[OT] sudo, why not su?
Sean Miller
sean at seanmiller.net
Mon Aug 8 08:38:18 UTC 2005
Magnus Therning wrote:
>The difference is that I use sudo, and my colleague uses su. I wanted to
>know exactly what the benefit of sudo is over su. In the most simple
>usage of sudo (as in a newly installed Ubuntu) the benefit is that sudo
>requires the user's password, su requires root's password. If su could,
>in some way, be made to require the calling user's password then that
>difference would disappear and, in that very simple scenario, su and
>sudo would be so similar that either could be used.
>
>
Just found the original question -- somewhere along the line somebody
made the statement that you couldn't su to another user except through
root... that was the basis of my previous answer... now, this one...

I have been using both sudo and su in a professional environment for
about 10 years... I have never considered them to be in any way the same
thing... neither has a benefit over the other because they do different
things.

su
----
su switches user. It creates a new shell process spawned from the one it
is called from which is logged in as the requested user (if none is
specified this is root). When you su to another user you have to enter
their password unless you are logged as root when you issue the command
in which case you do not. This is because of the hierarchy... root is
the super-user, others do not have this privilege.

To set su up so that you entered your own password would completely
negate the whole Linux/Unix security model. It would effectively mean
that every user is a super-user and, as such, has the ability to do
things that only root should.

sudo
--------
sudo runs a single command as the root user. In its "ubuntu" incarnation
it has a lot of access to commands whereas in its purest incarnation it
does not.

Access to run commands as root using "sudo" is controlled by root...
there is a file called /etc/sudoers which links commands to users. When
using it at an Insurance company I was working at normal users had very
few commands they could run... killing print jobs was one... but they
certainly wouldn't have been able to get to a root shell using sudo.

The values in /etc/sudoers are changed by root by issuing the command
"visudo"... the Ubuntu setup as supplied by default basically gives the
first user set up during install carte blanche to run anything as root.
This is not really what sudo is designed for but is a novel way of
giving folks the ability to administer every aspect of their Ubuntu
install without ever having to go to a root shell.

conclusion
------------------
su - switches to another user (default=root).
sudo - runs pre-approved commands as root, access to do so having been
granted by root.
Hope that helps,
For more information take a look at the "sudo" and "su" man pages.
Sean
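
The two /etc/sudoers setups contrasted in the message above (a user limited to a few commands versus a blanket grant), as an added example that is not part of the original post: a simplified reader that reports which rules grant every command. The user "alice", the group "%admin", the command paths and the function names are assumptions; it handles only plain user rules and Cmnd_Alias definitions that appear before their use.

```python
import re

# Constructed sample sudoers text. The user "alice", the group "%admin" and
# the command paths are assumptions made for this example.
SAMPLE = """\
Defaults env_reset
Cmnd_Alias PRINTJOBS = /usr/bin/lprm, \\
                       /usr/bin/cancel
# restricted: may only remove print jobs
alice   ALL = PRINTJOBS
# blanket: may run anything as any user
%admin  ALL = (ALL) ALL
"""

# Rule shape: who host = (runas) commands; the (runas) part is optional.
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def logical_lines(text):
    """Join backslash continuations; drop blank lines and '#' lines."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return one dict per rule; 'unrestricted' is True when ALL is granted."""
    aliases, rules = {}, []
    for line in logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = None if line.startswith(SKIP) else RULE.match(line)
        if not m:
            continue
        who, _host, runas, cmds = m.groups()
        granted = []
        for c in cmds.split(","):
            c = re.sub(r"^(?:[A-Z]+:\s*)+", "", c.strip())  # drop tags such as NOPASSWD:
            granted.extend(aliases.get(c, [c]))
        rules.append({"who": who, "runas": runas or "root",
                      "commands": granted, "unrestricted": "ALL" in granted})
    return rules

if __name__ == "__main__":
    for r in audit(SAMPLE):
        kind = "UNRESTRICTED" if r["unrestricted"] else "restricted"
        print(f'{r["who"]:8} as {r["runas"]:5} {kind:13} {", ".join(r["commands"])}')
```

On a live system, "sudo -l" shows the invoking user what the real sudoers policy allows them to run.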