Difference between Linux commands su and sudo

Posted by netbros on Wed, 03 Nov 2021 02:35:43 +0100

Difference between Linux commands su and sudo


1. Preparation

Because this blog involves user switching, I need to prepare several test users in advance to facilitate subsequent switching.

The command to create a new user in Linux is useradd. In general, the PATH corresponding to this command in the system is in the PATH environment variable. If you directly enter useradd and don't use it, use the method of absolute PATH name: / usr/sbin/useradd.

The useradd new user command can only be executed by the root user. We first switch from the ordinary user ubuntu to the root user (how to switch will be described later):

ubuntu@VM-0-14-ubuntu:~$ su -
Password:                                         # Enter the root login password
root@VM-0-14-ubuntu:~# useradd -m test_user       # With - m parameter
root@VM-0-14-ubuntu:~# ls /home
test_user  ubuntu                                 # You can see that there are two users under the / home directory

Because it hasn't been given to the new user_ User sets the login password, which makes it impossible for us to switch from ordinary user ubuntu to test_user, so next, we need to set test with root_ User's login password. The passwd command is required:

root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password:                          # Output test_user's password
Retype new UNIX password:       
passwd: password updated successfully

Then, enter exit to exit the root user to the normal user ubuntu:

root@VM-0-14-ubuntu:~# exit

You can see that the front of the command prompt has changed from root to ubuntu, indicating that we are now a ubuntu user.


2. Introduction and main usage of Su command

su means switch user.

After knowing what abbreviation su comes from, the function it provides is obvious, that is, switching users.


2.1 - parameters

The general usage of su is:

su  <user_name>


su - <user_name>

There is only one character difference between the two methods - there will be a big difference:

  • If the - parameter is added, it is a login shell method, which means switching to another user < user_ After name >, the current shell will load < user >_ Name > corresponding environment variables and various settings;
  • If the - parameter is not added, it is a non login shell method, which means that I now switch to < user_ Name >, but the current shell still loads the environment variables and various settings of the user before switching.


Light interpretation will be more abstract, and it will be easier to understand if we look at an example.

2.1.1 su switching

First, we switch from the ubuntu user to the root user in the form of non login shell, and compare the PWD values in the environment variables in the two user states (the su command does not follow any < user_name >, and switches to the root user by default):

ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
PWD=/home/ubuntu                                         # Yes / home/ubuntu
# Omit
ubuntu@VM-0-14-ubuntu:~$ su                              # Non login shell mode
Password:                                                # Enter the root login password
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu                                         # Can I find / home/ubuntu

We did switch to the root user, but the variables in the shell environment have not changed. We still use the environment variables of the previous ubuntu user.


2.1.2 su - switching

Then we switch from the ubuntu user to the root user by login shell, and compare the PWD values in the environment variables of the two users:

ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
PWD=/home/ubuntu                               # Yes / home/ubuntu
# Omit
ubuntu@VM-0-14-ubuntu:~$ su -                  # Login shell mode
root@VM-0-14-ubuntu:~# env | grep root
PWD=/root                                      # Has become / root

You can see that if you switch users by login shell, the environment variables in the shell also change.

Summary: which method is used to switch users to see their personal needs:

  • If you don't want to make your settings under the current user unavailable because you switch to another user, use the non login shell method;
  • If you need to use various environment variables of the user after switching users (the environment variable settings of different users are generally different), use the login shell method.


2.2 switch to the specified user

As mentioned earlier, if the su command is not followed by any < user_ Name >, the default is to switch to the root user:

ubuntu@VM-0-14-ubuntu:~$ su -
Password:                                       # Password of root user

Because we have created a new test in 1. Preparation_ User, and we also know test_ With the login password of user (set by root), we can switch from ubuntu user to test_user:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:                                       # test_user password


2.3 -c parameters

In the previous methods, we first switch to another user (root or test_user), execute the command in which user's state, and finally enter exit to return to the current ubuntu user.

There is another way: you do not need to switch users before executing commands. You can directly execute commands in the form of another user under the current user, and return to the current user after execution. This requires the - c parameter.

The specific use methods are:

su - -c "string of commands"                                  # Execute "instruction string" as root

Let's take an example:

ubuntu@VM-0-14-ubuntu:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied                # ubuntu users cannot directly view the contents of the / etc/shadow file

ubuntu@VM-0-14-ubuntu:~$ su - -c "tail -n 4 /etc/shadow"
Password:                                          # Enter the root user password
ubuntu@VM-0-14-ubuntu:~$                            # After execution, return to the ubuntu user instead of the root user

This execution method is very similar to sudo to be introduced later. Both of them temporarily apply for the permission of root user. But there are still differences. Let's look back.


3. Introduction and main usage of sudo command

First, explain what the sudo command means.

The full English name of sudo is super user do, that is, execute commands as a super user (root user). Sudo here is different from the switch user expressed by su before. It should be noted that it is easy to get confused.

