linux

How to Install sudo on Debian

Install sudo on Debian 11, 12, or 13 with apt install sudo, add your user to the sudo group, verify with sudo -l, and edit sudoers safely with visudo. Covers minimal installs without sudo, su as root, and fixing common errors.

Published

Updated

Read time 6 min read

Reviewed byDeepak Prasad

How to Install sudo on Debian

sudo lets approved users run commands as root (or another account) without sharing the root password. On many Debian servers—especially minimal or netinst images—the sudo package is not installed until you add it. After install, you typically add your user to the sudo group so /etc/sudoers rule %sudo ALL=(ALL:ALL) ALL applies.

This guide covers install sudo on Debian for Debian 11 (Bullseye), 12 (Bookworm), and 13 (Trixie): install with apt, grant privileges with usermod, verify with sudo -l, configure drop-ins under /etc/sudoers.d/, and fix common errors. For day-to-day sudo options after setup, see the sudo command cheat sheet. I ran these steps on Debian 13 and kept real terminal output below.

Tested on: Debian 13 (trixie); kernel 6.12.94+deb13-amd64; amd64; sudo 1.9.16p2-3+deb13u2.

IMPORTANT
You need root access to install sudo the first time—use the root account, su -, or the installer’s root shell. A normal user cannot run sudo apt install sudo until sudo exists and they are in group sudo.

When Debian ships without sudo

Situation What you have Typical fix
Desktop / full install sudo often pre-installed Add your user to group sudo if needed
Minimal / cloud image Only root or su apt install sudo as root, then usermod -aG sudo
Installer choice Root-only workflow Install sudo later from Debian Wiki — sudo

Debian uses group sudo, not wheel (common on Fedora/RHEL). On the test host:

bash 
getent group wheel 2>/dev/null || echo "no wheel group"
text 
no wheel group

Check whether sudo is installed

bash 
. /etc/os-release && echo "$PRETTY_NAME"
command -v sudo || echo "sudo: not installed"
dpkg -l sudo 2>/dev/null | grep ^ii
sudo --version 2>/dev/null | head -3
apt-cache policy sudo | head -8

On Debian 13 with sudo already present:

text 
Debian GNU/Linux 13 (trixie)
/usr/bin/sudo
ii  sudo  1.9.16p2-3+deb13u2  amd64  Provide limited super user privileges to specific users
Sudo version 1.9.16p2
Sudoers policy plugin version 1.9.16p2
Sudoers file grammar version 50
sudo:
  Installed: 1.9.16p2-3+deb13u2
  Candidate: 1.9.16p2-3+deb13u2

If command -v sudo prints nothing, continue to the install section as root.

Install sudo from Debian apt

Switch to root when you do not have sudo yet (su command):

bash 
su -
# enter root password
apt update
apt install -y sudo
exit

Or run the install in one shot:

bash 
su -c 'apt update && apt install -y sudo' root
text 
Reading package lists...
sudo is already the newest version (1.9.16p2-3+deb13u2).

Fresh install on a system without the package pulls sudo from main plus PAM and related libraries:

text 
Depends: libpam0g, libpam-modules, libapparmor1, libaudit1, libselinux1, libssl3t64, zlib1g, ...

Confirm the binary:

bash 
which sudo
sudo --version | head -1
text 
/usr/bin/sudo
Sudo version 1.9.16p2

Add your user to the sudo group

Debian’s default rule in /etc/sudoers:

bash 
grep -E '^%sudo|^root' /etc/sudoers
getent group sudo
text 
root	ALL=(ALL:ALL) ALL
%sudo	ALL=(ALL:ALL) ALL
sudo:x:27:

Add an existing user (replace youruser):

bash 
sudo usermod -aG sudo youruser

Using adduser and usermod for a new account:

bash 
sudo adduser deploy --gecos ""
sudo usermod -aG sudo deploy
id deploy
text 
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),27(sudo)
HINT
Group changes are not live in an existing shell. Log out and back in, open a new SSH session, or run su - youruser before testing sudo. This fixes the common “user is not in the sudoers file” report right after usermod.

Verify sudo works

After a new login:

bash 
groups
sudo -l
sudo whoami

For a user in %sudo, sudo -l prompts for your user password and lists allowed commands. On a configured system you should see rules derived from %sudo ALL=(ALL:ALL) ALL.

bash 
sudo whoami
text 
root

Run a package command to confirm integration with apt:

bash 
sudo apt update 2>&1 | tail -3

Configure sudoers safely

Edit the main file only with visudo—it runs a syntax check before saving:

bash 
sudo visudo -c
text 
/etc/sudoers: parsed OK
/etc/sudoers.d/README: parsed OK

List drop-in directory:

bash 
ls -la /etc/sudoers.d/
text 
drwxr-xr-x  2 root root 4096 Jun 29 01:48 .
-r--r-----  1 root root 1068 Apr 11 08:21 README

