What’s the Difference Between Sudo and Su in Linux?
“What is the difference between the su and sudo commands?” Is a question commonly asked to those new to *nix based operating systems that we’ll explain and answer here.
In order to discuss the differences, let’s first establish what each command actually does with some examples.
The su Command
The su command allows you to swtich user and run your commands as some other user under their user ID.
When you run su without any arguments, it will try to open up a root shell by default and will therefore prompt you for the root password to proceed. After entering the root password, you are now the root user and anything you run during this session will be run as root.
[user1@centos7 ~]$ whoami user1 [user1@centos7 ~]$ su Password: [root@centos7 user1]# whoami root
Alternatively you can specify the user that you want to change to, which generally requires their password unless you are root.
[root@centos7 ~]# su - user1 Last login: Tue Aug 30 11:30:32 AEST 2016 on pts/0 [user1@centos7 ~]$ whoami user1 [user1@centos7 ~]$ su - user2 Password: Last login: Tue Aug 30 11:29:59 AEST 2016 on pts/0
As shown if user1 wants to switch to user2 they need the password, however root can switch to any other user without providing the password.
While it is not required that the ‘-‘ be specified, it is recommended for an interactive shell. As shown below if we switch user without specifying ‘-‘ the path or current working directory of /root are not changed, which may cause problems when user1 goes to run commands.
[root@centos7 ~]# echo $PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin [root@centos7 ~]# su user1 [user1@centos7 root]$ echo $PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin [user1@centos7 root]$ exit exit [root@centos7 ~]# su - user1 Last login: Tue Aug 30 11:32:02 AEST 2016 on pts/0 [user1@centos7 ~]$ echo $PATH /usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/user1/.local/bin:/home/user1/bin
Essentially you almost always want to make use of the ‘-‘ when using su.
We don’t just have to enter a shell of the new user, we can optionally execute commands as that user with the -c flag.
[user1@centos7 ~]$ su -c whoami Password: root
Now that we understand the su command, let’s see what sudo has to offer.
The sudo Command
The super user do, or sudo command on the other hand instead allows you to run a command as root from your current user. By default this will require you to provide your password again as a security measure.
The non root user account requires sudo privileges to do this, and this is normally setup by either adding the user or group to the /etc/sudoers file, or by adding the user to the wheel group.
[root@centos7 ~]# usermod -aG wheel user1 [root@centos7 ~]# id user1 uid=1000(user1) gid=1000(user1) groups=1000(user1),10(wheel) [root@centos7 ~]# su - user1 Last login: Tue Aug 30 11:42:46 AEST 2016 on pts/0 [user1@centos7 ~]$ sudo whoami We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for user1: root
In this example the root user adds user1 to the wheel group, which is defined in the /etc/sudoers configuration file to provide root privileges via the sudo command. From there we run the whoami command as root with sudo, and after providing the password of user1 we are advised that we are root. Note that we are not dropped into a root shell after this.
After entering the user’s password for the first time for sudo, subsequent sudo usage does not require the password, as shown below. Here we also see that user1 does not have permission to list contents of /root by itself, however it works correctly with sudo.
[user1@centos7 ~]$ ls -l /root ls: cannot open directory /root: Permission denied [user1@centos7 ~]$ sudo ls -l /root total 3244 -rw-------. 1 root root 984 Aug 29 14:21 anaconda-ks.cfg
We can also use sudo in combination with the su command to enter an interactive root shell, rather than entering every command with the sudo prefix.
[user1@centos7 ~]$ sudo su - Last login: Tue Aug 30 11:49:01 AEST 2016 on pts/0 [root@centos7 ~]# whoami root
Similarly, we can get a shell with the -i flag.
[user1@centos7 ~]$ sudo -i [sudo] password for user1: [root@centos7 ~]# whoami root
In order to define specific commands that may be executed with root privileges, we modify the /etc/sudoers file. For example, we can add the below configuration to the /etc/sudoers file which will allow user1 to perform systemctl commands, allowing them to stop and start services using sudo (among many other things, systemctl can do a lot in RHEL 7).
user1 ALL=(ALL) /bin/systemctl
This will be all they can do with sudo, anything else attempted will be denied.
[user1@centos7 ~]$ sudo systemctl restart httpd [user1@centos7 ~]$ sudo ls /root Sorry, user user1 is not allowed to execute '/bin/ls /root' as root on centos7.example.com. [user1@centos7 ~]$ exit logout [root@centos7 ~]# su - user2 Last login: Tue Aug 30 12:42:20 AEST 2016 on pts/0 [user2@centos7 ~]$ sudo systemctl restart httpd user2 is not in the sudoers file. This incident will be reported.
As expected user1 can restart Apache, but user2 is not allowed. We also see that user1 is not able to do other tasks that require root, such as list the contents of the /root directory.
Differences Between su and sudo
With the explanations out of the way for each command hopefully you can already see the key differences between the two.
They are indeed quite similar in some aspects, the ‘su’ command is basically equivalent to ‘sudo -i’, while the ‘sudo’ command is basically equivalent to ‘su -c’.
A major key difference is who gets the root password. If a user wishes to su to root then they require the password of the root account. If instead the user is executing a command with sudo, they only need their own password and sudo privileges. Therefore if you have multiple users that require root privileges on a system, providing sudo access is considered to be more secure as we can audit commands that have been executed by specific users without sharing the root user’s password with other people.
By default a non root user could use sudo privileges to change the root password, however the /etc/sudoers file can be used to only grant root access to specific commands that the user needs to run as root rather than being able to run anything as root. With sudo we can define security policy, allowing one group of users to perform only a specific subset of clearly defined commands as the root user.
We have covered what the su and sudo commands are typically used for, and then outlined the differences between the two.
While both are useful commands for running commands with root privileges, sudo is generally considered the better option as we do not need to share the password of the root user, and we can configure specific policy to only allow a subset of required commands to be executed as root on a per user or group basis.
Hopefully this guide has shown that there’s a time and place for both commands, depending on what you’re trying to achieve.