Mastering su vs sudo: When and How to Switch Users on Linux

1 Preparation

To demonstrate user switching, several test users are created. The Linux command to add a user is useradd, usually found in the PATH. If the command is not found, use the absolute path /usr/sbin/useradd. Only the root user can execute useradd:

ubuntu@VM-0-14-ubuntu:~$ su -
Password: 
root@VM-0-14-ubuntu:~# useradd -m test_user
root@VM-0-14-ubuntu:~# ls /home
test_user  ubuntu

Set a password for the new user with passwd:

root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Return to the normal user:

root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$

2 su Command Introduction and Main Usage

2.1 Meaning and Basic Options

The su command stands for "switch user", not "super user". It changes the current user identity.

Typical usage:

su  <user_name>
su - <user_name>

The dash ( -) triggers a login shell, loading the target user's environment variables; without the dash, a non‑login shell keeps the original environment.

2.2 Example of Environment Difference

Switching to root without a dash:

ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu
HOME=/home/ubuntu
ubuntu@VM-0-14-ubuntu:~$ su
Password: 
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu

Switching with a dash loads root's environment:

ubuntu@VM-0-14-ubuntu:~$ su -
Password: 
root@VM-0-14-ubuntu:~# env | grep root
USER=root
PWD=/root
HOME=/root

2.3 Switching to a Specific User

Without a username, su - defaults to root. To switch to test_user:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: 
$

2.4 The -c Option

Instead of opening an interactive shell, su -c "command" runs a command as the target user and returns immediately:

ubuntu@VM-0-14-ubuntu:~$ su -c "tail -n 4 /etc/shadow"
Password: 
... (output of tail) ...

3 sudo Command Introduction and Main Usage

3.1 Basic Purpose

sudo

stands for "super user do" and executes a command with root privileges after verifying the invoking user's password.

Common shortcut sudo !! repeats the previous command with sudo prefixed.

3.2 Using sudo for Privilege Escalation

Examples:

ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow': Permission denied
ubuntu@VM-0-14-ubuntu:~$ sudo !!
sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
test_user:$6$...:18406:0:99999:7:::

Other forms:

sudo su -      # switch to root, prompting for the current user's password
sudo -i        # similar to "sudo su -"

3.3 sudoers File and visudo

Whether a user can run sudo is defined in /etc/sudoers. The file must be edited with visudo to ensure correct syntax.

# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL

The line for ubuntu includes NOPASSWD, allowing password‑less sudo.

To grant test_user sudo rights, add:

test_user ALL=(ALL:ALL) ALL   # test_user must provide its own password

3.4 Security Considerations

Only trusted users should be given sudo privileges, as they can execute any command as root. The /etc/sudoers file can also restrict users to specific commands for tighter security.

4 Comparison of su and sudo

Using su - requires knowing the root password, which is risky in multi‑user environments.

Using sudo su - or sudo -i requires only the invoking user's password, and which users can become root is controlled by the /etc/sudoers configuration, making the system more secure.