Michael T. DeWitt

System Administrator

IT Consultant

Sysadmin

Infrastructure Engineer

Network Administrator

Michael T. DeWitt

System Administrator

IT Consultant

Sysadmin

Infrastructure Engineer

Network Administrator

Blog Post

Sudo Confusion? Su and sudo -i Explained for Command Line Mortals

November 12, 2024 What is
Sudo Confusion? Su and sudo -i Explained for Command Line Mortals

What is sudo, sudo -i, and su?

In the Linux environment, managing user privileges is essential, particularly for tasks that require elevated permissions. This is where commands like sudo, sudo -i, and su come into play. Each command has its purpose, with subtle yet crucial differences that impact system security, user control, and convenience.

What is sudo?

sudo stands for “superuser do.” When you prefix a command with sudo, it allows a permitted user to execute that command with superuser (root) privileges. This is particularly useful when you need to perform system-wide changes without logging in as the root user.

Example Usage:

sudo apt update

Why Use sudo?

  • Security: sudo minimizes security risks by allowing users temporary elevated privileges without granting full root access.

  • Traceability: Actions performed with sudo are logged, providing an audit trail of which users executed privileged commands.

  • User-Level Control: The sudo configuration file (/etc/sudoers) lets administrators specify which users or groups can execute specific commands, adding another layer of security and control.

When to Use sudo

  • Single Elevated Command: Use sudo for individual commands requiring temporary elevated permissions, like installing software or modifying system files.

  • Permissions on a Shared System: In multi-user environments, sudo provides necessary privileges without giving away full root access, protecting system integrity.

What is sudo -i?

sudo -i is similar to sudo, but it initiates a new shell as the root user. In this mode, users get a persistent root environment without logging in as root, which includes root’s environment variables and configuration settings.

Example Usage:

sudo -i

Why Use sudo -i?

  • Extended Root Session: Ideal for sessions involving multiple root commands, sudo -i lets you stay in a root environment without prefixing each command with sudo.

  • Root Environment: You inherit root’s environment, making it easier to run scripts or commands that require root-specific configurations, reducing potential permission issues.

When to Use sudo -i

  • Batch Tasks: If you need to perform a sequence of commands as root, sudo -i provides a root shell, making it convenient for tasks requiring multiple privileged actions.

  • Environment-Dependent Commands: Some commands require root’s specific environment variables to function correctly. In these cases, sudo -i sets you up in the appropriate environment.

What is su?

The su command stands for “substitute user” or “switch user.” By default, it switches to the root user but can also be used to switch to any other user’s account. Unlike sudo, su requires you to enter the target user’s password.

Example Usage:

su -

Why Use su?

  • Full User Switching: su switches the session to the target user entirely, including their environment and permissions.

  • Unlimited Access: For tasks that require unrestricted access to all root-level commands and files, su offers a straightforward method without needing sudo permissions.

When to Use su

  • Dedicated Admin Tasks: System administrators often use su to switch to the root account when they need full control over the system.

  • User Account Testing: If troubleshooting or testing as a different user, su lets you switch accounts without logging out, replicating that user’s experience and permissions.

Choosing the Right Command

Here’s a quick guide to when each command is best suited:

Command Use Case Key Feature
sudo Single elevated command Temporary elevation for a specific command
sudo -i Multiple commands requiring root access Persistent root session with root’s environment
su Switching to a different user account Full access and control of target user’s environment

 

Ok, now that we have a good sense of what these commands are, lets dive into circumstance and scenarios each would be great for.

Command Description Usage Circumstances
su (Switch User)
Changes to another user’s environment, usually root. When executed as su alone, it prompts for the root password. Using su - or su -l switches to root with root’s environment variables.
Use su when you need persistent root privileges for multiple commands. For example, a systems administrator may use it when performing a series of administrative tasks in a root shell without having to prepend each command with sudo.
sudo -i (Invoke Root with sudo)
Starts a root shell while inheriting environment variables (similar to su -). It’s often used to emulate a root login shell but relies on the invoking user’s sudo privileges rather than the root password.
Use sudo -i when you need root access but prefer to avoid sharing the root password. For example, a user who’s been granted sudo privileges by an admin could use sudo -i to switch to a root shell securely, using their own password for authorization. This approach provides a safer and more auditable environment.
     

