group can run programs with root privileges.

Adding sudo users in Ubuntu is a very simple process, and most users stop there. But you can also customize the permissions sudo provides to various users and groups, including the sudo group itself. This allows you to assign permissions on a least-privilege basis instead of giving blanket root access to all sudo users, which is much more secure.

Create a New User

Before you start, you can check the members of the sudo group with

    getent group sudo

Additionally, you’ll need root access to add a sudo user. Now, type the following command to create a new user:

    sudo useradd -m kal

Note: The -m option in useradd creates a home directory for the new user automatically.

Set a password for the user with

    sudo passwd kal

Add the User to the Sudo Group

Now, append the user to the sudo group with

    sudo usermod -aG sudo kal

There are various ways to verify the change. You can run id kal or groups kal and confirm that sudo is listed. Or you can simply use su kal to switch to the new account and test directly. For instance, you could run sudo whoami or sudo cat /etc/sudoers.

Add the User to the sudoers File

By default, all sudo users have super-user privileges. But as stated, this isn’t ideal in terms of security. You can instead assign specific permissions to certain users and groups by editing the /etc/sudoers file. Keep in mind that you should never edit this file with a normal text editor; always use visudo, which checks the syntax before saving.

Let’s look at the default configs first, starting with the root ALL=(ALL:ALL) ALL rule.

- The first parameter (root) specifies the user that the rule applies to.
- The next parameter (ALL) specifies that this rule applies to all hosts.
- The second ALL specifies that the root user can execute commands as all users.
- The third ALL specifies that the root user can execute commands as all groups.
- The fourth ALL specifies that this rule applies to all commands.

Similarly, lines beginning with % indicate group rules.

Now, let’s say you want to restrict a user in the sudo group from running certain commands with root privileges. You could edit the sudoers file directly and add the rule at the end of the file, but that’s not good practice. Instead, I advise creating a new file for the user in the /etc/sudoers.d/ directory and defining the permissions there.

    sudo visudo -f /etc/sudoers.d/kal

For instance, let’s restrict the user kal from using some commands as root. Add the following line to the file and save it to accomplish this.

    kal ALL=(ALL) ALL, !/usr/bin/rm, !/usr/bin/ls

Here, the user kal can run all commands as root except for rm and ls. You can exclude other commands in the same way by adding the full path of the command (which you can find with, e.g., which ls), prefixed by an exclamation mark. This way, you can manage which user can run which commands as root.
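
To review rules like these across /etc/sudoers and /etc/sudoers.d/, the field breakdown above can be turned into a small audit script. This is an added example, not part of the original article: it parses simple one-line rules and flags those that grant ALL commands, including ALL with ! exclusions, which the sudoers(5) manual cautions is generally not an effective restriction compared with listing the permitted commands. The function names and the nginx rule in the sample are assumptions for illustration.

```python
import re

# One-line rules only: who host=(runas) commands. Simplification: no aliases,
# tags (NOPASSWD:), line continuations, or commas inside command arguments.
SPEC = re.compile(r"^(?!Defaults)(?P<who>[^#@\s]\S*)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_rule(line):
    """Split a sudoers user specification into fields; None if not a rule."""
    m = SPEC.match(line.strip())
    if m is None:
        return None  # blank line, comment, include directive or Defaults entry
    runas = "root" if m["runas"] is None else m["runas"]  # no (runas): root only
    users, _, groups = runas.partition(":")
    cmds = [c.strip() for c in m["cmds"].split(",")]
    return {
        "who": m["who"].lstrip("%"),
        "is_group": m["who"].startswith("%"),  # % marks a group rule
        "host": m["host"],
        "runas_users": [u.strip() for u in users.split(",") if u.strip()],
        "runas_groups": [g.strip() for g in groups.split(",") if g.strip()],
        "allowed": [c for c in cmds if not c.startswith("!")],
        "denied": [c[1:].strip() for c in cmds if c.startswith("!")],
    }

def audit(rule):
    """Return least-privilege findings for one parsed rule."""
    if "ALL" not in rule["allowed"]:
        return []  # explicit allow-list of commands
    if rule["denied"]:
        # sudoers(5) warns that subtracting commands from ALL with '!' is
        # generally not effective; list the permitted commands instead.
        return ["deny-list on ALL: " + ", ".join(rule["denied"])]
    return ["unrestricted: any command"]

# Constructed sample: the article's rules plus a hypothetical allow-list rule.
SAMPLE = """\
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
kal ALL=(ALL) ALL, !/usr/bin/rm, !/usr/bin/ls
kal ALL=(root) /usr/bin/systemctl restart nginx
"""

def audit_text(text):
    return {ln: audit(r) for ln in text.splitlines() if (r := parse_rule(ln))}

if __name__ == "__main__":
    for line, findings in audit_text(SAMPLE).items():
        print(f"{line}\n    -> {findings or 'ok: explicit command list'}")
```

Only the last sample rule passes without findings, because it names the one command kal may run instead of starting from ALL.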