189

I already read it from manual but I can't see difference..

su - change user ID or become superuser

sudo -s [command]

The -s (shell) option runs the shell specified by the SHELL environment variable if it is set or the shell as specified in passwd(5). If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed.

sudo -i disappear description in manual

muru
  • 197,895
  • 55
  • 485
  • 740
Smile.Hunter
  • 8,365

6 Answers6

149

The main difference between these commands is in the way they restrict access to their functions.

su (which means "substitute user" or "switch user") - does exactly that, it starts another shell instance with privileges of the target user. To ensure you have the rights to do that, it asks you for the password of the target user. So, to become root, you need to know root password. If there are several users on your machine who need to run commands as root, they all need to know root password - note that it'll be the same password. If you need to revoke admin permissions from one of the users, you need to change root password and tell it only to those people who need to keep access - messy.

sudo (hmm... what's the mnemonic? Super-User-DO?) is completely different. It uses a config file (/etc/sudoers) which lists which users have rights to specific actions (run commands as root, etc.) When invoked, it asks for the password of the user who started it - to ensure the person at the terminal is really the same "joe" who's listed in /etc/sudoers. To revoke admin privileges from a person, you just need to edit the config file (or remove the user from a group which is listed in that config). This results in much cleaner management of privileges.

As a result of this, in many Debian-based systems root user has no password set - i.e. it's not possible to login as root directly.

Also, /etc/sudoers allows to specify some additional options - i.e. user X is only able to run program Y etc.

The often-used sudo su combination works as follows: first sudo asks you for your password, and, if you're allowed to do so, invokes the next command (su) as a super-user. Because su is invoked by root, it does not require you to enter the target user's password. So, sudo su allows you to open a shell as another user (including root), if you're allowed super-user access by the /etc/sudoers file.

Sergey
  • 43,665
  • 3
    I've never seen su as "switch user", but always as superuser; the default behavior without another's user name (though it makes sense). From wikipedia : "The su command, also referred to as super user[1] as early as 1974, has also been called "substitute user", "spoof user" or "set user" because it allows changing the account associated with the current terminal (window)." – dr jimbob Oct 22 '11 at 13:47
  • 7
    @dr jimbob: you're right, but I'm finding that "switch user" is kinda describes better what it does - though historically it stands for "super user". I'm also delighted to find that the wikipedia article is very similar to my answer - I never saw the article before :) – Sergey Oct 22 '11 at 20:33
  • 16
    The official meaning of "su" is "substitute user". See: "man su". – Angel O'Sphere Nov 26 '13 at 13:02
  • 2
    @AngelO'Sphere: Interestingly, Ubuntu's manpage does not mention "substitute" at all. The manpage at gnu.org (http://www.gnu.org/software/coreutils/manual/html_node/su-invocation.html) does indeed say "su: Run a command with substitute user and group ID". I think gnu.org is a canonical source :) – Sergey Nov 26 '13 at 20:25
  • @Serqey well, linux is not unix :D perhaps that little word got lost. Have no Solaris or SunOS machine at hand right now, but I check on my Mac later. As far as I know (that is roughly 25 years ago) it was always ment to be called "substitute user". – Angel O'Sphere Dec 03 '13 at 14:49
  • 2
    What about sudo su? – Kaz Wolfe Oct 15 '14 at 08:14
  • @Whaaaaaat: I've added a paragraph to my answer – Sergey Oct 15 '14 at 21:04
  • @Sergey: Have an upvote. So sudo su acts like sudo -s? – Kaz Wolfe Oct 15 '14 at 21:05
  • @Whaaaaaat: well, it's similar, although I'm not sure if there are any differences related to login shell, environment etc. – Sergey Oct 15 '14 at 21:10
  • 1
    Debian asks for a root pw on install. Therefore you are inaccurate with 'root has no pw on debian based systems' – Thomas Ward Nov 08 '14 at 14:17
  • 1
    @ThomasW.: Accorsing to this: https://wiki.debian.org/Root - the password is optional in Debian. I've amended my answer slightly, thanks :) – Sergey Feb 06 '15 at 22:40
  • 1
    @Sergey optional yes, but you still need root to get sudo installed. Same general thing though. The installer images also don't like you not entering a root pw. I've set up quite a few so... – Thomas Ward Feb 06 '15 at 22:58
  • 1
    @Sergey - The answer you provided doesn't provide clarity on why a user should choose su - over another option such as su -s or su -i as well as the differences? Additionally, sudo su - doesn't seem optimal since it's elevating privileges only to then switch users so that a password isn't asked. Why not simply select su -, sudo -i or sudo -s? – Motivated Jan 16 '19 at 19:26
  • 1
    @Motivated: sudo su, sudo -i and sudo -s behave very similarly for all practical purposes, with sudo su being just as optimal as other variants. Just use whatever you like.

    Plain su (or su - as you put it) behaves completely differently, the difference is explained in my answer.

     – Sergey Jan 16 '19 at 19:41
  • 1
    @Sergey - Do you mean to say that there are no differences or advantages to use sudo su over sudo -i or sudo -s or vice versa or in any other combination? – Motivated Jan 16 '19 at 19:48
  • 2
    There are minor differences in the way the root environment is initialized, some of the details are discussed in other answers. More often than not those differences are unimportant. – Sergey Jan 16 '19 at 19:59
77

sudo lets you run commands in your own user account with root privileges. su lets you switch user so that you're actually logged in as root.

sudo -s runs a shell with root privileges. sudo -i also acquires the root user's environment.

