Introduction
This guide will teach you about root access, the sudo command, how to perform tasks with sudo, and the distinctions between sudo and root access. Instructions for creating a sudo user for various operating systems are also provided below.
What is Root?
root
On Unix-like systems such as Linux, refers to the superuser account It is the most privileged account on the system, having the most access permissions. It is used for system management. Regardless of the account’s name, this root/superuser account has a user identifier (UID) of zero.
The root user has complete access to the system (root privileges). It has the ability to edit fundamental system components, upgrade the system, change system configuration, and start, stop, and restart all operating system services.
The terminal command prompt symbol changes from to when you log in as root. $
to #
. For example:
$ echo 'This is a normal user shell'
# echo 'This is a root shell'
What is Sudo?
The sudo
(superuser do) command is a command-line utility that allows a user to run commands as root or another user. It provides an efficient method for granting specified users access to execute specific system commands or run scripts as the root user.
Although similar to su
, sudo
requires the logged-in user’s password for authentication rather than the target user’s password like su
does. Sudo, like su
, does not launch a root shell; instead, it executes the program or command with elevated privileges.
A system administrator can use sudo, to do the following tasks:
- Allow users or groups of users to perform certain commands with elevated or root access.
- View a list of all users who have used sudo.
- Control which commands a user is allowed to use on a host system.
Sudo logs all commands and arguments run in the /var/log/auth.log
file, which may be studied if something goes wrong.
Sudo Vs. Root
The principle of least privilege is an information and computer security concept that maintains that programs and users should be granted the bare minimum of access necessary to complete a task.
When logged in as root, every command put into the terminal is executed with the system’s maximum privileges, which violates the concept of least privilege. When unintentional, a simple operation like rm might be used to destroy fundamental root directories or files without informing the user. For example, suppose you attempted to remove a root directory such as /etc using:
$ rm -rf /etc
You will be refused access since you are logged in as a regular user. When logged in as root, no prompts will be displayed, and the whole folder will be removed, which will very certainly destroy your system because specific configuration files required for system operation are kept in the /etc directory. You may potentially format a disk incorrectly and the system will not prompt you.
Because the application is executing with the maximum privileges, a little error in the application might destroy some system data.
Sudo allows for fine-grained access control. It only gives enhanced permissions to the program that requires them. Instead of working with a root shell, you know which program is executing with elevated rights (running every command with root privileges). By changing your sudoers file, you may also configure sudo to run commands as another user, define which users and groups are authorized to run commands with sudo, and establish timeouts for executing applications with root capabilities.
As a result, performing commands with the root shell is not recommended since the risks of damaging your system are substantially higher. If you need root access to perform a command, use sudo to ensure that just that command runs with root capabilities.
Run Commands as Sudo
To run commands as sudo, precede them with sudo
:
$ sudo command
It will question you for a password, which you should input and then press ENTER:
$ sudo command
[sudo] password for user:
Create a Sudo User on AlmaLinux, CentOS, Fedora, Rocky Linux, and VzLinux
This section applies to:
- AlmaLinux
- CentOS 7 and later
- Fedora 31 and later
- Rocky Linux
- VzLinux
Procedure:
1. Use the adduser
command to create a new user account.

# adduser example_user
2. Create a strong password for the new user passwd
.
# passwd example_user
Changing password for user example_user.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
3. With, add the new user to the wheel group usermod
.
# usermod -aG wheel example_user
4. Examine the sudoers file using visudo
.
# visudo
5. Locate the wheel group. If the line is disabled, remove the comment. When you’re ready to save the file, it should look like this.
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
6. Save and close vi. Enter ESC, : W Q, and ENTER.
Always use visudo to change /etc/sudoers
, never directly. Because a misconfigured sudoers file might harm your system, the visudo
. program conducts syntax checking before submitting your changes to the file. If you make a mistake, you’ll see it after you quit visudo.
visudo: >>> /etc/sudoers: syntax error near line 64 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)
7. Switch to the new user.
# su - example_user
8. Verify that you are the new user using whoami
, then try sudo whoami
, which should return root.
$ whoami
example_user
$ sudo whoami
[sudo] password for example_user:
root
Create a Sudo User on Arch Linux
This section applies to any recent Arch Linux release.
