This document provides a complete guide to understanding sudo, the sudoers file, and various methods of privilege escalation in Linux systems.
sudo stands for "superuser do". It allows a permitted user to execute a command as another user, typically as the root user, without logging in as root.
sudo command
Example:
sudo apt update
sudo uses /etc/sudoers to control permissions.
Privilege escalation refers to techniques used to gain elevated access to system resources.
Sudo is the legitimate method for vertical escalation in Linux.
The configuration file that controls sudo behavior is:
/etc/sudoers
NEVER edit it directly with regular editors (nano, vi, etc.) as syntax errors can lock you out of sudo.
Use:
sudo visudo
visudo opens /etc/sudoers in a syntax-checking editor.
It defaults to vi or the editor set in $EDITOR.
To use nano instead:
sudo EDITOR=nano visudo
Sudoers entries follow this structure:
user host = (runas_user) command
john ALL=(ALL) ALL
Meaning: user john can run any command as any user on any host.
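Full access (any command, as any user, on any host):
john ALL=(ALL) ALL
One specific command only:
john ALL=(ALL) /usr/bin/systemctl restart apache2
Run a command as a specific user:
john ALL=(www-data) /usr/bin/php
Group rule:
%admin ALL=(ALL) ALL
%groupname: Apply to all users in that group.
Example for allowing the developers group to restart a service:
%developers ALL=(ALL) /bin/systemctl restart nginx
Run a command without a password prompt:
john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
Deny a command (negated entries match by path only and do not reliably block a program, so prefer listing only the allowed commands):
john ALL=(ALL) !/bin/rm
Multiple commands in one rule:
john ALL=(ALL) NOPASSWD: /sbin/reboot, /sbin/shutdown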
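Rules like the ones above can be reviewed mechanically. The Python code below is an added example, not part of the original guide: it flags NOPASSWD, a blanket ALL command, and negated commands in sudoers-style text. The function names and finding labels are this example's own, the sample input is constructed from the rules on this page, and only simple one-line user rules are handled.

```python
import re

# Matches the "user host = (runas_user) command" structure of a user rule.
RULE = re.compile(r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*"
                  r"(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")      # e.g. "NOPASSWD:" before a command
COMMENT = re.compile(r"(^|\s)#(?!\d).*")     # keep "#1000"-style uid references

def audit_rule(line):
    """Return sorted finding labels (this example's own names) for one line."""
    line = COMMENT.sub("", line).strip()
    m = RULE.match(line)
    if not m or m["who"].startswith("Defaults") or m["who"].endswith("_Alias"):
        return []                            # comment, include, Defaults or alias
    findings = set()
    for cmd in m["cmds"].split(","):         # limitation: escaped "\," not handled
        cmd = cmd.strip()
        tags = TAGS.match(cmd)
        if tags:
            if "NOPASSWD:" in tags.group(0):
                findings.add("nopasswd")     # runs without a password prompt
            cmd = cmd[tags.end():]
        if cmd.startswith("!"):
            findings.add("negation")         # deny entry, matched by path only
            cmd = cmd[1:].lstrip()
        if cmd == "ALL":
            findings.add("all-commands")     # unrestricted command set
    return sorted(findings)

def audit(text):
    """Audit sudoers-style text; return [(line_number, who, findings), ...]."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        findings = audit_rule(line)
        if findings:
            report.append((number, line.split()[0], findings))
    return report

# Constructed sample built from the rules shown on this page.
SAMPLE = """\
# constructed sample, not a real system's sudoers
john ALL=(ALL) ALL
john ALL=(www-data) /usr/bin/php
%developers ALL=(ALL) /bin/systemctl restart nginx
john ALL=(ALL) NOPASSWD: /sbin/reboot, /sbin/shutdown
john ALL=(ALL) !/bin/rm
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

This is a review aid for rules that already parse; syntax validation stays with visudo.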
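Open a root login shell:
sudo -i
Or:
sudo su -
Run a command as another user:
sudo -u username command
Example:
sudo -u www-data whoami
Edit a file with elevated privileges:
sudoedit /etc/hostname
or the equivalent sudo -e form (both edit a temporary copy as your own user and copy it back when the editor exits; unlike visudo, no syntax check is performed):
sudo -e /etc/hostname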
Use visudo to edit sudoers.
Avoid NOPASSWD unless truly needed.
Specify commands by full path (e.g. /bin/systemctl).
Review the sudo logs (/var/log/auth.log on Debian/Ubuntu).
Sudo logs commands in:
/var/log/auth.log # Debian/Ubuntu
/var/log/secure # RHEL/CentOS
journalctl _COMM=sudo # Systemd-based systems
To search the log for sudo activity:
grep sudo /var/log/auth.log
man sudo
man sudoers
visudo Documentation
✅ Use this guide as a system administrator reference to control user access, elevate privileges securely, and avoid misconfigurations in Linux sudoers setup.