1. Introduction: What Is sudo?
The Basic Meaning and Role of sudo
In Linux and Unix-like systems, sudo is one of the most important commands.
The term sudo stands for “superuser do”, and it is a tool that allows users to temporarily execute commands with administrative (root) privileges.
Normally, regular users are not allowed to perform operations that affect the entire system, such as installing packages or modifying system settings. However, by using the sudo command, these privileged operations can be executed in a controlled and limited manner.
For example, the following command runs apt with root privileges:
sudo apt updateIn this way, sudo plays a critical role as a secure mechanism for using administrative privileges, balancing both system security and usability.
The Difference Between sudo and su
Another command with a similar purpose to sudo is su, but there are clear differences between the two.
sustands for “substitute user” and is used to switch entirely to another user (typically root). When you usesu, you operate as that user for the entire session.- On the other hand,
sudoallows you to remain as your current user while temporarily borrowing administrative privileges for a single command.
In short, su switches users at the session level, while sudo elevates privileges at the command level. From a security perspective, sudo makes it easier to track command history, which is why it has become the standard approach in modern Linux distributions.
Linux Distributions That Commonly Use sudo
The sudo command is enabled by default in many Linux distributions, especially the following:
- Ubuntu-based systems (Ubuntu, Linux Mint, etc.)
→ The root account is disabled by default, and all administrative tasks are performed via sudo. - Debian-based systems
→ sudo may need to be enabled manually, but it is often recommended as a security best practice. - Fedora, CentOS, and Red Hat-based systems
→ Direct root access is possible, but using sudo is still common.
In Ubuntu in particular, the root account is disabled by default, and all administrative operations must be performed using sudo. For this reason, understanding sudo is essential for Ubuntu users.
Why Do People Search for “sudo sudo”?
The keyword “sudo sudo” may look redundant at first glance, but it is often searched for the following reasons:
- Beginners trying to emphasize or better understand the meaning and usage of
sudo - Users encountering errors such as
sudo: sudo: command not found - Confusion after seeing examples where
sudois mistakenly used twice in scripts or pipelines
With these search intentions in mind, the following sections will explain correct usage, configuration methods, and troubleshooting techniques for sudo in detail.
2. Basic Usage of the sudo Command
Basic Syntax of sudo
The basic syntax of sudo is very simple:
sudo [options] commandFor example, to update the system’s package information:
sudo apt updateThis means that the apt update command is executed with root privileges.
Password Authentication and Credential Caching
When you use sudo for the first time, or after a certain amount of time has passed, the system will prompt you to enter your user password. This security mechanism helps prevent accidental misuse or unauthorized access.
After entering your password, it is cached for a fixed period (5 minutes by default on Ubuntu). During this time, subsequent sudo commands do not require re-entering the password. This timeout can be adjusted in the sudoers file.
Commonly Used Options
sudo provides many options to make operations more flexible and convenient. Below are some of the most commonly used ones.
-u (Run as Another User)
By default, commands are executed as root, but with the -u option, you can run a command as any specified user.
sudo -u www-data whoamiThe output will be www-data, confirming that the command was executed as the www-data user.
-s (Start a Shell)
The following command opens a temporary shell with root privileges:
sudo -sBe cautious when working in a root shell.
-i (Simulate a Full Root Login)
This option creates a more complete root environment. Environment variables are switched to those of root, resulting in a root session similar to logging in directly as root.
sudo -i-l (List Allowed Commands)
You can check which commands you are allowed to run with sudo:
sudo -lThis is useful for verifying permission settings and security restrictions.
Important Points for Beginners
- You must include a space after
sudo. For example,sudoaptis incorrect. - When running multiple commands, you need to quote the entire command or separate them with semicolons.
- Launching GUI applications with
sudocan damage configuration files, so it should generally be avoided (for example,sudo gedit).
3. The sudoers File and Access Control
What Is the sudoers File?
The configuration file that controls the behavior of the sudo command is /etc/sudoers. This file defines who can run which commands using sudo.
For example, it allows fine-grained access control such as permitting a user to run only specific commands with sudo.
This flexibility makes it possible to follow the principle of least privilege, granting users only the minimum permissions they need.
Safe Editing with the visudo Command
You should never edit /etc/sudoers directly with a text editor.
A syntax error in this file can disable sudo entirely, making system recovery difficult. For this reason, it is strongly recommended to edit it using the visudo command.
sudo visudovisudo performs a syntax check before saving, allowing safe configuration changes.
