Learn how to grant, restrict and audit sudo rights so users can perform administrative tasks without exposing the whole system.

16.11.2025

Sudo lets a user run specific commands with elevated privileges; configured poorly it becomes a big risk, configured well it solves real operational needs.

Hands-on example

Create a user, add them to the distribution's sudo group, and then show a fine-grained sudoers entry:

```
sudo adduser devjoe
sudo usermod -aG sudo devjoe

# verify membership
id devjoe
# sample output:
#   uid=1001(devjoe) gid=1001(devjoe) groups=1001(devjoe),27(sudo)

# restrict a single command via visudo snippet
# add file /etc/sudoers.d/devjoe
# content:
#   devjoe ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2

# check allowed commands from root's view
sudo -l -U devjoe
# sample output (drop-in rule only; rules granted via the sudo group would be listed as well):
#   User devjoe may run the following commands on this host:
#       (root) NOPASSWD: /usr/bin/systemctl restart apache2
```

Practical considerations

Use `visudo` to avoid syntax errors and prefer small files under `/etc/sudoers.d` so changes are auditable. Prefer group-based grants on workstations and restrictive `Cmnd_Alias` entries on servers. Avoid `NOPASSWD` for broad privileges and tune `timestamp_timeout` to limit unattended sudo windows.

Logging and troubleshooting

Audit sudo activity in `/var/log/auth.log` or `/var/log/secure`, depending on the distro, and use `sudo -l -U username` to verify effective rights. When a user reports authorization failures, check group membership, sudoers syntax, and SELinux or AppArmor denials, which may block execution.

Related authorization methods

Consider complementary tools: `polkit` for GUI and daemon permissions, `su` for full-session switches, and filesystem ACLs when command-level control is insufficient. Each tool has a different threat model and different operational trade-offs.
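The log audit described under "Logging and troubleshooting", as an added example that is not part of the original page: it extracts sudo events from an auth log, counts refused attempts per user, and lists commands a user ran successfully outside the single rule from the hands-on example. The function names are hypothetical, the log lines are constructed, and the parsing assumes sudo's classic syslog line format.

```shell
#!/bin/sh
# Added example (not from the original page): summarise sudo events in an auth log.
# Assumes sudo's classic syslog format; the log lines in sample_log are constructed.

# sudo_events FILE -> user<TAB>status<TAB>runas<TAB>command, one line per event
sudo_events() {
  awk -v OFS='\t' '
    / sudo[^ :]*: / && /COMMAND=/ {
      rest = $0
      sub(/^.* sudo[^ :]*: +/, "", rest)            # drop timestamp, host, tag
      user = rest; sub(/ : .*/, "", user)
      detail = substr(rest, length(user) + 4)       # text after "user : "
      sub(/ ;.*/, "", detail)
      # a successful run starts with TTY=; a refusal starts with the reason
      status = (detail ~ /^TTY=/) ? "ALLOWED" : "DENIED: " detail
      runas = substr(rest, index(rest, " USER=") + 6); sub(/ ;.*/, "", runas)
      cmd = substr(rest, index(rest, "COMMAND=") + 8)
      print user, status, runas, cmd
    }' "$1"
}

# sudo_denied_by_user FILE -> "user count" for refused attempts
sudo_denied_by_user() {
  sudo_events "$1" |
    awk -F'\t' '$2 ~ /^DENIED/ { n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# sudo_outside_rule FILE USER COMMAND -> commands USER ran successfully other
# than COMMAND, i.e. some broader rule (such as a group grant) also applies
sudo_outside_rule() {
  sudo_events "$1" |
    awk -F'\t' -v u="$2" -v c="$3" '$1 == u && $2 == "ALLOWED" && $4 != c { print $4 }'
}

sample_log() {
  cat <<'EOF'
Nov 16 10:02:11 web01 sudo:   devjoe : TTY=pts/0 ; PWD=/home/devjoe ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2
Nov 16 10:02:11 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by devjoe(uid=1001)
Nov 16 10:05:40 web01 sudo:   devjoe : TTY=pts/0 ; PWD=/home/devjoe ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
Nov 16 10:07:02 web01 sudo:    guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/id
Nov 16 10:09:30 web01 sudo:   devops : command not allowed ; TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/systemctl stop apache2
EOF
}

log=$(mktemp)
sample_log > "$log"
sudo_events "$log"
sudo_denied_by_user "$log"
sudo_outside_rule "$log" devjoe "/usr/bin/systemctl restart apache2"
rm -f "$log"
```

To audit a real host, pass `/var/log/auth.log` or `/var/log/secure` to the functions instead of the sample file; any output from `sudo_outside_rule` means the user holds more than the single-command grant.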
Next steps

Start by practicing safe, minimal grants on a test host and iterate toward an auditable sudoers.d layout. Deeper mastery of privilege delegation is a strong skill for any sysadmin seeking certification or career growth, and bitsandbytes.academy offers intensive exam preparation for CompTIA Linux+ and LPIC-1.