El comando sudo en Linux: ejecutar comandos como superusuario

Introduction

In the Linux world, privilege management is essential to maintain system security and stability. The sudo command allows users to run tasks that require superuser permissions without the need to log in directly as root. This reduces the risk of accidental errors and improves the traceability of actions. In this article we will explore what is sudo, how your authorisation mechanism works, how to set it properly by using the sudoers file and some practical examples of use. In addition, we will review best practices to use sudo safely and avoid common vulnerabilities.

What's sudo?

Sudo, which means "superuser do," is a utility present in almost all Linux distributions. Its main function is to allow an authorized user to run a command with the privileges of another user, usually the root, without knowing the password of that account. Instead, the user introduces his own password, which is verified against the / etc / sudoers configuration file. If authentication is correct and the user has permission for the requested command, sudo temporarily elevates its privileges and executes the order. This policy-based model offers granular control over who can do what and when.

How sudo works

When sudo is invoked, the program first checks the / etc / sudoers file (or the files included in / etc / sudoers.d /) to determine whether the user calling it is authorized to run the specified command. Verification includes comparison of user name, host, and possibly labels such as NOPASSWD or password requirement. If everything matches, sudo requests the user's password (unless NOPASSWD has been configured for that rule). After validating the credential, sudo creates a child process with the target user's UID and GID (usually root) and runs the requested command. Once completed, the process returns to the original privilege level and the action is recorded in the system's log, usually in / var / log / auth.log or / var / log / secure.

Basic Sudoers file configuration

The sudoers file is the heart of sudo policy. Edit it directly with a text editor can be dangerous; therefore it is recommended to use the visudo command, which verifies the syntax before saving the changes. A typical rule has the form:usuario host=(usuario_objeto:grupo_objeto) comando. For example, to allow the juan user to run any command on all machines like root, it would be written:juan ALL=(ALL:ALL) ALL. If you want to be able to restart the apache service without asking for a password, you would add:juan ALL=(ALL) NOPASSWD: /bin/systemctl restart apache2. It is possible to group users by alias and define complex commands with complete routes to avoid ambiguities.

Examples of common use

Update the system:sudo apt update && sudo apt upgrade -y

Install a package:sudo snap install code --classic

See kernel logs:sudo dmesg | less

Change the password of another user:sudo passwd usuario

Mounting a file system:sudo mount /dev/sdb1 /mnt/backup

Each of these examples shows how sudo is placed in front of the command that requires high privileges. It is important to write the complete executable route when using NOPASSWD rules to prevent a malicious user from replacing a binary with PATH.

Good security practices

Use visudo to edit sudoers and avoid syntax errors that can block access.

Limit privileges to the minimum necessary: grant only the specific commands required.

Avoid the use of NOPASSWD except in controlled automation cases and always restrict the command to an exact route.

Review the sudoers file and sudo logs regularly to detect unauthorized uses.

Consider authentication of two factors (2FA) for sudo access by pam _ yubic or similar.

Following these recommendations, the attack surface is significantly reduced and a clear record of who did what action in the system is maintained.

Conclusion

The Sudo command is an essential tool in Linux management, as it provides a balance between usability and security. Understanding its functioning, correctly configuring it and applying good practices allows managers to delegate privileged tasks without compromising the integrity of the system. Whether you are managing a production server or a personal workstation, mastering sudo will give you greater control and tranquility in your Linux environment.