Basic Syntax and Configuration Examples
The basic syntax of the sudoers file is as follows:
username hostname = (run-as user) allowed commandsExample:
alice ALL=(ALL:ALL) ALLThis configuration allows the user alice to run all commands as any user on all hosts.
A more restricted example:
bob ALL=(ALL) /usr/bin/systemctl restart nginxThis allows the user bob to run only the nginx restart command with sudo.
Group-Based Control: The sudo Group
On many distributions such as Ubuntu, users who belong to the sudo group are allowed to use sudo.
%sudo ALL=(ALL:ALL) ALLUsing %sudo enables group-based permission management.
To add a user to the sudo group:
sudo usermod -aG sudo usernameThe NOPASSWD Option and Security Considerations
If entering a password every time is inconvenient, you can use the NOPASSWD option to skip password authentication.
alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginxThis allows alice to restart nginx without entering a password.
However, this increases security risk, so it is critical to limit usage to specific commands only. Using NOPASSWD with ALL is not recommended.
4. Advanced sudo Usage
Running Commands as a Specific User
Although sudo typically runs commands as root, it can also execute commands as other users.
For example, to run a command as the www-data user:
sudo -u www-data whoamiThe output will be www-data.
This is useful for verifying permissions and environment differences between users.
Using sudo with Redirection and Pipes
A common point of confusion for beginners is combining sudo with redirection (>) or pipes (|).
The following command looks correct but does not work as expected:
sudo echo "test" > /etc/test.confWhile echo runs with sudo, the redirection is handled by the shell as a normal user.
The correct approach is to use tee:
echo "test" | sudo tee /etc/test.confUsing sudo in Scripts
When scripts require administrative privileges, add sudo only to the commands that require it.
Example (install.sh):
#!/bin/bash
echo "Installing package..."
sudo apt install -y nginxAnother common pattern is checking whether the script is run as root:
if [ "$EUID" -ne 0 ]; then
echo "This script must be run as root"
exit 1
fiUseful sudo Shortcuts
sudo !!
Re-runs the previous command with sudo.
apt update
sudo !!sudo -k
Clears the cached sudo credentials.sudo -v
Extends the current sudo session.
5. Security and Best Practices
Follow the Principle of Least Privilege
The primary goal of using sudo is to operate the system with the minimum necessary privileges.
- Allow only specific commands via sudo
- Limit use of
NOPASSWD - Manage administrators via groups
Logging and Auditing
sudo logs all executed commands.
/var/log/auth.log(Ubuntu/Debian)journalctl(systemd-based systems)
grep 'sudo' /var/log/auth.logjournalctl _COMM=sudo
Real-World sudo Vulnerability (CVE-2021-3156)
Although sudo is highly reliable, serious vulnerabilities have been discovered in the past.
A notable example is CVE-2021-3156 (Baron Samedit), which allowed local users to gain root privileges under specific conditions.
- Keep sudo updated
- Monitor security advisories
sudo Alternative: doas
Some security-focused environments use doas as a simpler alternative to sudo.
doas apt updateConfiguration example:
permit nopass :wheel6. Common Errors and Troubleshooting
User Not in sudoers File
username is not in the sudoers file. This incident will be reported.This means the user lacks sudo privileges.
sudo usermod -aG sudo usernamePermission Denied with Redirection
echo "test" | sudo tee /etc/test.confBroken sudoers File
pkexec visudosudo: command not found
apt update
apt install sudo7. FAQ
Q1. What is the difference between sudo and su?
A: sudo elevates individual commands, while su switches users entirely.
Q2. Is the root password required for sudo?
A: No. You enter your own user password.
Q3. Where are sudo logs stored?
/var/log/auth.log/var/log/securejournalctl _COMM=sudo
Q4. I broke the sudoers file. What should I do?
Use recovery mode or pkexec visudo.
Q5. Can I get root privileges without sudo?
Yes, but it is not recommended.
Q6. Is it safe to run GUI apps with sudo?
No. Use pkexec instead.
8. Summary
Understand sudo Correctly
sudo is a critical access control mechanism, not just a convenience command.
Proper Usage Prevents Problems
- Use least privilege
- Edit with
visudo - Review logs
Choose the Right Operational Style
Select tools such as sudo or doas based on your security policy.
Final Note
Understanding sudo is a foundational step toward mastering Linux system administration.
