Using the sudo command in Linux: Complete guide for administrators and users

Introduction

In the Linux world, the sudo command is one of the most powerful and frequently used tools, relied on by both system administrators and regular users. It lets a user run commands with the privileges of another user, usually the superuser root, without logging in directly as root. This provides a balance between security and convenience, as it limits the time and scope of elevated privileges.

What is sudo?

Sudo, an acronym for ‘superuser do’, is a program that allows an authorized user to execute a command as another user, according to the policy defined in the /etc/sudoers file. Instead of sharing the root password, sudo prompts for the user’s own password and verifies whether they have permission to perform the requested action. This mechanism is based on an access control list that specifies which users or groups may execute which commands, on which hosts, and with what privileges.

Why use sudo instead of root

Using sudo instead of opening a session as root presents several security advantages. First, it reduces the risk of accidental errors: when working with a root shell, any harmful command runs without restrictions; with sudo, each elevated operation must be explicitly authorized. Second, it generates a detailed log: each use of sudo is recorded in system logs, facilitating auditing and detection of suspicious activity. Third, it allows applying the principle of least privilege: a user can obtain only the permissions needed for a specific task, rather than having absolute control over the entire environment.

Basic syntax

The simplest way to use sudo is: sudo command [arguments]. When executed, the system will prompt for the user’s password (unless it has been configured not to require it). If authentication succeeds, the command will run with the privileges specified in the sudoers policy. For example, to update the package list on a Debian-based distribution, you write: sudo apt update. If you need to run a command as a user other than root, use the -u option followed by the username: sudo -u username command.

Most used options

  • -u user: Executes the command as the specified user instead of root.
  • -l: Lists the commands that the user is authorized to run with sudo.
  • -v: Refreshes the cached credentials, extending the period before the password must be re-entered.
  • -k: Invalidates the sudo timestamp, forcing the next request to require a password.
  • -b: Runs the command in the background.
  • -H: Sets the HOME environment variable to the target user’s home directory.

Practical examples

  • Updating the system on Ubuntu/Debian: sudo apt update && sudo apt upgrade -y
  • Installing a package on Fedora: sudo dnf install package_name
  • Viewing the sudoers rules that apply to your user (read-only): sudo -l
  • Running a script with another user’s privileges: sudo -u www-data /var/www/script.sh
  • Mounting a filesystem that requires privileges: sudo mount /dev/sdb1 /mnt
  • Changing the ownership of a file securely: sudo chown user:group file
  • Restarting a system service: sudo systemctl restart service_name

Security best practices

  • Edit the /etc/sudoers file exclusively with visudo, which checks syntax before saving and prevents locking yourself out.
  • Apply the principle of least privilege: grant only the necessary commands to each user or group.
  • Avoid using NOPASSWD except in trusted automated scripts and always limit its scope to specific commands.
  • Keep the system updated to benefit from security patches that affect sudo.
  • Periodically review sudo logs (/var/log/auth.log or /var/log/secure) to detect unusual usage.
  • Configure a reasonable timeout (e.g., 5 minutes) so that sudo credentials expire automatically.
  • Use the -H option when running commands that depend on the HOME variable, preventing programs from reading root’s user configurations.
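
The periodic log review recommended above can be partly automated. The following is an added example, not part of the original article: it filters sudo records from an auth log and flags denied attempts, password failures and shell launches. The function names, the alert labels and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): flag notable sudo events.
# Reads syslog-format lines on stdin, e.g.  sudo_alerts < /var/log/auth.log
sudo_alerts() {
  awk '
  {
    # Keep only lines carrying the sudo syslog tag ("sudo:" or "sudo[pid]:").
    if (!match($0, / sudo(\[[0-9]+\])?: /)) next
    rest = substr($0, RSTART + RLENGTH)
    # sudo records look like "<user> : <field> ; <field> ; ...".
    # PAM session lines share the tag but lack the " : " separator.
    split(rest, part, / ; /)
    if (split(part[1], head, / : /) < 2) next
    user = head[1]; gsub(/^ +| +$/, "", user)
    # Take COMMAND= to end of line so arguments containing " ; " survive.
    c = index(rest, "COMMAND=")
    cmd = c ? substr(rest, c + 8) : "-"
    if (head[2] ~ /NOT in sudoers|command not allowed/)        kind = "DENIED"
    else if (head[2] ~ /incorrect password attempt/)           kind = "AUTHFAIL"
    else if ((cmd " ") ~ "^(/usr)?/bin/((ba|da|z)?sh|su) ")    kind = "SHELL"
    else next
    printf "%s user=%s cmd=%s\n", kind, user, cmd
  }'
}

# Constructed sample lines in the format sudo writes to auth.log / secure.
sample_log() {
cat <<'EOF'
Jan 10 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 10 10:16:12 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 10 10:17:40 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/visudo
Jan 10 10:18:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan 10 10:19:30 web01 sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Jan 10 10:20:00 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
EOF
}

sample_log | sudo_alerts
```

A SHELL alert is not a policy violation by itself; it marks the point where per-command logging stops, because commands typed inside the resulting shell are not recorded by sudo.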

Troubleshooting common problems

  • ‘user is not in the sudoers file’: This message indicates the user lacks permissions. Solution: add an appropriate rule in sudoers via visudo.
  • ‘a password must be set’: If sudo asks for a password and the user forgets it, they need to recover it or use another configured authentication method.
  • Syntax error in sudoers: Saving a malformed file breaks sudo. Use a recovery console or run pkexec visudo if available.
  • Command not found when using sudo: Check the PATH variable; sometimes root’s environment has a different PATH. Use absolute paths or adjust secure_path in sudoers.

This work is licensed under a Creative Commons Attribution 4.0 International License for Francesc Roig francesc@vivaldi.net.