
Read-only first

User is not in sudoers

Check identity, groups, and sudo policy before editing sudoers or adding broad admin access.

Safest first command

id username

Before you run this

Expected output: UID, primary group, and supplementary groups for the target account.

When not to use it: Do not edit sudoers directly with a plain text editor; use visudo and confirm the account should have admin rights.

Expected output example

uid=1001(alice) gid=1001(alice) groups=1001(alice),27(sudo)

How to read the result

Membership in sudo or wheel may grant access, depending on the sudoers policy. Absence from those groups does not rule out a custom sudoers rule that names the user directly; use sudo -l where safe to see the effective policy.

What to check next

User is not in sudo or wheel group

Means: The account may not have group-based sudo rights.

Next step: Check group membership and sudo policy.

Show User Groups

sudo -l denies access

Means: Policy does not grant this user the requested command.

Next step: Review sudoers safely with visudo workflow.

List Effective sudo Privileges

Group has unexpected members

Means: Access may be too broad or stale.

Next step: Audit group membership before changing policy.

List sudo Group Members

sudoers decision tree

Confirm the target account, group membership, and effective sudo policy before editing. The correct fix may be group membership, a sudoers rule, or denying access.

  1. id username
  2. groups username
  3. sudo -l
  4. getent group sudo
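The four read-only steps above, plus the reading of the id output described earlier, as one script. This is an added example, not a command from the page or from any tool it names; it assumes the admin groups are named sudo or wheel (ADMIN_GROUPS, adjust to what your sudoers policy references) and that the account is resolvable through the local identity source.

```shell
#!/bin/sh
# Added example (not from the page): the read-only steps of the decision
# tree for one account, with the `id` output parsed so the group question
# gets a yes/no answer. ADMIN_GROUPS is an assumption.

ADMIN_GROUPS="sudo wheel"

# has_admin_group <id-line>: exit 0 when the groups= field of an `id` line
# names one of ADMIN_GROUPS exactly (so "sudo-users" does not count as
# "sudo"), exit 1 otherwise. Takes the text so it can be checked offline.
# Stops at the first space so a trailing context= field (SELinux) is ignored.
has_admin_group() {
    groups_field=$(printf '%s\n' "$1" | sed -n 's/.*groups=\([^ ]*\).*/\1/p')
    for g in $ADMIN_GROUPS; do
        case ",$groups_field," in
            *"($g),"*) return 0 ;;
        esac
    done
    return 1
}

# triage_user <username>: identity, group membership, admin-group rosters,
# and effective sudo policy. Nothing here modifies sudoers or groups.
triage_user() {
    user="$1"
    if ! id_line=$(id "$user" 2>/dev/null); then
        echo "no such account: $user (check the identity source, e.g. getent passwd)"
        return 2
    fi
    echo "identity:    $id_line"
    echo "groups:      $(groups "$user")"
    if has_admin_group "$id_line"; then
        echo "admin group: yes ($ADMIN_GROUPS) - group-based sudo is plausible"
    else
        echo "admin group: no - a custom sudoers rule is still possible; check sudo -l"
    fi
    for g in $ADMIN_GROUPS; do
        # Roster of each admin group: stale or unexpected members show up here.
        echo "roster:      $(getent group "$g" || echo "$g: not defined")"
    done
    # sudo -l -U <user> shows another account's policy but needs root;
    # otherwise the user has to run `sudo -l` themselves.
    if [ "$(id -u)" -eq 0 ]; then
        sudo -l -U "$user"
    else
        echo "policy:      run 'sudo -l' as $user (sudo -l -U needs root)"
    fi
}

if [ "$#" -gt 0 ]; then
    triage_user "$1"
fi
```

Run it as `sh triage.sh alice`. Every command is read-only, so it is safe during an incident; the "admin group: no" line is deliberately not a verdict, because a user-specific sudoers rule only shows up in the sudo -l step.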

Bad fixes to avoid

Do not add users to sudo because an application failed. Do not edit /etc/sudoers without visudo. Do not grant NOPASSWD broadly to make one command work.
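When a sudoers change really is the fix, the safe route is a drop-in fragment validated with visudo before it is installed, rather than a hand edit of /etc/sudoers. The script below is an added example, not from the page or from the sudo project; the rule text, the user alice, the command it permits and the fragment name are constructed samples, and it assumes visudo is installed (it reports "not validated" when it is not).

```shell
#!/bin/sh
# Added example (not from the page): validate a sudoers fragment with
# visudo before installing it under /etc/sudoers.d. The rule below is a
# constructed sample; nothing here touches /etc/sudoers itself.

# find_visudo: print the visudo path, or fail. /usr/sbin is often absent
# from a non-root PATH, so it is tried explicitly.
find_visudo() {
    for v in visudo /usr/sbin/visudo; do
        if command -v "$v" >/dev/null 2>&1; then
            command -v "$v"
            return 0
        fi
    done
    return 1
}

# check_fragment <file>: 0 if visudo accepts the syntax, 1 if it rejects
# it, 3 if visudo cannot be found (treat as "not validated").
check_fragment() {
    vbin=$(find_visudo) || return 3
    "$vbin" -c -q -f "$1" >/dev/null 2>&1 || return 1
    return 0
}

# install_fragment <file> <name>: install only a validated fragment, with
# the 0440 root:root mode sudo expects. Must run as root. sudo silently
# ignores drop-in names that contain a '.' or end in '~', so refuse those.
install_fragment() {
    case "$2" in
        *.*|*~) echo "sudo ignores names containing '.' or ending in '~'" >&2; return 1 ;;
    esac
    check_fragment "$1" || { echo "refusing to install unvalidated fragment" >&2; return 1; }
    install -m 0440 -o root -g root "$1" "/etc/sudoers.d/$2"
}

# Constructed sample: one user, one command, no NOPASSWD, no wildcard.
SAMPLE_RULE='alice ALL=(root) /usr/bin/systemctl restart demo-app'

if [ "$#" -gt 0 ]; then
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$SAMPLE_RULE" > "$tmp"
    check_fragment "$tmp"; rc=$?
    case "$rc" in
        0) echo "fragment parses; as root: install_fragment $tmp $1" ;;
        3) echo "visudo not found; fragment not validated, do not install" ;;
        *) echo "visudo rejected the fragment; fix it before installing" ;;
    esac
    rm -f "$tmp"
fi
```

Run it as `sh fragment.sh demo-app` to validate the sample; install_fragment is only called by an operator, as root, once the check passes. Keeping the rule to a single command for a single user is what makes the change reviewable; a broad NOPASSWD rule would parse just as cleanly, which is why syntax checking is necessary but not sufficient.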

Common causes

  • User not in sudo/wheel group
  • Custom sudoers rule missing
  • Wrong account checked
  • Directory identity source mismatch
  • Sudoers syntax problem

What not to change yet

  • Do not edit sudoers without visudo.
  • Do not grant broad sudo to bypass diagnosis.
  • Do not remove access during an active incident without a second admin path.

Stop and escalate if

  • The next step could interrupt users, remove data, or lock out access.
  • The output includes secrets, customer data, or private infrastructure details.
  • You cannot explain the blast radius of the repair command.
