Understanding and Using the su and sudo Commands in Linux

This article systematically explains the differences, syntax, and practical usage of the Linux su and sudo commands, covering user creation, login shells, command‑line options, password handling, sudoers configuration, and a side‑by‑side comparison of their security implications.

Laravel Tech Community

1. Preparation

To demonstrate user switching, several test users are created. The Linux command to add a user is useradd, usually found on the PATH. If the command is not found, use the absolute path /usr/sbin/useradd. Only the root user can execute useradd, so we first switch from the regular ubuntu user to root:

ubuntu@VM-0-14-ubuntu:~$ su -
Password: ********
root@VM-0-14-ubuntu:~# useradd -m test_user
root@VM-0-14-ubuntu:~# ls /home
test_user  ubuntu

After creating test_user, we set its password with passwd and then exit back to the ubuntu user.

root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password: ********
Retype new UNIX password: ********
passwd: password updated successfully
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$

2. su Command Introduction and Main Usage

The su command stands for "switch user" (not "super user"). It is used to change the current user identity.

2.1 Parameters

Typical usage:

su <user_name>
su - <user_name>

The hyphen ( - ) determines the type of shell:

su - <user_name> starts a login shell, loading the target user's environment variables.

su <user_name> starts a non‑login shell, keeping the original user's environment.

Example showing the difference:

# Non‑login shell
ubuntu@VM-0-14-ubuntu:~$ env | grep ubuntu
USER=ubuntu
PWD=/home/ubuntu
...
ubuntu@VM-0-14-ubuntu:~$ su
Password: ********
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu

# Login shell
ubuntu@VM-0-14-ubuntu:~$ su -
Password: ********
root@VM-0-14-ubuntu:~# env | grep root
USER=root
PWD=/root
...

2.2 Switching to a Specific User

Without a username, su defaults to root. To switch to test_user:

ubuntu@VM-0-14-ubuntu:~$ su - test_user
Password: ********
$

2.3 The -c Parameter

Instead of opening an interactive shell, su -c "command" runs a command as another user and returns to the original user:

ubuntu@VM-0-14-ubuntu:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
ubuntu@VM-0-14-ubuntu:~$ su -c "tail -n 4 /etc/shadow"
Password: ********
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
...

3. sudo Command Introduction and Main Usage

The sudo command stands for "super user do" and allows a permitted user to execute commands with root privileges.

3.1 Main Usage

Typical scenario: a regular user lacks permission to read /etc/shadow. Using sudo:

ubuntu@VM-0-14-ubuntu:~$ tail -n 3 /etc/shadow
tail: cannot open '/etc/shadow': Permission denied
ubuntu@VM-0-14-ubuntu:~$ sudo !!
sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
...

If the user's entry in /etc/sudoers carries the NOPASSWD tag, no password is required; otherwise the user must enter their own password. The authentication timestamp is cached for 5 minutes.

3.2 Working Principle

Whether a user can run sudo is defined in /etc/sudoers. The file must be edited with visudo (only root can run it). Example excerpt:

# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL

The line for ubuntu shows the NOPASSWD option, allowing password‑less sudo. Since test_user is not listed, it cannot use sudo. To grant it permission, add:

test_user  ALL=(ALL:ALL) ALL   # test_user must provide its own password

After updating /etc/sudoers, test_user can run privileged commands:

test_user@VM-0-14-ubuntu:~$ sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
mysql:!:18376:0:99999:7:::
...

4. Comparison Between su and sudo

Both can give a user root privileges, but they differ in security model:

su - requires the root password, exposing it to all users who need elevation.

sudo requires only the invoking user's password and relies on /etc/sudoers to control who may elevate, keeping the root password secret.

Therefore, sudo is generally preferred for multi‑user environments because it provides fine‑grained, auditable privilege delegation.
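The sudoers rules in section 3.2 all grant ALL commands, and one of them is password-less, so the "fine-grained, auditable" delegation described here depends on reviewing what each rule actually allows. The following is an added example, not part of the original article: a small audit function that reads sudoers text and flags unrestricted and NOPASSWD rules. The function names, the finding labels and the deploy user are assumptions made for illustration, and the parser handles single-line rules only (no aliases, line continuations or included files).

```shell
#!/usr/bin/env bash
# Added example (not from the article): flag sudoers rules that grant
# unrestricted or password-less elevation. Reads sudoers text on stdin and
# prints "FINDING<TAB>principal" for every rule worth reviewing.
audit_sudoers() {
  awk '
    /^[ \t]*#/ { next }                            # comments and #include lines
    /^[ \t]*$/ { next }                            # blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # settings and alias definitions
    {
      eq = index($0, "=")
      if (eq == 0) next                            # not a privilege rule
      principal = $1
      spec = substr($0, eq + 1)
      sub(/[ \t]+#.*$/, "", spec)                  # drop trailing comment
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)      # drop the (runas) list
      nopass = (spec ~ /NOPASSWD[ \t]*:/)
      gsub(/[A-Z_]+[ \t]*:[ \t]*/, "", spec)       # drop tags such as NOPASSWD:
      all = 0
      n = split(spec, cmds, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
        if (cmds[i] == "ALL") all = 1
      }
      if (nopass && all) print "NOPASSWD_ALL\t" principal
      else if (nopass)   print "NOPASSWD_CMD\t" principal
      else if (all)      print "ALL_COMMANDS\t" principal
    }
  '
}

# Constructed sample: the excerpt from section 3.2 plus one hypothetical
# narrow rule (user "deploy") to show what a scoped grant looks like.
sample_sudoers() {
  cat <<'EOF'
# User privilege specification
Defaults  env_reset
root      ALL=(ALL:ALL) ALL
%admin    ALL=(ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
ubuntu    ALL=(ALL:ALL) NOPASSWD: ALL
test_user ALL=(ALL:ALL) ALL   # test_user must provide its own password
deploy    ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
EOF
}

sample_sudoers | audit_sudoers
```

On a real host the same function can be fed /etc/sudoers and the files under /etc/sudoers.d as root; `sudo -l -U <user>` shows the effective rules sudo itself resolves for one user.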

Conclusion: Understanding the nuances of su and sudo helps administrators manage Linux systems securely, choose the appropriate method for privilege escalation, and configure the sudoers file to balance convenience and security.
