Su vs Sudo Su vs Sudo -u -i

- - | Comments

This post was partially inspired by half an hour of unsuccessful googling in trying to figure out how I should be getting into a shell as another user with no password required. The other part of the inspiration came from the responses to this tweet where I was inspired to dig deeper about these ubiquitus shell commands. I use sudo/su almost every day with no deep understanding of what it does, and I figured it was time to change that.

The differences between these three possible ways to enter a shell as different users were not apparent to me at all, and I’m pretty sure that other people share my confusion or misunderstandings.

su <user>

The su command lets any user change their user id and start a shell as another user. With no extra arguments, as far as I can tell su <username> is exactly the same as attempting to login remotely as that user, but preserves the environment variables set from the original shell. You are prompted for a password, that is the password of the user that you are attempting to change into. The exception to this behavior is if you are already logged into the shell as root. If you are already root, no password is requested.

sudo su <user>

The sudo su command has similar behavior to su, but it changes which password you have to enter, if any. This command requires you to use sudo, which means that the su command will be running as root. As described earlier, if su runs as root, you will not need to enter the target user’s password.

Now the question is, how can you run sudo. This depends on how your user has been configured in the /etc/sudoers file. There are many tutorials that you can find about how that file works, how it’s formatted, and what options are available, but, in my case, there was only one consideration. My user had the NOPASSWD option set, so I do not have to use a password in order to sudo. If you did not have that option set, you would have to enter a password in order to use sudo, but it would be your own password, not root’s nor the target user’s.

Additionally, I used the word similar earlier because sudo su does not preserve the environment variables of the original shell.

sudo -u <user> -i

The sudo -u <user> -i command is what you need to run if you want to simulate precisely the initial logged in state of another user. The -i option is supposed to stand for simulate initial login. It will create the proper shell, source .bashrc/.bash_profile files, and drop you into the target user’s home directory. The only use that I can see for this is, as a system administrator, debugging issues that are user specific. So far, I have not needed it.

In this exercise, I found that sudo su was the right option for me to achieve my desired effect. I could sudo su to the user I wanted to be, and no password was required.

There is a lot more to learn about these commands, aside from the particular options that I’ve described here. Reading through the man pages, there are many possible configurations that more precisely control environment variables, which shell to start with, and many other things. I haven’t yet found a reason to use all of them as a programmer, but they’re definitely good to know.

Follow me @johnkpaul

See you in the comments!