Why do I have to sudo to do anything outside of my /home directory?


I just installed my first Linux desktop (64-bit Ubuntu 12.04) and am playing around with it:

myUser@myMachine:~$ cd /opt/
myUser@myMachine:/opt$ mkdir lemmiwinks
mkdir: cannot create directory `lemmiwinks': Permission denied

This works if I first try to sudo as root:

myUser@myMachine:/opt$ sudo mkdir lemmiwinks
[sudo] password for myUser: 
myUser@myMachine:/opt$ ls

What's going on here? Why do I have to sudo to gain access to /opt (or any other non-/home/myUser directories?

How do I create and give permissions to new users that can access /opt? Can I do this for myUser as well? Thanks in advance!


The /opt directory is most likely owned by root which is the super user on the system. On my ubuntu linux system, which will be very similar to yours, it's like so when I do a long listing for /opt as a non-root user:

~ $ ls -l /|grep opt
drwxr-xr-x   8 root root  4096 Jan  6  2012 opt

linux permissions have in general three categories of permissions: for the owner, a group of others who also have special permissions for that directory/file , and lastly everyone else.

first section of that listing above 'drwxr-xr-x' shows the permissions then the 'root root' shows owner (root) and group (root), then a size and date, followed by the name (opt)

from that the drwxr-xr-x shows first the type of resource, in this case 'd' for directory then read|write|execute (rwx) permissions for each of owner, group, and others in that order.

So in this case the owner (root) has read, write and execute permissions on /opt but the members of the group (root) have only read and execute permissions as do others.

It's that no write permissions for the group and others (the r-xr-x part) that prevent you running as 'myUser' from making a new directory in /opt

/opt is usually a place where third party software is installed, so it's not clear why you would want new users to be able to write to /opt since they could then for instance modify other software in /opt.

All users can by default, given the r-x permissions for everyone on /opt as shown, access /opt and read from it but not write to it.

However if you really want 'new users' to be able to write in /opt you have at least a couple of options:

  • you can change the everyone permissions on /opt to rwx (not advisable); or
  • you can change the group ownership of /opt to somethings else say 'optgroup' and make the group permissions rwx (leaving everyone else at r-x) and then add your new users to the group 'optgroup' that you created;

Be very cautious about giving permissions to new users for places they should not be able to alter.

Read more about linux file permissions at http://www.tuxfiles.org/linuxhelp/filepermissions.html


Thanks @sdjuan (+1) - awesome, awesome answer. Can you please see my comment underneath AthomSteve's answer? I have the same question for you! Thanks again! – pnongrata – 2013-04-14T11:12:37.697

@pnongrata an example is writing to /opt with permissions set as described above, needs elevated permissions which you can get by doing sudo to use the super user permissions to do that task. When you sudo you then are able to use root permissions. One thing to try is do whoami when logged in as your normal user and then do a sudo whoami to see who you become with the sudo. I hope that helps. – sdjuan – 2013-04-15T04:48:06.240


sudo is essentially the same thing as clicking OK in Windows 7, or Vista's UAC. You are granting yourself on-demand admin.

To grant other users access to the folders (edit, create etc) then just give them the level of access you wish them to have, or admin as well. The will have to sudo as well.

You can disable sudo, by always running as an elevated user, but it is not recommended. Part of the security of Linux, OS X and Windows 6+ is that you should never be running as admin, when you get a prompt for elevation, you should know that you requested the operation and then approve or deny accordingly. Without this, then you may have an odd software install or running without your explicit permission or knowledge. This can be the form of malware, a virus, or just a plugin for word, or your browser that you do not want running or installed. Also, once something has found a way to run on a system without express permission certain malware can then use this low level find information to escalate itself or other software. Hacking by social engineering for example can start at this level of access.

Also, Windows is the same, by default you have full access to %UserProfile%* but not to another user or the root of C:\ without elevating and allowing the operation.

Thanks @AthomSteve (+1) - can you please elaborate on what you mean by "...Without this, then you may have [an] odd software install..." and perhaps give a concrete example as well? Thanks again! – pnongrata – 2013-04-14T11:11:43.270

@pnongrata, added my intent. – Austin T French – 2013-04-14T15:04:27.273


You have to be root (superuser) to mess with system files and folders the same way you have to give administrative permissions to do the same in Windows. sudo stands for superuser do, but you can su to use the terminal (and every program you start from it) as root, that way you don't have to type sudo before every high-level command. exit to go back to myUser. I'm not sure about your distro, but in Debian there's a root terminal too, which, for your intents and purposes, has the same effect of using su.

That's just how things work. Linux was always meant to be a multi-user system, so you can think of it as a consequence of that, but it's also for your own good, since using a root account to do everyday stuff might end up badly.


Thanks @Alex (+1) - Can you please see my comment underneath AthomSteve's answer? I have the same question for you! Thanks again! – pnongrata – 2013-04-14T11:16:36.073

@pnongrata If you'd let your little cousin sit in front of your computer, what would you like him to be able to do? I would like him to be able to use the software in my computer, listen to my songs and write documents, do paintings etc... However, I would not like him messing with system settings and doing stuff that could make my computer malfunction. I'm sure he wouldn't do it on purpose, but he might do it by mistake. With a software it's the same thing - I want it to be able to communicate with other software and files, but I don't want it messing with system settings and such. – Alex – 2013-04-14T15:31:19.037


Some color:

The /opt/ filesystem is usually used for third party packages. A full package is installed in /opt/packagename or whatever. This is a bit different than, say, /usr or /usr/local, where a bunch of files are intermixed.

So, why is /opt/ locked down? In general shared binary areas are locked. If I hate bob, I don't want to install an 'official' package that wipes out his home dir.

The other reason is disk space. If I'm a sysadmin, I don't want anyone installing things that can break my computer. Do you trust everyone that can write in /opt that they won't break other things? Can the users write too much and overflow the /opt partition? Or even accidentally delete other files and break other apps?

If you want to give people access to /opt, I would make a UNIX group, Idunno optadm or whatever, and make that the group perms on /opt, then give specific users membership in that group if you trust them not to hose it much. Also, make sure /opt is on it's own partition. You don't want some person playing in /opt make it that you break other parts of the system because they were installing some game.

Thanks @Rich Homolka (+1) - 2 follow ups for you: (1) besides putting /opt in its own partition, what other (common) partitioning strategies are there for typical (best practice) Linux systems? And (2) can you please see my comment underneath AthomSteve's answer? I have the same question for you! Thanks again! – pnongrata – 2013-04-14T11:15:38.727

@pnongrata by "odd software install" ... pieces missing, important files deleted. Other files overwritten. If you give people perms to install, you're giving them perms to change. – Rich Homolka – 2013-04-14T17:34:59.107