Exploring the differences between sudo and su commands in Linux

This article explores the differences between the sudo and su commands in Linux. You can also watch this video to learn about these commands. Becoming root permanently with su is a well-known 'no-no' in the *nix universe. Why? Because becoming root with su means that you are root, which is the same as logging into a terminal as the root user with root's password. And that's dangerous for many reasons.

[ You might also enjoy: Linux command line basics: sudo ]

Working as root means that you have the power to:

• Remove any or all files
• Change the permissions of any or all files
• Change the runlevel of the system
• Alter user accounts
• Mount or unmount filesystems
• Remove or install software
• Create, remove, and alter file systems

Basically, you can do anything to the system as the root user. It is the all-powerful administrative account. And, unlike other more chatty operating systems, you won't see a, "Are you sure?" dialog to be sure that the rm -rf * command you just issued was in /opt/tmp rather than at /. As you can imagine, errors made as the root user can be irreversible and devastating. There is an alternative: sudo.

sudo

sudo, which is an acronym for superuser do or substitute user do, is a command that runs an elevated prompt without a need to change your identity. Depending on your settings in the /etc/sudoers file, you can issue single commands as root or as another user. To continue running commands with root power, you must always use the sudo command. For example, if you want to install the Nginx package, you run:

$ dnf install nginx

But you will see an error if you are not root or in the sudo group. Instead, if you run this command:

$ sudo dnf install nginx

You will be asked to type your password, and then you can run the command if you are a part of the sudo group.

A simple way to switch to an interactive session as a root user is the following:

$ sudo -i

The theory behind using sudo is that the act of issuing the sudo command before any command you run makes you think more about what you're doing and hopefully make fewer mistakes with an account that possesses unlimited power.

su

su, on the other hand, is an acronym for switch user or substitute user. You are basically switching to a particular user and you need the password for the user you are switching to. Most often, the user account you switch to is the root account but it can be any account on the system.

For example, if you type:

$ su -

In the above example, you are switching to root and you need the root password. The (-) switch provides you with root's environment (path and shell variables) rather than simply giving you root user power for a single command while keeping your own environment.

$ su bryant

For the second example, you are switching to bryant, and so you need bryant's password unless you are root.

If you want to switch to the bryant user account including bryant's path and environment variables, use the (-) switch:

$ su - bryant

The (-) switch has the same effect as logging into a system directly with that user account. In essence, you become that user.

Wrap up

Recapping what you've learned.

• sudo lets you issue commands as another user without changing your identity
• You need to have an entry in /etc/sudoers to execute these restricted permissions
• sudo -i brings you to an interactive session as root
• su means to switch to a particular user
• Just typing su switches to the root user
• sudo will ask for your password, while su will ask for the password for the user whom you are switching to

[ Want to learn more about security? Check out the IT security and compliance checklist. ] 

But when do you use one, not another? Since the sudo policy is defined in /etc/sudoers, this can give powerful permission controls. Since sudo can pretty much do everything that su can, I would say it is best to stick with sudo unless you are working with some legacy codes that require the su command.