The sudo Command in Linux: A Comprehensive Guide to Usage and Configuration

Introduction / Purpose

The sudo command is a fundamental tool for managing Linux systems. It allows you to perform tasks that require superuser (root) privileges without constantly logging in as root. This enhances security: all actions performed with sudo are logged, and the user operates with the minimum necessary privileges. After completing this guide, you will be able to safely install software, manage services, and modify system files.

Prerequisites / Preparation

Access to a terminal (Ctrl+Alt+T or SSH connection).
A user account added to the sudo group (usually created during Ubuntu/Debian installation).
Knowledge of that user's password.
To edit the sudoers file, at least one working sudo access.

Step 1: Basic sudo Usage

Before any command that requires elevated privileges, simply prepend sudo. The system will prompt for the current user's password (not the root password!).

Examples:

# Update package list (Debian/Ubuntu)
sudo apt update

# Restart the nginx web server
sudo systemctl restart nginx

# Install a program (example for CentOS)
sudo yum install htop

# Edit a protected file (e.g., network configuration)
sudo nano /etc/network/interfaces

Important: After entering the password, sudo caches the authentication. For 15 minutes (by default), subsequent sudo commands will not prompt for a password.

Step 2: Understanding the Mechanism and Timer

sudo operates on the principle of "trusted delegation". You do not become root, but your command runs with root's UID. Caching is controlled by the timestamp_timeout parameter in /etc/sudoers.

Check remaining cache time: sudo -v (if no password is needed, the time hasn't expired).
Force update the timer (enter password): sudo -k (invalidates the current cache).

Step 3: Configuring Permissions via the sudoers File (visudo)

Never edit /etc/sudoers directly in a text editor. Always use visudo — it checks syntax before saving, preventing loss of system access.

Open the configuration:
```
sudo visudo
```
By default, it will open the nano editor (in Ubuntu) or vi (in CentOS).
Add the user to the sudo group (if not already done). There is usually a line:
```
%sudo   ALL=(ALL:ALL) ALL
```
Ensure your user is in the sudo group (groups $USER).
Configure a passwordless rule for a specific command (e.g., for reboot):
```
username ALL=(ALL) NOPASSWD: /usr/bin/systemctl reboot
```
Note: Specify the full path to the command (which systemctl).
Prohibit execution of dangerous commands (e.g., passwd for other users):
```
username ALL=(ALL) ALL, !/usr/bin/passwd
```
Save and exit. In nano: Ctrl+X, then Y and Enter.

Step 4: Security and Best Practices

Least privilege: Grant users only the permissions necessary for their tasks. Avoid ALL=(ALL) ALL for unnecessary users.
Command path: Always specify absolute paths in sudoers (e.g., /usr/bin/apt, not just apt). This prevents execution of a malicious script with the same name from PATH.
Groups: Use groups (%developers, %admin) to manage permissions instead of individual users.
Auditing: All sudo commands are logged in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (CentOS). Review them if unauthorized access is suspected.

Step 5: Common Errors and Solutions

Symptom / Error	Cause	Solution
`username is not in the sudoers file`	User not added to the `sudo` group or no entry in `sudoers`.	1. Log in as root (if root password is available) or via system recovery. 2. Add the user: `usermod -aG sudo username`. 3. Log out and back in.
`sudo: command not found`	The `sudo` package is not installed (rare in modern distributions).	Install as root: `apt install sudo` (Debian/Ubuntu) or `yum install sudo` (CentOS).
`sudo: no tty present and no askpass program specified`	Attempting to run `sudo` in a non-interactive script without password input capability.	Use `sudo -S` with password passed via stdin (insecure!) or configure `NOPASSWD` for the specific command in `sudoers`.
`sudo: parsing error in /etc/sudoers near line X`	Syntax error in `sudoers` after editing without `visudo`.	1. Run `sudo visudo -c` to check. 2. Fix the error using `sudo visudo` (if access is still available). 3. If access is lost, boot into single-user mode and fix the file manually.

Verification

Basic test: Run a command that requires privileges, e.g., sudo whoami. If the output is root, everything works.
Check user privileges:
```
sudo -l
```
You will see a list of commands you can run as root and whether a password is required.
Check group:
```
groups
```
The sudo group (or wheel in CentOS) should be in the list.

Potential Issues

Loss of access after editing sudoers: If you make a syntax error and save the file (without visudo), sudo will stop working. You will need system access in recovery mode (single-user mode) to fix the file.
Different command paths: System utilities may reside in different locations across distributions (/usr/sbin/ vs /sbin/). When writing rules in sudoers, use which <command> to determine the full path.
Dependencies on the PATH variable: When run via sudo, the PATH may change. Always specify the full path to the executable in scripts and sudoers rules.
Password timeout too short: To increase the cache time (e.g., to 30 minutes), add to sudoers (via visudo): Defaults timestamp_timeout=30. A value of -1 disables expiration.

F.A.Q.

What is sudo and what is it used for?

How to add a user to the sudo group?

Why does sudo ask for a password only the first time?

How to safely edit the sudoers file?

Hints

Checking for sudo privileges

Basic sudo usage

Launching a root shell (be careful!)

Configuring privileges via sudoers (visudo)

Verifying sudoers configuration