Mastering su and sudo: When and How to Switch Users Securely on Linux

This guide explains the differences between su and sudo, demonstrates how to create test users, switch between accounts using login and non‑login shells, configure sudo privileges via /etc/sudoers, and provides practical command examples for secure user management on Linux.

Open Source Linux

1. Preparation

To demonstrate user switching we first create a few test users. The Linux command to add a user is useradd, usually found in /usr/sbin/useradd. Only the root user can run useradd:

ubuntu@VM-0-14-ubuntu:~$ su -
Password:   # enter root password
root@VM-0-14-ubuntu:~# useradd -m test_user   # create user with home directory
root@VM-0-14-ubuntu:~# ls /home
test_user  ubuntu

Set a password for the new user with passwd:

root@VM-0-14-ubuntu:# passwd test_user
Enter new UNIX password:   # type password
Retype new UNIX password:
passwd: password updated successfully

Return to the normal user:

root@VM-0-14-ubuntu:# exit
logout
ubuntu@VM-0-14-ubuntu:~$

2. The su Command

su stands for “switch user”. It can be used in two forms:

su <user_name>
su - <user_name>

Adding the - creates a login‑shell, loading the target user’s environment variables; without it you get a non‑login‑shell, keeping the original environment. Example comparing the two:

# Non‑login‑shell
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu
HOME=/home/ubuntu
ubuntu@VM-0-14-ubuntu:~$ su
Password:   # root password
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu   # still the original PWD

# Login‑shell
ubuntu@VM-0-14-ubuntu:~$ su -
Password:   # root password
root@VM-0-14-ubuntu:~# env | grep root
USER=root
PWD=/root   # PWD changed to /root

Thus the choice depends on whether you need the target user’s environment.

2.3 The -c Parameter

With -c you can execute a command as another user without staying logged in:

su - -c "tail -n 4 /etc/shadow"

Example:

ubuntu@VM-0-14-ubuntu:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
ubuntu@VM-0-14-ubuntu:~$ su - -c "tail -n 4 /etc/shadow"
Password:   # root password
... (last four lines of /etc/shadow) ...
ubuntu@VM-0-14-ubuntu:~$

3. The sudo Command

sudo means “super user do”. It runs a command with root privileges while authenticating the invoking user.

Typical usage:

ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
ubuntu@VM-0-14-ubuntu:~$ sudo !!
sudo tail -n 3 /etc/shadow
... (output) ...

If the user is configured with NOPASSWD in /etc/sudoers, no password is asked; otherwise the user’s own password is required.

Other common forms:

sudo su -      # switch to root (login‑shell) using current user’s password
sudo -i        # similar to sudo su -

Permission to use sudo is defined in /etc/sudoers. Edit it with visudo (only root can run it), which locks the file and checks the syntax before saving. A typical privilege section looks like this:

# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL

To grant test_user sudo rights, add:

test_user ALL=(ALL:ALL) ALL   # test_user must provide its own password

After adding the line, test_user can run sudo commands:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:   # test_user password
$ sudo tail -n 3 /etc/shadow
... (output) ...
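
An added example, not part of the original article: a small shell audit that reads sudoers-style rules like the ones above and reports which entries allow any command and which skip the password prompt. The function names, the output labels and the deploy rule are assumptions made for illustration; aliases, "\" line continuations and #uid-style entries are not handled.

```sh
#!/bin/sh
# Added example (not from the article): classify sudoers rules by breadth.
# Assumptions: one rule per line, no aliases, no "\" continuations.

# Sample input: the article's excerpt plus one constructed limited rule.
sample_sudoers() {
cat <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL
test_user ALL=(ALL:ALL) ALL   # test_user must provide its own password
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
EOF
}

# audit_sudoers: read rules on stdin, print "<who> <label>" per rule.
#   NOPASSWD-ALL      any command, no password prompt (review first)
#   ALL               any command, invoking user's password required
#   NOPASSWD-LIMITED  listed commands only, no password prompt
#   LIMITED           listed commands only, password required
audit_sudoers() {
  awk '
    { sub(/#.*/, "") }                        # drop comments
    NF < 2 || $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
    {
      who = $1; spec = $0
      sub(/^[ \t]*[^ \t]+[ \t]+/, "", spec)   # drop the user/group field
      sub(/^[^=]*=[ \t]*/, "", spec)          # drop the host list
      sub(/^\([^)]*\)[ \t]*/, "", spec)       # drop the (runas) part
      nopw = (spec ~ /NOPASSWD:/)
      gsub(/[A-Z_]+:[ \t]*/, "", spec)        # drop tags like NOPASSWD:
      gsub(/[ \t]+$/, "", spec)               # trim trailing blanks
      label = (spec == "ALL") ? "ALL" : "LIMITED"
      if (nopw) label = "NOPASSWD-" label
      print who, label
    }
  '
}

# Stand-alone run: audit the embedded sample.
sample_sudoers | audit_sudoers
```

On a real host the same function can be fed the live configuration as root, for example: cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers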

4. Comparison of su - and sudo su -

su - requires the root password, exposing it to every user who needs elevated rights, which is a security risk. sudo su - only needs the invoking user’s password and relies on the /etc/sudoers configuration to control who can become root, making the system much safer.
