Mastering su vs sudo: When and How to Switch Users on Linux

1 Preparation

To demonstrate user switching, several test users are created. The Linux command to add a user is

useradd

, usually found in the

PATH

. If the command is not found, use the absolute path

/usr/sbin/useradd

. Only the root user can execute

useradd

:

<code>ubuntu@VM-0-14-ubuntu:~$ su -
Password: 
root@VM-0-14-ubuntu:~# useradd -m test_user
root@VM-0-14-ubuntu:~# ls /home
test_user  ubuntu</code>

Set a password for the new user with

passwd

:

<code>root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully</code>

Return to the normal user:

<code>root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$</code>

2 su Command Introduction and Main Usage

2.1 Meaning and Basic Options

The

su

command stands for "switch user", not "super user". It changes the current user identity.

Typical usage:

<code>su  <user_name>
su - <user_name></code>

The dash (

-

) triggers a login shell, loading the target user's environment variables; without the dash, a non‑login shell keeps the original environment.

2.2 Example of Environment Difference

Switching to root without a dash:

<code>ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu
HOME=/home/ubuntu
ubuntu@VM-0-14-ubuntu:~$ su
Password: 
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu</code>

Switching with a dash loads root's environment:

<code>ubuntu@VM-0-14-ubuntu:~$ su -
Password: 
root@VM-0-14-ubuntu:~# env | grep root
USER=root
PWD=/root
HOME=/root</code>

2.3 Switching to a Specific User

Without a username,

su -

defaults to root. To switch to

test_user

:

<code>ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: 
$</code>

2.4 The -c Option

Instead of opening an interactive shell,

su -c "command"

runs a command as the target user and returns immediately:

<code>ubuntu@VM-0-14-ubuntu:~$ su -c "tail -n 4 /etc/shadow"
Password: 
... (output of tail) ...</code>

3 sudo Command Introduction and Main Usage

3.1 Basic Purpose

sudo

stands for "super user do" and executes a command with root privileges after verifying the invoking user's password.

Common shortcut

sudo !!

repeats the previous command with

sudo

prefixed.

3.2 Using sudo for Privilege Escalation

Examples:

<code>ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow': Permission denied
ubuntu@VM-0-14-ubuntu:~$ sudo !!
sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$...:18406:0:99999:7:::</code>

Other forms:

<code>sudo su -      # switch to root, prompting for the current user's password
sudo -i        # similar to "sudo su -"
</code>

3.3 sudoers File and visudo

Whether a user can run

sudo

is defined in

/etc/sudoers

. The file must be edited with

visudo

to ensure correct syntax.

<code># User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL</code>

The line for

ubuntu

includes

NOPASSWD

, allowing password‑less sudo.

To grant

test_user

sudo rights, add:

<code>test_user ALL=(ALL:ALL) ALL   # test_user must provide its own password</code>

3.4 Security Considerations

Only trusted users should be given sudo privileges, as they can execute any command as root. The

/etc/sudoers

file can also restrict users to specific commands for tighter security.

4 Comparison of su and sudo

Using

su -

requires knowing the root password, which is risky in multi‑user environments.

Using

sudo su -

or

sudo -i

requires only the invoking user's password, and which users can become root is controlled by the

/etc/sudoers

configuration, making the system more secure.