
Mastering su vs sudo: When and How to Switch Users Safely on Linux

This guide explains the differences between the Linux commands su and sudo, shows how to create test users, switch between login and non‑login shells, use the -c option, configure sudo privileges with visudo, and compare security implications of each method.

Senior Brother's Insights

1. Preparation

To demonstrate user switching you need a few test accounts. Create a new user with useradd (usually located in /usr/sbin/useradd) and set a password using passwd. Only root can run useradd, so first become root:

ubuntu@VM-0-14-ubuntu:~$ su -
Password: # enter root password
root@VM-0-14-ubuntu:~# useradd -m test_user
root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password: # set password
Retype new UNIX password:
passwd: password updated successfully
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$

After exiting, the prompt returns to the original ubuntu user.

2. The su Command

su stands for "switch user". It changes the effective user ID of the current shell. The command can be used in two main forms:

su <user_name>
su - <user_name>

The trailing - invokes a login shell, loading the target user's environment variables; without it you get a non‑login shell that keeps the original environment.

If you add -, the shell becomes a login shell for <user_name>, loading that user's PATH, HOME, etc.

Without -, you switch to the target user but retain the previous user's environment.

Example of a non‑login switch:

ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu
ubuntu@VM-0-14-ubuntu:~$ su
Password: # root password
root@VM-0-14-ubuntu:/home/ubuntu$ env | grep ubuntu
PWD=/home/ubuntu   # environment unchanged

Example of a login switch:

ubuntu@VM-0-14-ubuntu:~$ su -
Password: # root password
root@VM-0-14-ubuntu:~# env | grep root
USER=root
PWD=/root   # environment now reflects root

2.1 Switching to a Specific User

Running su - test_user after creating the account switches to that user (password set earlier):

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: # test_user password
$

2.2 Using the -c Option

The -c flag lets you execute a command as another user without staying in that shell. For example:

ubuntu@VM-0-14-ubuntu:~$ su -c "tail -n 4 /etc/shadow" -
Password: # root password
... (output of /etc/shadow) ...
ubuntu@VM-0-14-ubuntu:~$

This behaves similarly to sudo but uses the su mechanism.

3. The sudo Command

sudo stands for "super user do" and runs a command with root privileges after checking the /etc/sudoers file. It is the preferred way to gain temporary elevated rights.

3.1 Common Usage

When a regular user lacks permission (e.g., reading /etc/shadow), prepend sudo:

ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow': Permission denied
ubuntu@VM-0-14-ubuntu:~$ sudo !!
sudo tail -n 3 /etc/shadow
... (shadow file content) ...

If the user’s sudo entry includes NOPASSWD, no password is requested.

3.2 How sudo Works

The ability to run sudo is defined in /etc/sudoers. Edit this file safely with visudo (only root can run it). A typical entry looks like:

# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL

Each field means: user, hosts allowed, run‑as users, and permitted commands. The absence of an entry for test_user explains why that account cannot use sudo.

3.3 Granting sudo to a New User

Add a line for test_user using visudo:

test_user ALL=(ALL:ALL) ALL   # test_user must provide its own password

After saving, the user can run privileged commands:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: 
$ sudo tail -n 3 /etc/shadow
... (output) ...

3.4 Security Considerations

Granting full sudo rights effectively makes the user a root equivalent, which can be dangerous. Use the /etc/sudoers file to restrict commands or create groups with limited privileges.
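
The field layout from section 3.2 and the advice above can be checked mechanically. The following is an added example, not code from the original article: a small Python audit that splits each rule into its fields and flags entries that are root-equivalent or skip the password prompt. The deploy rule and the function names are constructed for illustration, and only the simple one-line rule form is handled.

```python
import re

# Handles only the one-line "who hosts=(runas) [TAG:] commands" form used in
# this article; aliases, Defaults, includes and line continuations are skipped.
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def parse_rule(line):
    """Split one user specification into its fields; None if not a rule."""
    line = line.split("#", 1)[0].strip()  # drop comments
    m = RULE.match(line)
    if not m or line.startswith("Defaults") or "_Alias" in line:
        return None
    return {
        "who": m["who"],
        "hosts": m["hosts"],
        # No (runas) field means the command runs as root.
        "runas_user": (m["runas"] or "root").split(":")[0].strip(),
        "tags": [t.strip() for t in m["tags"].split(":") if t.strip()],
        "cmds": [c.strip() for c in m["cmds"].split(",")],
    }

def audit(sudoers_text):
    """Return {who: [findings]} for rules broader than a fixed command list."""
    report = {}
    for rule in filter(None, map(parse_rule, sudoers_text.splitlines())):
        findings = []
        if "ALL" in rule["cmds"] and rule["runas_user"] in ("ALL", "root"):
            findings.append("root-equivalent: any command")
        if "NOPASSWD" in rule["tags"]:
            findings.append("no password prompt")
        if findings:
            report[rule["who"]] = findings
    return report

# The article's entries plus one constructed restricted rule ("deploy").
SAMPLE = """\
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL
test_user ALL=(ALL:ALL) ALL   # test_user must provide its own password
deploy  ALL=(root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only the constructed deploy rule passes without a finding, because it names a single command instead of ALL.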

4. Comparison of su and sudo

su - requires the root password and gives a full root login shell. sudo su - (or sudo -i) requires only the invoking user's password and respects the sudoers policy, making it safer for multi‑user environments.

Choosing between them depends on whether you want to expose the root password (su) or delegate specific privileges via sudo.
