The commands su, su - (or su --login), and sudo su are used in Unix-like operating systems to switch users. However, they function differently and understanding these nuances is crucial for system administration and security.
Table of contents
su Command
The su command (short for “substitute user” or “switch user”) allows you to become another user. By default, it does not fully simulate a login. This means it preserves much of your original environment, including the current directory and most environment variables (except HOME and SHELL). If you simply type su, it attempts to switch to the root user.
su - or su --login Command
Adding the - or --login option to su makes it simulate a full login for the target user. This means:
- The environment is cleared and re-initialized as if the user had logged in directly.
- The current directory is changed to the target user’s home directory (usually
/rootfor the root user). - The target user’s shell startup files (e.g.,
.profile,.bashrc) are executed.
su - is equivalent to su --login.
sudo su Command
The sudo su command combines sudo (superuser do) with su. It first authenticates you as a user with sudo privileges (usually requiring your password). Then, it executes su as the root user. sudo su - is similar, but simulates a full login for the root user after the sudo authentication.
Key Differences and Security Considerations
The primary differences lie in how the environment is handled and which user’s password is required for authentication:
su/su -: Requires the target user’s password (typically the root password when switching to root).sudo su/sudo su -: Requires the invoking user’s password (if they havesudoprivileges).
Using sudo su can be preferable in environments where direct root access is restricted. It allows authorized users to gain root privileges without needing to know the root password.
Example
If you run su -, your prompt will likely change to something like root@hostname:/root#, indicating you are in the root user’s home directory with root privileges. With a simple su, your prompt might not change, and you might remain in your original working directory.
Dnes
Choosing the right command depends on the specific task and security requirements. Consider the following:
- For quick tasks that don’t require a complete root environment,
sudo commandis often sufficient and more secure. - When needing a persistent root shell with a clean environment,
su -orsudo su -is appropriate. - Avoid storing passwords directly in scripts or command history.
By understanding the differences between these commands, system administrators can effectively manage user privileges and maintain system security.
Dnes
Furthermore, it’s vital to understand the implications of each command on system logging and auditing. When using sudo, actions are typically logged under the invoking user’s name, providing a clear audit trail. In contrast, su actions are often attributed solely to the target user, potentially making it harder to track the original user responsible for a specific action.
Another crucial point is the handling of environment variables. When using su without the - option, many environment variables remain unchanged. This can sometimes lead to unexpected behavior if the target user’s environment is significantly different from the original user’s. For instance, if the PATH variable is not correctly set, commands may not be found, even if they exist in the target user’s environment.
Therefore, when using su, it’s often best practice to explicitly source the target user’s environment files after switching users. This can be achieved by running commands like source /home/targetuser/.bashrc or source /home/targetuser/;profile. However, keep in mind that this approach may not fully replicate the behavior of a full login shell.
