On Linux servers, you work with user permissions that determine what you can and cannot do. Root is the all-powerful superuser, while sudo gives you temporarily elevated privileges. At Theory7, we always advise handling these rights safely. In this guide, we explain everything about root, sudo, and best practices.

What is root?

Root is the superuser account on Linux with unlimited rights. This means that root has access to all files and settings on the system. Root can:

  • Read and modify all files
  • Install or remove any software
  • Change system configuration
  • Start and stop all services
  • Manage other users

This makes root a powerful but also dangerous user. A mistake as root can destroy your entire system. For example, accidentally deleting crucial system files can lead to an unusable system. Therefore, we advise never to work permanently as root. Instead, you can use sudo to obtain temporary elevated privileges.

Logging in as root

Direct root login via SSH

ssh root@server-ip

This only works if root login is allowed in sshd_config. However, it is not recommended to use this method due to security risks. It is better to log in as a normal user and then use sudo.

Switching to root from a normal user

su -

Enter the root password. The - ensures a full login shell with the correct environment variables. This is useful if you want to start a session with the root environment.

Root shell via sudo

sudo -i

This opens a root shell if you have sudo rights. This is a safe way to work as root without having to enter the root password.

What is sudo?

Sudo (superuser do) allows authorized users to execute commands as root or another user. The benefits of sudo over working directly as root are numerous:

  • Logging: All sudo commands are logged, which helps track system activity.
  • Temporary: Elevation applies only to the command you run, and the cached password expires after a short time, reducing the chance of abuse.
  • Granular control: Allow specific commands so that users only have access to what they need.
  • No root password: Users do not need to know the root password, which increases security.

Using sudo

Basic syntax

sudo command

For example:

sudo apt update

You will be prompted for your own password (not the root password). This increases security because only authorized users have access to elevated privileges.

Command as another user

sudo -u www-data command

This is useful for testing web server permissions. For example, if you have a web application running under the user www-data, you can use this command to check if the application functions correctly with the right permissions.

Open root shell

sudo -i

Or for a temporary root shell:

sudo -s

The difference is that -i gives a full login shell with the root environment, while -s starts a shell as root but keeps your current environment (working directory and most variables).

Create a sudo user

Step 1: Create user

sudo adduser newuser

Follow the prompts for password and details. It is important to choose a strong password to ensure the security of your system.

Step 2: Add to sudo group

On Ubuntu/Debian:

sudo usermod -aG sudo newuser

On CentOS/RHEL:

sudo usermod -aG wheel newuser

Step 3: Test

Log in as the new user and test:

su - newuser
sudo whoami

The output should be root, confirming that the user has been successfully added to the sudo group.

Sudoers configuration

The sudoers file determines who can do what. Never edit it directly; use visudo:

sudo visudo

This checks the syntax before saving the file, preventing you from locking yourself out by making a mistake.

Basic sudoers rules

# User can do everything
user ALL=(ALL:ALL) ALL

# Group can do everything
%sudo ALL=(ALL:ALL) ALL

# User can do everything without password
user ALL=(ALL) NOPASSWD: ALL

# User may run only specific commands
user ALL=(ALL) /usr/bin/apt, /usr/bin/systemctl

Explanation of the syntax

WHO WHERE=(AS_WHO) WHAT
  • WHO: User or %group
  • WHERE: On which hosts (ALL for all)
  • AS_WHO: Execute as which user (optionally user:group, as in ALL:ALL)
  • WHAT: Which commands are allowed

Best practices

Never work permanently as root

Log in as a normal user and use sudo when needed. This minimizes the risk of unintended damage to your system.

Use sudo instead of su

Sudo logs everything and does not require a shared root password. This increases security and makes it easier to trace who did what.

Limit sudo rights

Give users only the rights they need. This can be set up like this:

webmaster ALL=(www-data) /usr/bin/composer, /usr/bin/php

This allows the user webmaster to only execute the specified commands as the user www-data.

Set a sudo timeout

In sudoers:

Defaults timestamp_timeout=5

After 5 minutes, the password must be re-entered. This prevents unauthorized access to elevated privileges if you leave your computer for a moment.

Check who has sudo rights

getent group sudo
# or on CentOS
getent group wheel

This gives you an overview of which users have sudo rights through the group, so you can manage them if necessary. Note that it lists group members only: a user who is granted rights by a rule that names them directly in the sudoers file does not appear here.
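An added audit helper (example code written for this guide, not part of the original page or any Theory7 tooling) that parses rules in the WHO WHERE=(AS_WHO) WHAT form shown under "Basic sudoers rules" and flags grants of full root, with or without a password. It also covers the gap in the getent check above: a user named directly in a rule, or in a drop-in under /etc/sudoers.d, never shows up in the group listing. The sample rules, the function names and the risk labels are my own constructions; aliases and multi-host specs are not handled.

```shell
# Constructed sample in the page's sudoers syntax; not taken from any real host.
SAMPLE_SUDOERS='# Group can do everything
%sudo ALL=(ALL:ALL) ALL
# User can do everything without password
deploy ALL=(ALL) NOPASSWD: ALL
# User may run only specific commands
webmaster ALL=(www-data) /usr/bin/composer, /usr/bin/php
Defaults timestamp_timeout=5'
# Parse simple WHO WHERE=(AS_WHO) WHAT rules from the text given as $1.
# Prints one line per rule: who|host|runas|password|commands|risk
# User_Alias/Cmnd_Alias definitions and multi-host specs are skipped, not expanded.
audit_sudoers_text() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }              # comment
    /^[[:space:]]*$/ { next }              # blank line
    /^[[:space:]]*Defaults/ { next }       # options, not grants
    /^[[:space:]]*[A-Za-z]+_Alias/ { next } # alias definitions
    {
      who = $1
      rest = $0; sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", rest)
      host = rest; sub(/=.*/, "", host)
      spec = rest; sub(/^[^=]*=[[:space:]]*/, "", spec)
      runas = "root"                       # sudo default when (AS_WHO) is omitted
      if (match(spec, /^\([^)]*\)/)) {
        runas = substr(spec, RSTART + 1, RLENGTH - 2)
        spec = substr(spec, RSTART + RLENGTH)
      }
      sub(/^[[:space:]]+/, "", spec)
      passwd = "yes"
      if (sub(/^NOPASSWD:[[:space:]]*/, "", spec)) passwd = "no"
      risk = "ok"
      if (spec == "ALL" && (runas == "root" || runas == "ALL" || runas == "ALL:ALL")) {
        risk = (passwd == "no") ? "FULL_ROOT_NOPASSWD" : "FULL_ROOT"
      } else if (spec == "ALL") {
        risk = "ALL_CMDS_AS_" runas      # every command, but not as root
      }
      print who "|" host "|" runas "|" passwd "|" spec "|" risk
    }'
}
# Only the grants that deserve a second look.
risky_sudoers_rules() {
  audit_sudoers_text "$1" | grep -v '|ok$'
}
# On a real host (run as root): include every drop-in, which getent group cannot show.
audit_system_sudoers() {
  audit_sudoers_text "$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)"
}
```

Run `audit_sudoers_text "$SAMPLE_SUDOERS"` to see the three parsed rules; the deploy rule is the one to question first, since it gives full root without any password prompt.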

Troubleshooting

User is not in the sudoers file

The user does not have sudo rights. As root or with an existing sudo user:

sudo usermod -aG sudo username

Forgot sudo password

Your sudo password is your own password, not the root password. If you forgot it, log in as root to reset it:

passwd username

Sudoers syntax error

If visudo reports a syntax error:

sudo visudo -c

This shows the location of the error so you can correct it.

Need help?

We are here for you! Are you facing any issues or have questions? Our support team is happy to assist you personally. Send us a message via the ticket system - we usually respond within a few hours and are happy to help.