Key Differences and Best Use Cases

  1. Password Authentication:

    • su requires the root password, which is useful when root access is tightly controlled and only certain users know the root password.

    • sudo -i requires the user’s password if they have sudo privileges, allowing an organization to avoid giving out the root password to multiple users.

  2. Security and Auditing:

    • sudo -i is preferred in environments where security and audit trails are a priority. It allows admins to log which users execute commands with root privileges, enabling better tracking and accountability.

    • su is more straightforward but lacks the auditability of sudo, as it bypasses individual user logging once switched to the root shell.

  3. Session Length and Use:

    • For one-off commands, sudo (without -i) is typically sufficient.

    • sudo -i or su is preferable if you anticipate running several commands in a row and would rather not repeatedly prefix commands with sudo.

  4. Environment Variables:

    • Both su - and sudo -i provide root’s environment settings. However, su without the - option keeps the original user’s environment, which might be useful in specific scripting scenarios where you want root privileges without changing the environment completely.

Here are some specific examples to illustrate when you might use su versus su - or sudo -i, with emphasis on how environment settings affect their use:

1. Using su without -: Preserving the User’s Environment

  • Scenario: A user needs to run a command as root but wants to keep their environment variables intact (e.g., PATH, HOME).

  • Example:

    su root -c "echo $PATH > /root/original_user_path.txt"
    • This command will switch to root, but it will preserve the original user’s $PATH variable instead of using root’s $PATH. This could be useful if you have custom paths in your environment that aren’t available in the root environment, and you want root to use those.

2. Using su - (or sudo -i): Resetting to Root’s Environment

  • Scenario: You need to emulate a true root login shell, resetting environment variables to root’s defaults.

  • Example:

    su -   # OR
    sudo -i
    • This will open a root shell with root’s own environment variables (such as $PATH, $HOME, $USER). It’s helpful when you want root to load specific configuration files or paths not available in the original user’s environment, ensuring all commands run as root would see them.

3. Using su without - in Scripting

  • Scenario: Running a script where you need root privileges but want to use some environment variables from the original user.

  • Example:

    su root -c "echo $USER > /root/username.txt"
    • Here, su root without - is used to access root, but the $USER variable remains as the original user’s username, not root. This might be used in scenarios where a script logs actions or paths specific to the original user.

4. Using su - in Scripting for a Clean Root Environment

  • Scenario: You want to run a command in a script that requires a “clean” root environment, without interference from the original user’s environment variables.

  • Example:

    su - root -c "source /root/.bashrc; my_root_script.sh"
    • This switches to root’s environment and sources root’s .bashrc configuration, ensuring that any commands or scripts run as if they were executed by root directly.

5. Using sudo -i to Open a Root Shell for Admins Without Sharing the Root Password

  • Scenario: You are part of an admin team and need temporary root access without knowing the root password.

  • Example:

    sudo -i
    • This opens a root shell using your own password (as long as you have sudo privileges). It provides a safe way to administer the system while logging access, offering security and accountability in multi-admin environments.

6. Using sudo -i for a Clean Root Environment in Multi-User Systems

  • Scenario: You want to ensure all commands run under a completely fresh root environment and avoid interference from the user’s environment, but you also want logging.

  • Example:

    sudo -i ls /root
    • This command executes with root’s environment settings as if root had logged in directly. It’s ideal in situations where consistency in root’s environment variables is crucial, especially in shared environments where commands are logged.

Summary Table

Command Example Usage Environment Outcome
su root su root -c "echo $USER > /root/username.txt" Switches to root but keeps the user’s environment, e.g., $USER remains the original username.
su - su - root -c "my_root_script.sh" Switches to root and resets to root’s environment. Useful for scripts needing root’s configuration and paths.
sudo -i sudo -i ls /root Similar to su -, but with logging and user-specific access control. Often used in multi-admin environments.

These examples demonstrate how different setups provide flexibility based on the need to preserve user environment variables or reset to a clean root environment. In summary, use su when you have direct access to the root password and need a prolonged root shell session without additional logging requirements. Use sudo -i when you prefer individual accountability and security, especially in multi-user or collaborative environments where root password sharing is discouraged.

Related Posts
Write a comment