To see the difference between su and sudo -s, do cd ~ and then pwd after each of them. In the first case, you'll be in root's home directory, because you're root. In the second case, you'll be in your own home directory, because you're yourself with root privileges.

There's more discussion of this exact question here.

Mike Scott
  • 2,194
  • 28
    "you're yourself with root privileges" is not what's actually happening :) Actually, it's not possible to be "yourself with root privileges" - either you're root or you're yourself. Try typing whoami in both cases. The fact that cd ~ results are different is a result of sudo -s not setting $HOME environment variable. – Sergey Oct 22 '11 at 07:28
  • 2
    @Sergey, whoami it says are 'root' because you are running the 'whoami' cmd as though you sudoed it, so temporarily (for the duration of that command) you appear to be the root user, but you might still not have full root access according to the sudoers file. – Octopus Feb 06 '15 at 22:15
  • 1
    @Octopus: what I was trying to say is that in Unix, a process can only have one UID, and that UID determines the permissions of the process. You can't be "yourself with root privileges", a program either runs with your UID or with root's UID (0). – Sergey Feb 06 '15 at 22:24
  • 5
    Regarding "you might still not have full root access according to the sudoers file": the sudoers file controls who can run which command as another user, but that happens before the command is executed. However, once you were allowed to start a process as, say, root - the running process has root's UID and has a full access to the system, there's no way for sudo to restrict that. Again, you're always either yourself or root, there's no "half-n-half". So, if sudoers file allows you to run shell as root - permissions in that shell would be indistinguishable from a "normal" root shell. – Sergey Feb 06 '15 at 22:32
55

This answer is a dupe of my answer on a dupe of this question, put here on the canonical answer so that people can find it!

The major difference between sudo -i and sudo -s is:

  • sudo -i gives you the root environment, i.e. your ~/.bashrc is ignored.
  • sudo -s gives you the user's environment, so your ~/.bashrc is respected.

Here is an example, you can see that I have an application lsl in my ~/.bin/ directory which is accessible via sudo -s but not accessible with sudo -i. Note also that the Bash prompt changes as will with sudo -i but not with sudo -s:

dotancohen@melancholy:~$ ls .bin
lsl

dotancohen@melancholy:~$ which lsl
/home/dotancohen/.bin/lsl

dotancohen@melancholy:~$ sudo -i

root@melancholy:~# which lsl

root@melancholy:~# exit
logout

dotancohen@melancholy:~$ sudo -s
Sourced .bashrc

dotancohen@melancholy:~$ which lsl
/home/dotancohen/.bin/lsl

dotancohen@melancholy:~$ exit
exit

Though sudo -s is convenient for giving you the environment that you are familiar with, I recommend the use of sudo -i for two reasons:

  1. The visual reminder that you are in a 'root' session.
  2. The root environment is far less likely to be poisoned with malware, such as a rogue line in .bashrc.
Community
  • 1
dotancohen
  • 2,815
  • I noticed sudo -s doesnt seem to process /etc/profile , or anything I have in /etc/profile.d/ .. any idea why? – Northstrider Feb 23 '17 at 05:21
  • @dotancohen - What do you mean by sudo -s provides an environment that a user is familiar with? – Motivated Jan 16 '19 at 19:18
  • @dotancohen - The command sudo -s already provides visual cues so i'm curios as to why sudo -i is a better option. – Motivated Jan 16 '19 at 19:28
  • 1
    Perhaps things have changed since originally written and is no longer strictly correct about ~/.bashrc. Since your ~/.profile likely sources .bashrc and sudo -i would source ~/.profile. – Cas Aug 26 '21 at 18:31
19
  • su Asks root password, becomes root, opens an interactive non-login shell.
  • su - Asks root password, becomes root, opens an interactive login shell.
  • sudo -s Asks your passwords, becomes root, opens a interactive non login shell.
  • sudo -i Asks your passwords, becomes root, opens a interactive login shell.

Best practice is to use the above two commands.

  • sudo su Asks your password, becomes root momentarily to run su as root.
  • sudo su - Asks your password, becomes root momentarily to run su - as root.

So in this case you are running su using sudo and you don't have to know root's actual password. The results are same as su and su -.

Mateen Ulhaq
  • 133
Ravexina
  • 55,668
  • 25
  • 164
  • 183
11

su asks for the password of the user "root".

sudo asks for your own password (and also checks if you're allowed to run commands as root, which is configured through /etc/sudoers -- by default all user accounts that belong to the "admin" or "sudo" groups are allowed to use sudo).

sudo -s launches a shell as root, but doesn't change your working directory. sudo -i simulates a login into the root account: your working directory will be /root, and root's .profile etc. will be sourced as if on login.

Marius Gedminas
  • 11,340
3

In Ubuntu or a related system, I don't find much use for su in the traditional, super-user sense. sudo handles that case much better. However, su is great for becoming another user in one-off situations where configuring sudoers would be silly.

For example, if I'm repairing my system from a live CD/USB, I'll often mount my hard drive and other necessary stuff and chroot into the system. In such a case, my first command is generally:

su - myuser  # Note the '-'. It means to act as if that user had just logged in.

That way, I'm operating not as root, but as my normal user, and I then use sudo as appropriate.

Scott Severance
  • 14,056