sudo ("substitute user, do") runs a command as another user, usually root, after the calling user has authenticated and is authorised to do so. Compared with su, which opens a full shell as another user, sudo is fine-grained: an administrator can allow specific users to run specific commands as specific users, with or without requiring a password.
sudo command # run as root
sudo -u alice command # run as user alice
sudo -i # interactive root shell
sudo -s # non-login root shell
sudo !! # re-run last command with sudo
sudo -v # refresh the credential cache
sudo -l # list allowed commands
Configuration lives in /etc/sudoers and /etc/sudoers.d/, edited only with visudo (which checks syntax before saving). Typical entries include %sudo ALL=(ALL) ALL (members of group sudo can run anything as anyone), %wheel ALL=(ALL) ALL (Red Hat convention), and finer-grained rules granting specific commands.
sudo also handles environment sanitisation, logging (to the journal or syslog), and TTY binding to prevent certain kinds of privilege-escalation tricks. It has largely replaced su as the primary way to perform privileged operations on modern Linux systems.
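To show how entries like the ones above can be reviewed, the following added example (not part of the original page, and not code from the sudo project) parses a constructed sudoers sample and flags rules that grant every command or skip the password prompt. The sample users, paths and flag names are assumptions. The parser handles only single-line user specifications, so it does not replace visudo -c or sudo -l.

```python
import re

# Constructed sample policy for illustration; not taken from a real host.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) /usr/bin/systemctl restart nginx, \\
        /usr/bin/systemctl status nginx
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# who host = (runas) [TAG: ...] command[, command ...]
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and comments.
    Simplification: #include/@include directives are not followed."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return (who, runas, commands, flags) for each user specification."""
    rules = []
    for line in logical_lines(text):
        m = SPEC.match(line)
        if line.startswith("Defaults") or "_Alias" in line.split()[0] or not m:
            continue
        tag_m = TAGS.match(m["rest"])
        tags = re.findall(r"[A-Z_]+", tag_m.group()) if tag_m else []
        body = m["rest"][tag_m.end():] if tag_m else m["rest"]
        cmds = [c.strip() for c in body.split(",")]
        flags = []
        if "ALL" in cmds:             # rule is not limited to named commands
            flags.append("any-command")
        if "NOPASSWD" in tags:        # rule skips the password prompt
            flags.append("no-password")
        rules.append((m["who"], m["runas"] or "root", cmds, flags))
    return rules

if __name__ == "__main__":
    for who, runas, cmds, flags in audit(SAMPLE):
        print(f"{who:8} as {runas:8} {', '.join(flags) or 'scoped':24} {cmds}")
```

Rules that come back with both flags deserve the closest review, since they allow any command as the target user without re-authentication.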
Related terms: Root
Discussed in:
- Chapter 9: Users, Groups, and Permissions — sudo: Controlled Privilege
Also defined in: Textbook of Linux