sudo system

you are not root. but you can pretend to be.

The sudo man page is 800 lines long. You need one word — the one you already type before half your commands without fully understanding what it does.

You’ve been typing sudo in front of things for years. Something didn’t work. You added sudo. It worked. You moved on. You have no idea what just happened. You don’t know what permissions you just escalated, how long those permissions last, or why your coworker’s machine doesn’t even ask for a password anymore. You just know that sudo is the magic word that makes “Permission denied” go away.

On Windows, the equivalent is UAC — User Account Control. That dialog that pops up and says “Do you want to allow this app to make changes to your device?” with a Yes and a No button. You click Yes. Every time. Without reading it. Every. Single. Time. You’ve trained yourself to reflexively click through the one security barrier between you and catastrophe. It’s Pavlovian at this point. The dialog appears, your finger moves to Yes, and the app does whatever it wants. You’re not making a security decision — you’re dismissing a notification.

sudo is more honest. It asks for your password, not a yes/no click. It logs what you did. It can be configured to control exactly who can run what. It’s the difference between a bouncer checking IDs and a door that says “push to open.”

Unless you’re running Windows, in which case wtf, none of this applies to you. But hey, come to the dark side, go install WSL2 and you can follow along. We’ll wait. Impatiently.

If you’re lazy like me (all sysadmins are!) then skip ahead to the sudo cheat sheet at the bottom of this page.


Run a command as root

sudo apt update

That’s it. sudo runs the command that follows it as root. You type your password (not root’s password — yours), and the command executes with full root privileges. Your password is cached for 15 minutes by default, so you don’t have to retype it for every command in a burst.

You already know this. But do you know what happens if you just type:

sudo

Nothing useful. It prints a usage message. sudo is not a shell. It’s a prefix. It escalates the single command that comes after it.


Run a command as another user

sudo -u postgres psql

-u lets you run a command as any user, not just root. This is how you interact with service accounts without knowing their password or switching to them permanently. Your DBA uses this twelve times a day.

sudo -u www-data cat /var/www/html/.htaccess

Read a file that only the web server user can read. No chmod, no copying, no “temporarily change the permissions and forget to change them back.”


Get a root shell

Sometimes you need to run five commands in a row as root. Typing sudo five times is tedious.

Login shell (full root environment)

sudo -i

Drops you into a root shell as if you logged in as root. Sets root’s HOME, loads root’s .bashrc, changes to root’s home directory. Your prompt changes to root@hostname:~#. Type exit when you’re done.

Shell with your environment

sudo -s

Opens a root shell but keeps your current environment variables, working directory, and shell config. Use this when you need root but want to stay where you are.

Run a single command in a login shell

sudo -i command

Runs one command in root’s full environment without dropping you into a shell. Useful when the command depends on root’s PATH or environment.


The “I forgot sudo” trick

You ran a command. It failed because you forgot sudo. You don’t want to retype the whole thing.

sudo !!

!! is bash history expansion for “the last command.” sudo !! reruns it with root privileges. You’ll use this at least once a week. Probably more. (We covered this on the bash page too, but it’s worth repeating because it’s that useful.)


Check what you’re allowed to do

sudo -l

Lists every command you’re allowed to run via sudo and on which hosts. If your sysadmin has locked you down to specific commands, this tells you exactly what you can and can’t do.

sudo -l -U deploy

Check what another user is allowed to do. For when you’re the sysadmin trying to audit permissions.


Preserve environment variables

sudo -E command

By default, sudo strips most environment variables for security (your PATH, HOME, etc. get reset). -E preserves your entire environment. Useful when a command needs environment variables you’ve set — like HTTP_PROXY or custom paths.

sudo -E env | grep PROXY

Verify that your proxy settings survived the escalation.


Edit files safely (sudoedit)

sudoedit /etc/hosts

Lets you edit a root-owned file in your default editor, but the editor itself runs as you, not root: sudoedit hands the editor a temporary copy and writes it back with root privileges once you save and quit. This is safer than sudo vim /etc/hosts because a compromised editor plugin can’t run arbitrary code as root.

Equivalent to sudo -e /etc/hosts. Same thing, different spelling.


Reset your cached credentials

sudo -k

Forgets your cached password immediately. The next sudo will ask for your password again. Use this when you’re stepping away from your terminal on a shared machine, or when you’re paranoid (which, in security, is just called “professional”).

sudo -K

Capital K. Removes the timestamp file entirely. More thorough than -k but the practical effect is the same — you’ll be prompted next time.


Run something in the background with sudo

sudo nohup ./long-running-script.sh &

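Runs a root-level process in the background that survives your terminal closing. For deployments, maintenance scripts, or anything that takes longer than your attention span. A job backgrounded with & can’t read your password from the terminal, so cache your credentials first with sudo -v (or use sudo -b, which prompts before it backgrounds the command).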


The flags that actually matter

Flag             What it does
-u USER          Run as USER instead of root.
-i               Login shell — full root environment.
-s               Shell — root shell, keeps your environment.
-l               List what commands you’re allowed to run.
-E               Preserve your environment variables.
-e / sudoedit    Edit a file safely (editor runs as you).
-k               Kill cached credentials (re-prompt next time).
-n               Non-interactive — fail instead of prompting for password.
-b               Run command in background.

“But I just log in as root—”

No. Stop.

“I just su to root.” su requires knowing the root password. On a team, that means sharing the root password. Among multiple people. Who might leave the company. sudo uses your own password and logs exactly who ran what. When the auditor asks “who deleted /var/log,” you have an answer.
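To make the “who ran what” answer concrete, here is an added example (not part of the original article) that turns sudo’s syslog records into one row per event. The log lines are constructed, the function names sudo_events, who_ran and sudo_denied are hypothetical, and the traditional "Mon DD HH:MM:SS host sudo:" line layout is assumed.

```shell
#!/usr/bin/env bash
# Assumes the traditional syslog layout: "Mon DD HH:MM:SS host sudo: user : ...".

# Constructed sample lines, not taken from a real host.
sample_log() {
cat <<'EOF'
Mar  3 09:12:44 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:40:02 web01 sudo:      bob : TTY=pts/2 ; PWD=/var ; USER=root ; COMMAND=/usr/bin/rm -rf /var/log
Mar  3 09:41:10 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Mar  3 09:45:31 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql
Mar  3 09:50:00 web01 sudo:  mallory : user NOT in sudoers ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/cat /etc/sudoers
Mar  3 09:51:00 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  3 10:02:17 web01 sudo:     dave : TTY=pts/4 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/sh -c systemctl stop app ; systemctl start app
EOF
}

# Emit one TSV row per sudo event: time, user, run-as user, status, command.
sudo_events() {
    awk '
    $5 == "sudo:" && $7 == ":" && /COMMAND=/ {
        rest = substr($0, index($0, " : ") + 3)     # everything after "user : "
        c = index(rest, "COMMAND=")
        cmd = substr(rest, c + 8)                   # COMMAND is last and may contain " ; "
        n = split(substr(rest, 1, c - 1), f, " ; ")
        status = "ok"; runas = "?"
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^USER=/) runas = substr(f[i], 6)
            else if (f[i] != "" && f[i] !~ /^[A-Z]+=/) status = f[i]   # failure text
        }
        printf "%s %s %s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $6, runas, status, cmd
    }'
}

# Who successfully ran a command matching the regex in $1? Prints user and command.
who_ran() {
    sudo_events | awk -F'\t' -v re="$1" '$4 == "ok" && $5 ~ re { print $2 "\t" $5 }'
}

# Failed or denied attempts: every event whose status is not "ok".
sudo_denied() {
    sudo_events | awk -F'\t' '$4 != "ok" { print $2 "\t" $4 }'
}

sample_log | who_ran '/var/log'
sample_log | sudo_denied
```

On a real host the input is usually /var/log/auth.log (Debian, Ubuntu) or /var/log/secure (RHEL family) instead of sample_log.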

“I set NOPASSWD for everything.” Congratulations, you’ve turned sudo into a formality. Any process running as your user can now silently escalate to root. Any compromised script, any malicious cron job, any typo in a shell script — full root access, no questions asked. You traded three seconds of typing your password for a permanent security hole.

“Windows UAC is the same thing.” UAC is a yes/no dialog that most users have trained themselves to click through. It doesn’t log what was escalated. It doesn’t restrict which programs can request elevation. It doesn’t let you grant specific users access to specific commands. It’s a speed bump on a highway with no speed limit.

“I disabled the sudo password timeout.” The 15-minute timeout exists so that if you walk away from your terminal, your cached credentials expire. Disabling it means anyone who sits down at your unlocked terminal has permanent root access. Including your cat. Especially your cat.
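The NOPASSWD and timeout habits above can be checked for mechanically. This added example (not from the original article) scans sudoers text for blanket NOPASSWD rules and for timestamp_timeout values that never expire or exceed the 15 minutes the article cites; the policy text is constructed, audit_sudoers and the finding labels are hypothetical names, and includes and backslash-continued lines are not followed.

```shell
#!/usr/bin/env bash
# Constructed sample policy, not taken from a real host.
sample_sudoers() {
cat <<'EOF'
# constructed sample policy
Defaults        env_reset
Defaults        timestamp_timeout=-1
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL:ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
Defaults:bob    timestamp_timeout=120
EOF
}

# Print "FINDING<TAB>line<TAB>rule" for each risky entry read from stdin.
# $1 = longest acceptable timeout in minutes (assumed default: 15).
audit_sudoers() {
    awk -v max="${1:-15}" '
    /^[ \t]*(#|$)/ { next }      # comments and blanks (also skips #include lines)
    $1 ~ /^Defaults/ {
        if (match($0, /timestamp_timeout=-?[0-9.]+/)) {
            v = substr($0, RSTART + 18, RLENGTH - 18) + 0   # 18 = length of "timestamp_timeout="
            if (v < 0)        print "TIMEOUT_NEVER_EXPIRES\t" NR "\t" $0
            else if (v > max) print "TIMEOUT_LONG\t" NR "\t" $0
        }
        next
    }
    # Passwordless root for every command: the case the article warns about.
    /NOPASSWD:[ \t]*ALL[ \t]*(,|$)/ { print "NOPASSWD_ALL\t" NR "\t" $0; next }
    # Passwordless but limited to named commands: listed for review, not an alarm.
    /NOPASSWD:/ { print "NOPASSWD_SCOPED\t" NR "\t" $0 }
    '
}

sample_sudoers | audit_sudoers
```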

“On my home machine it doesn’t matter.” It matters when you sudo rm -rf / instead of sudo rm -rf ./tmp. It matters when a script you downloaded runs sudo and you don’t notice. It matters because good habits on your home machine become good habits on production servers.


sudo cheat sheet

You made it. Or you skipped straight here. Either way, no judgment. Copy and paste these. Pin them. Tattoo them on your forearm. Whatever works.

What you’re doing                  Command
Run a command as root              sudo command
Run as another user                sudo -u user command
Root login shell                   sudo -i
Root shell (keep environment)      sudo -s
Repeat last command with sudo      sudo !!
Check your sudo permissions        sudo -l
Edit a file safely                 sudoedit /etc/filename
Preserve environment variables     sudo -E command
Forget cached credentials          sudo -k
Run in background as root          sudo nohup command &

The one command: sudo -l — find out what you’re actually allowed to do. Most people have no idea what their sudo policy permits. Now you will.
