This document provides a complete beginner-friendly guide to understanding and using the sudo command in Linux-based systems. It is tailored for Level 1 (L1) learners and junior cybersecurity/system administration professionals.
sudo stands for "superuser do". It allows a permitted user to execute a command as the superuser or another user, as specified by the security policy (usually /etc/sudoers).
Use Case: It is used to perform administrative tasks without switching to the root account.
- Maintains system security by limiting root access
- Tracks which user ran privileged commands (audit-friendly)
- Prevents mistakes by enforcing controlled access to powerful commands
- Encourages the principle of least privilege
```
sudo [option] [command]
```

Example:

```
sudo apt update
```

This updates the package list using elevated permissions.
| Task | Command | Scenario |
|---|---|---|
| Update packages | `sudo apt update` | Keeping system packages updated |
| Install software | `sudo apt install nmap` | Installing a new tool like Nmap |
| Edit system file | `sudo nano /etc/hosts` | Modify system-level config files |
| Reboot system | `sudo reboot` | Restarting system remotely |
| Change ownership | `sudo chown user:group file.txt` | Grant ownership of a file |
| Add a user | `sudo useradd devuser` | Add new user to system |
- User types a command with sudo
- System checks /etc/sudoers for permission
- If permitted, the system prompts for the user's password
- If the password is correct and permission is granted, the command runs as root
- Audit logs are updated with execution details
```
sudo usermod -aG sudo username
```

Adds the user to the sudo group.

```
sudo -l
```

Shows what commands the user is allowed to run with sudo.
```
sudo adduser devadmin
sudo usermod -aG sudo devadmin
```

This user can now use sudo.

```
sudo adduser internuser
```

This user cannot run administrative commands unless explicitly added to the sudo group.
- Use sudo only when necessary
- Avoid running full shells as root: `sudo -i` or `sudo su`
- Monitor /var/log/auth.log for sudo activity
- Configure minimal privilege using visudo
Monitoring sudo usage is critical for auditing and maintaining security. Here’s how to enable and track sudo activities in a simple way:
```
sudo cat /var/log/auth.log | grep sudo
```

Purpose: Displays all sudo activity, including who used it and what command was run.

```
sudo tail -f /var/log/auth.log | grep sudo
```

Purpose: Continuously monitor sudo usage as it happens.
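The grep above shows raw log lines. As an added example that is not part of the original guide, the POSIX shell script below parses constructed auth.log-style entries into successful sudo runs and denied or failed attempts, which are the two things to review first. The host name, user names and log lines are constructed samples in the layout sudo writes through syslog on Debian/Ubuntu.

```bash
#!/bin/sh
# Added example (not from the original guide). SAMPLE_LOG holds constructed
# lines in the layout sudo writes through syslog on Debian/Ubuntu:
#   <date> <host> sudo: <user> : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun  3 10:15:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jun  3 10:15:02 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Jun  3 10:16:44 host sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jun  3 10:17:10 host sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt install nmap
Jun  3 10:18:00 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2
Jun  3 10:19:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/reboot
EOF

# Lines written by sudo itself (the sshd line is dropped). This still includes
# pam_unix session lines; the parsers below skip them because the user name
# is not followed by TTY= or by a failure reason.
sudo_lines() { grep ' sudo: ' "$1"; }

# Successful runs, printed as "user COMMAND". In a successful entry the user
# name is followed directly by TTY=, with no reason text in between.
sudo_success() {
  sudo_lines "$1" |
    sed -n 's/^.* sudo: *\([^ ]*\) : TTY=.*COMMAND=\(.*\)$/\1 \2/p'
}

# Denied or failed attempts, printed as "user reason -> COMMAND".
sudo_failures() {
  sudo_lines "$1" | grep -E 'NOT in sudoers|incorrect password' |
    sed -n 's/^.* sudo: *\([^ ]*\) : \([^;]*[^ ;]\) *;.*COMMAND=\(.*\)$/\1 \2 -> \3/p'
}

# Failure count: a sudden rise is the first signal a reviewer should check.
sudo_failure_count() { sudo_failures "$1" | wc -l | tr -d ' '; }

echo "== successful sudo runs =="
sudo_success "$SAMPLE_LOG"
echo "== failed or denied attempts ($(sudo_failure_count "$SAMPLE_LOG")) =="
sudo_failures "$SAMPLE_LOG"
```

Point the functions at the real file (`sudo_failures /var/log/auth.log`) to run the same report on a live system, using sudo or adm group membership to read it.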
Edit .bashrc to add:

```
alias sudolog='grep sudo /var/log/auth.log'
```

Then reload:

```
source ~/.bashrc
```

Purpose: Simplifies checking sudo logs with the sudolog command. On Debian/Ubuntu, /var/log/auth.log is readable only by root and members of the adm group, so run the alias as a user in that group or prefix it with sudo.
```
sudo ausearch -m USER_CMD -x sudo
```

Purpose: Queries auditd logs for all sudo commands.

Note: auditd may need to be installed and started for this to work:

```
sudo apt install auditd
sudo systemctl enable auditd && sudo systemctl start auditd
```

| Feature | sudo | su |
|---|---|---|
| Runs single command as root | ✅ | ❌ |
| Requires user's password | ✅ | ❌ (asks root password) |
| Audit logging | ✅ | ❌ |
| Temporary root shell | ❌ | ✅ |
To allow a user to run only the reboot command:

```
sudo visudo
```

Add this line:

```
username ALL=(ALL) NOPASSWD: /sbin/reboot
```

| Issue | Cause | Resolution |
|---|---|---|
| user is not in the sudoers file | Not part of sudo group | Use root to add user to group |
| command not found | Misspelled or uninstalled | Double-check spelling and path |
| Permission denied | Wrong file permissions | Use `ls -l` and correct ownership |
Understanding sudo is critical for L1 Linux and cybersecurity practitioners. It enforces control, improves auditability, and limits damage from mistakes. Learn to use it wisely.
Maintained by: Vaishnavu C V Principal CyberSecurity Engineer | Ethical Hacker | Cyber Range Mentor