Introduction to sudo command
The sudo command in Linux stands for Super User DO. It allows you to execute a command as another user, including the superuser. sudo is an efficient way to access root privileges and execute a command as the root user. With sudo, you can access root privileges without knowing the root password or logging in as the root user. The user needs to have sudo privileges to run the sudo command.
How to install sudo
In most of the Linux distributions, sudo is pre-installed on the system. However, if you do not find the sudo package on the system, you can install it from the default package management repositories.
To install sudo on CentOS, Fedora, and RHEL
# yum install sudo
To install sudo on Ubuntu and Debian
# apt install sudo
Syntax for sudo command
The security policy determines whether or not a user has sudo privileges. The default security policy is sudoers configured in the file /etc/sudoers.
The general syntax for the sudo command is as follows:
$ sudo [options] command
Some of the options available in the sudo command are:
- -V: display version information of sudo
- -h: display help message and exit
- -l: list user's privileges or check a specific command
- -k: reset the user's timestamp
- -u: run the command as a different user
Different examples to use sudo command
1. Use sudo to run command as a root user
By default, when no user is specified, sudo runs a command as the root user. It is mostly used to run commands that need root permission.
$ sudo command
Sample Output:
When listing the root directory, the permission was denied because only the root user can list the root directory. But, after using the sudo command, we can list the root directory.
Similarly, when you want to install, remove, or update a package in the system, you will need root privileges. You can use the sudo command to install the package without logging in as the root user.
2. Use sudo to run command as a different user
The -u or --user option allows you to run a command as the specified user name or user ID. So, you can run the command as a user other than root.
$ sudo -u user command
OR
$ sudo --user=user command
Sample Output:
golinux@ubuntu-PC:~$ sudo -u deepak whoami
deepak
You can also change the password of another user without logging in.
golinux@ubuntu-PC:~$ sudo passwd deepak
New password:
Retype new password:
passwd: password updated successfully
3. List user privileges with sudo command
The -l or --list option is used to list the user's privileges in the output. You can use this option twice for a longer format.
$ sudo -l
OR
$ sudo --list
Sample Output:
It shows the user golinux can run all the commands with sudo on the system.
deepak@ubuntu:~$ sudo -l
[sudo] password for deepak:
Matching Defaults entries for deepak on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User deepak may run the following commands on ubuntu:
(ALL : ALL) ALL
Use -l twice for longer output:
deepak@ubuntu:~$ sudo -ll
Matching Defaults entries for deepak on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User deepak may run the following commands on ubuntu:
Sudoers entry:
RunAsUsers: ALL
RunAsGroups: ALL
Commands:
ALL
It also checks for a specific command in the system. Let's check the commands adduser and nmap using sudo -l.
As you can see, it does not run the command but only checks where it is located in the system.
golinux@ubuntu-PC:~$ sudo -l adduser
/usr/sbin/adduser
4. Display privileges for another user with sudo command
You can use the -U or --other-user option with the -l option to display the user privileges of the given user.
$ sudo -l -U user
OR
$ sudo -l --other-user user
Sample Output:
As you can see, the user deepak does not have sudo privileges but the root user can run all the commands.
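The listing format shown in examples 3 and 4 can be checked mechanically when reviewing many accounts. The following is an added example, not part of the original article: it reads sudo -l or sudo -l -U user output on stdin and flags rules that allow every command or skip the password prompt. The helper names audit_sudo_list and sample_listing and the two extra sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# audit_sudo_list (hypothetical helper name) reads `sudo -l` style text on
# stdin and prints one finding per rule that deserves a second look.
audit_sudo_list() {
    awk '
        # Rule lines come after the "may run the following commands" header
        /may run the following commands/ { in_rules = 1; next }
        in_rules && /^[ \t]*\(/ {
            rule = $0
            sub(/^[ \t]+/, "", rule)
            # Everything after the "(runas)" part is tags plus the command list
            cmds = substr(rule, index(rule, ")") + 1)
            sub(/^[ \t]+/, "", cmds)
            if (cmds ~ /NOPASSWD:/) print "NOPASSWD: " rule
            gsub(/[A-Z_]+:[ \t]*/, "", cmds)    # strip tags such as NOPASSWD:
            if (cmds == "ALL") print "UNRESTRICTED: " rule
        }
    '
}

# Constructed sample: the deepak listing from above plus two made-up rules
sample_listing() {
    cat <<'EOF'
User deepak may run the following commands on ubuntu:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/apt update
EOF
}

sample_listing | audit_sudo_list
```

On a live system the same function can be fed with sudo -l -U user | audit_sudo_list for each account under review.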
5. sudo command to add a user to the sudo group
When you add a user to the sudo group, that user will be able to run all commands with sudo. You can add a user to the sudo group with the following command on Ubuntu and Debian.
$ sudo usermod -aG sudo user
On RHEL, CentOS, and Fedora, you can use:
$ sudo usermod -aG wheel user
6. sudo command to add users to the sudoers file
The user and group sudo privileges are defined in the /etc/sudoers file. A user who is listed in the sudoers file has sudo privileges and can run the sudo command. You can add a user to the sudoers file by using the visudo command.
$ sudo visudo
Sample Output:
You need to add [username] ALL=(ALL:ALL) ALL under the User privilege specification.
7. Run command in the background with sudo
The -b or --background option can be used to run the given command in the background. When you use this option, you cannot use shell job control to manipulate the process.
$ sudo -b command
OR
$ sudo --background command
8. Update sudoers files using sudo command
Normally visudo is used to add, remove, or modify sudoers entries in /etc/sudoers, but if you intend to add another file inside /etc/sudoers.d, you can edit files in the terminal using the -e or --edit option with the sudo command. This is the recommended way when we are updating the sudoers entry for any user to avoid any syntax errors.
$ sudo -e file
OR
$ sudo --edit file
Sample Output:
You can only edit files in a directory which is non-writable. It opens the nano editor to edit the file.
$ sudo -e /etc/sudoers.d/01-sudo-rule
This will create a new sudo rule inside /etc/sudoers.d based on the content added in this file. If you did not follow the proper syntax while adding sudo rules, then after saving the file you won't be able to access the file again, or you may not be able to save the file itself. Here is a sample error when I intentionally gave a wrong syntax in my sudoers file:
deepak@ubuntu:~$ sudo -e /etc/sudoers.d/01-sudo-rule
>>> /etc/sudoers.d/01-sudo-ssh: syntax error near line 2 <<<
sudo: parse error in /etc/sudoers.d/01-sudo-rule near line 2
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
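One way to keep a bad rule from reaching /etc/sudoers.d and producing the parse error shown above is to check the candidate file with visudo -c -f first and install it only if it parses. This is an added example, not part of the original article; the helper name install_sudoers_rule, the file names, and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# install_sudoers_rule CANDIDATE NAME [DEST_DIR]   (hypothetical helper)
# Returns 0 on install, 1 on a syntax error, 2 on an unusable file name.
install_sudoers_rule() {
    candidate=$1 name=$2 dest_dir=${3:-/etc/sudoers.d}

    # sudo skips drop-in files whose names contain "." or end in "~"
    case $name in
        ""|*.*|*"~") echo "refusing name '$name': sudo would ignore it" >&2
                     return 2 ;;
    esac

    # visudo -c only checks syntax; -f points it at the candidate file
    if ! visudo -c -f "$candidate" >/dev/null 2>&1; then
        echo "syntax check failed; $dest_dir left untouched" >&2
        return 1
    fi

    # Read-only mode 0440; run as root so the installed file is owned by root
    install -m 0440 "$candidate" "$dest_dir/$name"
}

# Demo with constructed rules, installed into a scratch directory
if command -v visudo >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    printf 'deepak ALL=(ALL:ALL) ALL\n' > "$tmp/good"
    printf 'deepak ALL=(ALL:ALL ALL\n'  > "$tmp/bad"    # missing ")"
    install_sudoers_rule "$tmp/good" 01-sudo-rule "$tmp" && echo "good rule installed"
    install_sudoers_rule "$tmp/bad" 02-broken "$tmp" || echo "bad rule rejected"
    rm -rf "$tmp"
fi
```

If a broken file is already in place and sudo refuses to start, a root shell obtained another way (for example su or a console login) is needed to fix or remove it.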
9. sudo command to update the user's cached credentials
The -v or --validate option tells sudo to update the user's cached credentials. It updates the user's timestamp without running a command.
$ sudo -v
OR
$ sudo --validate
Sample Output:
It does not print any output but displays an error if the user does not have sudo privileges.
golinux@ubuntu-PC:~$ sudo -v
[sudo] password for golinux:
10. sudo command to invalidate user's cached credentials
The -k or --reset-timestamp option removes the user's timestamp or cached credentials. So, the next time you run the sudo command, you will be required to enter a password. It allows a user to revoke sudo permissions from a .logout file.
$ sudo -k
OR
$ sudo --reset-timestamp
11. sudo command to remove the user's timestamp completely
The -K or --remove-timestamp option is similar to the -k option except that it removes the user's timestamp or cached credentials completely. Not all security policies support credential caching.
$ sudo -K
OR
$ sudo --remove-timestamp
sudo command vs su command
Both the sudo and su commands are used to access the privileges of other accounts, including root. The su command is used to switch the user account, whereas the sudo command is used to run a command as the root user or a different user. Generally, with the su command, you will need the password of the target user. But sudo asks for the password of the current user.
For more details on the su command, please read 9 su command examples in Linux [Cheat Sheet].
Conclusion
In this tutorial, we discussed the usage and the most common examples of the sudo command in Linux. We hope you have learned how to use the sudo command and execute commands as another user with sudo privileges. If you still have any confusion, do let us know in the comment section.