Here are the differences:

su <someuser>
starts a shell for user someuser. Unless you're root, you'll be asked the password for someuser.

su
(without username) starts a shell for user root (after asking for the root password).

sudo
asks for your password and (assuming you have sudo rights) executes a command with root privileges (sudo reboot asks for your password and reboots the computer).
sudo su <someuser>
executes su with root privileges. So it doesn't ask for someuser's password. It will however ask for your password to verify your sudo rights. After that it will start a shell for user someuser.
In terms of privileges, there is no difference for the shell that is opened by sudo su <someuser> or by su <someuser>. This isn't a security issue, as the shell process can't escalate to the privileges of the parent process.

You can see the difference if you look at the process tree. sudo su <someuser> shows (assuming bash):

    +───bash───su───bash

While su <someuser> shows:

    +───bash───sudo───su───bash
Your next question is probably how to pass a password in an unattended script, which doesn't require user input. I think there are two options:
- Run the script from cron (or any variant thereof) and run it as root
- Run the script from your own account and use the -S option of sudo like this:
  echo <yourpassword> | sudo -S su -l <someuser>
  or even better: echo <yourpassword> | sudo -S su -l <someuser> -c '<somecommand>'
  Make sure the script is only readable by yourself, as your password is in it. More indirectly, you can store your password in a file and cat it to sudo. Then your script can be readable, but your password file can't be.
When you're starting a shell as a different user, it's useful to use the command su - <someuser>. That will load all that user's normal environment. There might be times you don't want that, but if you're trying to troubleshoot a problem a user is having, having his/her environment just like they normally have can be handy. – unkilbeeg – 2014-10-24T18:48:49.467

But as I understood, if I want to start a shell as a different user, there is no significant difference between su <someuser> and sudo su <someuser>. Both commands give you the same privileges. So my script.sh should run successfully in both cases. Or is there any difference? Can it be that the script runs successfully with su <someuser> but doesn't with sudo su <someuser>? – Peter – 2014-10-24T19:26:33.363
Yes. sudo asks for your password. If it doesn't get one, it exits. So, use su instead of sudo su. Sudo su doesn't add anything. – agtoever – 2014-10-24T19:31:12.920
The difference is that you do not need to know <someuser>'s password if you have root privileges, which sudo su gives you. To use su without sudo you need to know the user's password. Once logged on the environment is the same. If you can't run sudo, but know the root password, you can use su then su <someuser> and this will again allow you to log on as <someuser> without knowing his/her password. – AFH – 2014-10-24T20:56:24.340

@AFH: absolutely true. I'll add that to the answer. – agtoever – 2014-10-25T09:15:16.023