Home » su vs sudo -s vs sudo -i vs sudo bash

su vs sudo -s vs sudo -i vs sudo bash


With su, you become another user — root by default, but potentially another user. If you say su -, your environment gets replaced with that user’s login environment as well, so that what you see is indistinguishable from logging in as that user. There is no way the system can tell what you do while su‘d to another user from actions by that user when they log in.

Things are very different with sudo:

  • Commands you run through sudo execute as the target user — root by default, but changeable with -u — but it logs the commands you run through it, tagging them with your username so blame can be assigned afterward. 🙂

  • sudo is very flexible. You can limit the commands a given user or group of users are allowed to run, for example. With su, it’s all or nothing.

    This feature is typically used to define roles. For instance, you could define a “backups” group allowed to run dump and tar, each of which needs root access to properly back up the system disk.

    I mention this here because it means you can give someone sudo privileges without giving them sudo -s or sudo bash abilities. They have only the permissions they need to do their job, whereas with su they have run of the entire system. You have to be careful with this, though: if you give someone the ability to say sudo vi, for example, they can shell out of vi and have effectively the same power as with sudo -s.

  • Because it takes the sudoer’s password instead of the root password, sudo isolates permission between multiple sudoers.

    This solves an administrative problem with su, which is that when the root password changes, all those who had to know it to use su had to be told. sudo allows the sudoers’ passwords to change independently. In fact, it is common to password-lock the root user’s account on a system with sudo to force all sysadmin tasks to be done via sudo. In a large organization with many trusted sudoers, this means when one of the sysadmins leaves, you don’t have to change the root password and distribute it to those admins who remain.

The main difference between sudo bash and sudo -s is that -s is shorter and lets you pass commands to execute in your user’s default shell in a couple of ways:

  1. You can say sudo -s some-command which runs some-command under your shell. It’s basically shorthand for sudo $SHELL -c some-command.

  2. You can instead pass the commands to the shell’s standard input, like sudo -s < my-shell-script. You could use this with a heredoc to send several commands to a single sudo call, avoiding the need to type sudo repeatedly.

Both of those behaviors are optional. Far more commonly, you give -s alone, so it just runs your user’s shell interactively. In that mode, it differs from sudo bash in that it might run a different shell than bash, since it looks first in the SHELL environment variable, and then if that is unset, at your user’s login shell setting, typically in /etc/passwd.

The shell run by sudo -s inherits your current user environment. If what you actually want is a clean environment, like you get just after login, what you want instead is sudo -i, a relatively recent addition to sudo. Roughly speaking, sudo -i is to sudo -s as su - is to su: it resets all but a few key environment variables and sends you back to your user’s home directory. If you don’t also give it commands to run under that shell via standard input or sudo -i some-command, it will run that shell as an interactive login shell, so your user’s shell startup scripts (e.g. .bash_profile) get run again.

All of this makes sudo -i considerably more secure than sudo -s. Why? Because if someone can modify your environment before sudo -s, they could cause unintended commands to be executed. The most obvious case is modifying SHELL, but it can also happen less directly, such as via PAGER if you say man foo while under sudo -s.

You might say, “If they can modify PAGER, they can modify PATH, and then they can just substitute an evil sudo program,” but someone sufficiently paranoid can say /usr/bin/sudo /bin/bash to avoid that trap. You’re probably not so paranoid that you also avoid the traps in all the other susceptible environment variables, though. Did you also remember to check EDITOR, for example, before running any VCS command? Thus sudo -i.

Because sudo -i also changes your working directory to your user’s home directory, you might still want to use sudo -s for those situations where you know you want to remain in the same directory you were cd‘d into when you ran sudo. It’s still safer to sudo -i and cd back to where you were, though.

Another variant of all this that you sometimes see is sudo su, which is approximately equivalent to sudo -s. Likewise, sudo su - is functionally quite close to sudo -i. Since sudo and su are competing commands, it’s a little odd to pair them like this, so I recommend that you use the sudo flags instead.

From an ubuntuforums post I made a while ago:

Consider the following experiment:

applic@ion:~% sudo su
[sudo] password for applic:
root@ion:/home/applic# env > /tmp/sudo_su_env
root@ion:/home/applic# exit
applic@ion:~% sudo -s
applic .bashrc read...
root@ion:~% env >/tmp/sudo_s

Here are the differences I found:

With sudo -s:

reads $USER's ~/.bashrc

With sudo su:

reads /etc/environment
reads /root/.bashrc

Notice the difference in $HOME. Being root and having $HOME set to the normal user’s home can cause problems. For example, if you run a graphical app, the normal user’s ~/.Xauthority can get overwritten by root. This causes the normal user problems later on such as not being able to run certain graphical apps through cron.

To summarize:

                                     corrupted by user's 
        HOME=/root  uses root's PATH     env vars
sudo -i     Y       Y[2]                 N
sudo -s     N       Y[2]                 Y
sudo bash   N       Y[2]                 Y
sudo su     Y       N[1]                 Y
  1. PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
    probably set by /etc/environment
  2. PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

The bottom line is sudo -i is the proper command to run when you want a root shell that is untainted by the user’s environment.

su (switch user or substitute user) lets you switch user. su basically starts another shell instance with the privileges of the intended user. By default it switches you to the root user, if we want to switch specific user we need to pass user as follows:

$ su bob  # switches to bob (requires bob's password)

su - means environment variables will be reset to root and su means environment variables as old user.

for example: root’s home directory if you use su - or old user home directory if you use su.

sudo (super user do) is a command-line utility that allows users to run programs with the security privileges of another user, by default is superuser i.e root. It uses a config file /etc/sudoers which lists which users have rights to specific actions

sudo should be read as /ˈsuːduː/. syntax sudo command i.e. switch user and do this command.

