Linux su or sudo

What’s the difference between sudo su vs just su?

I see a lot of posts out there that say you type in sudo su to get an interactive prompt with root privileges, and I see equally many posts debating the pros and cons over sudo -i vs sudo su. Here I’m sitting scratching my head over why people don’t just write su. After all su is short for substitute user and switches to root by default, so is there really any need at all to write sudo su?

5 Answers

If you can use simply su, you should.

But, in most modern (desktop-) Linux distributions (for example Ubuntu) the root user is disabled and has no password set. Therefore you cannot switch to the root user with su (you can try). You have to call sudo with root privileges: sudo su.

-1 for "If you can simply use su, you should"; this is subjective at best, and bad advice at worst. Ideally, the use of sudo instead of su allows significantly more control over what a user is able to do with elevated privileges; and su without an extra dash is generally bad practice as it preserves the environment.

sudo su, sudo -i and all other sudo invocations require the user’s password.

su requires the root password.

@ElectricCoffee Both are unsafe: Having a root shell is unsafe; One slip of the fingers can cause a lot of damage. sudo is more secure than su, as sudo uses the user’s password (note only those with appropriate privileges can use sudo), therefore we do not have to distribute a new root password every time someone leaves the group.

@ElectricCoffee: Someone who has a sudo rule to run "su" with no password (or with their own password) has been explicitly given that permission by the sudoers configuration. The argument would be that a user’s password is more secure than a shared root password. The same complexity rules can be enforced in both cases, but with each user having their own password, rotation does not require communicating the password out to those who need that password. One could use the rootpw or targetpw option on a sudo rule if one really wanted to retain classic su behavior with sudo’s benefits.

Both programs are suid root. There is no reason to ever type sudo su except for the situation where one is unfamiliar with the -i and -E options to sudo, or otherwise in the habit of doing things as root without understanding why they’re done.

The su command passes through a few hard-coded environment vars (or, on recent Linux, can use -p to pass through the entire environment), while sudo can control exactly which variables pass through (try $DISPLAY for a useful example). The su command can only prompt for the target user’s password (assuming a default pam stack), while sudo can be configured to authenticate as the source or target user, or neither, or always root — and can do so per command. The su command resets $HOME, while sudo can decide based on the ruleset available. And that’s one more forked process that doesn’t need to exist.

Meanwhile, sudo logs the commands that it runs, so as long as you’re not just doing sudo -i or otherwise launching a shell, you can get a way better audit trail with sudo. When you run a command using sudo, it removes both . and empty elements in $PATH and then checks those last if they were present, preventing people from sticking a shell script named "ls" in /tmp and similar shenanigans. 🙂

Basically, sudo su is like nailing one hand behind sudo’s back and gaining nothing. 🙂

On some systems, su to root is not enabled for normal users, so sudo su is required.

it’s worked just fine on all the systems I’ve tested it on.. Linux and BSD alike, hence the confusion

@roaima sudo -i does not inherit the root PATH. Try echo $PATH and then sudo -i echo $PATH , then do sudo -i and once at a root prompt, do echo $PATH .

    [user@host] /home/user$ sh -c 'echo $PATH'
    /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/quest/bin:/usr/local/sec:/var/cfengine/bin
    [user@host] /home/user$ sudo -i sh -c 'echo $PATH'
    /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/quest/bin:/usr/local/sec:/var/cfengine/bin:/var/cfengine/bin:/root/bin
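The audit-trail point made in the answer above (sudo logs each command it runs, but only until a shell is launched) can be checked against sudo's syslog records. This is an added example, not part of the original thread; the log lines are constructed, the function names are hypothetical, and it assumes records tagged "sudo:" in the classic syslog layout.

```shell
#!/bin/sh
# Constructed sample of sudo syslog records (not taken from a real host).
sample_log() {
cat <<'EOF'
Mar  3 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:20:47 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su
Mar  3 09:31:10 web01 sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/bash
Mar  3 09:40:55 web01 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Mar  3 10:02:19 web01 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/su - postgres
EOF
}

# Read sudo records on stdin and print "user -> target: command" for each one
# whose command is su or a shell. After such a record sudo logs nothing more
# for that session, so these are the points where the audit trail ends.
find_shell_escalations() {
    awk '
    / sudo: / && /COMMAND=/ {
        line = $0
        sub(/^.* sudo: */, "", line)          # drop timestamp, host and tag
        user = line;   sub(/ *:.*$/, "", user)
        target = line; sub(/^.*USER=/, "", target); sub(/ ;.*$/, "", target)
        cmd = line;    sub(/^.*COMMAND=/, "", cmd)
        split(cmd, argv, " ")                 # argv[1] is the program path
        n = split(argv[1], parts, "/")
        base = parts[n]                       # basename of the program
        if (base ~ /^(su|sh|bash|dash|zsh|ksh|csh|tcsh|fish)$/)
            printf "%s -> %s: %s\n", user, target, cmd
    }'
}

# Stand-alone run over the constructed sample.
sample_log | find_shell_escalations
```

On a real host the function would read the file that receives auth-facility syslog messages instead of `sample_log`; editors with shell escapes, such as the vi record in the sample, are not covered by this check.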

The main difference between these commands is in the way they restrict access to their functions.

su (which means "substitute user" or "switch user") — does exactly that, it starts another shell instance with privileges of the target user. To ensure you have the rights to do that, it asks you for the password of the target user. So, to become root, you need to know root password. If there are several users on your machine who need to run commands as root, they all need to know root password — note that it’ll be the same password. If you need to revoke admin permissions from one of the users, you need to change root password and tell it only to those people who need to keep access — messy.

sudo (hmm. what’s the mnemonic? Super-User-DO?) is completely different. It uses a config file (/etc/sudoers) which lists which users have rights to specific actions (run commands as root, etc.) When invoked, it asks for the password of the user who started it — to ensure the person at the terminal is really the same "joe" who’s listed in /etc/sudoers. To revoke admin privileges from a person, you just need to edit the config file (or remove the user from a group which is listed in that config). This results in much cleaner management of privileges.

As a result of this, in many Debian-based systems root user has no password set — i.e. it’s not possible to login as root directly.

Also, /etc/sudoers allows you to specify some additional options — i.e. user X is only able to run program Y etc.

The often-used sudo su combination works as follows: first sudo asks you for your password, and, if you’re allowed to do so, invokes the next command (su) as a super-user. Because su is invoked by root, it does not require you to enter the target user’s password. So, sudo su allows you to open a shell as another user (including root), if you’re allowed super-user access by the /etc/sudoers file.
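A sudoers fragment illustrating the points made in the answers above: per-command grants, control over which environment variables pass through, and the rootpw option. This is an added example, not taken from the original thread; the user names, the NGINX alias and the command paths are constructed.

```sudoers
# Constructed example policy. Edit sudoers files with visudo, which
# syntax-checks the result before saving.

# Start every command from a clean environment and a fixed PATH,
# then let only DISPLAY through.
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        env_keep += "DISPLAY"

# Broad rule: members of group sudo may run anything, including su and
# shells, after entering their own password. This is what makes
# "sudo su" and "sudo -i" work.
%sudo           ALL=(ALL:ALL) ALL

# Narrow rule: alice may only restart or reload nginx as root. Each
# invocation is logged with its full command line.
Cmnd_Alias      NGINX = /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx
alice           ALL=(root) NGINX

# Classic su behaviour for one user: bob is prompted for root's password
# instead of his own.
Defaults:bob    rootpw
bob             ALL=(root) ALL
```

Removing alice's line revokes her access without touching any password, which is the management advantage the answer describes.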

Exploring the differences between sudo and su commands in Linux

If you’re confused about what su and sudo commands do for you, this brief guide will help you sort them out.

This article explores the differences between the sudo and su commands in Linux. You can also watch this video to learn about these commands. Becoming root permanently with su is a well-known ‘no-no’ in the *nix universe. Why? Because becoming root with su means that you are root, which is the same as logging into a terminal as the root user with root’s password. And that’s dangerous for many reasons.

Working as root means that you have the power to:

  • Remove any or all files
  • Change the permissions of any or all files
  • Change the runlevel of the system
  • Alter user accounts
  • Mount or unmount filesystems
  • Remove or install software
  • Create, remove, and alter file systems

Basically, you can do anything to the system as the root user. It is the all-powerful administrative account. And, unlike other more chatty operating systems, you won’t see an "Are you sure?" dialog to confirm that the rm -rf * command you just issued was in /opt/tmp rather than at /. As you can imagine, errors made as the root user can be irreversible and devastating. There is an alternative: sudo.

sudo

sudo, which is an acronym for superuser do or substitute user do, is a command that runs an elevated prompt without a need to change your identity. Depending on your settings in the /etc/sudoers file, you can issue single commands as root or as another user. To continue running commands with root power, you must always use the sudo command. For example, if you want to install the Nginx package, you run:

But you will see an error if you are not root or in the sudo group. Instead, if you run this command:

You will be asked to type your password, and then you can run the command if you are a part of the sudo group.

A simple way to switch to an interactive session as a root user is the following:

The theory behind using sudo is that the act of issuing the sudo command before any command you run makes you think more about what you’re doing and hopefully make fewer mistakes with an account that possesses unlimited power.

su

su, on the other hand, is an acronym for switch user or substitute user. You are basically switching to a particular user and you need the password for the user you are switching to. Most often, the user account you switch to is the root account but it can be any account on the system.

In the above example, you are switching to root and you need the root password. The (-) switch provides you with root’s environment (path and shell variables) rather than simply giving you root user power for a single command while keeping your own environment.

For the second example, you are switching to bryant, and so you need bryant’s password unless you are root.

If you want to switch to the bryant user account including bryant’s path and environment variables, use the (-) switch:

The (-) switch has the same effect as logging into a system directly with that user account. In essence, you become that user.

Wrap up

Recapping what you’ve learned.

  • sudo lets you issue commands as another user without changing your identity
  • You need to have an entry in /etc/sudoers to execute these restricted permissions
  • sudo -i brings you to an interactive session as root
  • su means to switch to a particular user
  • Just typing su switches to the root user
  • sudo will ask for your password, while su will ask for the password for the user whom you are switching to

But when do you use one rather than the other? Since the sudo policy is defined in /etc/sudoers, this can give powerful permission controls. Since sudo can pretty much do everything that su can, I would say it is best to stick with sudo unless you are working with some legacy code that requires the su command.
