sudo su "username" vs. su "username"

Please explain to me, what is the difference between: sudo su "username" vs. su "username"

Which has higher privileges? If I log into root with sudo su "username", am I root for one command only? So can it be that the beginning of the script works fine, but the rest doesn't? So in this case is su "username" suggested, because it has higher privileges? Please explain to me the difference between the 2 commands, thank you.

Peter

Posted 2014-10-24T16:32:35.583

Reputation: 63

Answers

Here are the differences:

  • su <someuser> starts a shell for user someuser. Unless you're root, you'll be asked the password for someuser.
  • su (without username) starts a shell for user root (after asking for the root password).
  • sudo asks for your password and (assuming you have sudo rights) executes a command with root privileges (sudo reboot asks for your password and reboots the computer).
  • sudo su <someuser> executes su with root privileges. So it doesn't ask for someuser's password. It will however ask for your password to verify your sudo rights. After that it will start a shell for user someuser.

In terms of privileges, there is no difference for the shell that is opened by sudo su <someuser> or by su <someuser>. This isn't a security issue, as the shell process can't escalate to the privileges of the parent process.

You can see the difference if you look at the process tree. sudo su <someuser> shows (assuming bash):

+───bash───su───bash

While su <someuser> shows:

+───bash───sudo───su───bash

Your next question is probably how to pass a password in an unattended script, which doesn't require user input. I think there are two options:

  • Run the script from cron (or any variant thereof) and run it as root
  • Run the script from your own account and use the -S option of sudo like this: echo <yourpassword> | sudo -S su -l <someuser> or even better: echo <yourpassword> | sudo -S su -l <someuser> -c '<somecommand>'. Make sure the script is only readable by yourself, as your password is in it. More indirectly, you can store your password in a file and cat it to sudo. Then your script can be readable, but your password file can't be.

agtoever

Posted 2014-10-24T16:32:35.583

Reputation: 5 490
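To see chains like the ones in the answer on your own machine, here is an added example in POSIX sh (mine, not part of agtoever's answer): ancestry walks a process's parents and prints them in the answer's bash───su───bash form, and route_of reports which of su and sudo sit between the shells. Both function names are my own; the script reads /proc on Linux and falls back to ps elsewhere.

```shell
#!/bin/sh
# Print "PPID COMM" for a pid, or nothing if the process no longer exists.
parent_of() {
    if [ -r "/proc/$1/stat" ]; then
        # /proc/<pid>/stat looks like "1234 (comm) S 1000 ..."; comm may contain
        # spaces or parentheses, so match the *last* ") <state> <ppid>" group.
        sed 's/^[0-9]* (\(.*\)) [A-Za-z] \([0-9]*\) .*/\2 \1/' "/proc/$1/stat"
    else
        ps -o ppid= -o comm= -p "$1" 2>/dev/null | sed 's/^ *//'
    fi
}

# Walk from a pid up to the top of the tree and join the command names with
# "───", oldest ancestor first, e.g. "bash───sudo───su───bash".
ancestry() {
    pid=$1 chain=""
    while [ "$pid" -gt 0 ] 2>/dev/null; do
        info=$(parent_of "$pid"); [ -n "$info" ] || break
        ppid=${info%% *}                   # first field: parent pid
        comm=${info#* }                    # rest of the line: command name
        comm=${comm##*/}; comm=${comm#-}   # drop any path and login-shell dash
        if [ -z "$chain" ]; then chain=$comm; else chain="$comm───$chain"; fi
        pid=$ppid
    done
    printf '%s\n' "$chain"
}

# Classify a chain by what sits between the shells: `sudo su <user>` leaves
# sudo and then su in the chain, plain `su <user>` leaves only su, and
# `sudo -s`/`sudo -i` leave only sudo. Anything else is reported as "none".
route_of() {
    case "$1" in
        *sudo───su───*) echo "sudo su" ;;
        *su───*)        echo "su" ;;
        *sudo───*)      echo "sudo" ;;
        *)              echo "none" ;;
    esac
}

# Demonstration on the shell running this script.
chain=$(ancestry $$)
printf 'chain: %s\nroute: %s\n' "$chain" "$(route_of "$chain")"
```

Run it from a shell opened with su <someuser> and again from one opened with sudo su <someuser> to compare the two chains; either way `id -u` in both shells reports the same user, which is the answer's point about privileges.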

When you're starting a shell as a different user, it's useful to use the command su - <someuser>. That will load all that user's normal environment. There might be times you don't want that, but if you're trying to troubleshoot a problem a user is having, having his/her environment just like they normally have can be handy. – unkilbeeg – 2014-10-24T18:48:49.467

But as I understood, if I want to start a shell as a different user, there is no significant difference between su <someuser> and sudo su <someuser>. Both commands give you the same privileges. So my script.sh should run successfully in both cases. Or is there any difference? Can it be that the script runs successfully with su <someuser> but not with sudo su <someuser>? – Peter – 2014-10-24T19:26:33.363

Yes. sudo asks for your password. If it doesn't get one, it exits. So, use su instead of sudo su. Sudo su doesn't add anything. – agtoever – 2014-10-24T19:31:12.920

The difference is that you do not need to know <someuser>'s password if you have root privileges, which sudo su gives you. To use su without sudo you need to know the user's password. Once logged on the environment is the same. If you can't run sudo, but know the root password, you can use su then su <someuser> and this will again allow you to log on as <someuser> without knowing his/her password. – AFH – 2014-10-24T20:56:24.340

@AFH: absolutely true. I'll add that to the answer. – agtoever – 2014-10-25T09:15:16.023