Sudo Command Explained

sudo Command Explained

sudo (substitute user do) allows a permitted user to execute commands as another user — typically root — without knowing that user’s password. It is the standard mechanism for privilege escalation on Ubuntu because it is audited, configurable, and does not require sharing the root password.

Why sudo exists

Ubuntu disables the root account password by default. Direct root login is off, and su - requires knowing the root password. Instead, Ubuntu uses sudo with the sudo group: any user in that group can run commands as root by authenticating with their own password.

Without sudo (dangerous root login):
  irfan logs in → becomes root → mistakes run as root → no audit trail

With sudo (Ubuntu default):
  irfan logs in → runs "sudo command" → provides own password
  → /etc/sudoers checked → allowed? → runs as root → logged to /var/log/auth.log
                                       ↑ full audit trail

How sudo works

# When you run sudo, it:
# 1. Checks /etc/sudoers (and /etc/sudoers.d/) for your permissions
# 2. Prompts for YOUR password (not root's)
# 3. Caches the credential for 15 minutes (by default)
# 4. Runs the command as root (or specified user)
# 5. Logs the action to /var/log/auth.log

# Check if you have sudo access
sudo -l   # Lists what commands you're allowed to run

# Check sudo access for another user
sudo -l -U irfan

sudo -l output showing permissions

Matching Defaults entries for irfan on myserver:
    env_reset, mail_badpass, secure_path=...

User irfan may run the following commands on myserver:
    (ALL : ALL) ALL

Common sudo usage patterns

# Run a command as root
sudo apt update

# Run a command as a different user (not root)
sudo -u www-data php artisan queue:work

# Open a root shell (inherits your environment)
sudo -s

# Open a full root login shell (cleaner environment, like logging in as root)
sudo -i
# or
sudo su -

# Run a command without a password prompt (useful in scripts if configured)
sudo -n apt update    # -n = non-interactive, fails if password required

# Run the last command again with sudo (common mistake recovery)
sudo !!

# Edit a privileged file safely (uses EDITOR, creates temp file)
sudo -e /etc/nginx/nginx.conf
# or equivalently:
sudoedit /etc/nginx/nginx.conf

💡 TIP: Always use sudoedit or sudo -e to edit privileged files rather than sudo nano /etc/...`. The sudoedit approach opens the file as your own user in your editor, then saves back as root. This prevents an attacker from exploiting the editor if it can spawn a shell (like :!bash in vi with root permissions).

# By default, sudo resets environment variables (env_reset in sudoers)
# This is a security feature — prevents environment injection attacks

# Preserve your HOME directory when using sudo
sudo -H command    # Sets HOME to root's home (/root)
sudo command       # HOME stays as /home/irfan (default in Ubuntu)

# Pass a specific environment variable to the sudo command
sudo FOO=bar command

# Preserve the entire environment (security risk — use sparingly)
sudo -E command

# sudo caches your credential for 15 minutes by default
# After that it prompts again

# Reset the sudo timestamp immediately (forget cached credential)
sudo -k

# Extend the timestamp without running a command
sudo -v

# See when the sudo token expires (Linux 5.10+)
sudo --list --reset-timestamp

# "irfan is not in the sudoers file. This incident will be reported."
# Fix: add the user to the sudo group from another admin account
sudo usermod -aG sudo irfan
# User must log out and back in for the group change to apply.

# "sudo: command not found" — sudo is not installed
apt install sudo    # Run as root

# "sudo: unable to resolve host myserver"
# Happens when /etc/hosts doesn't have the hostname
hostname          # e.g., returns "myserver"
grep myserver /etc/hosts    # Should show: 127.0.1.1  myserver
# If missing, add it:
echo "127.0.1.1 $(hostname)" | sudo tee -a /etc/hosts

# View sudo audit log
grep sudo /var/log/auth.log | tail -20