Frequently Asked Question

What are sudo best practices? Why not just become root?

sudo exists to give named users, on a per-command and per-host basis, the ability to run specific things with elevated privilege, while logging every invocation through syslog (the authpriv facility, which lands in /var/log/auth.log on Debian-style systems, /var/log/secure on Red Hat-style ones, or the journal). Each record names the invoking user, the tty, the working directory, the target user and the exact command. That last property is the one that "just use root" throws away: when something breaks at 03:00 you want to know who did what and when, and a shared root shell with a shared password is a forensic black hole, because every action is logged, if at all, as "root".

The configuration file is /etc/sudoers, edited only via visudo so that syntax errors are caught before they lock you out, with extra rules in drop-in files under /etc/sudoers.d/ (mode 0440, and with no "." or "~" in the file name, or sudo silently skips them; visudo -c -f FILE checks a drop-in before you install it). Best practice is to grant the narrowest rule that does the job: prefer alice ALL=(www-data) NOPASSWD: /usr/sbin/nginx -t over alice ALL=(ALL) ALL; group operators with %admin and %dba rather than naming individuals; and do not grant, with or without NOPASSWD, any command that can spawn a shell or write arbitrary files (vi, less, find -exec), because the password prompt only proves the user knows their own password, and the command then hands them root anyway. Set Defaults timestamp_timeout=5 or even 0 (prompt on every invocation) so an idle terminal cannot be used to escalate on the back of a cached authentication.

For a defender, sudo's accountability is its real value. Pair it with a centralised log collector so the audit trail does not live only on the machine an attacker would try to wipe, and review who has sudo access at least monthly: sudo -l -U USER lists what a given account may run, and a grep of /etc/sudoers and /etc/sudoers.d/ for (ALL) ALL finds the blanket grants. The single privilege that most often turns a contained compromise into a catastrophe is wildcard sudo on a forgotten developer account.
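As an added example (not part of the original FAQ), the following POSIX shell script audits a set of sudoers rules for the two patterns the text warns about: blanket (ALL) ALL grants, and commands that can spawn a shell. The rule lines, the user names and the list of escape-capable binaries are constructed for illustration; the script reads a plain file, so it works equally on a copy of /etc/sudoers or a drop-in from /etc/sudoers.d/.

```shell
#!/bin/sh
# Added example: audit sudoers rules for wildcard grants and shell-escape
# commands. Not sudo's own tooling; a small review aid built on sed/awk.
set -eu

# Constructed sample drop-in (hypothetical users and hosts), mixing rules
# the FAQ calls good with rules it calls dangerous.
SAMPLE_SUDOERS='
Defaults timestamp_timeout=5
# narrow rule, a single command as an unprivileged target user: fine
alice ALL=(www-data) NOPASSWD: /usr/sbin/nginx -t
# blanket grant, the "forgotten developer account" case
bob   ALL=(ALL:ALL) NOPASSWD: ALL
# editors and pagers drop to a shell: dangerous even with a password
carol ALL=(root) NOPASSWD: /usr/bin/vi
dave  ALL=(root) /usr/bin/less /var/log/syslog
# a safe command in a list does not make the find -exec beside it safe
erin  ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/find /var/log
%admin ALL=(root) /usr/bin/systemctl restart nginx
'

write_sample() { printf '%s\n' "$SAMPLE_SUDOERS" > "$1"; }

# Drop comments, leading whitespace and blank lines. Simplification: a
# real sudoers may also use line continuations and #include/@include.
strip_sudoers() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^[[:space:]]*$/d' "$1"
}

# Print one "<CLASS>\t<rule>" line per risky rule, nothing for clean ones.
audit_sudoers() {
  strip_sudoers "$1" | awk '
    BEGIN {
      # Binaries known to give the caller a shell (vi/vim :!sh, less !sh,
      # find -exec, or a shell outright). Illustrative, not exhaustive.
      n = split("/bin/sh /bin/bash /usr/bin/sh /usr/bin/bash " \
                "/usr/bin/vi /usr/bin/vim /usr/bin/less /usr/bin/more " \
                "/usr/bin/find", esc, " ")
    }
    /^Defaults/ { next }
    {
      rule = $0
      # user HOST=(ALL) ALL or (ALL:ALL), with or without NOPASSWD:
      if (rule ~ /=\(ALL(:ALL)?\)[ \t]+(NOPASSWD:[ \t]*)?ALL[ \t]*$/) {
        print "WILDCARD\t" rule; next
      }
      # Match a listed binary as a whole token so /usr/bin/vi does not
      # also flag /usr/bin/virsh; commands may be comma-separated.
      for (i = 1; i <= n; i++) {
        if (rule ~ ("(^|[ \t,])" esc[i] "([ \t,]|$)")) {
          print "SHELL_ESCAPE\t" rule; next
        }
      }
    }'
}

# Number of findings, as a bare integer (wc pads on some systems).
count_findings() { audit_sudoers "$1" | wc -l | tr -d ' '; }

tmp=$(mktemp)
write_sample "$tmp"
audit_sudoers "$tmp"
rm -f "$tmp"
```

Run it against a real file with `audit_sudoers /etc/sudoers.d/ops` after copying the functions into a script; the alice and %admin rules pass, while bob, carol, dave and erin are each reported once. The script is a review aid, not a substitute for `sudo -l -U USER`, which shows the rules as sudo itself resolves them, including aliases and host matching that this text scan ignores.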

Further reading and video