Mastering su and sudo: When and How to Switch Users on Linux
This guide explains the differences between the su and sudo commands, how to create test users, switch between them using login and non‑login shells, employ the -c option, configure sudo privileges via /etc/sudoers, and choose the safest method for privilege escalation on Linux systems.
1. Preparation
Before experimenting with user switching, create a test user with useradd (or /usr/sbin/useradd if the command is not in PATH). Only the root account can execute useradd, so first switch from the regular ubuntu user to root.
ubuntu@VM-0-14-ubuntu:~$ su -
Password: # enter root password
root@VM-0-14-ubuntu:~# useradd -m test_user
root@VM-0-14-ubuntu:~# ls /home
test_user ubuntu
Set a password for test_user using passwd and then exit back to the ubuntu user.
root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password: # …
Retype new UNIX password: # …
passwd: password updated successfully
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$
2. su Command Overview
The su command stands for "switch user" (not "super user"). It changes the effective user ID of the current shell.
2.1 Parameters
Typical usage:
su <user_name>
su - <user_name>
The - option creates a login shell, loading the target user's environment variables.
Without -, a non‑login shell is started; the environment remains that of the original user.
Example comparing both modes:
# Non‑login shell
ubuntu@VM-0-14-ubuntu:~$ su
Password: # root password
root@VM-0-14-ubuntu:/home/ubuntu$ env | grep ubuntu
PWD=/home/ubuntu
# Login shell
ubuntu@VM-0-14-ubuntu:~$ su -
Password: # root password
root@VM-0-14-ubuntu:~# env | grep root
PWD=/root
2.2 Switching to a Specific User
Omitting a username defaults to root. To switch to test_user:
ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: # test_user password
$
2.3 The -c Option
Instead of opening an interactive shell, su -c "command" runs a single command as the target user and returns to the original user.
ubuntu@VM-0-14-ubuntu:~$ su -c "tail -n 4 /etc/shadow"
Password: # root password
... (output of /etc/shadow) ...
ubuntu@VM-0-14-ubuntu:~$
3. sudo Command Overview
sudo stands for "super user do" and allows a permitted user to execute a command with root privileges without switching the shell.
3.1 Common Usage
When a regular user lacks permission (e.g., reading /etc/shadow), prepend sudo to the command:
ubuntu@VM-0-14-ubuntu:~$ sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
...
The shortcut sudo !! repeats the previous command with sudo added.
3.2 How sudo Works
Permission to use sudo is defined in /etc/sudoers. The file must be edited with visudo (only root can run it) to avoid syntax errors.
# Example /etc/sudoers excerpt
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
ubuntu ALL=(ALL:ALL) NOPASSWD: ALL
The line for ubuntu includes NOPASSWD, allowing password‑less sudo. test_user lacks an entry, so sudo fails for that account.
3.3 Adding a User to sudoers
To grant test_user sudo rights, add a line at the end of the file:
test_user ALL=(ALL:ALL) ALL
After saving, test_user can run commands with sudo after providing its own password.
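An added example, not part of the original article: a small audit that lists which sudoers rules grant every command and which ones skip the password prompt, the two properties the excerpt in 3.2 turns on. The sample input is constructed from that excerpt plus a hypothetical deploy rule and a Defaults line; the script assumes one rule per line and does not follow include directives.

```shell
#!/bin/sh
# Added example (not from the original article): flag broad sudo grants.
# Reads sudoers-style text on stdin or from files; prints "who<TAB>finding".
# Assumption: one rule per line, no "\" continuations, includes not followed.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
    /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
    index($0, "=") == 0 { next }                    # not a user rule
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)              # drop "who host="
        sub(/^\([^)]*\)[ \t]*/, "", spec)           # drop "(runas)"
        nopass = (spec ~ /NOPASSWD:/)               # password prompt skipped?
        gsub(/[A-Z_]+:[ \t]*/, "", spec)            # drop tags such as NOPASSWD:
        sub(/[ \t]+$/, "", spec)
        n = split(spec, cmds, /[ \t]*,[ \t]*/)      # comma-separated commands
        all = 0
        for (i = 1; i <= n; i++) if (cmds[i] == "ALL") all = 1
        if (all && nopass)  print who "\tall-commands-no-password"
        else if (all)       print who "\tall-commands"
        else if (nopass)    print who "\tnopasswd-limited"
    }' "$@"
}

# Constructed sample: the article's excerpt, the test_user line from 3.3,
# and a hypothetical scoped rule for a "deploy" account.
sample_sudoers() {
    cat <<'EOF'
# Example /etc/sudoers excerpt
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
ubuntu ALL=(ALL:ALL) NOPASSWD: ALL
test_user ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
EOF
}

sample_sudoers | audit_sudoers
```

To audit a real host, run it as root against a copy of the policy, for example audit_sudoers /etc/sudoers /etc/sudoers.d/*.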
4. Comparing su and sudo
su - requires the root password and gives a full root shell. sudo su - (or sudo -i) requires the invoking user's password and respects the /etc/sudoers policy, making it safer for multi‑user environments.
Choosing between them depends on security requirements: sudo limits root password exposure and allows fine‑grained privilege control, while su is simpler but less secure when many users need elevated access.
Liangxu Linux
