Enabling Claude Code to Use sudo on Ubuntu
How to configure sudoers to allow the Claude Code CLI to run root-privileged commands while maintaining security
When using the Claude Code CLI, there are tasks that require root privileges, such as apt install and systemctl. This post explains how to configure Claude Code to use sudo while maintaining security.
Problem
When executing a sudo command in Claude Code:
```
sudo: a terminal is required to read the password
```

Claude Code's bash session is not an interactive terminal, so you cannot enter a password.
Incorrect Solution
```
# Never do this
yohan ALL=(ALL) NOPASSWD: ALL
```

While convenient, this is a fatal security risk. If the account is compromised, an attacker immediately gains root privileges. There have been actual cases of servers being hacked due to this setting.
Correct Solution
Maintain password authentication while ensuring convenience with credential caching.
1. sudoers Configuration
```
sudo visudo
```

Add to the Defaults section:

```
Defaults timestamp_timeout=60
Defaults !tty_tickets
```

| Setting | Role |
|---|---|
| timestamp_timeout=60 | Cache for 60 minutes after password entry |
| !tty_tickets | Share credentials across all tty |
The second setting is key. By default, credentials are separated per tty, so even if you do sudo -v in the terminal, it will not apply to Claude Code's bash session.
2. Claude Code Execution
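```
sudo -v && claude --dangerously-skip-permissions
```

If you cache the credential with sudo -v and then run Claude Code, the sudo commands it runs internally will execute without a password prompt. Keep in mind that --dangerously-skip-permissions turns off Claude Code's per-command approval prompts, so while the credential is cached, root commands run without any confirmation from you.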
3. Verification
In Claude Code:
Run sudo whoami
If root is printed, you have succeeded.
Security Comparison
| Method | Attacker Intrusion | Time Limit |
|---|---|---|
| NOPASSWD: ALL | Immediate root access | None (Permanent) |
| timestamp_timeout + !tty_tickets | Password required | Expires after 60 minutes |
It is still dangerous if an intrusion occurs during the 60 minutes that the credential is cached. However, it is the difference between "leaving the door always open" and "opening and closing it briefly."
To be more conservative, reduce the time to something like timestamp_timeout=15.
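The comparison above can be checked mechanically. The following is an added example, not part of the original post: a shell function that scans sudoers text for a blanket NOPASSWD: ALL rule and reports the timestamp_timeout and tty_tickets settings. The function name audit_sudoers and both sample files are constructed for illustration; it also flags a negative timestamp_timeout, which sudo treats as a cache that does not expire until reboot.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit sudoers text for the
# settings discussed above. Defaults scoped to a user or host are treated as
# global here, which is a simplification.

# audit_sudoers FILE: prints findings; returns 1 on a blanket NOPASSWD rule
# or a credential cache that never expires, 0 otherwise.
audit_sudoers() {
    awk '
    /^[ \t]*#/ && !/^[ \t]*#[0-9]/ { next }   # comment, but keep "#uid" rules
    /^[ \t]*Defaults/ {
        line = $0
        sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "", line)
        sub(/[ \t]+$/, "", line)
        n = split(line, opts, /[ \t]*,[ \t]*/)  # several settings per line
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^timestamp_timeout[ \t]*=/) {
                sub(/^[^=]*=[ \t]*/, "", opts[i]); timeout = opts[i]
            } else if (opts[i] == "!tty_tickets") shared = 1
            else if (opts[i] == "tty_tickets") shared = 0
        }
        next
    }
    # Trailing space appended so "ALL" at end of line matches, "ALLOWED" does not.
    ($0 " ") ~ /NOPASSWD[ \t]*:[ \t]*ALL[ \t,]/ {
        print "FAIL blanket NOPASSWD rule: " $0; bad = 1
    }
    END {
        if (timeout == "") print "INFO timestamp_timeout not set; sudo default applies"
        else if (timeout + 0 < 0) { print "FAIL timestamp_timeout=" timeout " does not expire until reboot"; bad = 1 }
        else print "INFO credential cached for " timeout " minute(s)"
        if (shared) print "WARN !tty_tickets: every process of this user shares the cache"
        exit bad + 0
    }' "$1"
}

# Constructed samples: the rule the post warns against, and the post settings.
weak=$(mktemp); hardened=$(mktemp)
printf '%s\n' '# constructed sample' 'yohan ALL=(ALL) NOPASSWD: ALL' > "$weak"
printf '%s\n' 'Defaults timestamp_timeout=60' 'Defaults !tty_tickets' \
    'yohan ALL=(ALL:ALL) ALL' > "$hardened"
audit_sudoers "$weak" || echo "=> weak sample flagged"
audit_sudoers "$hardened" && echo "=> hardened sample passes with a warning"
```

To audit a real system, run the function as root over /etc/sudoers and each file in /etc/sudoers.d.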
Summary
```
# /etc/sudoers settings
Defaults timestamp_timeout=60
Defaults !tty_tickets

# Run
sudo -v && claude --dangerously-skip-permissions
```

With this configuration, Claude Code can perform system administration tasks while avoiding the security risk of NOPASSWD.
Note: After 60 minutes, you must renew the credential with sudo -v again.