# sudo — Run Commands with Root Privileges

> Practical guide to sudo: run commands as root or another user, open shells, control the timestamp and configure sudoers safely with visudo.

Source: https://www.jpkc.com/db/en/cheatsheets/shell-system/sudo/

<!-- PROSE:intro -->
sudo ("superuser do") runs individual commands with elevated privileges – usually as root – without requiring a permanent root login. Who may do what is governed by `/etc/sudoers`, and every invocation is logged, which makes sudo accountable and noticeably safer than an open root login via `su`. This guide walks you through the calls that matter, from the everyday command to granting permissions. One warning up front: rules like `NOPASSWD: ALL` effectively turn an account into passwordless root, so grant privileges sparingly and edit sudoers only with `visudo`.
<!-- PROSE:intro:end -->

## Basic Usage

`sudo <command>` — Run a command as root. Prompts for the current user's password.

```bash
sudo apt update
```

`sudo -u <user> <command>` — Run a command as a specific user instead of root.

```bash
sudo -u www-data php artisan migrate
```

`sudo -g <group> <command>` — Run a command with a specific primary group.

```bash
sudo -g docker docker ps
```

`sudo !!` — Re-run the previous command with sudo (bash history expansion).

```bash
sudo !!
```

## Shell & Environment

`sudo -i` — Start a login shell as root. Loads root's environment (.profile, .bashrc, etc.).

```bash
sudo -i
```

`sudo -s` — Start a shell as root using the current user's shell. Does not load root's environment.

```bash
sudo -s
```

`sudo su -` — Switch to root with a full login shell. Same effect as `sudo -i`, reached through an extra `su` process.

```bash
sudo su -
```

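`sudo -E <command>` — Preserve the current user's environment variables when running the command. Only takes effect if the sudoers policy allows it (`SETENV` tag or `setenv` option), and `PATH` is still replaced when `secure_path` is set.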

```bash
sudo -E env | grep PATH
```

`sudo env VAR=value <command>` — Pass specific environment variables to the command run as root.

```bash
sudo env RAILS_ENV=production rails s
```

## Session Management

`sudo -v` — Validate (refresh) the sudo timestamp without running a command. Extends the session.

```bash
sudo -v
```

`sudo -k` — Invalidate the sudo timestamp immediately. The next sudo call will prompt for the password again.

```bash
sudo -k
```

`sudo -K` — Remove all of the user's cached credentials, for every terminal (stronger than -k).

```bash
sudo -K
```

## Listing & Checking Permissions

`sudo -l` — List the commands the current user is allowed to run with sudo.

```bash
sudo -l
```

`sudo -l -U <user>` — List the sudo permissions for a specific user (requires root).

```bash
sudo -l -U deploy
```

`sudo -n <command>` — Non-interactive mode. Run the command without prompting for a password. Fails if a password is required.

```bash
sudo -n systemctl reload nginx
```

## sudoers Configuration

`visudo` — Safely edit /etc/sudoers with syntax checking. Always use visudo, never edit directly.

```bash
sudo visudo
```

`visudo -f /etc/sudoers.d/<file>` — Edit a specific drop-in sudoers file. Preferred way to add custom rules.

```bash
sudo visudo -f /etc/sudoers.d/deploy
```

`<user> ALL=(ALL:ALL) ALL` — Grant a user full sudo access. Paste into sudoers via visudo.

```sudoers
jpk ALL=(ALL:ALL) ALL
```

`<user> ALL=(ALL) NOPASSWD: ALL` — Grant full sudo access without password prompt. Use with caution.

```sudoers
deploy ALL=(ALL) NOPASSWD: ALL
```

`<user> ALL=(ALL) NOPASSWD: /bin/systemctl reload nginx` — Allow a specific command without password. Principle of least privilege.

```sudoers
deploy ALL=(ALL) NOPASSWD: /bin/systemctl reload nginx
```

`%<group> ALL=(ALL:ALL) ALL` — Grant all members of a group full sudo access. % prefix indicates a group.

```sudoers
%sudo ALL=(ALL:ALL) ALL
```
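
The rules above differ mainly in how much they hand out, so a drop-in is worth checking before it goes live. The following is an added example, not part of the original cheatsheet: it flags rules whose command list is a bare `ALL`, refuses `NOPASSWD: ALL`, and installs only after `visudo -cf` accepts the file. The function names `audit_sudoers`, `install_dropin` and `sample_rules` are hypothetical, and the matcher assumes one rule per line without line continuations or `Cmnd_Alias` expansion.

```bash
#!/bin/sh
# Added example: policy check plus safe install for a sudoers drop-in.
# Simplified: one rule per line, no continuations, no Cmnd_Alias expansion.

# Print a finding for each rule whose command list contains a bare ALL.
audit_sudoers() {
  awk '
    /^[ \t]*$/ || /^[ \t]*[#@]/ { next }          # blanks, comments, includes
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }  # settings and aliases
    index($0, "=") == 0 { next }
    {
      spec = $0
      sub(/^[^=]*=/, "", spec)                    # strip "user host ="
      gsub(/\([^)]*\)/, "", spec)                 # strip Runas, e.g. (ALL:ALL)
      n = split(spec, cmd, ","); nopw = 0         # a tag applies until overridden
      for (i = 1; i <= n; i++) {
        c = cmd[i]
        while (match(c, /^[ \t]*[A-Z_]+[ \t]*:/)) {
          tag = substr(c, 1, RLENGTH); c = substr(c, RLENGTH + 1)
          if (tag ~ /NOPASSWD/) nopw = 1; else if (tag ~ /PASSWD/) nopw = 0
        }
        gsub(/^[ \t]+|[ \t]+$/, "", c)
        if (c == "ALL") {
          printf "%s line %d: %s\n", (nopw ? "NOPASSWD-ALL" : "ALL"), NR, $0
          break
        }
      }
    }' "$1"
}

# Refuse passwordless-root rules, syntax-check with visudo, then install
# root-owned with mode 0440. Run as root. The name must not contain a dot
# or end in "~", because sudo skips such files in /etc/sudoers.d.
install_dropin() {
  if audit_sudoers "$1" | grep -q '^NOPASSWD-ALL'; then
    echo "refusing $1: grants passwordless root" >&2; return 2
  fi
  visudo -cf "$1" || return 1
  install -o root -g root -m 0440 "$1" "/etc/sudoers.d/$2"
}

# Constructed sample: the four rules shown in this section.
sample_rules() {
  printf '%s\n' 'jpk ALL=(ALL:ALL) ALL' 'deploy ALL=(ALL) NOPASSWD: ALL' \
    'deploy ALL=(ALL) NOPASSWD: /bin/systemctl reload nginx' \
    '%sudo ALL=(ALL:ALL) ALL'
}
tmp=$(mktemp) && sample_rules > "$tmp" && audit_sudoers "$tmp"
rm -f "$tmp"
```

On the sample, lines 1 and 4 are reported as `ALL`, line 2 as `NOPASSWD-ALL`, and the single-command rule on line 3 passes without a finding.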

## Options & Flags

`sudo -H <command>` — Set HOME to the target user's home directory (root by default).

```bash
sudo -H pip install package
```

`sudo -p '<prompt>' <command>` — Use a custom password prompt.

```bash
sudo -p 'Enter your password: ' apt upgrade
```

`sudo -- <command>` — Stop processing sudo options. Useful when the command starts with a dash.

```bash
sudo -- -mycommand
```

`sudo -b <command>` — Run the command in the background.

```bash
sudo -b rsync -av /src/ /dst/
```

<!-- PROSE:outro -->
## Conclusion

sudo is the standard tool for running individual actions with root privileges instead of working as root permanently – for everyday use, `sudo <command>`, a root shell opened on demand (`sudo -i`/`-s`) and a glance at your own rights with `sudo -l` cover most needs. Three things are worth internalising: **always** edit sudoers with `visudo` (or `visudo -f` for drop-ins under `/etc/sudoers.d/`) – a syntax error in `/etc/sudoers` can render sudo unusable and lock you out of your own system. Grant rights following the principle of least privilege: a concrete command path rather than `ALL`, because `NOPASSWD: ALL` turns an account into passwordless root and defeats the protection entirely. And lean on sudo's advantage over `su`: every invocation is auditable and ends up in the log.

## Further Reading

- [Ubuntu Server docs: About sudo](https://documentation.ubuntu.com/server/how-to/security/console-security/) – official Ubuntu guidance on console security and elevated access
- [Debian Wiki: sudo](https://wiki.debian.org/sudo) – notes on setting up and using sudo on Debian
<!-- PROSE:outro:end -->

## Related Commands

- [su](https://www.jpkc.com/db/en/cheatsheets/shell-system/su/) – switch to another user, including a full root login
- [id](https://www.jpkc.com/db/en/cheatsheets/shell-system/id/) – show your own or another user's UID, GID and group memberships
- [useradd](https://www.jpkc.com/db/en/cheatsheets/shell-system/useradd/) – create and configure new user accounts

