Skip to main content
Controlling who can perform administrative tasks is crucial for system security. In this guide, you’ll learn how to grant and restrict sudo access on Linux, manage entries in /etc/sudoers, and apply fine-grained policies for different users and groups.

Using sudo

By default, only the root (superuser) can modify system-critical files and settings. Prefixing a command with sudo elevates it to root privileges: 
$ sudo apt update
When running sudo for the first time, you’ll be prompted for your password—not the root password.

Granting sudo via the wheel group

Many Linux distributions allow members of the wheel group to use sudo: 
$ groups
aaron family wheel
To add a user (e.g., trinity) to wheel: 
$ sudo gpasswd -a trinity wheel
Now trinity can execute any command with sudo, which is easy but lacks fine control.

Fine-grained control with /etc/sudoers

Instead of a broad group assignment, define precise policies in /etc/sudoers. Never edit that file directly! Always use visudo, which validates syntax. 
$ sudo visudo
Inside, you’ll find a line like: 
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
A malformed /etc/sudoers can lock out all sudo access. Always use visudo to edit safely.

Breakdown of a sudoers entry

PartDescriptionExample
User/GroupRule applies to this user (e.g., trinity) or group (%devs)trinity
%developers
HostHosts where the rule is valid (ALL for every host)ALL
Run asUser(s) the command may run as (in parentheses)(ALL), (aaron,john)
CommandsWhich commands are allowed/bin/ls, /usr/bin/vim

Defining custom sudoers policies

Below are sample entries to append near the end of /etc/sudoers via visudo: 
# 1. Allow trinity to run any command as any user (including root)
trinity ALL=(ALL) ALL

# 2. Grant all members of 'developers' the same privilege
%developers ALL=(ALL) ALL

# 3. Permit trinity to run any command, but only as aaron or john
trinity ALL=(aaron,john) ALL

# 4. Shortcut: run as root (default) without specifying run-as list
trinity ALL=ALL

# 5. Restrict trinity to only run /bin/ls and /bin/stat as root
trinity ALL=(ALL) /bin/ls, /bin/stat

# 6. Same as above, omitting the run-as list (defaults to root)
trinity ALL= /bin/ls, /bin/stat

Running commands as another user

Beyond root, you can invoke commands as any user: 
$ sudo -u trinity ls /home/trinity
Desktop  Documents  Downloads  Music  Pictures

Handling “Permission denied” errors

If a user invokes a disallowed command, sudo reports: 
$ sudo echo "Test passed?"
Sorry, user trinity is not allowed to execute '/bin/echo Test passed?' as root on server01.

Disabling the password prompt

To let a user run commands without entering their password, add NOPASSWD:: 
# Allow trinity to run any command without a password
trinity ALL=(ALL) NOPASSWD: ALL
Use NOPASSWD: sparingly; it increases convenience but may reduce auditability.

Watch Video

Practice Lab