
ZDNET’s key takeaways
- Sudo is a powerful but imperfect Linux tool.
- These tips can help make using sudo easier and safer.
- Always use caution when monkeying with sudo.
I started using Linux prior to the advent of sudo. Back then, any time I needed to run admin tasks, I had to first su to the root user, run the task, and then exit the root user. Because root was enabled, some users would simply log in as root and forgo a standard user account altogether. That’s a security risk no one should take.
And then came the sudo command.
Sudo is a tool that temporarily elevates standard users to admin privileges so they can run commands like apt-get upgrade without having to invoke the root user. In fact, sudo makes it possible to disable the root account, which is good for security.
But sudo isn’t perfect. Here are five ways to improve sudo and make your Linux life a bit easier.
1. Use visudo for editing the sudo configuration file
Sudo has a configuration file, which is /etc/sudoers. This is where you can configure sudo for things like limited access, user or group access, and more. The thing is, you don’t want to edit the sudoers file using a standard text editor (such as nano). The reason for this is that if you fubar the sudoers file, you could wind up unable to run any elevated task (such as editing the sudoers file to fix the problem). To avoid this, use visudo (sudo visudo). The visudo tool always verifies any changes you’ve made. If there are any issues, visudo will let you know and prevent you from saving the malformed file.
2. Prevent unlimited access to users
You probably don’t want all of your users to have access to every admin command. For example, you might want to prevent users from removing admin-protected files (such as those in /etc), to preserve the stability of your system (i.e., keep users from breaking it). To do that, you configure users or groups in the sudoers file with the ! character. For example, if you want to block a specific user from running the rm command, you would add a line like this:
USERNAME ALL=(ALL) !/usr/bin/rm
Where USERNAME is the name of the user.
This can also be used for groups.
3. Grant sudo access to groups instead of users
Speaking of groups, it’s always easier to manage privilege and access with groups instead of a long list of users. Consider this: You have five family members who access one Linux machine, and you want to block them all from using the rm command. You could create the group norm (for no rm), add all five users to that group, and then grant access to that group in the same way you did above (only using the group name instead of the username).
4. Do not grant all root privileges
Most users don’t realize that it could be a security issue to grant all users all root privileges. What happens if a ne’er-do-well gains access to a user account on your system? If that intruder knows the user’s password, they can run any command that requires sudo access. Granting all root privileges to a user looks like this in the sudoers file:
USERNAME ALL=(ALL:ALL) ALL
Where USERNAME is the name of the user in question.
Instead, grant access only to specific directories other than /sbin, which contains many of the executable binaries for admin tasks. For example, you might want to limit that user to /usr/sbin/, /usr/bin/, and /opt/ like so:
USER ALL=(ALL) PASSWD: /usr/sbin/, /usr/bin/, /opt/
Do note the trailing “/” for each directory, which is necessary.
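As an added example (not from the original article), the Python sketch below audits sudoers rules of the three shapes shown in tips 2 through 4 and reports which are per-user, unrestricted, deny-only, or directory-wide. The sample rules, the user and group names, and the audit function are constructed for illustration; it assumes one rule per line with no aliases or line continuations, and writes groups with the leading % that sudoers uses for group names.

```python
import re

# Constructed sample: the rule shapes from tips 2-4 plus two group rules.
SAMPLE = """\
# constructed sudoers fragment, not from a real host
Defaults env_reset
alice ALL=(ALL:ALL) ALL
bob ALL=(ALL) !/usr/bin/rm
carol ALL=(ALL) PASSWD: /usr/sbin/, /usr/bin/, /opt/
%norm ALL=(ALL) !/usr/bin/rm
%backup ALL=(root) /usr/bin/rsync
"""

# WHO HOST = (RUNAS) COMMANDS, where the (RUNAS) part is optional.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$"
)
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as PASSWD: or NOPASSWD:
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def audit(text):
    """Return (line_number, who, finding) tuples for rules worth reviewing."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who = m["who"]
        cmds = [TAG.sub("", c.strip()) for c in m["cmds"].split(",")]
        if not who.startswith("%"):
            findings.append((n, who, "per-user rule"))   # tip 3: prefer groups
        if "ALL" in cmds:
            findings.append((n, who, "unrestricted"))    # tip 4: every command
        if all(c.startswith("!") for c in cmds):
            findings.append((n, who, "deny-only"))       # tip 2: only negations
        for c in cmds:
            if c.endswith("/"):
                findings.append((n, who, "directory " + c))  # whole directory
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A deny-only rule grants nothing by itself and only narrows another rule that already matches the user; because sudoers uses the last matching entry, it has to come after that rule. A directory entry allows every executable in that directory, but not in its subdirectories.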
5. Enable asterisks when typing sudo passwords
This one falls into the “make sudo easier” category. Sometimes, when I type my user password, I don’t know if I got it right. If I know how many characters I typed, at least I can make an educated guess as to whether or not I’ve typed the right number of characters. At the same time, I might hit a key on my keyboard in such a way that it doesn’t register. If I enable asterisks when typing, I know that the key is registered.
To enable asterisks when typing sudo passwords, open the sudo config file (sudo visudo) and change the following line:
Defaults env_reset
To:
Defaults env_reset, pwfeedback
Now, when you type your sudo password, you’ll see an asterisk appear for each typed character.
6. Increase the password timeout
When you type your sudo password, you won’t have to type it again for a set period of time. Each distribution might have a different idea of what that timeout should be, but you might not think it’s long enough. If you’re the only one who uses your Linux machine, and you frequently run admin commands, you might want to extend that timeout to, say, 30 minutes. To do that, run the sudo visudo command and go back to the Defaults env_reset line. Change that line so it looks like:
Defaults env_reset, timestamp_timeout=XX
Where XX is the time in minutes. For example, to change that timeout to 30 minutes, the line would look like this:
Defaults env_reset, timestamp_timeout=30
7. Enable insults for incorrect password attempts
This one is just for fun. If you incorrectly type your sudo password, you can have sudo insult you for it. The insults are all in good fun, so you don’t have to worry that sudo is going to know what buttons to push to make you spiral. To add this feature, go back to the sudoers file and the Defaults line. Change that line to look like this:
Defaults env_reset, insults
If you’ve decided to add the other features, that line might look like this:
Defaults env_reset, pwfeedback, timestamp_timeout=30, insults
Now, sudo will have a bit of fun with you.