Add a drop-in under /etc/sudoers.d/

Prefer small files in /etc/sudoers.d/ over editing /etc/sudoers directly (Debian Wiki, visudo best practice):

bash 
sudo visudo -f /etc/sudoers.d/deploy-backup

Example: allow one command without a password (narrow scope only):

text 
deploy ALL=(root) NOPASSWD: /usr/bin/rsync

If you create the file with tee, fix permissions—visudo -c fails on world-readable drop-ins:

bash 
echo 'deploy ALL=(root) NOPASSWD: /usr/bin/whoami' | sudo tee /etc/sudoers.d/deploy-test >/dev/null
sudo chmod 0440 /etc/sudoers.d/deploy-test
sudo visudo -c
sudo rm /etc/sudoers.d/deploy-test

Wrong mode:

text 
/etc/sudoers.d/deploy-test: bad permissions, should be mode 0440

Correct mode:

text 
/etc/sudoers: parsed OK
/etc/sudoers.d/deploy-test: parsed OK

Work as root without sudo

When sudo is missing or broken, use su (su command):

bash 
su -c 'whoami' root
which su
text 
root
/usr/bin/su

su requires the target account’s password (usually root). sudo uses your user password and is auditable in syslog—preferred for daily administration once configured.

Update sudo

bash 
sudo apt update
sudo apt install --only-upgrade sudo
sudo --version | head -1

Check installed version with list installed packages on Debian:

bash 
dpkg -l sudo | grep ^ii

Uninstall sudo

Only when you intentionally want root-only administration:

bash 
su -
apt remove --purge sudo

Keep console or su access before removing sudo. Other packages may recommend sudo (for example some game launchers); they still run without it if you use root.

Troubleshooting

Symptom Likely cause Fix
sudo: command not found Package not installed As root: apt install sudo
user is not in the sudoers file User not in group sudo usermod -aG sudo USER; re-login
sudo: a password is required Normal behavior Enter your user password, not root’s
sudo: unable to resolve host ... /etc/hosts missing hostname Add 127.0.1.1 hostname to /etc/hosts
visudo / sudo parse error Bad syntax or file mode visudo -c; chmod 0440 on /etc/sudoers.d/*
Installed sudo but still denied Old shell session Log out and in; verify with groups and id
Cannot install sudo as normal user Chicken-and-egg Use su - or root login first (Unix.SE discussion)

References

Summary

Install sudo on Debian with apt install sudo as root (or via su -), add accounts to group sudo with usermod -aG sudo USER, then log in again and confirm with sudo whoami. Edit policy using visudo and /etc/sudoers.d/ files at mode 0440. On minimal systems without sudo, use su until the package is installed—then switch to sudo for routine tasks and see the sudo command guide for options.

Frequently Asked Questions

1. How do I install sudo on Debian?

As root, run apt update && apt install -y sudo. If you are a normal user without sudo yet, switch to root with su - (root password), install the package, add your account to group sudo with usermod -aG sudo USER, then log out and back in.

2. Why is sudo not installed on my Debian system?

Minimal and some netinst installs omit sudo by design—you work as root or use su until you install it. The installer may also skip sudo when you choose not to set up a standard user account with elevated privileges.

3. How do I add a user to sudo on Debian?

Run sudo usermod -aG sudo username (or as root: usermod -aG sudo username). The user must start a new login session—log out, reconnect SSH, or reboot—before sudo recognizes the new group membership.

4. What is the difference between the sudo group and wheel on Debian?

Debian grants full sudo access through group sudo and the %sudo line in /etc/sudoers. RHEL-style wheel is not used by default on Debian—getent group wheel usually returns nothing unless you create it yourself.

5. How do I fix sudo is not in the sudoers file?

Your user is not in group sudo and has no sudoers entry. As root, run usermod -aG sudo USER, re-login, or add a line with visudo. Never edit /etc/sudoers with a normal text editor without visudo -c.

6. How do I edit sudoers safely on Debian?

Always use sudo visudo for /etc/sudoers or sudo visudo -f /etc/sudoers.d/filename for drop-ins. After creating a file under /etc/sudoers.d/, set mode 0440 with chmod. Validate with sudo visudo -c.

7. Can I use sudo without a password on Debian?

Yes, with a targeted sudoers rule such as NOPASSWD for specific commands—but granting passwordless ALL is risky. Prefer group sudo with password prompt, or limit NOPASSWD to one command path in /etc/sudoers.d/.

8. How do I remove sudo from Debian?

As root: apt remove --purge sudo. Ensure you still have root console or su access before removing it. Removing sudo does not remove users from group sudo, but they lose the sudo command until you reinstall.
Omer Cakmak

Linux Administrator

Highly skilled at managing Debian, Ubuntu, CentOS, Oracle Linux, and Red Hat servers. Proficient in bash scripting, Ansible, and AWX central server management, he handles server operations on …

Related Articles

linux

How to Install AWS CLI on Debian

Install AWS CLI on Debian 11, 12, or 13 with the official awscli-exe-linux bundle, apt install awscli on …

6 min readlinux

How to Install Flatpak on Debian

Install Flatpak on Debian 11, 12, or 13 with apt install flatpak, add the Flathub remote, install sandboxed …

6 min readlinux

How to Install Go on Debian

Install Go on Debian 11, 12, or 13 with apt install golang-go, the official go.dev Linux tarball under …

6 min read