sudo vs root: best practice

Practical Linux guide: sudo vs root: best practice without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Run daily admin with sudo instead of a root login — audit trail, narrower blast radius, and alignment with how Debian/Ubuntu and RHEL ship by default.

1) Why avoid root login

  • sudo logs commands to /var/log/auth.log or journald.
  • Typos run as your user first; you must prefix destructive commands consciously.
  • Setting PermitRootLogin no in sshd_config blocks a huge class of SSH brute-force attacks that target the root account.

2) Grant sudo to a user (Debian/Ubuntu)

sudo usermod -aG sudo username
# RHEL/Fedora group is usually wheel:
sudo usermod -aG wheel username

3) Limited sudo for scripts

sudo visudo -f /etc/sudoers.d/deploy
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp

4) When root is still used

Single-user recovery, initramfs shells, and some installers require root. Return to sudo for normal ops immediately after.

Verify

sudo -l
whoami
id

5) sudo timeout and insults

Defaults timestamp_timeout=15
Defaults passwd_tries=3

Configure via visudo. A shorter timestamp_timeout forces re-authentication in idle admin shells; passwd_tries caps the password attempts per sudo invocation.

6) Audit sudo usage

grep sudo /var/log/auth.log | tail
journalctl _COMM=sudo --since today
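The two commands above only pull raw lines. The following POSIX sh snippet is an added example (not part of the original guide) that classifies sudo's syslog-format lines into successful, policy-denied and bad-password invocations and lists the denied commands. The log lines in sudo_sample_log are constructed for the example and the function names are mine; the parser accepts both the plain "sudo:" prefix rsyslog writes to auth.log and the "sudo[pid]:" prefix journalctl shows.

```shell
#!/bin/sh
# Added example: summarise sudo activity from syslog-style log lines.
# The log lines below are constructed for this example, not taken from a real host.

# Constructed sample in the format sudo writes to auth.log / journald.
# Note the pam_unix lines: a bare "grep sudo" matches them too, which is why the
# parser keys on "COMMAND=" rather than on the word sudo alone.
sudo_sample_log() {
  cat <<'EOF'
Jun  9 10:15:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart myapp
Jun  9 10:15:01 web1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Jun  9 10:17:42 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/shadow
Jun  9 10:20:05 web1 sudo: pam_unix(sudo:auth): authentication failure; logname=carol uid=1002 euid=0 tty=/dev/pts/2 ruser=carol rhost=  user=carol
Jun  9 10:20:30 web1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jun 09 10:25:11 web1 sudo[2311]:   deploy : TTY=unknown ; PWD=/opt/myapp ; USER=root ; COMMAND=/usr/bin/systemctl restart myapp
EOF
}

# Classify each sudo invocation read from stdin: ok / denied by policy / bad password.
# The "sudo(\[[0-9]+\])?:" pattern matches both rsyslog and journalctl prefixes.
sudo_audit_summary() {
  awk '
    / sudo(\[[0-9]+\])?: / && /COMMAND=/ {
      if ($0 ~ /command not allowed/)               denied++
      else if ($0 ~ /incorrect password attempts/)  badpw++
      else                                          ok++
    }
    END { printf "ok=%d denied=%d badpw=%d\n", ok, denied, badpw }'
}

# Print "user COMMAND" for every invocation sudoers refused: these are the lines
# worth an alert, because the user asked for something their rule does not cover.
sudo_denied_report() {
  awk '
    / sudo(\[[0-9]+\])?: / && /command not allowed/ && /COMMAND=/ {
      u = $0; sub(/.*sudo(\[[0-9]+\])?: +/, "", u); sub(/ :.*/, "", u)
      c = $0; sub(/.*COMMAND=/, "", c)
      print u, c
    }'
}

# Stand-alone demo on the constructed sample
sudo_sample_log | sudo_audit_summary
sudo_sample_log | sudo_denied_report
```

On a live host feed it real data instead of the sample, for example grep sudo /var/log/auth.log | sudo_audit_summary or journalctl _COMM=sudo --since today | sudo_denied_report; the pam_unix session lines are deliberately ignored so they do not inflate the counts.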

7) su vs sudo -i

sudo -i gives a root login environment with an audit trail. Plain su - requires the root password and bypasses sudo logging — avoid it on shared admin teams.

Break-glass root

Keep one console recovery path (provider KVM, IPMI) in case a sudoers syntax error locks all admins out. Always edit through visudo — it runs a syntax check before saving.

8) CIS benchmark alignment

Benchmarks require sudo logging, no root SSH, and wheel/sudo group membership audited quarterly — map directly to commands in this guide.
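The quarterly membership audit is easy to script. The following POSIX sh snippet is an added example (not part of the original guide or of any CIS tooling) that lists members of the sudo, wheel and admin groups and flags anyone missing from an approved list, so the check can run from cron or CI and fail on drift. The group entries in sample_group_db and the approved names are constructed; on a real host the input would come from getent group sudo wheel.

```shell
#!/bin/sh
# Added example: audit membership of the privileged groups (sudo on Debian/Ubuntu,
# wheel on RHEL/Fedora) against an approved list. The group entries below are
# constructed for this example; on a real host pipe in:  getent group sudo wheel

# Constructed /etc/group-style input (name:password:gid:member,member,...)
sample_group_db() {
  cat <<'EOF'
root:x:0:
sudo:x:27:alice,bob,svc-backup
wheel:x:10:
users:x:100:alice,bob,carol
EOF
}

# Print one "group:user" line per member of the admin groups found on stdin.
# Empty member lists (the wheel line above) produce nothing.
admin_group_members() {
  awk -F: '$1 == "sudo" || $1 == "wheel" || $1 == "admin" {
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] != "") print $1 ":" m[i]
  }'
}

# Report members not in the approved list given as $1 (comma-separated).
# Exit status 1 when any drift is found, so a scheduler can alert on it.
unapproved_admins() {
  admin_group_members | awk -F: -v approved=",$1," '
    index(approved, "," $2 ",") == 0 { print "UNAPPROVED " $1 " " $2; drift = 1 }
    END { exit (drift ? 1 : 0) }'
}

# Stand-alone demo: svc-backup is in the sudo group but not on the approved list
sample_group_db | unapproved_admins alice,bob || echo "drift detected, exit status $?"
```

The approved list would normally live in version control next to the sudoers fragments, so a change to it is itself reviewed; a service account appearing in the sudo group without such a review is exactly what the check is meant to catch.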

Prerequisites

Admin user account with known password and SSH key. Access to visudo. Recovery console if sudoers broken. Team policy on password vs key-only sudo.

PAM faillock

sudo faillock --user deploy

Brute-force lockouts affect sudo too — reset with faillock --user deploy --reset after a legitimate lockout caused by typos.

/etc/sudoers.d drop-in files

sudo visudo -f /etc/sudoers.d/90-deploy

Prefer drop-in fragments over editing the main sudoers file — a syntax error in a drop-in is easier to remove.
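Putting step 3 and this section together, the following POSIX sh snippet is an added example (not part of the original guide) of writing a least-privilege drop-in the safe way: it refuses inputs sudoers would mis-handle (relative command paths, file names sudo silently ignores), syntax-checks the fragment with visudo -c before it reaches /etc/sudoers.d, and installs it with mode 0440. The user deploy, the systemctl command and the destination path are illustrative values, and the function names are mine.

```shell
#!/bin/sh
# Added example: build and install a least-privilege sudoers drop-in.
# Not from the original guide; user, command and path values are illustrative.

# Print a single sudoers rule, or fail if the inputs are unsafe for sudoers.
#   $1 = user name, $2 = absolute command (with arguments), $3 = run-as user
build_sudo_rule() {
  user=$1; cmd=$2; runas=${3:-root}
  # keep user names to the conservative portable set; anything else is refused
  case $user in
    ''|*[!A-Za-z0-9_-]*|-*) echo "bad user name: $user" >&2; return 1 ;;
  esac
  # sudoers requires an absolute path; a bare "systemctl" rule would never match
  case $cmd in
    /*) ;;
    *) echo "command must be an absolute path: $cmd" >&2; return 1 ;;
  esac
  # "(root)" is tighter than the guide's "(ALL)": the rule cannot run as other users
  printf '%s ALL=(%s) NOPASSWD: %s\n' "$user" "$runas" "$cmd"
}

# Write the rule to $3 (a file under /etc/sudoers.d in real use), mode 0440,
# after a visudo syntax check so a typo cannot break sudo for every admin.
install_sudo_dropin() {
  user=$1; cmd=$2; dest=$3
  # sudo ignores drop-ins whose names contain '.' or end in '~', so such a name
  # would silently disable the rule; refuse it up front
  case ${dest##*/} in
    *.*|*~) echo "drop-in name would be ignored by sudo: $dest" >&2; return 1 ;;
  esac
  rule=$(build_sudo_rule "$user" "$cmd") || return 1
  tmp=$(mktemp) || return 1
  printf '%s\n' "$rule" > "$tmp"
  chmod 0440 "$tmp"
  # visudo -c parses the file without installing it. Only run it as root, where
  # the temp file is root-owned as older visudo releases require in check mode.
  if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
    if ! visudo -c -q -f "$tmp"; then
      echo "sudoers syntax check failed, not installing" >&2
      rm -f "$tmp"; return 1
    fi
  fi
  # move into place and pin the mode: sudo refuses drop-ins writable by non-root
  mv "$tmp" "$dest" && chmod 0440 "$dest"
}

# Stand-alone demo into a scratch directory instead of /etc/sudoers.d
demo_dir=$(mktemp -d)
install_sudo_dropin deploy '/usr/bin/systemctl restart myapp' "$demo_dir/90-deploy"
cat "$demo_dir/90-deploy"
```

Run install_sudo_dropin as root with /etc/sudoers.d/90-deploy as the destination in real use; afterwards sudo -l -U deploy shows exactly the one command the fragment grants, which is the check to record for the audit trail.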

Immutable infrastructure angle

Containers and cloud images increasingly ship with no SSH root and no sudo — apps run unprivileged, and changes arrive via a new image deploy. Traditional sudo still dominates bare-metal and VPS admin. In enterprises, map sudoers to LDAP groups (%linux-admins ALL=(ALL) ALL in a sudoers.d fragment) so one HR change updates access everywhere.

pkexec GUI elevation

Desktop polkit elevates GUI apps without terminal sudo — server admins still live in SSH sudo. Audit polkit rules in /etc/polkit-1/rules.d/ separately from sudoers — both grant privilege.
