Fix 'Permission denied' when running sudo commands on Ubuntu 22.04

Quick answer for advanced users

Boot into recovery mode, remount root as read-write (mount -o remount,rw /), then run visudo to fix /etc/sudoers, or add your user back to the sudo group with usermod -aG sudo yourusername.

What's going on here?

You try sudo apt update and get back Permission denied — even though you're using sudo. It's maddening. The culprit is almost always one of two things: your user account isn't in the sudo group, or the /etc/sudoers file got borked. I've seen this happen after a failed usermod command, a botched Ansible playbook, or someone editing sudoers with a regular text editor instead of visudo. If you edit sudoers without visudo, it's easy to introduce a syntax error that locks everyone out.

This error can also pop up if the /etc/sudoers file has wrong permissions — it must be 0440. If it's world-writable, sudo flat-out refuses to run. Yes, even root gets denied. I saw that once on a server where someone chmod'd the whole /etc directory.

Step-by-step fix

1. Boot into recovery mode. Reboot your machine and hold Shift (BIOS) or press Esc repeatedly (UEFI) during boot. Select 'Advanced options for Ubuntu' then 'Recovery mode'. Select 'root' from the recovery menu.
2. Remount root as read-write. By default, recovery mode mounts root as read-only. Run:
   

   mount -o remount,rw /

3. Check sudoers syntax. Run visudo -c. If it reports a syntax error, run visudo and fix the line. Common mistake: a missing %sudo ALL=(ALL:ALL) ALL line. If you need to start fresh, you can copy a default sudoers file:
   

   cp /etc/sudoers.dist /etc/sudoers 2>/dev/null || echo "No backup found"

   If there's no backup, create a minimal working sudoers:
   

   echo 'root ALL=(ALL:ALL) ALL' | tee /etc/sudoers
   echo '%sudo ALL=(ALL:ALL) ALL' | tee -a /etc/sudoers

4. Set correct permissions. Run:
   

   chmod 0440 /etc/sudoers

5. Verify your user is in the sudo group. Run groups yourusername. If sudo isn't listed, add your user:
   

   usermod -aG sudo yourusername

6. Reboot. Run reboot. After recovery mode exits, try sudo -v to test.

Alternative fixes if the main one fails

• Use the 'pkexec' workaround. If sudo is completely hosed but you still have a GUI session, try pkexec visudo. It prompts for your password and launches the editor as root — but only if polkit is configured right. On Ubuntu 22.04, this works out of the box.
• Edit sudoers from a live USB. Boot from an Ubuntu live USB, mount your root partition to /mnt, then edit /mnt/etc/sudoers with nano. Don't forget to unmount before rebooting.
• Reset the sudo group membership via chroot. From a live USB, mount your root partition to /mnt, then chroot into it: chroot /mnt. Then run usermod -aG sudo yourusername. Exit chroot, unmount, reboot.

Prevention tips

Never edit /etc/sudoers with a regular editor. Always use visudo. It checks syntax before saving. If it finds an error, it won't let you save the broken file. On Ubuntu 22.04, visudo uses nano by default — that's fine, just don't bypass it.

Backup your sudoers file. Run cp /etc/sudoers /etc/sudoers.bak after every successful edit. Trust me, you'll thank yourself later.

Use sudo -l to test. Before logging out, run sudo -l to confirm your user can run sudo. If it fails, fix it immediately while you're still in the session.

One more thing: if you're using Ansible or Puppet to manage sudoers, always include a validate parameter in the template task. Something like validate: 'visudo -cf %s'. That'll save you from pushing a broken config to every server at 3 AM.