sudo lets approved users run commands as root (or another account) without sharing the root password. On many Debian servers—especially minimal or netinst images—the sudo package is not installed until you add it. After install, you typically add your user to the sudo group so /etc/sudoers rule %sudo ALL=(ALL:ALL) ALL applies.
This guide covers install sudo on Debian for Debian 11 (Bullseye), 12 (Bookworm), and 13 (Trixie): install with apt, grant privileges with usermod, verify with sudo -l, configure drop-ins under /etc/sudoers.d/, and fix common errors. For day-to-day sudo options after setup, see the sudo command cheat sheet. I ran these steps on Debian 13 and kept real terminal output below.
Tested on: Debian 13 (trixie); kernel 6.12.94+deb13-amd64; amd64; sudo 1.9.16p2-3+deb13u2.
sudo the first time—use the root account, su -, or the installer’s root shell. A normal user cannot run sudo apt install sudo until sudo exists and they are in group sudo.
When Debian ships without sudo
| Situation | What you have | Typical fix |
|---|---|---|
| Desktop / full install | sudo often pre-installed |
Add your user to group sudo if needed |
| Minimal / cloud image | Only root or su |
apt install sudo as root, then usermod -aG sudo |
| Installer choice | Root-only workflow | Install sudo later from Debian Wiki — sudo |
Debian uses group sudo, not wheel (common on Fedora/RHEL). On the test host:
getent group wheel 2>/dev/null || echo "no wheel group"no wheel groupCheck whether sudo is installed
. /etc/os-release && echo "$PRETTY_NAME"
command -v sudo || echo "sudo: not installed"
dpkg -l sudo 2>/dev/null | grep ^ii
sudo --version 2>/dev/null | head -3
apt-cache policy sudo | head -8On Debian 13 with sudo already present:
Debian GNU/Linux 13 (trixie)
/usr/bin/sudo
ii sudo 1.9.16p2-3+deb13u2 amd64 Provide limited super user privileges to specific users
Sudo version 1.9.16p2
Sudoers policy plugin version 1.9.16p2
Sudoers file grammar version 50
sudo:
Installed: 1.9.16p2-3+deb13u2
Candidate: 1.9.16p2-3+deb13u2If command -v sudo prints nothing, continue to the install section as root.
Install sudo from Debian apt
Switch to root when you do not have sudo yet (su command):
su -
# enter root password
apt update
apt install -y sudo
exitOr run the install in one shot:
su -c 'apt update && apt install -y sudo' rootReading package lists...
sudo is already the newest version (1.9.16p2-3+deb13u2).Fresh install on a system without the package pulls sudo from main plus PAM and related libraries:
Depends: libpam0g, libpam-modules, libapparmor1, libaudit1, libselinux1, libssl3t64, zlib1g, ...Confirm the binary:
which sudo
sudo --version | head -1/usr/bin/sudo
Sudo version 1.9.16p2Add your user to the sudo group
Debian’s default rule in /etc/sudoers:
grep -E '^%sudo|^root' /etc/sudoers
getent group sudoroot ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
sudo:x:27:Add an existing user (replace youruser):
sudo usermod -aG sudo youruserUsing adduser and usermod for a new account:
sudo adduser deploy --gecos ""
sudo usermod -aG sudo deploy
id deployuid=1001(deploy) gid=1001(deploy) groups=1001(deploy),27(sudo)su - youruser before testing sudo. This fixes the common “user is not in the sudoers file” report right after usermod.
Verify sudo works
After a new login:
groups
sudo -l
sudo whoamiFor a user in %sudo, sudo -l prompts for your user password and lists allowed commands. On a configured system you should see rules derived from %sudo ALL=(ALL:ALL) ALL.
sudo whoamirootRun a package command to confirm integration with apt:
sudo apt update 2>&1 | tail -3Configure sudoers safely
Edit the main file only with visudo—it runs a syntax check before saving:
sudo visudo -c/etc/sudoers: parsed OK
/etc/sudoers.d/README: parsed OKList drop-in directory:
ls -la /etc/sudoers.d/drwxr-xr-x 2 root root 4096 Jun 29 01:48 .
-r--r----- 1 root root 1068 Apr 11 08:21 READMEAdd a drop-in under /etc/sudoers.d/
Prefer small files in /etc/sudoers.d/ over editing /etc/sudoers directly (Debian Wiki, visudo best practice):
sudo visudo -f /etc/sudoers.d/deploy-backupExample: allow one command without a password (narrow scope only):
deploy ALL=(root) NOPASSWD: /usr/bin/rsyncIf you create the file with tee, fix permissions—visudo -c fails on world-readable drop-ins:
echo 'deploy ALL=(root) NOPASSWD: /usr/bin/whoami' | sudo tee /etc/sudoers.d/deploy-test >/dev/null
sudo chmod 0440 /etc/sudoers.d/deploy-test
sudo visudo -c
sudo rm /etc/sudoers.d/deploy-testWrong mode:
/etc/sudoers.d/deploy-test: bad permissions, should be mode 0440Correct mode:
/etc/sudoers: parsed OK
/etc/sudoers.d/deploy-test: parsed OKWork as root without sudo
When sudo is missing or broken, use su (su command):
su -c 'whoami' root
which suroot
/usr/bin/susu requires the target account’s password (usually root). sudo uses your user password and is auditable in syslog—preferred for daily administration once configured.
Update sudo
sudo apt update
sudo apt install --only-upgrade sudo
sudo --version | head -1Check installed version with list installed packages on Debian:
dpkg -l sudo | grep ^iiUninstall sudo
Only when you intentionally want root-only administration:
su -
apt remove --purge sudoKeep console or su access before removing sudo. Other packages may recommend sudo (for example some game launchers); they still run without it if you use root.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
sudo: command not found |
Package not installed | As root: apt install sudo |
user is not in the sudoers file |
User not in group sudo |
usermod -aG sudo USER; re-login |
sudo: a password is required |
Normal behavior | Enter your user password, not root’s |
sudo: unable to resolve host ... |
/etc/hosts missing hostname |
Add 127.0.1.1 hostname to /etc/hosts |
visudo / sudo parse error |
Bad syntax or file mode | visudo -c; chmod 0440 on /etc/sudoers.d/* |
| Installed sudo but still denied | Old shell session | Log out and in; verify with groups and id |
| Cannot install sudo as normal user | Chicken-and-egg | Use su - or root login first (Unix.SE discussion) |
References
- Debian Wiki — sudo
- Cyberciti — install and configure sudo on Debian
- Thomas-Krenn — Creation of sudo user in Debian
- On-site: sudo command, su command, adduser, usermod, useradd, apt command
Summary
Install sudo on Debian with apt install sudo as root (or via su -), add accounts to group sudo with usermod -aG sudo USER, then log in again and confirm with sudo whoami. Edit policy using visudo and /etc/sudoers.d/ files at mode 0440. On minimal systems without sudo, use su until the package is installed—then switch to sudo for routine tasks and see the sudo command guide for options.