  • su is equivalent to sudo -i and simulates a login into the root account. Your working directory will be /root, and it will read root’s .profile etc. The prompt will change from $ to #, indicating you have root access.

  • sudo -s launches a shell as root, but doesn’t change your working

  • sudo bash where bash is command to run with sudo. This command runs
    bash as a super user.

  • Using sudo can be logged everything someone does.
  • Using sudo prevents a user from having to know the root password.
  • Using sudo we can limit the commands are allowed to run.

Related Solutions

Joining bash arguments into single string with spaces

[*] I believe that this does what you want. It will put all the arguments in one string, separated by spaces, with single quotes around all: str="'$*'" $* produces all the scripts arguments separated by the first character of $IFS which, by default, is a space....

AddTransient, AddScoped and AddSingleton Services Differences

TL;DR Transient objects are always different; a new instance is provided to every controller and every service. Scoped objects are the same within a request, but different across different requests. Singleton objects are the same for every object and every...

How to download package not install it with apt-get command?

Use --download-only: sudo apt-get install --download-only pppoe This will download pppoe and any dependencies you need, and place them in /var/cache/apt/archives. That way a subsequent apt-get install pppoe will be able to complete without any extra downloads....

What defines the maximum size for a command single argument?

Answers Definitely not a bug. The parameter which defines the maximum size for one argument is MAX_ARG_STRLEN. There is no documentation for this parameter other than the comments in binfmts.h: /* * These are the maximum length and maximum number of strings...

Bulk rename, change prefix

I'd say the simplest it to just use the rename command which is common on many Linux distributions. There are two common versions of this command so check its man page to find which one you have: ## rename from Perl (common in Debian systems -- Ubuntu, Mint,...

Output from ls has newlines but displays on a single line. Why?

When you pipe the output, ls acts differently. This fact is hidden away in the info documentation: If standard output is a terminal, the output is in columns (sorted vertically) and control characters are output as question marks; otherwise, the output is...

mv: Move file only if destination does not exist

mv -vn file1 file2. This command will do what you want. You can skip -v if you want. -v makes it verbose - mv will tell you that it moved file if it moves it(useful, since there is possibility that file will not be moved) -n moves only if file2 does not exist....

Is it possible to store and query JSON in SQLite?

SQLite 3.9 introduced a new extension (JSON1) that allows you to easily work with JSON data . Also, it introduced support for indexes on expressions, which (in my understanding) should allow you to define indexes on your JSON data as well. PostgreSQL has some...

Combining tail && journalctl

You could use: journalctl -u service-name -f -f, --follow Show only the most recent journal entries, and continuously print new entries as they are appended to the journal. Here I've added "service-name" to distinguish this answer from others; you substitute...

how can shellshock be exploited over SSH?

One example where this can be exploited is on servers with an authorized_keys forced command. When adding an entry to ~/.ssh/authorized_keys, you can prefix the line with command="foo" to force foo to be run any time that ssh public key is used. With this...

Why doesn’t the tilde (~) expand inside double quotes?

The reason, because inside double quotes, tilde ~ has no special meaning, it's treated as literal. POSIX defines Double-Quotes as: Enclosing characters in double-quotes ( "" ) shall preserve the literal value of all characters within the double-quotes, with the...

What is GNU Info for?

GNU Info was designed to offer documentation that was comprehensive, hyperlinked, and possible to output to multiple formats. Man pages were available, and they were great at providing printed output. However, they were designed such that each man page had a...

Set systemd service to execute after fstab mount

a CIFS network location is mounted via /etc/fstab to /mnt/ on boot-up. No, it is not. Get this right, and the rest falls into place naturally. The mount is handled by a (generated) systemd mount unit that will be named something like mnt-wibble.mount. You can...

Merge two video clips into one, placing them next to each other

To be honest, using the accepted answer resulted in a lot of dropped frames for me. However, using the hstack filter_complex produced perfectly fluid output: ffmpeg -i left.mp4 -i right.mp4 -filter_complex hstack output.mp4 ffmpeg -i input1.mp4 -i input2.mp4...

How portable are /dev/stdin, /dev/stdout and /dev/stderr?

It's been available on Linux back into its prehistory. It is not POSIX, although many actual shells (including AT&T ksh and bash) will simulate it if it's not present in the OS; note that this simulation only works at the shell level (i.e. redirection or...

How can I increase the number of inodes in an ext4 filesystem?

It seems that you have a lot more files than normal expectation. I don't know whether there is a solution to change the inode table size dynamically. I'm afraid that you need to back-up your data, and create new filesystem, and restore your data. To create new...

Why doesn’t cp have a progress bar like wget?

The tradition in unix tools is to display messages only if something goes wrong. I think this is both for design and practical reasons. The design is intended to make it obvious when something goes wrong: you get an error message, and it's not drowned in...