sudo is a security mechanism used in Linux systems to execute commands with high privileges, allowing authorized users to run commands as root without logging into the root account, improving security and auditability. 1. sudo determines user permissions by checking the /etc/sudoers file, and uses the user's own password when authenticating. 2. Users must be joined to the sudo group (Debian/Ubuntu) or wheel group (Red Hat series) to use sudo. 3. The configuration should be done through the sudo visudo command to prevent syntax errors from causing the system to be unable to manage. 4. You can set fine permission rules, such as only allowing restart of specific services. 5. Best practices include following the principle of least permissions, avoiding the use of sudo su-, regularly reviewing permissions, and utilizing log audits. 6. Frequently asked questions include user not adding sudoers files, password entry errors, environment variable resets, and script execution risks. Correct configuration and use of sudo can effectively ensure system safety and operation traceability.

Using sudo on a Linux system is a fundamental skill for anyone managing or interacting with Unix-like operating systems. It allows users to perform tasks with elevated (typically root) privileges without needing to log in as the root user, which improves security and accountability.

What Is sudo ?

sudo stands for "superuser do" (or "substitute user do"). It enables authorized users to run commands as another user — usually the root user — with elevated permissions. Instead of sharing the root password, system administrators can grant specific users or groups the ability to execute certain commands via sudo , and all actions are logged for audit purposes.

For example:

 sudo apt update

This runs the apt update command with root privileges, even if you're logged in as a regular user.

How sudo Works

When you run a command with sudo , the system checks the /etc/sudoers file (and files in /etc/sudoers.d/ ) to determine whether you're allowed to run that command. If allowed, sudo prompts you for your own password (not the root password), then executes the command with elevated privileges.

Key points:

• You must be listed in the sudoers configuration to use sudo .
• On most modern distributions (like Ubuntu), users in the sudo group are automatically granted sudo access.
• After authenticating, sudo typically caches your credentials for 5–15 minutes, so you won't be prompted again immediately.

Configuring sudo Access

To grant a user sudo privileges, add them to the sudo group (on Debian/Ubuntu systems):

 sudo usermod -aG sudo username

On Red Hat-based systems (like CentOS or Fedora), the group might be wheel :

 sudo usermod -aG wheel username

Never edit /etc/sudoers directly with a regular text editor. Always use:

 sudo visudo

This command opens the file in a safe way, checking syntax before saving to prevent lockouts.

You can also create custom rules. For example, to allow a user to restart only the Apache service:

 username ALL=(ALL) /bin/systemctl restart apache2

Best Practices When Using sudo

• Use the principle of least privilege : Only grant sudo access to what's necessary.
• Avoid sudo su - or sudo bash : These give full root access and bypass command logging.
• Review what commands are allowed : Use sudo -l to list your allowed commands.
• Log usage matters : All sudo commands are logged (typically in /var/log/auth.log or /var/log/secure ), so misuse can be traced.
• Don't disable sudo entirely : While some prefer su , sudo offers better control and auditing.

Common Pitfalls

• "User is not in the sudoers file" : This means the user hasn't been granted sudo access. Fix it via visudo or group membership.
• Forgotten password prompts : sudo asks for your password, not root's. If it fails, double-check your user password.
• Environment confusion : Some environment variables are reset by sudo for security. Use sudo -E to preserve them (if needed and safe).
• Running scripts with sudo : Be cautious — ensure scripts are trusted and don't contain unintended commands.

Basically, sudo is a powerful, secure way to manage administrative tasks on Linux — as long as it's configured and used responsible. Understanding who can run what, and how logging and timeouts work, helps maintain both usability and system integrity.

The above is the detailed content of Understanding and Using `sudo` on a Linux System. For more information, please follow other related articles on the PHP Chinese website!