When to Use su vs sudo? A Practical Guide to Linux User Switching

1. Preparation

To illustrate user switching, several test users are created. The useradd command (usually located in /usr/sbin/useradd) must be run as root, so the article first switches from the normal ubuntu user to root using su -. After creating test_user with useradd -m test_user, the passwd command sets a password for the new account.

ubuntu@VM-0-14-ubuntu:~$ su -
Password:   # enter root password
root@VM-0-14-ubuntu:~# useradd -m test_user
root@VM-0-14-ubuntu:~# passwd test_user
Enter new UNIX password: ********
Retype new UNIX password: ********
passwd: password updated successfully
root@VM-0-14-ubuntu:~# exit
logout
ubuntu@VM-0-14-ubuntu:~$

2. The su Command

2.1 Syntax

The basic forms are:

su <user_name>
su - <user_name>

Adding the - flag starts a login shell, which loads the target user's environment variables; without it, a non‑login shell keeps the original environment.

2.2 Example: login‑shell vs non‑login‑shell

Switching to root without -:

ubuntu@VM-0-14-ubuntu:~$ su
Password:   # root password
root@VM-0-14-ubuntu:/home/ubuntu# env | grep ubuntu
PWD=/home/ubuntu   # environment unchanged

Switching with -:

ubuntu@VM-0-14-ubuntu:~$ su -
Password:   # root password
root@VM-0-14-ubuntu:~# env | grep root
PWD=/root   # environment reflects root's home

2.3 The -c option

su -c "command"

runs a command as the target user without staying in an interactive shell, then returns to the original user.

ubuntu@VM-0-14-ubuntu:~$ su -c "tail -n 4 /etc/shadow"
Password:   # root password
ntp:*:17752:0:99999:7:::
...

3. The sudo Command

3.1 Basic Usage

sudo

executes a command with root privileges. If the user is configured with NOPASSWD, no password is required; otherwise the user's own password is prompted.

ubuntu@VM-0-14-ubuntu:~$ sudo tail -n 3 /etc/shadow
ntp:*:17752:0:99999:7:::
...

Shortcut sudo !! repeats the previous command with sudo prefixed.

3.2 How sudo Works

Permission is controlled by /etc/sudoers, edited safely with visudo. A typical entry looks like:

# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL

The presence of a line for a user (or a group the user belongs to) grants sudo rights. In the article, test_user initially lacks such a line, so sudo fails. Adding the following line enables sudo for test_user:

test_user ALL=(ALL:ALL) ALL   # test_user must provide its own password

3.3 Security Considerations

Granting full sudo rights should be limited to trusted users, as it effectively gives root access. The sudoers file can also restrict users to specific commands for tighter security.

4. Comparison of su and sudo

su -

requires the root password and switches to a full login shell. sudo su - (or sudo -i) requires only the invoking user's password and respects the /etc/sudoers configuration, making it safer in multi‑user environments.

Therefore, using sudo is generally recommended for privilege escalation.

References

https://www.rootusers.com/the-difference-between-su-and-sudo-commands-in-linux/

《鸟哥的 Linux 私房菜》13.4 节：使用者身份切换

https://github.com/ustclug/Linux101-docs/blob/master/docs/Ch05/index.md

https://www.maketecheasier.com/differences-between-su-sudo-su-sudo-s-sudo-i/

https://stackoverflow.com/questions/35999671/whats-the-difference-between-sudo-i-and-sudo-su

https://www.zhihu.com/question/51746286

https://www.linuxidc.com/Linux/2017-06/144916.htm