Fix 'Permission Denied' for sudo on Ubuntu 22.04

The 30-Second Fix: Check Your Group Membership

If you're seeing 'Permission Denied' right after typing sudo apt update or any sudo command, the most common cause is simple: your user account isn't in the sudo group. This happens a lot on fresh installs or when someone sets up a user manually.

1. Open a terminal. Run this command to see which groups your user belongs to:
   

   groups $USER

2. Look for the word sudo in the output. If it's missing, that's your problem.
3. To add yourself to the sudo group, run this as a user who already has sudo access (like the root user or another admin):
   

   sudo usermod -aG sudo yourusername

   Replace yourusername with your actual username.
4. Log out and log back in (or reboot). Then check again:
   

   groups $USER

   You should now see sudo listed.

Expected outcome after this step: Running sudo apt update should work without any error. If you still see 'Permission Denied', move to the moderate fix.

One thing to watch: if your user was never added to the sudo group during setup, you might need to boot into recovery mode or use the root account to fix it. I've seen too many people skip this step and waste hours.

The 5-Minute Fix: Check the sudoers File Syntax

If you're in the sudo group but still getting 'Permission Denied', the /etc/sudoers file might be broken or misconfigured. This often happens after someone manually edits it and makes a syntax mistake. On Ubuntu, that file is strict—one typo and sudo stops working for everyone.

1. First, try to run any sudo command. If it says something like 'sudo: unable to stat /etc/sudoers' or just 'Permission Denied', we need to check the file.
2. Open the sudoers file using the safe command visudo. Do not open it with a regular text editor—that can break permissions. Run:
   

   sudo visudo

   If this command itself fails (like if sudo is completely broken), skip to the advanced fix.
3. Inside the file, look for a line that reads:
   

   %sudo ALL=(ALL:ALL) ALL

   That's the standard line that gives sudo access to anyone in the sudo group. If it's missing or has extra characters, fix it.
4. Also check for lines that end with a backslash \ or have stray characters. A common mistake is adding a line like:
   

   yourusername ALL=(ALL) ALL

   but misspelling ALL as AL or ALLL. Delete or correct those.
5. Save the file with Ctrl+O, then exit with Ctrl+X. If visudo detects a syntax error, it will warn you—don't ignore it. Choose 'E' to edit again and fix it.

Expected outcome after this step: Your sudo commands should now work. Try sudo -k to clear cached credentials, then run sudo ls /root to test. If it still fails, move to the advanced fix.

A real-world scenario: I once had a user who accidentally added a comment line that started with # but forgot the hash. That single missing character locked the whole system down. Always use visudo—it's not just a suggestion.

The 15+ Minute Fix: Recover sudo Using pkexec or Recovery Mode

If sudo is completely broken—can't even run sudo visudo or sudo apt update—you'll need to recover from outside your normal session. This can happen if the sudoers file is trashed or the sudo binary itself is damaged.

Method A: Use pkexec (if available)

1. pkexec is a Polkit-based tool that often still works when sudo doesn't. Try:
   

   pkexec visudo

   It'll ask for your user password. If it works, fix the sudoers file as described in the moderate fix.
2. If pkexec fails with 'Authentication failed' or 'No session', move to Method B.

Method B: Recovery Mode

1. Reboot your system. During boot, hold down the Shift key (for BIOS) or tap Esc (for UEFI) to get the GRUB menu.
2. Select Advanced options for Ubuntu, then choose a kernel line ending with (recovery mode).
3. From the recovery menu, select root—this drops you to a root shell with full access.
4. Remount the filesystem read-write (it's read-only by default):
   

   mount -o remount,rw /

5. Now check and fix the sudoers file:
   

   visudo

   This will open the file with a safe editor. Make sure the %sudo line is present and correct.
6. If the sudoers file looks fine but sudo still doesn't work, check permissions on the sudo binary:
   

   ls -l /usr/bin/sudo

   It should show -rwsr-xr-x (the 's' in the owner's permissions is critical—it's the setuid bit). If it's missing, fix it:
   

   chmod 4755 /usr/bin/sudo

7. Also verify that /etc/sudoers has the right permissions:
   

   ls -l /etc/sudoers

   It should be -r--r-----. If not, fix it:
   

   chmod 440 /etc/sudoers

8. Exit the root shell by typing exit, then select Resume normal boot from the recovery menu.

Expected outcome after this step: You should be back to a normal login where sudo works. Test with a simple command like sudo whoami—it should output root.

I've used Method B more times than I care to count. It's reliable, but it does require a reboot. If you're on a remote server without console access, you're in a tougher spot—you might need to contact your hosting provider for out-of-band access.

Why This Happens (And How to Avoid It Next Time)

The 'Permission Denied' error with sudo is almost always caused by one of three things:

• User isn't in the sudo group
• Corrupted or misconfigured sudoers file
• Damaged sudo binary or wrong permissions

To avoid this pain in the future, never edit /etc/sudoers directly with a regular text editor. Always use visudo. It validates syntax before saving. Also, if you're adding users to the sudo group, double-check you're using -aG (append) and not -G alone—the latter will remove them from other groups.

One more tip: keep a separate admin user with full sudo rights. If you lock yourself out, that second account can bail you out. I learned that the hard way after a late-night config change gone wrong.