su or sudo?

My notes and some information about su and sudo, to gain privileged access on a Linux system.

Both the su and sudo commands are used to access a superuser account in Unix/Linux-based operating systems. However, these commands exhibit essential differences.

Using su and su -

An acronym for “substitute user,” the su command allows switching to another user account, typically “root.” Authentication requires the password of the target account, while Linux’s PAM (Pluggable Authentication Modules) system is used to verify the information.

You must know the user’s password to authenticate yourself. For instance, by executing su root, the “root” account’s password will be requested. su utilizes Linux’s internal “PAM” system to authenticate accounts.

```bash
# Connection to the "bob" user from your own account
su bob

# "full" connection with the user 'julien'
su - julien
```

While su is convenient, it retains the original account’s UID (User Identifier) and GID (Group Identifier), which can lead to confusion in the working directory and identifiers. For a complete connection to the target account, su - is recommended. The - indicates --login, ensuring an authentic connection.

sudo

Using the sudo command necessitates installing the “sudo” package on the machine. This command, ubiquitous in documentation and command entries, grants the user two capabilities: executing commands with elevated privileges and the ability to operate as another specified user.

```bash
# Debian/Ubuntu
apt install sudo

# Archlinux
pacman -S sudo

# Fedora/CentOS
yum install sudo
```

You’ve likely encountered “sudo” everywhere, whether in documentation or while observing your colleague entering commands. Using a command with sudo allows a user to:

  • Execute commands with elevated privileges, performing actions they might not have had access to before.
  • Execute commands as a specified user, inheriting the specified user’s privileges.

sudo goes beyond su by integrating plugins for security, strong authentication, logging, and the use of LDAP accounts. To use sudo, the user must belong to the “sudo” group; add a user to it with usermod -aG sudo username.

You will see sudo used in several ways: sudo -i, sudo su, sudo command1… They are all almost equivalent.

  • sudo -i truly connects to the “root” user account and uses its .bashrc and .profile.
  • sudo su is a combination of two different commands: “sudo” and “su.” By entering “sudo su,” you execute the “su” command as root. This means you will need to enter your user password, not the root account’s password.
  • sudo command: Executes the desired command with privileged rights (if you’re a member of the “sudo” group).

Taking sudo a step further

In addition to its flexibility, sudo offers precise control by restricting privileges to specific commands. This functionality separates administrative tasks from routine operations, reducing potential misuse. However, the option to not enter a password each time requires caution to prevent errors. Additionally, sudo can integrate with sophisticated security policies and allows plugin usage for specific needs.

Another significant feature of sudo is the ability to configure specific commands to run without needing to enter a password every time. While this can enhance efficiency by avoiding repeated inputs, using this feature requires caution. It can increase the risk of errors, especially if the specified commands have significant consequences.

Beyond these aspects, sudo can integrate with sophisticated security policies, enabling two-factor authentications or context-based access controls. The use of plugins extends customization possibilities to meet specific environment needs.
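The caution about passwordless and unrestricted rules can be checked mechanically. The script below is an added example, not part of the original article: it audits sudoers-style text and flags grants whose command list is ALL, separating the passwordless ones. The sample policy and every user, group and path in it are constructed assumptions.

```bash
#!/bin/sh
# Added example: flag unrestricted sudo rules in sudoers-style text.
# The policy is constructed; deploy, backup, %ops, %web and
# /usr/local/bin/backup.sh are assumed names, not from the article.
sample_policy() {
cat <<'EOF'
# Weak: every command, as any user, with no password prompt
deploy  ALL=(ALL:ALL) NOPASSWD: ALL
# Scoped: one fixed command as root, no password prompt
backup  ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
# Password is asked, but every command is allowed
%ops    ALL=(ALL) ALL
# Scoped: password asked, one command with fixed arguments
%web    ALL=(root) /usr/bin/systemctl restart nginx
EOF
}

# Reads rules on stdin, prints "<finding> <user-or-group>" per risky rule.
# Line-based only: aliases, includes and line continuations are not resolved.
audit_sudoers() {
  awk '
    /^[ \t]*(#|$)/    { next }   # comments and blank lines
    /^[ \t]*Defaults/ { next }   # option lines, not grants
    {
      who = $1
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)      # drop "who host ="
      sub(/^\([^)]*\)[ \t]*/, "", spec)   # drop "(runas)"
      n = split(spec, items, ",")
      nopass = 0                          # tags carry across the list
      for (i = 1; i <= n; i++) {
        cmd = items[i]
        gsub(/^[ \t]+|[ \t]+$/, "", cmd)
        while (match(cmd, /^[A-Z_]+:[ \t]*/)) {
          tag = substr(cmd, 1, RLENGTH)
          if (tag ~ /^NOPASSWD:/) nopass = 1
          if (tag ~ /^PASSWD:/)   nopass = 0
          cmd = substr(cmd, RLENGTH + 1)
        }
        if (cmd == "ALL") {
          kind = nopass ? "NOPASSWD_ALL" : "ALL_COMMANDS"
          print kind, who
        }
      }
    }'
}

sample_policy | audit_sudoers
```

On a real host the same function can read a policy file on stdin; edit policy only through visudo so that syntax errors are caught before they take effect.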

And you?

Using sudo is generally preferred over su due to its flexibility and enhanced security. It is a balanced choice between administrative tasks and mitigating potential errors. For security reasons, restricting privileges to the bare necessity and configuring sudo policies is recommended. While su is useful, sudo represents a modern and secure approach to privilege management on Linux systems.

I’m using sudo whenever possible. Depending on server configurations and security considerations, I might remove the sudo package and directly use the root account, connecting via su.
