diff --git a/installer.sh b/installer.sh
old mode 100644
new mode 100755
index c3d98e8..3f090b4
--- a/installer.sh
+++ b/installer.sh
@@ -95,7 +95,7 @@ install_packages() {
 log "Installing Debian packages..."
 apt-get update
 apt-get install -y \
- ca-certificates curl jq openssl sqlite3 \
+ ca-certificates curl jq openssl sqlite3 sudo \
 nginx \
 php-fpm php-cli php-sqlite3 php-curl php-mbstring php-xml php-zip \
 python3 python3-dev python3-pip python3-venv python3-virtualenv python3-scapy \
@@ -1193,12 +1193,50 @@ BASH
 chmod +x /usr/local/bin/baldcanary
 }
 
+ensure_sudo_available() {
+ log "Checking sudo support..."
+
+ if ! command -v sudo >/dev/null 2>&1; then
+ log "sudo is not installed. Installing sudo..."
+ apt-get update
+ apt-get install -y sudo
+ fi
+
+ if [[ ! -d /etc/sudoers.d ]]; then
+ log "Creating /etc/sudoers.d..."
+ mkdir -p /etc/sudoers.d
+ chmod 750 /etc/sudoers.d
+ fi
+
+ if [[ ! -f /etc/sudoers ]]; then
+ fail "/etc/sudoers does not exist after installing sudo. Cannot safely continue."
+ fi
+
+ if ! grep -Eq '^[[:space:]]*#includedir[[:space:]]+/etc/sudoers.d' /etc/sudoers; then
+ log "Enabling /etc/sudoers.d include in /etc/sudoers..."
+ printf '\n#includedir /etc/sudoers.d\n' >> /etc/sudoers
+ fi
+
+ if ! command -v visudo >/dev/null 2>&1; then
+ fail "visudo is not available after installing sudo. Cannot safely continue."
+ fi
+}
+
 write_sudoers() {
 log "Allowing web admin to disable Admin Mode safely..."
+
+ ensure_sudo_available
+
 cat > /etc/sudoers.d/baldcanary <<'EOF'
 www-data ALL=(root) NOPASSWD: /usr/local/bin/baldcanary admin off
 EOF
+
 chmod 440 /etc/sudoers.d/baldcanary
+
+ if ! visudo -cf /etc/sudoers >/dev/null; then
+ rm -f /etc/sudoers.d/baldcanary
+ fail "sudoers validation failed. Removed /etc/sudoers.d/baldcanary."
+ fi
 }
 
 write_ssl() {
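Review bot: The include check in ensure_sudo_available only recognises the `#includedir` spelling, so on a system whose /etc/sudoers uses the `@includedir /etc/sudoers.d` form (accepted since sudo 1.9.1, and probably what newer Debian packages ship) the grep fails and the installer appends a second include to /etc/sudoers. That append is a direct `>>` edit of the main policy file made before any `visudo` check, and the failure path in write_sudoers removes only /etc/sudoers.d/baldcanary, so the appended line stays behind even when validation fails. Match both spellings and escape the dot: `grep -Eq '^[[:space:]]*[#@]includedir[[:space:]]+/etc/sudoers\.d' /etc/sudoers`. Separately, consider checking the new rule with `visudo -cf` on a temporary file and moving it into /etc/sudoers.d only once it passes, so an invalid drop-in is never live.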