sudo — Run a command as another user (usually root) — sudo, su, pwsh elevation across all 5 shells
Equivalents in every shell
`sudo apt update`
From `sudo` package — installed by default on Ubuntu, Debian, Fedora, RHEL, Arch. First-time use prompts for the INVOKER's password (not root's); successful auth caches credentials for ~15 minutes (`Defaults timestamp_timeout`). `sudo -u alice cmd` runs `cmd` as alice (not root); `sudo -i` opens a root login shell; `sudo -E` preserves the caller's environment (overrides `env_reset`). User must be in `/etc/sudoers` or a member of `wheel`/`sudo`/`admin` group.
`sudo apt update`
`sudo apt update`
Fish 3.6+ ships a `sudo!!` keybinding (Alt+S) that prepends `sudo` to the previous command — saves keystrokes when you forget. Otherwise identical to bash/zsh.
`Start-Process pwsh -Verb RunAs -ArgumentList "-Command", "& { apt update }"`
Windows pwsh has NO direct sudo equivalent — Windows uses UAC (User Account Control) which can only elevate at PROCESS START, not mid-session. `Start-Process -Verb RunAs` triggers a UAC prompt and launches an elevated child process. Practical install: `winget install gerardog.gsudo` provides `gsudo cmd` syntax that mimics Linux sudo (still UAC-gated, but inline rather than spawning a new window). pwsh-on-Linux/macOS calls system `sudo` directly.
`runas /user:Administrator "cmd /c whoami"`
`runas` is the closest cmd-native — prompts for the target user's password (NOT a UAC prompt, an interactive password prompt). For the modern UAC-style "elevate THIS user", `gsudo cmd /c whoami` after installing gsudo. Pure cmd has no inline elevation — must launch from an Administrator cmd window (`runas /user:Administrator cmd.exe` then run inside).
Worked examples
Run a single command as root
`sudo apt update`
`sudo apt update`
`Start-Process pwsh -Verb RunAs -ArgumentList "-Command", "apt update"`
`gsudo apt update`
Run a command as a specific non-root user
`sudo -u alice whoami`
`Start-Process -Credential (Get-Credential alice) -FilePath "whoami"`
`runas /user:alice "whoami"`
Open an interactive root shell
`sudo -i`
`sudo -i fish`
`Start-Process pwsh -Verb RunAs`
`runas /user:Administrator cmd.exe`
Gotchas
- Redirects bypass sudo: `sudo echo hi > /etc/protected` FAILS — the redirect `>` is parsed by the INVOKING shell (running as YOU), which opens the file as YOU before sudo ever runs echo. The file write happens as user, NOT root. Workaround: `echo hi | sudo tee /etc/protected > /dev/null` — tee runs as root and opens the file as root; `> /dev/null` discards the copy tee echoes to stdout. Same for `>>` (append), `2>` (stderr), and process substitution `<(...)`. This is the canonical "write to /etc as root" idiom on every Linux blog.
- sudo STRIPS most environment variables intentionally — PATH, LD_LIBRARY_PATH, IFS are reset for security (a $PATH-hijack would otherwise let unprivileged users elevate). "command not found under sudo" means the command is in your $PATH but not in sudo's `secure_path` (set in `/etc/sudoers`). Workarounds: (a) full path `sudo /usr/local/bin/mytool`; (b) explicit env `sudo env "PATH=$PATH" mytool`; (c) preserve specific var `sudo --preserve-env=PATH mytool`; (d) edit `secure_path` in `/etc/sudoers` (system-wide, requires care).
- NEVER edit `/etc/sudoers` with a plain text editor — a syntax error LOCKS YOU OUT (sudo refuses to run with a broken config, and you needed sudo to fix it). Always use `sudo visudo` which validates syntax BEFORE saving. For drop-in files: `sudo visudo -f /etc/sudoers.d/myrule` — also validates. If you somehow ship a broken sudoers: boot from rescue media, or use `pkexec` (PolicyKit, an alternative to sudo) if installed.
- Windows UAC is fundamentally different from sudo — UAC requires GUI consent (you see the "Do you want to allow this app to make changes?" dialog), and elevation is per-PROCESS not per-COMMAND. There is no "remember for 15 minutes" mechanic like sudo's timestamp. Headless Windows (Server Core) and Remote Desktop sessions handle UAC differently — RDP often suppresses the prompt, locking out interactive scripts. Production Windows automation typically runs services AS the elevated user from the start, not via runtime elevation.
- sudoers `NOPASSWD: ALL` (no password ever, full root) is a common shortcut for CI runners but a CATASTROPHIC misconfiguration on shared / multi-user hosts — a single user compromise = full root. Safer: `NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade -y` (specific command whitelist). Audit existing entries: `sudo grep -r NOPASSWD /etc/sudoers /etc/sudoers.d/ 2>/dev/null`. CIS Benchmark Linux specifically flags any `NOPASSWD: ALL` and any `Defaults !authenticate` as a high-severity finding.
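The `grep -r NOPASSWD` audit above also matches commented-out lines and cannot tell `NOPASSWD: ALL` from a scoped command list. The shell function below is an added example, not part of the original page: `audit_sudoers`, `sample_sudoers` and the HIGH/SCOPED labels are made-up names, the sample input is constructed, and it assumes one host spec per rule with aliases and include files left unexpanded.

```shell
# Added example: classify passwordless-sudo entries in sudoers-format text.
# Usage: audit_sudoers /etc/sudoers /etc/sudoers.d/*   (or pipe text on stdin)
audit_sudoers() {
  awk '
    function report(sev, msg) {
      print sev " " ((FILENAME == "" || FILENAME == "-") ? "stdin" : FILENAME) ":" FNR ": " msg
    }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join backslash continuations
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next } # comments, #include, blanks
    line ~ /^[ \t]*Defaults/ {
      if (line ~ /!authenticate/) report("HIGH", "Defaults !authenticate"); next
    }
    line !~ /NOPASSWD[ \t]*:/ { next }
    {
      spec = substr(line, index(line, "=") + 1)
      gsub(/\([^)]*\)/, "", spec)      # drop (runas) lists, which may hold commas
      n = split(spec, item, ",")
      nopw = 0
      for (i = 1; i <= n; i++) {
        cmd = item[i]
        sub(/^[ \t]+/, "", cmd)
        # Peel tags; a tag stays in force for later commands until PASSWD: reverses it.
        while (match(cmd, /^[A-Z_]+[ \t]*:[ \t]*/)) {
          tag = substr(cmd, 1, RLENGTH); cmd = substr(cmd, RLENGTH + 1)
          if (tag ~ /^NOPASSWD/) nopw = 1
          else if (tag ~ /^PASSWD/) nopw = 0
        }
        sub(/[ \t]+$/, "", cmd)
        if (!nopw) continue
        if (cmd == "ALL") report("HIGH", "NOPASSWD covers ALL commands")
        else report("SCOPED", "NOPASSWD limited to: " cmd)
      }
    }
  ' "$@"
}
# Constructed sample input, not taken from a real host.
sample_sudoers() {
  cat <<'EOF'
# ci ALL=(ALL) NOPASSWD: ALL
Defaults:backup !authenticate
%wheel ALL=(ALL) ALL
ci ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade -y
ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, ALL
build ALL=(ALL) \
    NOPASSWD: ALL
EOF
}
sample_sudoers | audit_sudoers
```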