Mastering Linux User Switching: su vs sudo Explained with Real Examples
This article systematically explains the differences between the Linux commands su and sudo, covering preparation steps, usage patterns, parameter effects, practical examples, sudoers configuration, and security considerations to help readers confidently manage user switching and privilege escalation.
Before diving into the commands, several test users are created to demonstrate user switching on a Linux system.
1. Preparation
New users are added with useradd. Since useradd requires root privileges, the article shows how to switch from the regular ubuntu user to root using su - and then create a test user test_user with a password.
ubuntu@VM-0-14-ubuntu:~$ su -
Password: ********
root@VM-0-14-ubuntu:~# useradd -m test_user
root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password: ********
Retype new UNIX password: ********
passwd: password updated successfully
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$
2. su Command Introduction and Main Usage
The su command stands for "switch user" (not "super user"). It changes the current user identity, optionally loading the target user's login environment.
2.1 Parameters
Typical forms are:
su <user_name>
su - <user_name>
Adding - starts a login shell, loading the target user's environment variables (e.g., HOME, PWD); without it, a non‑login shell keeps the original environment.
Example comparing the two:
# Non‑login shell
ubuntu@VM-0-14-ubuntu:~$ su
Password: ********
root@VM-0-14-ubuntu:/home/ubuntu# env | grep PWD
PWD=/home/ubuntu
root@VM-0-14-ubuntu:/home/ubuntu# exit
logout
ubuntu@VM-0-14-ubuntu:~$
# Login shell
ubuntu@VM-0-14-ubuntu:~$ su -
Password: ********
root@VM-0-14-ubuntu:~# env | grep PWD
PWD=/root
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$
When no user name is supplied, su defaults to switching to root.
2.2 Switching to a Specific User
After creating test_user, you can switch to it:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: ********
$
2.3 -c Parameter
The -c option runs a command as the target user without staying in the new shell:
su -c "tail -n 4 /etc/shadow"
Example:
ubuntu@VM-0-14-ubuntu:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
ubuntu@VM-0-14-ubuntu:~$ su -c "tail -n 4 /etc/shadow"
Password: ********
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$...$...:18406:0:99999:7:::
3. sudo Command Introduction and Main Usage
sudo stands for "super user do" and allows a permitted user to execute a command with root privileges, as defined in /etc/sudoers. Unlike su, it does not require the root password; the invoking user provides their own password (or none if NOPASSWD is set).
3.1 Main Usage
When a regular user lacks permission to read a protected file, sudo can be used:
ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
ubuntu@VM-0-14-ubuntu:~$ sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$...$...:18406:0:99999:7:::
The shortcut sudo !! repeats the previous command with sudo prefixed.
3.2 How sudo Works
Permission to use sudo is granted by entries in /etc/sudoers. The file should be edited with visudo to avoid syntax errors. A typical entry looks like:
# User privilege specification
ubuntu ALL=(ALL:ALL) NOPASSWD: ALL
This line gives the user ubuntu the ability to run any command as any user without a password.
3.3 Adding a New User to sudoers
To allow test_user to use sudo, add a line:
test_user ALL=(ALL:ALL) ALL
After updating the file, test_user can execute privileged commands:
test_user@VM-0-14-ubuntu:~$ sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$...$...:18406:0:99999:7:::
4. Comparison Between su and sudo
Using su - requires knowing the root password, which is risky in multi‑user environments.
Using sudo (or sudo su -) only requires the invoking user's password and relies on /etc/sudoers to control who can obtain root privileges, providing better security.
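As an added example (not part of the original article), the following script audits sudoers-format text for the kinds of entries shown in 3.2 and 3.3, flagging unrestricted and passwordless grants. The function names, severity labels and the backup rule are assumptions for illustration, and the parser is simplified: it skips aliases, Defaults and include directives.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): flag broad sudoers grants.
# Simplified parser: handles "who host=(runas) [TAG:] commands" lines only and
# skips comments, Defaults, aliases and include directives.

audit_sudoers() {
  # stdin: sudoers-format text; stdout: "<level> <who> <reason>" per finding
  awk '
    /^[ \t]*(#|@include)/ || /^[ \t]*$/ { next }
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
    {
      eq = index($0, "=")
      if (eq == 0) next
      who  = $1
      spec = substr($0, eq + 1)
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)   # drop (runas_user:runas_group)
      nopass = (spec ~ /NOPASSWD:/)
      gsub(/[A-Z_]+:[ \t]*/, "", spec)          # drop tags such as NOPASSWD:
      gsub(/^[ \t]+|[ \t]+$/, "", spec)
      if (spec == "ALL" && nopass) print "HIGH", who, "any command, no password"
      else if (spec == "ALL")      print "REVIEW", who, "any command, password required"
      else if (nopass)             print "REVIEW", who, "no password for: " spec
    }
  '
}

sample_sudoers() {
  # Constructed input; ubuntu and test_user lines mirror sections 3.2 and 3.3,
  # the "backup" rule is hypothetical.
  cat <<'EOF'
# User privilege specification
Defaults env_reset
root ALL=(ALL:ALL) ALL
ubuntu ALL=(ALL:ALL) NOPASSWD: ALL
test_user ALL=(ALL:ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
}

# Real use (as root): cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers
sample_sudoers | audit_sudoers
```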
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
