Exploring the differences between sudo and su commands in Linux
This article explores the differences between the
su commands in Linux. You can also watch this video to learn about these commands. Becoming root permanently with
su is a well-known 'no-no' in the *nix universe. Why? Because becoming root with
su means that you are root, which is the same as logging into a terminal as the root user with root's password. And that's dangerous for many reasons.
[ You might also enjoy: Linux command line basics: sudo ]
Working as root means that you have the power to:
- Remove any or all files
- Change the permissions of any or all files
- Change the runlevel of the system
- Alter user accounts
- Mount or unmount filesystems
- Remove or install software
- Create, remove, and alter file systems
Basically, you can do anything to the system as the root user. It is the all-powerful administrative account. And, unlike other more chatty operating systems, you won't see a, "Are you sure?" dialog to be sure that the
rm -rf * command you just issued was in
/opt/tmp rather than at
/. As you can imagine, errors made as the root user can be irreversible and devastating. There is an alternative:
sudo, which is an acronym for superuser do or substitute user do, is a command that runs an elevated prompt without a need to change your identity. Depending on your settings in the
/etc/sudoers file, you can issue single commands as root or as another user. To continue running commands with root power, you must always use the sudo command. For example, if you want to install the Nginx package, you run:
$ dnf install nginx
But you will see an error if you are not root or in the sudo group. Instead, if you run this command:
$ sudo dnf install nginx
You will be asked to type your password, and then you can run the command if you are a part of the sudo group.
A simple way to switch to an interactive session as a root user is the following:
$ sudo -i
The theory behind using sudo is that the act of issuing the sudo command before any command you run makes you think more about what you're doing and hopefully make fewer mistakes with an account that possesses unlimited power.
su, on the other hand, is an acronym for switch user or substitute user. You are basically switching to a particular user and you need the password for the user you are switching to. Most often, the user account you switch to is the root account but it can be any account on the system.
For example, if you type:
$ su -
In the above example, you are switching to root and you need the root password. The (
-) switch provides you with root's environment (path and shell variables) rather than simply giving you root user power for a single command while keeping your own environment.
$ su bryant
For the second example, you are switching to bryant, and so you need bryant's password unless you are root.
If you want to switch to the bryant user account including bryant's path and environment variables, use the (
$ su - bryant
-) switch has the same effect as logging into a system directly with that user account. In essence, you become that user.
Recapping what you've learned.
sudolets you issue commands as another user without changing your identity
- You need to have an entry in
/etc/sudoersto execute these restricted permissions
sudo -ibrings you to an interactive session as root
sumeans to switch to a particular user
- Just typing
suswitches to the root user
sudowill ask for your password, while
suwill ask for the password for the user whom you are switching to
[ Want to learn more about security? Check out the IT security and compliance checklist. ]
But when do you use one, not another? Since the
sudo policy is defined in
/etc/sudoers, this can give powerful permission controls. Since
sudo can pretty much do everything that
su can, I would say it is best to stick with
sudo unless you are working with some legacy codes that require the