All you wanted to understand about sudo vs su in Ubuntu Linux

By | 27/06/2013

Being a Linux admin user I have always used both sudo and su. As a system admin, it is very important for you to know the difference between two. For those who do not have basic idea about the difference between these two or are always confused between the two, here is a list of 13 Q&A that are aimed to make you understand the intricacies of  both sudo and su. Towards the end, I have linked some good discussion on web related to different options of sudo and su.

NOTE – This article is specific to Ubuntu only. Though some information might be applicable to most of the popular Linux distributions.

 

Sudo vs Su

The following Q&A series should clear some air on sudo vs su for many of the Ubuntu users.

Q1. What are both sudo and su used for? What is the difference between them?

Ans.  Sudo is used to run a particular command with root permissions. The interesting thing is that when you use sudo for a particular command, system prompts you for current user’s password. Once you enter the password, the command runs with root privileges.

Here is an example :

$ apt-get install skype
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

$ sudo apt-get install skype
[sudo] password for mylinuxbook: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
...
...

As you can see that first I tried installing skype using apt-get command but I got a permission denied error. Then I used sudo along with same command and system prompted password for the user mylinuxbook. Once the correct password was provided, the command executed successfully.

On the other hand, su is used to switch to any user account. System prompts for password corresponding to the switched user. If su is used without any option, a switch to root user account is done. In this case, system prompts for root user’s password. Here is an example :

$ su mylinuxbook
Password: 
mylinuxbook@mylinuxbook-Inspiron-1525:~$

In the example above, I used su to switch to mylinuxbook user account and after entering password for mylinuxbook, I was able to do so.

Here is another example :

$ su
Password: 
su: Authentication failure

In the above example, I executed su to swicth to root users account but it could not because I do not have root password configured yet. In distributions like Ubuntu, the password for root user is not configured by default. Once it is configured then you can use that password here.

Q2. What if I do not want to configure root password in my Ubuntu but still want to switch to root user?

Ans. In this case, you can try out ‘sudo su’ command. Here is an example :

$ sudo su
[sudo] password for mylinuxbook: 
root@mylinuxbook-Inspiron-1525:/home/mylinuxbook#

As sudo was used to run su, system prompted for current user’s password rather than root password. Once that was entered, current account was switched to root account.

Q3. What if I want to use su to switch to other user accounts but do not want to remember each and every user’s password?

Ans. Well, in that case, just use su command, enter root password and switch to root account. From here, use su to switch to any user account without using passwords.

Q4. If sudo is used to execute something with root privileges then why does it ask for current users password and not root password?

Ans. Well,  it’s not that any normal user can do a sudo and execute commands that require root privileges. You, as a user, have to be a sudoer too. This means that you should have the privileges to use sudo. If you are a valid sudoer, system prompts for your password just to make sure that you understand that you are doing some work that requires root privileges and you should double-check before actually doing it.

Now, question arises about sudoers. How can a user become sudoer? Well, a user can become sudoer by adding it to sudo group. Here is an example :

$ sudo adduser <username> sudo

Just replace <username> with the actual user name of the user account and this will do the job. Please note that earlier (prior to Ubuntu 12.04) the group used was ‘admin’ but it is deprecated now.

You can use ‘groups’ command to check all the groups that user is a member of. Here is an example :

$ groups mylinuxbook
mylinuxbook : mylinuxbook adm cdrom sudo dip plugdev lpadmin sambashare

So you can see that the user ‘mylinuxbook’ is part of all these groups including sudo group and hence it is a sudoer.

Q5. I observed that once I have used sudo, I still have root powers but after sometime things get back to normal. What is this?

Ans.  Well, Ubuntu remembers the sudo password for around 15 minutes. This means that once you have used sudo to run a command, system will not prompt for password if you run other commands that require root privileges to run. Though you will have to use ‘sudo’ before every command.

Q6. What is the advantage of sudo over su?

Ans. Sudo has many advantages over su.

Here is a list :

  • Sudo makes sure that root privileges are there for a specific command (or for a specific time period) and not for the complete session as that may result in accidental misuse of root privileges.
  • You can use sudo to even grant limited privileges to a user. This is helpful when you do not want a user to have control of all the root powers while doing a sudo.
  • There is a log file (auth.log) that is maintained for each sudoer. This file provides information on the commands that were executed using sudo and their time of execution. This helps administrator to keep track of even trusted users (sudoers).
  • The best advantage is that sudo requires user’s own login password rather than root password. This helps in keeping root password private and also there is no need to change it even when a user (sudoer) leaves.