Let's first introduce what the sudo command can do, and then explain why and how to do it.

Let's start.


3.1 main usage

We often encounter Permission denied in Linux, such as viewing the contents of / etc/shadow as a ubuntu user. Because the contents of this file can only be viewed by root.

What if we want to see it? In this case, sudo can be used:

ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied      # No permission
ubuntu@VM-0-14-ubuntu:~$ sudo !!                                    # And two exclamation marks
sudo tail -n 3 /etc/shadow

In the example, we use sudo!! This little trick means repeating the command entered above, but adding sudo at the beginning of the command.

Because I have set the sudo command and do not need to enter a password, here is sudo!! You can output the content directly. If it is not set, you need to enter the password of the current user. For example, in this example, I should enter the login password of the ubuntu user.

For two adjacent sudo operations, if the interval is within 5min, the second sudo input does not need to re-enter the password; If it exceeds 5min, you need to enter the password when you enter sudo again. Therefore, an easy way is to set up sudo operation without password. How to set it will be described later.

In addition to executing commands with the authority of root user, sudo has several other uses, which are briefly introduced here.

Switch to root:

sudo su -

This method can also switch to the root user in the form of login shell, but it is different from the su - Method:

  • For the former, after entering sudo su -, you need to provide the login password of the current user, that is, the password of the ubuntu user;
  • The latter needs to provide the login password of the root user after entering su -.

There is another command:

sudo -ish

This command has the same effect as sudo su -. It is also required to switch to the root user and provide the login password of the current user (ubuntu user).

Let's switch to test now_ User, try to display the contents of the / etc/shadow file:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:                                       # test_user's password
$ sudo cat /etc/shadow
[sudo] password for test_user:                  # test_user's password
test_user is not in the sudoers file.  This incident will be reported.

We will see the error message in the penultimate line. We can't view the content of / etc/shadow. Why? Why can ubuntu use sudo but test_ Why not?

This involves the working principle of sudo.


3.2 sudo working principle

Whether a user can use the sudo command depends on the setting of the / etc/sudoers file.

As we can see from Section 3.1, ubuntu users can use sudo normally, but test_user cannot use it because test is not configured in the / etc/sudoers file_ user.

/etc/sudoers is also a text file, but because of its specific syntax, we don't use vim or vi to edit it directly. We need to use the command visudo. After entering this command, you can directly edit the file / etc/sudoers.

It should be noted that only the root user has permission to use the visudo command.

Let's first look at the content displayed after entering the visudo command.

Enter (root user):

root@VM-0-14-ubuntu:~# visudo


# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
# User name allows any host to log in = you can switch to any other user in the system without entering a password when requesting sudo

Explain the format of each line:

  • The first represents the user name, such as root, ubuntu, etc;
  • Next, ALL on the left of the equal sign indicates that it is allowed to log in to the current user account from any host;
  • ALL on the right of the equal sign indicates that a user at the beginning of this line can switch to any other user in the system;
  • ALL at the end of the line indicates that the user at the beginning of the current line can issue any command as root user. ALL indicates that any command can be issued.

We also notice that the line corresponding to ubuntu has a NOPASSWD keyword, which means that the user of ubuntu does not need to enter a password when requesting sudo. Here we explain the previous problem.

At the same time, we note that there is no test in this file_ The row corresponding to user, which explains why test_user cannot use sudo command.

Next, we try to put test_ Add user to the / etc/sudoers file to make test_user can also use the sudo command. We add on the last line:

test_user  ALL=(ALL:ALL)  ALL       # test_user needs to provide test when using sudo_ User's password

Then we'll talk about it again_ Execute sudo under user account:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
$ sudo tail -n 3 /etc/shadow                   # Plus sudo

As you can see, sudo is now available.


3.3 thinking

We have seen that if a user is in the / etc/sudoers file, it has sudo permission and can switch to the root user through sudo su - or sudo -i commands. At this time, the user becomes the root user. Does this pose a great threat to the system?

Actually, it is. Therefore, if you edit the / etc/sudoers file to give sudo permission to a user, you must make sure that the user is trusted and will not cause malicious damage to the system. Otherwise, it will be very dangerous to give all root permissions to the user.

Of course, the root user can also edit / etc/sudoers so that the user has only some permissions, that is, only a small number of commands can be executed. Interested readers can refer to Article 2 of the Reference section, which will not be repeated in this article.


4. Comparison of differences between the two

We have seen:

  • Use su -, provide the password of the root account, and you can switch to the root user;
  • Use sudo su -, provide the password of the current user, or switch to the root user

The difference between the two methods is also obvious:

  • If many users need to use our Linux system, the former requires all users to know the password of root user, which is obviously very dangerous;
  • The latter does not need to expose the root account password. Users only need to enter their own account password, and which users can switch to root is completely controlled by root (root is realized by setting / etc/sudoers), so the system is much safer.

Topics: Linux