sudo — Run Commands with Root Privileges
Practical guide to sudo: run commands as root or another user, open shells, control the timestamp and configure sudoers safely with visudo.
sudo ("superuser do") runs individual commands with elevated privileges – usually as root – without you logging in as root for good. Who may do what is governed by /etc/sudoers, and every invocation is logged: that makes sudo accountable and noticeably safer than an open root login via su. This guide walks you through the calls that matter, from the everyday command to granting permissions. One warning up front: rules like NOPASSWD: ALL effectively turn an account into passwordless root – grant privileges sparingly and edit sudoers only with visudo.
Basic Usage
sudo <command> — Run a command as root. Prompts for the current user's password.
    sudo apt update
sudo -u <user> <command> — Run a command as a specific user instead of root.
    sudo -u www-data php artisan migrate
sudo -g <group> <command> — Run a command with a specific primary group.
    sudo -g docker docker ps
sudo !! — Re-run the previous command with sudo (bash history expansion).
    sudo !!
Shell & Environment
sudo -i — Start a login shell as root. Loads root's environment (.profile, .bashrc, etc.).
    sudo -i
sudo -s — Start a shell as root using the current user's shell. Does not load root's environment.
    sudo -s
sudo su - — Switch to root with a full login shell. Equivalent to 'sudo -i'.
    sudo su -
sudo -E <command> — Preserve the current user's environment variables when running the command.
    sudo -E env | grep PATH
sudo env VAR=value <command> — Pass specific environment variables to the command run as root.
    sudo env RAILS_ENV=production rails s
Session Management
sudo -v — Validate (refresh) the sudo timestamp without running a command. Extends the session.
    sudo -v
sudo -k — Invalidate the sudo timestamp immediately. The next sudo call will require a password.
    sudo -k
sudo -K — Remove the sudo timestamp entirely (stronger than -k).
    sudo -K
Listing & Checking Permissions
sudo -l — List the commands the current user is allowed to run with sudo.
    sudo -l
sudo -l -U <user> — List the sudo permissions for a specific user (requires root).
    sudo -l -U deploy
sudo -n <command> — Non-interactive mode. Run the command without prompting for a password. Fails if a password is required.
    sudo -n systemctl reload nginx
sudoers Configuration
visudo — Safely edit /etc/sudoers with syntax checking. Always use visudo, never edit directly.
    sudo visudo
visudo -f /etc/sudoers.d/<file> — Edit a specific drop-in sudoers file. Preferred way to add custom rules.
    sudo visudo -f /etc/sudoers.d/deploy
<user> ALL=(ALL:ALL) ALL — Grant a user full sudo access. Paste into sudoers via visudo.
    jpk ALL=(ALL:ALL) ALL
<user> ALL=(ALL) NOPASSWD: ALL — Grant full sudo access without password prompt. Use with caution.
    deploy ALL=(ALL) NOPASSWD: ALL
<user> ALL=(ALL) NOPASSWD: /bin/systemctl reload nginx — Allow a specific command without password. Principle of least privilege.
    deploy ALL=(ALL) NOPASSWD: /bin/systemctl reload nginx
%<group> ALL=(ALL:ALL) ALL — Grant all members of a group full sudo access. % prefix indicates a group.
    %sudo ALL=(ALL:ALL) ALL
Options & Flags
sudo -H <command> — Set HOME to the target user's home directory (root by default).
    sudo -H pip install package
sudo -p '<prompt>' <command> — Use a custom password prompt.
    sudo -p 'Enter your password: ' apt upgrade
sudo -- <command> — Stop processing sudo options. Useful when the command starts with a dash.
    sudo -- -mycommand
sudo -b <command> — Run the command in the background.
    sudo -b rsync -av /src/ /dst/
Conclusion
sudo is the standard tool for running individual actions with root privileges instead of working as root permanently – for everyday use, sudo <command>, a root shell opened on demand (sudo -i/-s) and a glance at your own rights with sudo -l cover most needs. Three things are worth internalising: always edit sudoers with visudo (or visudo -f for drop-ins under /etc/sudoers.d/) – a syntax error in /etc/sudoers can render sudo unusable and lock you out of your own system. Grant rights following the principle of least privilege: a concrete command path rather than ALL, because NOPASSWD: ALL turns an account into passwordless root and defeats the protection entirely. And lean on sudo's advantage over su: every invocation is auditable and ends up in the log.
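A small audit for the rules listed under sudoers Configuration, added here as an example (not part of the original guide and not sudo's own tooling): it reads a sudoers drop-in and reports every entry that grants ALL commands, separating passwordless grants from password-protected ones. The function names, finding labels and sample file are assumptions made for this example, and the parser is simplified to single-line user rules.

```shell
#!/bin/sh
# Added example, not from the original guide. Names and labels are hypothetical.

# write_sample FILE: constructed sample drop-in mirroring the rules in this guide.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real system
jpk ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
deploy ALL=(ALL) NOPASSWD: /bin/systemctl reload nginx
%sudo ALL=(ALL:ALL) ALL
EOF
}

# audit_sudoers FILE: print one finding per rule that grants ALL commands.
#   NOPASSWD_ALL <who>  passwordless root
#   FULL_ACCESS <who>   every command, password still required
# Simplified: single-line user rules only (no alias expansion, no continuations).
audit_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, blank lines
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # settings and aliases
        {
            who = $1
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)       # drop "user host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
            nopw = (spec ~ /NOPASSWD:/)
            gsub(/[A-Z]+:[ \t]*/, "", spec)      # drop tags such as NOPASSWD:
            sub(/[ \t]+$/, "", spec)             # trim trailing whitespace
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            all = 0
            for (i = 1; i <= n; i++) if (cmds[i] == "ALL") all = 1
            label = nopw ? "NOPASSWD_ALL" : "FULL_ACCESS"
            if (all) print label, who
        }
    ' "$1"
}
```

Run it against a copy of a drop-in, and validate the file's syntax separately with visudo -c -f <file> before installing it under /etc/sudoers.d/.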
Further Reading
- Ubuntu Server docs: About sudo – official Ubuntu guidance on console security and elevated access
- Debian Wiki: sudo – notes on setting up and using sudo on Debian