1. Install sudo because it isn’t included in the original installation. If you haven’t updated in a while, remember to do so.
# pacman --sync sudo
2. Create a new user account with useradd
.
# useradd --create-home example_user
3. Set a strong password for the new user with passwd
.
# passwd example_user
4. Add the new user to the wheel group with usermod
.
# usermod --append --groups wheel example_user
5. Edit the sudoers file with visudo
.
# visudo
6. Look for the wheel group at the bottom of the file in the ‘User privilege definition’ section. Remove the comment at the start of the line so that it appears like this:
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
7. Save and close vi. Enter ESC, : W Q, and ENTER.
Always use visudo to change /etc/sudoers
, never directly. Because a misconfigured sudoers file might harm your system, the visudo
. program conducts syntax checking before submitting your changes to the file. If you make a mistake, you’ll see it after you quit visudo.
visudo: >>> /etc/sudoers: syntax error near line 64 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)
8. Switch to the new user.
# su - example_user
9. Verify that you are the new user using whoami
, then try sudo whoami
, which should return root.
$ whoami
example_user
$ sudo whoami
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for example_user:
root
Create a Sudo User on Debian & Ubuntu
This section applies to:
Procedure:
- Debian 9 “Stretch” and later
- Ubuntu 16.04 and later
1. Install the sudo command. Some installation packages do not include sudo. If it does not, use sudo to install it.
apt.# apt install sudo
2. Use the adduser
command to create a new user account. For the new user, create a strong password. You can enter entries for the user information fields or hit ENTER to leave them empty.
# adduser example_user
Adding user `example_user' ...
Adding new group `example_user' (1001) ...
Adding new user `example_user' (1001) with group `example_user' ...
Creating home directory `/home/example_user' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for example_user
Enter the new value, or press ENTER for the default
Full Name []: Example User
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
3. Include the new user in the sudo group.
# adduser example_user sudo
4. Switch to the new user to test.
# su - example_user
Verify that you are the new user using whoami
, then try sudo whoami
, which should return root.
$ whoami
example_user
$ sudo whoami
[sudo] password for example_user:
root
Create a Sudo User on FreeBSD
This section applies to FreeBSD 11 and later.
Procedure:
1. If sudo is already present on your machine, install it from the ports collection. To install sudo from ports, follow these steps:
# cd /usr/ports/security/sudo/
# make install clean
You may also use pkg to install the binary sudo
package:
# pkg install sudo
2. Set up a new user account for sudo use:
# adduser
To create the user, answer the questions on the dialog. In this guide, we’ll utilize example_user.
3. Add the user to the wheel group, which restricts who may use su
to get root access.
# pw group mod wheel -m example_user
4. visudo
. may be used to edit the sudoers file.
# visudo
5. Locate the wheel group. If the line is disabled, remove the comment. When you’re ready to save the file, it should look like this.
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
6. Save and close vi. Enter ESC, : W Q, and ENTER.
Always use visudo to change /etc/sudoers
, never directly. Because a misconfigured sudoers file might harm your system, the visudo
. program conducts syntax checking before submitting your changes to the file. If you make a mistake, you’ll see it after you quit visudo.
visudo: >>> /etc/sudoers: syntax error near line 64 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)
7. Switch to the new user.
# su - example_user
8. Verify that you are the new user using whoami
, then try sudo whoami
, which should return root.
$ whoami
example_user
$ sudo whoami
[sudo] password for example_user:
root
More about the sudoers
File
Sudo employs the sudoers
security policy and maintains a specific configuration file /etc/sudoers
. This file controls access privileges and password prompt timeouts.
Note: You must have elevated privileges to view the sudoers file
Open the /etc/sudoers
file; it should look like this:
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/
sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
The line:
root ALL=(ALL:ALL)ALL
signifies that the root user has complete access to the system and can execute any command.
%sudo ALL=(ALL:ALL)ALL
Allows all members of the sudo group to run any command.
Note: ‘%’ in the sudoers file represents a group
As you can see from the first line in the /etc/sudoers
file:
# This file MUST be edited with the 'visudo' command as root
Do not attempt to edit the sudoers file directly. Use the visudo
command with root privileges.
