ipdetecto.com
Apr 19, 2026

What Does sudo Do in Linux?

sudo runs a single command with elevated privileges, as permitted by a policy file (/etc/sudoers). This page covers authentication, timestamp tickets, user and command allowlists, logging to syslog, and why sudo is preferred over shared root passwords.

Definition

sudo (superuser do) is a program that lets an allowed user run specific commands as another user—almost always root—after re-authenticating (unless configured otherwise). It consults /etc/sudoers and optional snippets under /etc/sudoers.d/ to decide who may run what, from which host, and whether a password is required.

How it differs from su

su - starts a full root shell if you know the root password. sudo lets the root password stay locked or unknown while delegating with least privilege: you can grant systemctl restart nginx without granting disk wipe tools. Every sudo invocation can be logged with the real username, which aids audits.

Mechanics you will hit

| Invocation | Effect | Caution |
| --- | --- | --- |
| sudo command | Run one command as root | Shell redirections may run as your user unless grouped carefully |
| sudo -i | Simulate root login shell | Broad power—use sparingly |
| sudo -u www-data cmd | Drop to another user | Still subject to sudoers rules |
| sudo -l | List allowed commands | Great first step on unfamiliar systems |

Editing policy safely

Never edit /etc/sudoers with a normal editor without locking—use visudo (or visudo -f /etc/sudoers.d/custom) so syntax is validated before save. A broken sudoers file can lock everyone out of privilege elevation.

Security mindset

NOPASSWD is convenient and risky on workstations with untrusted code. Combine sudo with SSH keys + MFA, central logging, and minimal PATH inside privileged scripts.


Frequently Asked Questions

Q. Why does sudo ask for my password, not root's?

sudo authenticates you to prove physical presence, then checks sudoers to see if your account may run the requested command as root. You typically do not need the root password.

Q. What is the sudo timestamp ticket?

After you enter your password successfully, sudo may cache the authentication for a few minutes (timestamp_timeout) so repeated sudo commands do not re-prompt. Clear the ticket with sudo -k or wait for the timeout.

Q. What does sudoers NOPASSWD mean?

The listed user or group may run the matching command(s) without typing a password—convenient for automation but dangerous if malware can invoke those binaries.

Q. Is sudo a security boundary?

It is policy enforcement on top of the kernel, not magic. Misconfigured sudoers (editors, wildcards, shell escapes) can allow privilege escalation—treat reviews as seriously as firewall rules.

Q. Why did my command fail inside sudo?

Environment differences: PATH, HOME, and shell builtins may differ. Use full paths for scripts, or sudo -H / sudo -E deliberately when you understand the implications.

Q. How is doas different from sudo?

OpenBSD's doas is a smaller alternative with simpler configuration. Many Linux systems still standardize on sudo and sudoers.d snippets.

Q. Should I disable the root account?

Many distros ship without a known root password and expect sudo. Ensure at least one user can sudo before locking root, and keep recovery console access documented.

Q. Where are sudo attempts logged?

Typically syslog (auth.log, secure, or journald) with lines containing sudo: and the invoking user—ship these logs to your SIEM for tamper-resistant auditing.
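
A review aid for the sudoers risks named under "Security mindset" and "Is sudo a security boundary?" (NOPASSWD, editors, wildcards, shell escapes), added here as an example and not part of the original page: a small Python lint that reads sudoers text and lists the command entries a reviewer should look at. The ESCAPE_PRONE list and the sample policy are assumptions constructed for illustration; aliases are not expanded and included files are not followed.

```python
import re

# Programs that can start a shell or write arbitrary files when run as root.
# Illustrative list assumed for this example; extend it for your environment.
ESCAPE_PRONE = {"vi", "vim", "nano", "less", "more", "man", "find",
                "awk", "env", "sh", "bash", "python3", "perl"}
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias",
        "Host_Alias", "Cmnd_Alias", "Cmd_Alias")    # comments, includes, settings
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(.+)$")  # who host = command specs
TAG = re.compile(r"^([A-Z_]+):\s*")                 # NOPASSWD:, NOEXEC:, ...

def audit_sudoers(text):
    """Return (who, command, findings) for each command that needs review."""
    results = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        rule = RULE.match(line)
        if line.startswith(SKIP) or not rule:
            continue
        who, specs = rule.groups()
        specs = re.sub(r"\([^)]*\)", "", specs)  # drop (runas) specifications
        nopasswd = False                         # a tag applies until overridden
        for item in map(str.strip, re.split(r"(?<!\\),", specs)):
            while (tag := TAG.match(item)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag.group(1), nopasswd)
                item = item[tag.end():]
            program = item.split()[0].rsplit("/", 1)[-1] if item else ""
            findings = []
            if item == "ALL":
                findings.append("any command")
            if program in ESCAPE_PRONE:
                findings.append("editor or shell escape")
            if "*" in item:
                findings.append("wildcard")
            if nopasswd and item:
                findings.append("NOPASSWD")
            if findings:
                results.append((who, item, findings))
    return results

# Constructed sample policy, not taken from any real system.
SAMPLE = """\
Defaults timestamp_timeout=5
deploy  ALL=(root) /usr/bin/systemctl restart nginx
ci      ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/vim /etc/nginx/nginx.conf
%ops    ALL=(ALL : ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/* /mnt/backup/
"""
for row in audit_sudoers(SAMPLE):
    print(row)
```

The deploy rule produces no finding because it names one fixed command and still requires a password; every other rule is listed with the reason it deserves a second look.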