
Mastering su vs sudo: When and How to Switch Users Securely on Linux

This tutorial explains the differences between the Linux su and sudo commands, shows how to create and manage test users, demonstrates login‑shell versus non‑login‑shell switching, and details sudo configuration with visudo to control privileged access.


1. Preparation

To demonstrate user switching we first create a few test users. The Linux command useradd must be run as root, so we switch from the regular ubuntu account to root using su - and then create test_user with useradd -m test_user. Because the new user has no password yet, we set one with passwd test_user and then exit back to the original account.

ubuntu@VM-0-14-ubuntu:~$ su -
Password:   # enter root password
root@VM-0-14-ubuntu:~# useradd -m test_user
root@VM-0-14-ubuntu:~# ls /home
test_user  ubuntu   # two users now exist

After setting the password for test_user we return to the ubuntu user.

root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password:   # set password
Retype new UNIX password:   # confirm
passwd: password updated successfully
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$   # back to ubuntu

2. su Command Overview and Main Usage

The abbreviation su stands for “switch user”. It changes the effective user ID of the current shell.

2.1 Parameters

Typical usage:

su <user_name>

or

su - <user_name>

The dash (-) determines whether a login shell is started.

If - is included, a login‑shell is launched, loading the target user's environment variables and settings.

If omitted, a non‑login‑shell is used; the environment remains that of the original user.

Example comparing the two modes when switching from ubuntu to root:

# Non‑login‑shell
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu   # home of ubuntu
HOME=/home/ubuntu
...
ubuntu@VM-0-14-ubuntu:~$ su
Password:   # root password
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu   # still ubuntu's PWD
root@VM-0-14-ubuntu:/home/ubuntu#

# Login‑shell
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu
HOME=/home/ubuntu
...
ubuntu@VM-0-14-ubuntu:~$ su -
Password:
root@VM-0-14-ubuntu:~# env | grep root
USER=root
PWD=/root   # now root's PWD
HOME=/root

Choosing between the two depends on whether you need the target user's environment.

2.2 Switching to a Specific User

Without a username, su defaults to root. To switch to test_user:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:   # test_user's password
$   # now logged in as test_user

2.3 The -c Parameter

Instead of opening an interactive shell, su -c "command" runs a single command as another user and returns to the original user.

ubuntu@VM-0-14-ubuntu:~$ su -c "tail -n 4 /etc/shadow"
Password:   # root password
$1$fZKcWEDI$uwZ64uFvVbwpHTbCSgim0/18352:0:99999:7::
ntp:*:17752:0:99999:7::
mysql:!:18376:0:99999:7::
test_user:$6$.ZY1lj4m$ii0x9CG8h...:18406:0:99999:7::

This behaviour is similar to sudo when executing a single command.

3. sudo Command Overview and Main Usage

sudo stands for “super user do”. It runs a command with root privileges without changing the current shell.

3.1 Basic Usage

When a regular user lacks permission to read a file (e.g., /etc/shadow), sudo can be used:

ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
ubuntu@VM-0-14-ubuntu:~$ sudo !!
sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7::
mysql:!:18376:0:99999:7::
test_user:$6$.ZY1lj4m$ii0x9CG8h...:18406:0:99999:7::

If the user has NOPASSWD configured, no password is required; otherwise sudo prompts for the user’s own password.

3.2 Switching to Root with sudo

Root can also be obtained via:

sudo su -

Unlike su -, this requires the current user’s password, not root’s.

Another equivalent form is:

sudo -i

3.3 sudo Internals

Permission to use sudo is defined in /etc/sudoers. The file must be edited with visudo (only root can run it). A typical entry looks like:

# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL

The line for ubuntu shows the NOPASSWD flag, explaining why ubuntu can run sudo without a password. No entry for test_user means it cannot use sudo.

To grant test_user sudo rights, add:

test_user  ALL=(ALL:ALL) ALL   # test_user must provide its own password

After updating the file, test_user can run privileged commands:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password:
$ sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7::
mysql:!:18376:0:99999:7::
test_user:$6$.ZY1lj4m$ii0x9CG8h...:18406:0:99999:7::
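
To review which accounts a sudoers file grants access to, and which of them skip the password prompt, the entries can be summarised with a short script. This is an added example, not part of the original article; the function names audit_sudoers, nopasswd_all and sample_sudoers are hypothetical, and the sample input is constructed from the entries shown above.

```shell
#!/bin/sh
# Constructed sample: the sudoers entries shown in this article plus the
# test_user line it adds.
sample_sudoers() {
    cat <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL
test_user  ALL=(ALL:ALL) ALL   # test_user must provide its own password
EOF
}

# audit_sudoers FILE
# Prints one line per grant: <who> <user|group> <password|nopasswd> <commands>
# Simplification: comments, include directives, Defaults and alias
# definitions are skipped, and aliases are not expanded.
audit_sudoers() {
    awk '
        /^[ \t]*$/   { next }                                # blank line
        /^[ \t]*[#@]/ { next }                               # comment or include
        $1 ~ /^(Defaults|[A-Za-z]+_Alias)/ { next }          # not a grant
        {
            who  = $1
            kind = (who ~ /^%/) ? "group" : "user"           # %name is a group
            cmds = $0
            sub(/[ \t]*#.*$/, "", cmds)                      # trailing comment
            sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", cmds) # "who host=(runas)"
            auth = "password"
            if (cmds ~ /NOPASSWD:/) {
                auth = "nopasswd"
                gsub(/NOPASSWD:[ \t]*/, "", cmds)
            }
            print who, kind, auth, cmds
        }
    ' "$1"
}

# nopasswd_all FILE
# Prints the principals that may run ALL commands with no password prompt.
nopasswd_all() {
    audit_sudoers "$1" | awk '$3 == "nopasswd" && $4 == "ALL" { print $1 }'
}

# Demonstration on the constructed sample.
tmp=$(mktemp) && sample_sudoers > "$tmp" && audit_sudoers "$tmp" && rm -f "$tmp"
```

On a real system, run it as root against /etc/sudoers and each file under /etc/sudoers.d. sudo -l -U test_user shows what sudo itself resolves for a given account.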

4. Comparison of su and sudo

su - requires the root password to switch to the root account. sudo su - (or sudo -i) requires only the current user’s password, and which users can obtain root privileges is controlled via /etc/sudoers.

Because exposing the root password to many users is risky, the sudo approach is generally recommended for better security.

Source: Jun Tao – https://tanjuntao.github.io/