Adding a user to the sudo group is the normal way to give full administrator sudo access on Ubuntu and Debian systems. On RHEL-family systems such as RHEL, CentOS, Rocky Linux, AlmaLinux, and Fedora, the equivalent group is usually wheel.
This article focuses only on group-based sudo access. Use this method when the user should be allowed to run administrative commands through the distribution's existing sudo group rule.
If you need custom sudo permissions, such as allowing one user to run only /usr/bin/systemctl restart nginx, use a sudoers drop-in instead. That separate method is covered in how to add user to sudoers file with examples.
sudo usermod -aG sudo username. The user must start a new login session before the new group membership is active.
Sudo Group vs Sudoers File
Use the right method for the access you want to grant:
| Requirement | Recommended method |
|---|---|
| Give a trusted user full admin sudo access on Ubuntu/Debian | Add the user to the sudo group |
| Give a trusted user full admin sudo access on RHEL-like systems | Add the user to the wheel group |
| Allow only specific commands | Use a file under /etc/sudoers.d/ |
| Allow passwordless sudo for selected commands | Use a sudoers rule with NOPASSWD: |
| Avoid editing sudo policy manually | Use existing sudo or wheel group rule |
Group-based sudo is simple and broad. Sudoers-file rules are more precise and should be used when you need least-privilege access.
1. Check the Existing Sudo Group Rule
On Ubuntu/Debian, the sudo group is normally authorized by a rule in /etc/sudoers.
getent group sudoTested output:
sudo:x:27:golinuxcloudYou can also check the sudoers group rule:
sudo grep -E '^%sudo|^%wheel' /etc/sudoers /etc/sudoers.d/* 2>/dev/nullTested output:
/etc/sudoers:%sudo ALL=(ALL:ALL) ALLThis means members of the sudo group can run commands as any user and any group after sudo authentication.
For general Linux command reference, see the Linux commands cheat sheet.
2. Create a Test User
If the user already exists, skip this step. The test below used a temporary user named glc_sudo_demo.
sudo useradd -m -s /bin/bash glc_sudo_demo
id glc_sudo_demoTested output:
uid=1001(glc_sudo_demo) gid=1001(glc_sudo_demo) groups=1001(glc_sudo_demo)For more user creation examples, see how to create users in Linux and the useradd command examples.
3. Add User to Sudo Group with usermod
Use usermod -aG to append the user to the sudo group.
sudo usermod -aG sudo glc_sudo_demoThen verify the group membership:
groups glc_sudo_demo
id -nG glc_sudo_demoTested output:
glc_sudo_demo : glc_sudo_demo sudo
glc_sudo_demo sudoThe -a option is important. It appends the new group instead of replacing the user's existing supplementary groups. The -G sudo option selects the supplementary group to add.
See the usermod command examples for more account modification options.
usermod -G sudo username without -a unless you intentionally want to replace the user's supplementary groups. In most cases, use usermod -aG sudo username.
4. Add User to Sudo Group with gpasswd
gpasswd is another safe way to add an existing user to a group.
sudo gpasswd -a glc_sudo_demo sudoTested output:
Adding user glc_sudo_demo to group sudoThis command is easy to read: add user glc_sudo_demo to group sudo.
For broader group management examples, see how to add a user to a group in Linux.
5. Add User to Sudo Group with adduser
Ubuntu and Debian also support the friendly adduser syntax:
sudo adduser username sudoUse this form when you prefer Debian's adduser helper. It adds an existing user to an existing group. Replace username with the real account name.
For more examples, see the adduser command guide.
6. Add User to Wheel Group
RHEL-family distributions commonly use the wheel group for administrator sudo access.
sudo usermod -aG wheel usernameOr use gpasswd:
sudo gpasswd -a username wheelThen verify membership:
groups usernameThe sudoers rule is commonly written for %wheel, which means members of the wheel group can use sudo. See the sudo command examples for more sudo usage patterns.
7. Verify Sudo Access for the User
Use sudo -l -U username to list what sudo allows for a user.
sudo -l -U glc_sudo_demoTested output:
Matching Defaults entries for glc_sudo_demo on server1:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User glc_sudo_demo may run the following commands on server1:
(ALL : ALL) ALLThe line (ALL : ALL) ALL confirms broad sudo access through the sudo group rule.
You can also check sudo access with the methods in check sudo access for a user in Linux.
8. Make the New Sudo Group Active
After adding a user to sudo or wheel, the user should log out and log back in. Existing shells may still have the old group list.
To verify from a new session:
id -nG
sudo -lIf the user still cannot run sudo, check these items:
- The user was added to the correct group for that distribution.
- The sudoers rule for
%sudoor%wheelexists and is not commented incorrectly. - The user started a new login session after the group change.
- The command is being run as the intended user.
Frequently Asked Questions
1. What is the command to add a user to the sudo group on Ubuntu?
2. What is the difference between sudo group and sudoers file?
3. Why does a user still get permission denied after being added to sudo group?
4. Should I add a user to root group instead of sudo group?
5. What group gives sudo access on RHEL, CentOS, Rocky Linux, or AlmaLinux?
6. How do I check if a user has sudo access?
Summary
Use the sudo group on Ubuntu/Debian and the wheel group on RHEL-family systems when you want to give a trusted user full administrator sudo access. The safest common command is sudo usermod -aG sudo username on Ubuntu/Debian or sudo usermod -aG wheel username on RHEL-like systems.
If you need limited access to specific commands, do not use this group method. Create a sudoers rule instead, as shown in how to add user to sudoers file.
