Can sudo replace su?

Question

There is much duplication of functionality on Linux-based systems, for example these do the same thing:

sudo --login --user <user>
sudo su - <user>

The sudo-only approach looks more elegant. Can one do without su without breaking too many things?

Answer 1

If I'm not wrong, there are some slight differences between su and sudo:

• su only allows changing the user id (to become superuser for example).
• su allows any user that knows the password of another user to become that user, and there is no way to control this.
• sudo allows running a command as another user (including root).
• sudo is controlled by the /etc/sudoers file.

I think the initial goal of the sudo command is to have a better control of who can run commands with root privileges and who cannot. When you have a system with more than one administrator, sudo allows running commands as root without needing the root password, which is from my point of view, more secure. On many distributions, the /etc/sudoers allows to control the user or group list that can use sudo.

Answer 2

In usage, yes, sudo can completely replace su. But there are a lot of scripts and programs that use su, so there is no way to safely remove it. Lots of Linux distrubutions don't have sudo preinstalled. Using sudo in a script will make it incompatible with these systems. As Jernej mentioned in his comment, su is part of the Posix standard. That means that when you write a script you should be able to trust that if you use su your script will run on all Posix compliant operating systems.

Here is a reference.

Answer 3

sudo closes any file descriptors greater than >&2 for invoked processes automatically - which might be a problem.

The whole sudoers thing is yet another (arguably unnecessary) abstraction from the tried and true /etc/passwd basic user/group Unix-style permissions scheme and it requires its own management.

For instance, from man growisofs:

If executed under sudo(8) growisofs refuses to start. This is done for the following reason. Naturally growisofs has to access the data set to be recorded to DVD media, either indirectly by letting mkisofs generate ISO9660 layout on-the-fly or directly if a pre-mastered image is to be recorded. Being executed under sudo(8), growisofs effectively grants sudoers read access to any file in the file system. The situation is intensified by the fact that growisofs parses $MKISOFS environment variable in order to determine alternative path to mkisofs executable image. This means that being executed under sudo(8), growisofs effectively grants sudoers right to execute program of their choice with elevated privileges. If you for any reason still find the above acceptable and are willing to take the consequences, then consider running following wrapper script under sudo(8) in place for real growisofs binary.

    #!/bin/ksh
    unset SUDO_COMMAND
    export MKISOFS=/path/to/trusted/mkisofs
    exec growisofs "$@"

But note that the recommended alternative to the above "workaround" is actually to install growisofs set-root-uid, in which case it will drop privileges prior accessing data or executing mkisofs in order to preclude unauthorized access to the data.

At least su actually temporarily switches users and preserves Unix-style permissions. sudo, on the other hand, transcends users. Still, if you properly cope with that in /etc/sudoers sudo can probably completely replace su in most respects and do so conveniently - with some minimal cost to security, because su presents most of the same security problems as sudo - and maybe a few of its own. I consider this an excellent discussion on the subject.

But why not just skip them both and...

CTRL+ALT+Fn

login: root

Or...

ssh root@localhost

Whatever happened to root anyway?