Understanding the Differences Between su and sudo on Linux: When and How to Use Them

1. Preparation

To illustrate the commands, create a test user with useradd (usually found in PATH; use the absolute path /usr/sbin/useradd if needed). Only the root user can run useradd. After creating test_user, set its password with passwd test_user. Switch back to the original ubuntu user with exit.

2. su Command Introduction and Main Usage

The su command stands for switch user , not "super user". It can be invoked as: su <user_name> or su - <user_name> The trailing - determines whether a login‑shell (environment variables of the target user are loaded) or a non‑login‑shell (environment of the original user is kept) is started.

With -: a login‑shell is created, loading the target user's PATH, HOME, PWD, etc.

Without -: a non‑login‑shell is created, keeping the original environment.

Example: switching from ubuntu to root without - shows that PWD remains /home/ubuntu. Using su - changes PWD to /root.

To run a single command as another user without staying in the shell, use the -c option:

su -c "command string"

3. sudo Command Introduction and Main Usage

sudo

stands for "super user do" and executes a command with root privileges (or another user’s privileges). Unlike su, it does not start a new shell unless requested.

Typical usage: sudo command When a command fails due to permission denial (e.g., reading /etc/shadow), prepend sudo or use the shortcut sudo !! to repeat the previous command with sudo added.

If the user’s sudo configuration includes NOPASSWD, no password is required; otherwise the user must enter their own password. Password caching lasts about five minutes.

Other common forms: sudo su - – switches to root, prompting for the current user’s password. sudo -i – similar to sudo su -, starting a root login shell.

sudo permissions are defined in /etc/sudoers, which should be edited with visudo (only root can run it). A typical entry looks like: ubuntu ALL=(ALL:ALL) NOPASSWD: ALL To grant test_user sudo rights, add: test_user ALL=(ALL:ALL) ALL After adding the entry, test_user can run commands such as sudo tail -n 3 /etc/shadow after providing its own password.

4. Comparison Between su and sudo

Both su - and sudo su - can switch to the root account, but they differ in credential handling: su - requires the root password, exposing it to all users who need root access. sudo su - requires only the invoking user’s password, and which users can become root is controlled via /etc/sudoers, making the system more secure.

In practice, using sudo is recommended for privilege escalation because it avoids sharing the root password and allows fine‑grained permission control.

References

https://www.rootusers.com/the-difference-between-su-and-sudo-commands-in-linux/

《鸟哥的 Linux 私房菜》13.4 节：使用者身份切换

https://github.com/ustclug/Linux101-docs/blob/master/docs/Ch05/index.md

https://www.maketecheasier.com/differences-between-su-sudo-su-sudo-s-sudo-i/

https://stackoverflow.com/questions/35999671/whats-the-difference-between-sudo-i-and-sudo-su

https://www.zhihu.com/question/51746286

https://www.linuxidc.com/Linux/2017-06/144916.htm