Q7. Can any user perform sudo operations?

Ans. No, only trusted users or sudoers can perform sudo operations. Here is the official help page that describes how to make a user as a sudoer.

Q8. I am a su follower. How can I tweak su usage so as to achieve the functionality similar to sudo?

Ans. If you are a su follower, this means that you already have root password configured. To achieve functionality similar to sudo ie to run only a single command with root privileges using su, all you need is to use -c option of su command.

Here is an example :

$ su -c 'apt-get install skype'
Password:

Just enter the root password and only this command will run with root privileges. Though this is just like sudo but the only difference is that you need to enter root password instead of current user’s password.

Q9. I am a sudo follower. How can I tweak sudo usage so as to achieve the functionality similar to su?

Ans. To achieve functionality of su through sudo, try -i option of sudo command.

Here is an example :

$ sudo -i
[sudo] password for mylinuxbook: 
root@mylinuxbook-Inspiron-1525:~#

You can see that using ‘sudo -i’, a switch to root account was done though the password entered was that of the current user (mylinuxbook in this case).

Q10. My root account password is still not active. Can I use sudo to activate root password?

Ans. To activate the password for root user, you can use the ‘passwd’ command in the following way :

$ sudo passwd root

This command requires root privileges so you will have to use sudo.

Q12. Can I use sudo to grant specific rights to users?

Ans. The configuration file for sudo is /etc/sudoers. It is never advised to edit this file manually using any editor. It is always recommended to use visudo command for this purpose.

Here is the exact command :

$sudo visudo

and here is what you will get :

visudo

(Click to Enlarge)

This command will open a temporary file /etc/sudoers.tmp in nano editor for you to edit. Visudo makes sure that there is no conflict when multiple instances of same file are getting edited.

To understand how to grant limited privileges, understand the design of this configuration file here.

Q13. What is the difference between sudo -i vs sudo su- vs sudo su vs su -s vs sudo -s?

Ans. Here are some good discussions on comparisons between these

For more information on sudo and su, go through the respective man pages.

Some expand sudo as Super User do and su as Super User while others say that sudo stands for Switch User Do and su stands for Switch User. I am not sure about which one is correct. :-)

Category: CommandLineTips Commands Linux administration Ubuntu

About Himanshu Arora

Himanshu Arora is a software programmer, open source enthusiast and Linux researcher. He writes technical articles for various websites and blogs. Some of his articles have been featured on IBM developerworks, ComputerWorld and in Linux Journal. He is the administrator of the blog and also contributes useful posts on the blog. Visit his google+ profile or mail him at himanshuz.chd[at]MAILSERVER[dot]com (where MAILSERVER=gmail)

8 thoughts on “All you wanted to understand about sudo vs su in Ubuntu Linux

  1. djohnston

    “$ sudo adduser sudo

    Just replace (username) with the actual user name of the user account and this will do the job.”

    Well, your blog isn’t allowing the characters used in your post. Should be:

    You aren’t showing (username) in your example.

    Reply
  2. Alexander

    Don’t use “sudo su”. “sudo” has an option builtin for becoming root:

    sudo -i

    It’s there, so use it ;)

    Reply
  3. raju

    Hi,
    what does it means sudo su – oracle

    After connecting to putty with my credentials then we are used (sudo su – oracle) command then it will ask for password.

    Best Regards,
    Raju

    Reply
    1. Himanshu Post author

      sudo su - would ask for the current user passoword before logging him/her as root.

      Reply
  4. Rishi Raj

    Thanks for such a good article.

    In answers to Q.4, you have used “group” word for the name of command:
    “You can use ‘group’ command to check all the groups that user is a member of. ”
    But, in code snippet, you have typed the command name as “groups”.
    “$ groups mylinuxbook”

    Please check if “group” is correct or “groups” is, and amend the wrong command name.

    Reply
  5. Cliff Spencer

    I wrote the original sudo based on an idea from Bob Coggeshall back in the early 80s. I posted the sources to net.sources on USENET, I believe under the id sunybcs@cliff. The name refers to do-as-su.
    Regards,
    Cliff Spencer

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *