Power to Build


Unix: sudo, su etc

At work, on unix, we always use,

sudo su - {application_adminid}

command to gain access to the Application admin’s files and home.

Sometimes we get confused and type it the wrong way and it doesn’t work correctly. So, I decided to dissect it, so we get it right each time.

First there is sudo – a command to execute another with superuser permissions:

sudo

This is the command that lets you run commands/programs executable by another id, typically an admin or root id, in Unix.

Once you sudo with a root or an admin id, you are running the command with elevated permissions. This is the Unix way of letting even normal users run some special programs that they wouldn’t have access to otherwise. sudo permissions live only through the time of the command execution.

What if you want it to stick around longer? You could keep typing sudo this, sudo that. For that, Unix’s answer is su – substitute user. You just become that other person for a session, during which you can run any command. Windows has the RunAs command or the “Run As Administrator” option; we will see about this in another post.

su also refers to Super User or switch user, depending on who you ask. With this, you are actually switching to use another person’s (usually an admin id) shell.

Now, when you do su, you are substituting for another user. The environment, path etc remain the same as yours. So, if you didn’t get certain permission(s), you still won’t be able to access paths/files. What we really want is to switch to other (super) user’s environment completely, as if she herself was logging in. This is where you use, su with – (minus sign).

su - {superuserid}

The above command switches your session to the other user’s logon environment.

So far so good. When you want to run a super command, use sudo and when you want to act “super” or root, use su – .

But, wait! You have surely seen,

sudo su - {superuserid}

Huh? What is that? Why do you need both? There lies the power of Unix.

su switches your user to the other (super) user. But, when you do su, don’t you need the other person’s password? Then where is the security in that? This is where sudo plays a role. Remember, sudo gives you root permission for the command you are executing currently.

sudo executes the command you are trying to run, as long as you are in the sudoers list. Once you sudo, the command you execute assumes root privileges. When you run su with that privilege, you are logging into the other person’s id with root privilege; thus, you don’t need any password to log in to the superuser’s logon!! See that? So,

sudo su - {superuserid}

means, that you are logging in with super id, without actually knowing her password. But, only if you are given that type of access. So, there you have it. “Sudo” to assume privileges of a super user without even knowing about it.

Security behind the commands

In case you are worried, no, we cannot use this to log in to anyone else’s login. Only “allowed” ids can be sudo/su’d into. This is where the sudoers file comes into the picture. Here is a nice picture that gives you an idea about sudo.

sudo-sudoers-make-me-sandwich.png

Courtesy: Guillermo Garron’s post

Read Guillermo’s very well written post for more details on sudoers file. Essentially, if your id is not listed there, you cannot sudo.

su has a similar restriction too, on some installations of *nix: you need to be in a group called wheel to be able to su (substitute user).
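
An added example, not from the original post: a small shell check over sudoers-style rules, showing why the entry behind sudo su - {superuserid} should name the target account rather than list su on its own. The user names and sample rules are constructed, and the parser assumes one rule per line with a single command and no aliases or line continuations.

```shell
#!/bin/sh
# Added example: what does a sudoers rule let a user do with su?
# Assumption: one rule per line, one command per rule, no aliases.

classify_su_rule() (
    set -f                                    # keep '*' in a rule literal
    # Strip "user host =", the "(runas)" spec, and tags such as NOPASSWD:
    cmd=$(printf '%s\n' "$1" | sed -e 's/^[^=]*=[[:space:]]*//' \
        -e 's/^([^)]*)[[:space:]]*//' -e 's/^\([A-Z_]*:[[:space:]]*\)*//')
    set -- $cmd
    case ${1:-} in
        ALL)  echo "any-target"; exit 0 ;;    # every command, su included
        */su) ;;                              # a rule about su itself
        *)    echo "not-su"; exit 0 ;;
    esac
    # A command listed without arguments matches ANY arguments in sudoers,
    # so a bare /bin/su lets the user choose the target, root included.
    [ $# -eq 1 ] && { echo "any-target"; exit 0; }
    shift
    target=root                               # su defaults to root
    for arg in "$@"; do
        case $arg in
            -|-l|--login) ;;                  # login-shell flags
            '""') ;;                          # sudoers: "" = no arguments
            *\**|*\?*|*\[*) echo "any-target"; exit 0 ;;  # wildcard target
            -*) echo "review"; exit 0 ;;      # other su options: check by hand
            *)  target=$arg ;;
        esac
    done
    echo "pinned:$target"
)

# Constructed sample rules (user names are made up for this example)
SAMPLE_RULES='alice ALL=(root) NOPASSWD: /bin/su - appadmin
bob ALL=(root) /bin/su
carol ALL=(root) /bin/su - *
dave ALL=(appadmin) /usr/bin/less /var/log/app.log'

audit_rules() {
    printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r rule; do
        printf '%-16s %s\n' "$(classify_su_rule "$rule")" "$rule"
    done
}
audit_rules
```

Only the first rule limits the user to the application admin account; the second and third let the user become any account, so they are the ones to tighten. Run visudo -c as well to validate the real file's syntax.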

 

