Introduction to sudo command
The sudo command in Linux stands for Super User DO. It allows you to execute a command as another user, including the superuser. sudo is an efficient way to access root privileges and execute a command as the root user. With sudo, you can access root privileges without knowing the root password or logging in as the root user. The user needs to have the sudo privileges to run the
How to install sudo
In most of the Linux distributions, sudo is pre-installed on the system. However, if you do not find the sudo package on the system, you can install it from the default package management repositories.
To install sudo on CentOS, Fedora, and RHEL
# yum install sudo
To install sudo on Ubuntu and Debian
# apt install sudo
Syntax for sudo command
The security policy determines whether or not a user has sudo privileges. The default security policy is sudoers configured in the file /etc/sudoers.
The general syntax for sudo command is as follows:
$ sudo [options] command
Some of the options available in sudo command are:
- -V: display version information of sudo
- -h: display help message and exit
- -l: list user's privileges or check a specific command
- -k: reset the user's timestamp
- -u: run the command as a different user
Different examples to use sudo command
1. Use sudo to run command as a root user
By default, when no user is specified, sudo runs a command as the root user. It is mostly used to run commands that need root permission.
$ sudo command
When listing the root directory, the permission was denied because only the root user can list the root directory. But, after using the sudo command, we can list the root directory.
Similarly, when you want to install, remove, or update the package in the system, you will need the root privilege. You can use sudo command to install the package without logging in as a root user.
2. Use sudo to run command as a different user
--user option allows you to run a command as the specified user name or user ID. So, you can run the command as a user other than the root.
$ sudo -u user command
$ sudo --user=user command
golinux@ubuntu-PC:~$ sudo -u deepak whoami
deepak
You can also change the password of another user without logging in.
golinux@ubuntu-PC:~$ sudo passwd deepak
New password:
Retype new password:
passwd: password updated successfully
3. List user privileges with sudo command
--list option is used to list user's privileges on the output. You can use this option twice for a longer format.
$ sudo -l
$ sudo --list
It shows the user golinux can run all the commands with sudo on the system.
deepak@ubuntu:~$ sudo -l
[sudo] password for deepak:
Matching Defaults entries for deepak on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User deepak may run the following commands on ubuntu:
    (ALL : ALL) ALL
-l twice for longer output:
deepak@ubuntu:~$ sudo -ll
Matching Defaults entries for deepak on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User deepak may run the following commands on ubuntu:
Sudoers entry:
    RunAsUsers: ALL
    RunAsGroups: ALL
    Commands:
        ALL
It also checks for a specific command in the system. Let's check the command
As you can see, it does not run the command but only checks where it is located in the system.
golinux@ubuntu-PC:~$ sudo -l adduser
/usr/sbin/adduser
4. Display privileges for another user with sudo command
You can use --other-user option with -l option to display the user privileges of the given user.
$ sudo -l -U user
$ sudo -l --other-user user
As you can see, the user deepak does not have sudo privileges but the root user can run all the commands.
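When reviewing several accounts, the output of sudo -l -U can be filtered for entries whose command list is ALL. The following is an added example, not part of the original tutorial; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag unrestricted entries in `sudo -l -U USER` output.

# Reads short-format `sudo -l` output on stdin and prints
# "user<TAB>runas" for every entry whose command list contains ALL.
unrestricted_entries() {
    awk '
        /^User .* may run the following commands/ { user = $2; in_list = 1; next }
        /is not allowed to run sudo/               { in_list = 0; next }
        in_list && /^[ \t]+\(/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            runas = line; sub(/\).*/, ")", runas)      # e.g. "(ALL : ALL)"
            cmds = line;  sub(/^\([^)]*\)[ \t]*/, "", cmds)
            # Drop leading tags such as "NOPASSWD:" before comparing.
            while (cmds ~ /^[A-Z_]+:[ \t]*/) sub(/^[A-Z_]+:[ \t]*/, "", cmds)
            n = split(cmds, c, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (c[i] == "ALL") { print user "\t" runas; break }
        }
    '
}

# Constructed sample: concatenated `sudo -l -U` output for four accounts.
# The accounts "ops" and "backup" are hypothetical.
sample_sudo_l() {
    cat <<'EOF'
User deepak is not allowed to run sudo on ubuntu.
Matching Defaults entries for root on ubuntu:
    env_reset, mail_badpass
User root may run the following commands on ubuntu:
    (ALL : ALL) ALL
User ops may run the following commands on ubuntu:
    (root) /usr/sbin/adduser
User backup may run the following commands on ubuntu:
    (root) NOPASSWD: ALL
EOF
}

# Live use (as root), one account at a time:
#   sudo -l -U deepak | unrestricted_entries
sample_sudo_l | unrestricted_entries
```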
5. sudo command to add a user to the sudo group
When you add a user to the sudo group, that user will be able to run all commands with sudo. You can add a user to the sudo group with the following command on Ubuntu and Debian.
$ sudo usermod -aG sudo user
On RHEL, CentOS, and Fedora, you can use:
$ sudo usermod -aG wheel user
6. sudo command to add users to the sudoers file
The user and group sudo privileges are defined in the /etc/sudoers file. The user who is listed in the sudoers file has sudo privileges and can run sudo command. You can add a user in the sudoers file by using:
$ sudo visudo
You need to add [username] ALL=(ALL:ALL) ALL under the User privilege specification section.
7. Run command in the background with sudo
--background option can be used to run the given command in the background. When you use this option, you cannot use shell job control to manipulate the process.
$ sudo -b command
$ sudo --background command
8. Update sudoers files using sudo command
Normally visudo is used to add, remove, or modify sudoers entries in /etc/sudoers, but if you intend to add another file inside /etc/sudoers.d then you can edit files in the terminal using the --edit option with the sudo command. This is the recommended way when we are updating a sudoers entry for any user to avoid any syntax errors.
$ sudo -e file
$ sudo --edit file
You can only edit files in a directory that is non-writable. It opens the nano editor to edit the file.
$ sudo -e /etc/sudoers.d/01-sudo-rule
This will create a new sudo rule inside /etc/sudoers.d based on the content added in this file. If you didn't follow proper syntax while adding sudo rules, then after saving the file you won't be able to access the file again, or you may not be able to save the file itself. Here is a sample error when I intentionally gave a wrong syntax in my sudoers file:
deepak@ubuntu:~$ sudo -e /etc/sudoers.d/01-sudo-rule
>>> /etc/sudoers.d/01-sudo-ssh: syntax error near line 2 <<<
sudo: parse error in /etc/sudoers.d/01-sudo-rule near line 2
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
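One way to avoid the broken-policy state shown above is to syntax-check a drop-in with visudo -c -f before it lands in /etc/sudoers.d. The following is an added example, not part of the original tutorial; the function name install_sudoers_dropin and the VISUDO override variable are hypothetical.

```shell
#!/bin/sh
# Added example: stage a sudoers drop-in, syntax-check it, then install it.
# VISUDO is a hypothetical override hook; by default the real visudo is used.
VISUDO=${VISUDO:-visudo}

# install_sudoers_dropin SRC DEST
# Returns 0 if SRC passed the syntax check and was installed at DEST,
# 1 on bad arguments or file names, 2 if the check failed (DEST untouched).
install_sudoers_dropin() {
    src=$1
    dest=$2
    [ -r "$src" ] && [ -n "$dest" ] || return 1

    # sudo skips files in /etc/sudoers.d whose names contain '.' or end in '~',
    # so a rule saved under such a name would silently never apply.
    case $(basename "$dest") in
        *.*|*~) echo "sudo would ignore this file name: $dest" >&2; return 1 ;;
    esac

    # Stage next to the destination so the final mv is an atomic rename.
    # The dot in the staging name keeps sudo from reading the unchecked file.
    tmp=$(mktemp "$(dirname "$dest")/.sudoers-stage-XXXXXX") || return 1
    cat "$src" > "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }

    # visudo -c is check-only mode; -f selects the file to check.
    if ! "$VISUDO" -c -f "$tmp" >/dev/null 2>&1; then
        echo "syntax check failed, $dest left unchanged" >&2
        rm -f "$tmp"
        return 2
    fi
    mv -f "$tmp" "$dest"
}

# Usage (as root):
#   install_sudoers_dropin ./01-sudo-rule /etc/sudoers.d/01-sudo-rule
```

Keeping a root shell open in a second terminal while changing sudoers files leaves a way back in if a rule still turns out to be wrong.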
9. sudo command to update the user’s cached credentials
--validate option tells sudo to update the user's cached credentials. It updates user's timestamp without running a command.
$ sudo -v
$ sudo --validate
It does not print any output but displays an error if the user does not have sudo privileges.
golinux@ubuntu-PC:~$ sudo -v
[sudo] password for golinux:
10. sudo command to invalidate user’s cached credentials
--reset-timestamp option removes the user's timestamp or cached credentials. So, the next time you run the sudo command, you will be required to enter a password. It allows a user to revoke sudo permissions from a .logout file.
$ sudo -k
$ sudo --reset-timestamp
11. sudo command to remove the user’s timestamp completely
--remove-timestamp is similar to -k option except that it removes the user's timestamp or cached credentials completely. Not all security policies support credential caching.
$ sudo -K
$ sudo --remove-timestamp
sudo command vs su command
The sudo and su commands are used to access the privileges of other accounts, including the root. The su command is used to switch the user account whereas the sudo command is used to run a command as the root user or a different user. Generally, with the su command, you will need the password of the target user. But sudo asks for the password of the current user.
For more details on su command, please read 9 su command examples in Linux [Cheat Sheet]
In this tutorial, we discussed the usages and the most common examples of sudo command in Linux. We hope you have learned how to use sudo command and execute the commands as another user with sudo privileges. If you still have any confusion, do let us know in the comment section.
9 su command examples in Linux [Cheat Sheet]
How to add user to sudoers with best practices & examples
4 easy methods to check sudo access for user in Linux